diff --git a/patches/0001-Add-file-to-mandate-patch.patch b/patches/0001-Add-file-to-mandate-patch.patch
new file mode 100644
index 00000000..6792a66b
--- /dev/null
+++ b/patches/0001-Add-file-to-mandate-patch.patch
@@ -0,0 +1,19 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ian Wahbe
+Date: Mon, 9 Dec 2024 11:22:31 +0100
+Subject: [PATCH] Add file to mandate patch
+
+
+diff --git a/patch.md b/patch.md
+new file mode 100644
+index 0000000..a8fee35
+--- /dev/null
++++ b/patch.md
+@@ -0,0 +1,7 @@
++# Patch
++
++This provider needs a patch since it's [`go.mod`](https://github.com/keycloak/terraform-provider-keycloak/blob/3f6b75b79ada48eddb41de6055f57a357d9b691c/go.mod#L1) is not valid:
++
++```go
++module github.com/mrparkers/terraform-provider-keycloak
++```
diff --git a/patches/0001-fork.patch b/patches/0001-fork.patch
deleted file mode 100644
index c4b0afe2..00000000
--- a/patches/0001-fork.patch
+++ /dev/null
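Review bot: The new `patch.md` explains why a patch is required (the upstream `go.mod` declares `module github.com/mrparkers/terraform-provider-keycloak` while the linked repository lives under the keycloak organisation) but not where that module path is actually corrected, since the same commit deletes the 2854-line `patches/0001-fork.patch` and the replacement patch adds only this markdown file. If the rewrite now happens in the build step rather than in a patch, a sentence such as `The module path itself is rewritten during the build; this file only exists so the patch step has something to apply.` would save the next maintainer a search. The `go.mod` link pins a specific upstream commit rather than a branch, which is the right choice for a dependency-provenance reference and should be kept that way when the pin is bumped. Minor wording: `since it's go.mod` should read `since its go.mod`.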
@@ -1,2854 +0,0 @@ -diff --git b/website/docs/d/keycloak_group.html.markdown a/website/docs/d/keycloak_group.html.markdown -new file mode 100644 -index 0000000..2cfaf67 ---- /dev/null -+++ a/website/docs/d/keycloak_group.html.markdown -@@ -0,0 +1,47 @@ -+# keycloak_group data source -+ -+This data source can be used to fetch properties of a Keycloak group for -+usage with other resources, such as `keycloak_group_roles`. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+data "keycloak_role" "offline_access" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "offline_access" -+} -+ -+data "keycloak_group" "group" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "group" -+} -+ -+resource "keycloak_group_roles" "group_roles" { -+ realm_id = "${keycloak_realm.realm.id}" -+ group_id = "${data.keycloak_group.group.id}" -+ -+ roles = [ -+ "${data.keycloak_role.offline_access.id}" -+ ] -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this group exists within. -+- `name` - (Required) The name of the group -+ -+### Attributes Reference -+ -+In addition to the arguments listed above, the following computed attributes are exported: -+ -+- `id` - The unique ID of the group, which can be used as an argument to -+ other resources supported by this provider. -+ -diff --git b/website/docs/d/keycloak_openid_client.html.markdown a/website/docs/d/keycloak_openid_client.html.markdown -new file mode 100644 -index 0000000..bd38e9e ---- /dev/null -+++ a/website/docs/d/keycloak_openid_client.html.markdown -@@ -0,0 +1,30 @@ -+# keycloak_openid_client data source -+ -+This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. 
-+ -+### Example Usage -+ -+```hcl -+data "keycloak_openid_client" "realm_management" { -+ realm_id = "my-realm" -+ client_id = "realm-management" -+} -+ -+# use the data source -+data "keycloak_role" "admin" { -+ realm_id = "my-realm" -+ client_id = data.keycloak_openid_client.realm_management.id -+ name = "realm-admin" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm id. -+- `client_id` - (Required) The client id. -+ -+### Attributes Reference -+ -+See the docs for the [`keycloak_openid_client` resource](../resources/keycloak_openid_client.md) for details on the exported attributes. -diff --git b/website/docs/d/keycloak_realm.html.markdown a/website/docs/d/keycloak_realm.html.markdown -new file mode 100644 -index 0000000..f373cb6 ---- /dev/null -+++ a/website/docs/d/keycloak_realm.html.markdown -@@ -0,0 +1,30 @@ -+# keycloak_realm data source -+ -+This data source can be used to fetch properties of a Keycloak realm for -+usage with other resources. -+ -+### Example Usage -+ -+```hcl -+data "keycloak_realm" "realm" { -+ realm = "my-realm" -+} -+ -+# use the data source -+ -+resource "keycloak_role" "group" { -+ realm_id = "${data.keycloak_realm.id}" -+ name = "group" -+} -+ -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm` - (Required) The realm name. -+ -+### Attributes Reference -+ -+See the docs for the [`keycloak_realm` resource](../resources/keycloak_realm.md) for details on the exported attributes. -diff --git b/website/docs/d/keycloak_realm_keys.html.markdown a/website/docs/d/keycloak_realm_keys.html.markdown -new file mode 100644 -index 0000000..50e41b3 ---- /dev/null -+++ a/website/docs/d/keycloak_realm_keys.html.markdown -@@ -0,0 +1,38 @@ -+# keycloak_realm_keys data source -+ -+Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. 
-+ -+Remarks: -+ -+- A key must meet all filter criteria -+- This datasource may return more than one value. -+- If no key matches the filter criteria, then an error is returned. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+data "keycloak_realm_keys" "keys" { -+ realm_id = keycloak_realm.realm -+ algorithms = ["AES", "RS256"] -+ status = ["ACTIVE", "PASSIVE"] -+} -+ -+# show certificate of first key: -+output "certificate" { -+ value = data.keycloak_realm_keys.realm.keys[0].certificate -+} -+ -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm of which the keys are retrieved. -+- `algorithms` - (Optional) When specified, keys are filtered by algorithm (values for algorithm: `HS256`, `RS256`,`AES`, ...) -+- `status` - (Optional) When specified, keys are filtered by status (values for status: `ACTIVE`, `DISABLED` and `PASSIVE`) -diff --git b/website/docs/d/keycloak_role.html.markdown a/website/docs/d/keycloak_role.html.markdown -new file mode 100644 -index 0000000..7dfc4f9 ---- /dev/null -+++ a/website/docs/d/keycloak_role.html.markdown -@@ -0,0 +1,51 @@ -+# keycloak_role data source -+ -+This data source can be used to fetch properties of a Keycloak role for -+usage with other resources, such as `keycloak_group_roles`. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+data "keycloak_role" "offline_access" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "offline_access" -+} -+ -+# use the data source -+ -+resource "keycloak_group" "group" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "group" -+} -+ -+resource "keycloak_group_roles" "group_roles" { -+ realm_id = "${keycloak_realm.realm.id}" -+ group_id = "${keycloak_group.group.id}" -+ -+ roles = [ -+ "${data.keycloak_role.offline_access.id}" -+ ] -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this role exists within. -+- `client_id` - (Optional) When specified, this role is assumed to be a -+ client role belonging to the client with the provided ID -+- `name` - (Required) The name of the role -+ -+### Attributes Reference -+ -+In addition to the arguments listed above, the following computed attributes are exported: -+ -+- `id` - The unique ID of the role, which can be used as an argument to -+ other resources supported by this provider. -+- `description` - The description of the role. -diff --git b/website/docs/r/keycloak_attribute_importer_identity_provider_mapper.html.markdown a/website/docs/r/keycloak_attribute_importer_identity_provider_mapper.html.markdown -new file mode 100644 -index 0000000..80ef892 ---- /dev/null -+++ a/website/docs/r/keycloak_attribute_importer_identity_provider_mapper.html.markdown -@@ -0,0 +1,38 @@ -+# keycloak_attribute_importer_identity_provider_mapper -+ -+Allows to create and manage identity provider mappers within Keycloak. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_attribute_importer_identity_provider_mapper" "test_mapper" { -+ realm = "my-realm" -+ name = "my-mapper" -+ identity_provider_alias = "idp_alias" -+ attribute_name = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -+ user_attribute = "lastName" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm` - (Required) The name of the realm. -+- `name` - (Required) The name of the mapper. -+- `identity_provider_alias` - (Required) The alias of the associated identity provider. -+- `user_attribute` - (Required) The user attribute name to store SAML attribute. -+- `attribute_name` - (Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. -+- `attribute_friendly_name` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead. -+- `claim_name` - (Optional) The claim name. -+ -+### Import -+ -+Identity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak -+assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. -+ -+Example: -+ -+```bash -+$ terraform import keycloak_attribute_importer_identity_provider_mapper.test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b -+``` -diff --git b/website/docs/r/keycloak_custom_user_federation.html.markdown a/website/docs/r/keycloak_custom_user_federation.html.markdown -new file mode 100644 -index 0000000..523a2a3 ---- /dev/null -+++ a/website/docs/r/keycloak_custom_user_federation.html.markdown -@@ -0,0 +1,44 @@ -+# keycloak_custom_user_federation -+ -+Allows for creating and managing custom user federation providers within Keycloak. 
-+ -+A custom user federation provider is an implementation of Keycloak's -+[User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). -+An example of this implementation can be found [here](https://github.com/mrparkers/terraform-provider-keycloak/tree/master/custom-user-federation-example). -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "test" -+ enabled = true -+} -+ -+resource "keycloak_custom_user_federation" "custom_user_federation" { -+ name = "custom" -+ realm_id = "${keycloak_realm.realm.id}" -+ provider_id = "custom" -+ -+ enabled = true -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm that this provider will provide user federation for. -+- `name` - (Required) Display name of the provider when displayed in the console. -+- `provider_id` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. -+- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. -+- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. -+- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. -+ -+### Import -+ -+Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. 
-+The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: -+ -+```bash -+$ terraform import keycloak_custom_user_federation.custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 -+``` -diff --git b/website/docs/r/keycloak_default_groups.html.markdown a/website/docs/r/keycloak_default_groups.html.markdown -new file mode 100644 -index 0000000..491e41b ---- /dev/null -+++ a/website/docs/r/keycloak_default_groups.html.markdown -@@ -0,0 +1,42 @@ -+# keycloak_default_groups -+ -+Allows for managing a realm's default groups. -+ -+Note that you should not use `keycloak_default_groups` with a group with memberships managed -+by `keycloak_group_memberships`. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_group" "group" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "my-group" -+} -+ -+resource "keycloak_default_groups" "default" { -+ realm_id = "${keycloak_realm.realm.id}" -+ group_ids = ["${keycloak_group.group.id}"] -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this group exists in. -+- `group_ids` - (Required) A set of group ids that should be default groups on the realm referenced by `realm_id`. -+ -+### Import -+ -+Groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in. 
-+ -+Example: -+ -+```bash -+$ terraform import keycloak_default_groups.default my-realm -+``` -\ No newline at end of file -diff --git b/website/docs/r/keycloak_generic_client_protocol_mapper.html.markdown a/website/docs/r/keycloak_generic_client_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..2746481 ---- /dev/null -+++ a/website/docs/r/keycloak_generic_client_protocol_mapper.html.markdown -@@ -0,0 +1,60 @@ -+# keycloak_generic_client_protocol_mapper -+ -+Allows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak. -+ -+There are two uses cases for using this resource: -+* If you implemented a custom protocol mapper, this resource can be used to configure it -+* If the provider doesn't support a particular protocol mapper, this resource can be used instead. -+ -+Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors. -+Therefore, if possible, a specific mapper should be used. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_saml_client" "saml_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+} -+ -+resource "keycloak_generic_client_protocol_mapper" "saml_hardcode_attribute_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_saml_client.saml_client.id}" -+ name = "tes-mapper" -+ protocol = "saml" -+ protocol_mapper = "saml-hardcode-attribute-mapper" -+ config = { -+ "attribute.name" = "name" -+ "attribute.nameformat" = "Basic" -+ "attribute.value" = "value" -+ "friendly.name" = "display name" -+ } -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required) The client this protocol mapper is attached to. 
-+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client. -+- `protocol_mapper` - (Required) The name of the protocol mapper. The protocol mapper must be -+ compatible with the specified client. -+- `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. -+ -+### Import -+ -+Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_generic_client_protocol_mapper.saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_group.html.markdown a/website/docs/r/keycloak_group.html.markdown -new file mode 100644 -index 0000000..f6f03b3 ---- /dev/null -+++ a/website/docs/r/keycloak_group.html.markdown -@@ -0,0 +1,68 @@ -+# keycloak_group -+ -+Allows for creating and managing Groups within Keycloak. -+ -+Groups provide a logical wrapping for users within Keycloak. Users within a -+group can share attributes and roles, and group membership can be mapped -+to a claim. -+ -+Attributes can also be defined on Groups. -+ -+Groups can also be federated from external data sources, such as LDAP or Active Directory. -+This resource **should not** be used to manage groups that were created this way. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_group" "parent_group" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "parent-group" -+} -+ -+resource "keycloak_group" "child_group" { -+ realm_id = "${keycloak_realm.realm.id}" -+ parent_id = "${keycloak_group.parent_group.id}" -+ name = "child-group" -+} -+ -+resource "keycloak_group" "child_group_with_optional_attributes" { -+ realm_id = "${keycloak_realm.realm.id}" -+ parent_id = "${keycloak_group.parent_group.id}" -+ name = "child-group-with-optional-attributes" -+ attributes = { -+ "key1" = "value1" -+ "key2" = "value2" -+ } -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this group exists in. -+- `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level. -+- `name` - (Required) The name of the group. -+- `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group. -+ -+### Attributes Reference -+ -+In addition to the arguments listed above, the following computed attributes are exported: -+ -+- `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. -+ -+### Import -+ -+Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak -+assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID. 
-+ -+Example: -+ -+```bash -+$ terraform import keycloak_group.child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd -+``` -diff --git b/website/docs/r/keycloak_group_memberships.html.markdown a/website/docs/r/keycloak_group_memberships.html.markdown -new file mode 100644 -index 0000000..19c2c39 ---- /dev/null -+++ a/website/docs/r/keycloak_group_memberships.html.markdown -@@ -0,0 +1,56 @@ -+# keycloak_group_memberships -+ -+Allows for managing a Keycloak group's members. -+ -+Note that this resource attempts to be an **authoritative** source over group members. -+When this resource takes control over a group's members, users that are manually added -+to the group will be removed, and users that are manually removed from the group will -+be added upon the next run of `terraform apply`. Eventually, a non-authoritative resource -+for group membership will be added to this provider. -+ -+Also note that you should not use `keycloak_group_memberships` with a group has been assigned -+as a default group via `keycloak_default_groups`. -+ -+This resource **should not** be used to control membership of a group that has its members -+federated from an external source via group mapping. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_group" "group" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "my-group" -+} -+ -+resource "keycloak_user" "user" { -+ realm_id = "${keycloak_realm.realm.id}" -+ username = "my-user" -+} -+ -+resource "keycloak_group_memberships" "group_members" { -+ realm_id = "${keycloak_realm.realm.id}" -+ group_id = "${keycloak_group.group.id}" -+ -+ members = [ -+ "${keycloak_user.user.username}" -+ ] -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this group exists in. -+- `group_id` - (Required) The ID of the group this resource should manage memberships for. 
-+- `members` - (Required) An array of usernames that belong to this group. -+ -+### Import -+ -+This resource does not support import. Instead of importing, feel free to create this resource -+as if it did not already exist on the server. -diff --git b/website/docs/r/keycloak_group_roles.html.markdown a/website/docs/r/keycloak_group_roles.html.markdown -new file mode 100644 -index 0000000..e0903cf ---- /dev/null -+++ a/website/docs/r/keycloak_group_roles.html.markdown -@@ -0,0 +1,83 @@ -+# keycloak_group_roles -+ -+Allows you to manage roles assigned to a Keycloak group. -+ -+Note that this resource attempts to be an **authoritative** source over -+group roles. When this resource takes control over a group's roles, -+roles that are manually added to the group will be removed, and roles -+that are manually removed from the group will be added upon the next run -+of `terraform apply`. -+ -+Note that when assigning composite roles to a group, you may see a -+non-empty plan following a `terraform apply` if you assign a role and a -+composite that includes that role to the same group. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_role" "realm_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "my-realm-role" -+ description = "My Realm Role" -+} -+ -+resource "keycloak_openid_client" "client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "client" -+ name = "client" -+ -+ enabled = true -+ -+ access_type = "BEARER-ONLY" -+} -+ -+resource "keycloak_role" "client_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_client.client.id}" -+ name = "my-client-role" -+ description = "My Client Role" -+} -+ -+resource "keycloak_group" "group" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "my-group" -+} -+ -+resource "keycloak_group_roles" "group_roles" { -+ realm_id = "${keycloak_realm.realm.id}" -+ group_id = "${keycloak_group.group.id}" -+ -+ role_ids = [ -+ "${keycloak_role.realm_role.id}", -+ "${keycloak_role.client_role.id}", -+ ] -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this group exists in. -+- `group_id` - (Required) The ID of the group this resource should -+ manage roles for. -+- `role_ids` - (Required) A list of role IDs to map to the group -+ -+### Import -+ -+This resource can be imported using the format -+`{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that -+Keycloak assigns to the group upon creation. This value can be found in -+the URI when editing this group in the GUI, and is typically a GUID. 
-+ -+Example: -+ -+```bash -+$ terraform import keycloak_group_roles.group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94 -+``` -+ -diff --git b/website/docs/r/keycloak_ldap_full_name_mapper.html.markdown a/website/docs/r/keycloak_ldap_full_name_mapper.html.markdown -new file mode 100644 -index 0000000..f2655c2 ---- /dev/null -+++ a/website/docs/r/keycloak_ldap_full_name_mapper.html.markdown -@@ -0,0 +1,61 @@ -+# keycloak_ldap_full_name_mapper -+ -+Allows for creating and managing full name mappers for Keycloak users federated -+via LDAP. -+ -+The LDAP full name mapper can map a user's full name from an LDAP attribute -+to the first and last name attributes of a Keycloak user. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "test" -+ enabled = true -+} -+ -+resource "keycloak_ldap_user_federation" "ldap_user_federation" { -+ name = "openldap" -+ realm_id = "${keycloak_realm.realm.id}" -+ -+ username_ldap_attribute = "cn" -+ rdn_ldap_attribute = "cn" -+ uuid_ldap_attribute = "entryDN" -+ user_object_classes = [ -+ "simpleSecurityObject", -+ "organizationalRole" -+ ] -+ connection_url = "ldap://openldap" -+ users_dn = "dc=example,dc=org" -+ bind_dn = "cn=admin,dc=example,dc=org" -+ bind_credential = "admin" -+} -+ -+resource "keycloak_ldap_full_name_mapper" "ldap_full_name_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ ldap_user_federation_id = "${keycloak_ldap_user_federation.ldap_user_federation.id}" -+ name = "full-name-mapper" -+ ldap_full_name_attribute = "cn" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -+- `name` - (Required) Display name of this mapper when displayed in the console. 
-+- `ldap_full_name_attribute` - (Required) The name of the LDAP attribute containing the user's full name. -+- `read_only` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. -+- `write_only` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. -+ -+### Import -+ -+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. -+The ID of the LDAP user federation provider and the mapper can be found within -+the Keycloak GUI, and they are typically GUIDs: -+ -+```bash -+$ terraform import keycloak_ldap_full_name_mapper.ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -+``` -diff --git b/website/docs/r/keycloak_ldap_group_mapper.html.markdown a/website/docs/r/keycloak_ldap_group_mapper.html.markdown -new file mode 100644 -index 0000000..0f21461 ---- /dev/null -+++ a/website/docs/r/keycloak_ldap_group_mapper.html.markdown -@@ -0,0 +1,82 @@ -+# keycloak_ldap_group_mapper -+ -+Allows for creating and managing group mappers for Keycloak users federated -+via LDAP. -+ -+The LDAP group mapper can be used to map an LDAP user's groups from some DN -+to Keycloak groups. This group mapper will also create the groups within Keycloak -+if they do not already exist. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "test" -+ enabled = true -+} -+ -+resource "keycloak_ldap_user_federation" "ldap_user_federation" { -+ name = "openldap" -+ realm_id = "${keycloak_realm.realm.id}" -+ -+ username_ldap_attribute = "cn" -+ rdn_ldap_attribute = "cn" -+ uuid_ldap_attribute = "entryDN" -+ user_object_classes = [ -+ "simpleSecurityObject", -+ "organizationalRole" -+ ] -+ connection_url = "ldap://openldap" -+ users_dn = "dc=example,dc=org" -+ bind_dn = "cn=admin,dc=example,dc=org" -+ bind_credential = "admin" -+} -+ -+resource "keycloak_ldap_group_mapper" "ldap_group_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ ldap_user_federation_id = "${keycloak_ldap_user_federation.ldap_user_federation.id}" -+ name = "group-mapper" -+ -+ ldap_groups_dn = "dc=example,dc=org" -+ group_name_ldap_attribute = "cn" -+ group_object_classes = [ -+ "groupOfNames" -+ ] -+ membership_attribute_type = "DN" -+ membership_ldap_attribute = "member" -+ membership_user_ldap_attribute = "cn" -+ memberof_ldap_attribute = "memberOf" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -+- `name` - (Required) Display name of this mapper when displayed in the console. -+- `ldap_groups_dn` - (Required) The LDAP DN where groups can be found. -+- `group_name_ldap_attribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. -+- `group_object_classes` - (Required) Array of strings representing the object classes for the group. Must contain at least one. -+- `preserve_group_inheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. 
When `false`, all LDAP groups will be propagated as top level groups within Keycloak. -+- `ignore_missing_groups` - (Optional) When `true`, missing groups in the hierarchy will be ignored. -+- `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings. -+- `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`. -+- `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings. -+- `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. -+- `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. Defaults to `READ_ONLY`. -+- `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. -+- `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. -+- `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. -+- `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. -+ -+### Import -+ -+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. 
-+The ID of the LDAP user federation provider and the mapper can be found within -+the Keycloak GUI, and they are typically GUIDs: -+ -+```bash -+$ terraform import keycloak_ldap_group_mapper.ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -+``` -diff --git b/website/docs/r/keycloak_ldap_hardcoded_role_mapper.html.markdown a/website/docs/r/keycloak_ldap_hardcoded_role_mapper.html.markdown -new file mode 100644 -index 0000000..2ec6556 ---- /dev/null -+++ a/website/docs/r/keycloak_ldap_hardcoded_role_mapper.html.markdown -@@ -0,0 +1,55 @@ -+# keycloak_ldap_hardcoded_role_mapper -+ -+This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "test" -+ enabled = true -+} -+ -+resource "keycloak_ldap_user_federation" "ldap_user_federation" { -+ name = "openldap" -+ realm_id = keycloak_realm.realm.id -+ -+ username_ldap_attribute = "cn" -+ rdn_ldap_attribute = "cn" -+ uuid_ldap_attribute = "entryDN" -+ user_object_classes = [ -+ "simpleSecurityObject", -+ "organizationalRole" -+ ] -+ connection_url = "ldap://openldap" -+ users_dn = "dc=example,dc=org" -+ bind_dn = "cn=admin,dc=example,dc=org" -+ bind_credential = "admin" -+} -+ -+resource "keycloak_ldap_hardcoded_role_mapper" "assign_admin_role_to_all_users" { -+ realm_id = keycloak_realm.realm.id -+ ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id -+ name = "assign-admin-role-to-all-users" -+ role = "admin" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -+- `name` - (Required) Display name of this mapper when displayed in the console. 
-+- `role` - (Required) The role which should be assigned to the users. -+ -+### Import -+ -+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. -+The ID of the LDAP user federation provider and the mapper can be found within -+the Keycloak GUI, and they are typically GUIDs: -+ -+```bash -+$ terraform import keycloak_ldap_hardcoded_role_mapper.ldap_hardcoded_role_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -+``` -diff --git b/website/docs/r/keycloak_ldap_msad_user_account_control_mapper.html.markdown a/website/docs/r/keycloak_ldap_msad_user_account_control_mapper.html.markdown -new file mode 100644 -index 0000000..d4dc9f7 ---- /dev/null -+++ a/website/docs/r/keycloak_ldap_msad_user_account_control_mapper.html.markdown -@@ -0,0 +1,61 @@ -+# keycloak_ldap_msad_user_account_control_mapper -+ -+Allows for creating and managing MSAD user account control mappers for Keycloak -+users federated via LDAP. -+ -+The MSAD (Microsoft Active Directory) user account control mapper is specific -+to LDAP user federation providers that are pulling from AD, and it can propagate -+AD user state to Keycloak in order to enforce settings like expired passwords -+or disabled accounts. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "test" -+ enabled = true -+} -+ -+resource "keycloak_ldap_user_federation" "ldap_user_federation" { -+ name = "ad" -+ realm_id = "${keycloak_realm.realm.id}" -+ -+ username_ldap_attribute = "cn" -+ rdn_ldap_attribute = "cn" -+ uuid_ldap_attribute = "objectGUID" -+ user_object_classes = [ -+ "person", -+ "organizationalPerson", -+ "user" -+ ] -+ connection_url = "ldap://my-ad-server" -+ users_dn = "dc=example,dc=org" -+ bind_dn = "cn=admin,dc=example,dc=org" -+ bind_credential = "admin" -+} -+ -+resource "keycloak_ldap_msad_user_account_control_mapper" "msad_user_account_control_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ ldap_user_federation_id = "${keycloak_ldap_user_federation.ldap_user_federation.id}" -+ name = "msad-user-account-control-mapper" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -+- `name` - (Required) Display name of this mapper when displayed in the console. -+- `ldap_password_policy_hints_enabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. -+ -+### Import -+ -+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. 
-+The ID of the LDAP user federation provider and the mapper can be found within -+the Keycloak GUI, and they are typically GUIDs: -+ -+```bash -+$ terraform import keycloak_ldap_msad_user_account_control_mapper.msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -+``` -diff --git b/website/docs/r/keycloak_ldap_user_attribute_mapper.html.markdown a/website/docs/r/keycloak_ldap_user_attribute_mapper.html.markdown -new file mode 100644 -index 0000000..89e0c18 ---- /dev/null -+++ a/website/docs/r/keycloak_ldap_user_attribute_mapper.html.markdown -@@ -0,0 +1,65 @@ -+# keycloak_ldap_user_attribute_mapper -+ -+Allows for creating and managing user attribute mappers for Keycloak users -+federated via LDAP. -+ -+The LDAP user attribute mapper can be used to map a single LDAP attribute -+to an attribute on the Keycloak user model. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "test" -+ enabled = true -+} -+ -+resource "keycloak_ldap_user_federation" "ldap_user_federation" { -+ name = "openldap" -+ realm_id = "${keycloak_realm.realm.id}" -+ -+ username_ldap_attribute = "cn" -+ rdn_ldap_attribute = "cn" -+ uuid_ldap_attribute = "entryDN" -+ user_object_classes = [ -+ "simpleSecurityObject", -+ "organizationalRole" -+ ] -+ connection_url = "ldap://openldap" -+ users_dn = "dc=example,dc=org" -+ bind_dn = "cn=admin,dc=example,dc=org" -+ bind_credential = "admin" -+} -+ -+resource "keycloak_ldap_user_attribute_mapper" "ldap_user_attribute_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ ldap_user_federation_id = "${keycloak_ldap_user_federation.ldap_user_federation.id}" -+ name = "user-attribute-mapper" -+ -+ user_model_attribute = "foo" -+ ldap_attribute = "bar" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm that this LDAP mapper will exist in. 
-+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -+- `name` - (Required) Display name of this mapper when displayed in the console. -+- `user_model_attribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into. -+- `ldap_attribute` - (Required) Name of the mapped attribute on the LDAP object. -+- `read_only` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. -+- `always_read_value_from_ldap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. -+- `is_mandatory_in_ldap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`. -+ -+### Import -+ -+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. -+The ID of the LDAP user federation provider and the mapper can be found within -+the Keycloak GUI, and they are typically GUIDs: -+ -+```bash -+$ terraform import keycloak_ldap_user_attribute_mapper.ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -+``` -diff --git b/website/docs/r/keycloak_ldap_user_federation.html.markdown a/website/docs/r/keycloak_ldap_user_federation.html.markdown -new file mode 100644 -index 0000000..d399887 ---- /dev/null -+++ a/website/docs/r/keycloak_ldap_user_federation.html.markdown -@@ -0,0 +1,85 @@ -+# keycloak_ldap_user_federation -+ -+Allows for creating and managing LDAP user federation providers within Keycloak. -+ -+Keycloak can use an LDAP user federation provider to federate users to Keycloak -+from a directory system such as LDAP or Active Directory. Federated users -+will exist within the realm and will be able to log in to clients. Federated -+users can have their attributes defined using mappers. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "test" -+ enabled = true -+} -+ -+resource "keycloak_ldap_user_federation" "ldap_user_federation" { -+ name = "openldap" -+ realm_id = "${keycloak_realm.realm.id}" -+ -+ enabled = true -+ -+ username_ldap_attribute = "cn" -+ rdn_ldap_attribute = "cn" -+ uuid_ldap_attribute = "entryDN" -+ user_object_classes = [ -+ "simpleSecurityObject", -+ "organizationalRole" -+ ] -+ connection_url = "ldap://openldap" -+ users_dn = "dc=example,dc=org" -+ bind_dn = "cn=admin,dc=example,dc=org" -+ bind_credential = "admin" -+ -+ connection_timeout = "5s" -+ read_timeout = "10s" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm that this provider will provide user federation for. -+- `name` - (Required) Display name of the provider when displayed in the console. -+- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. -+- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. -+- `import_enabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. -+- `edit_mode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. -+- `sync_registrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`. -+- `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OPTIONAL`. -+- `username_ldap_attribute` - (Required) Name of the LDAP attribute to use as the Keycloak username. 
-+- `rdn_ldap_attribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name. -+- `uuid_ldap_attribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. -+- `user_object_classes` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. -+- `connection_url` - (Required) Connection URL to the LDAP server. -+- `users_dn` - (Required) Full DN of LDAP tree where your users are. -+- `bind_dn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. -+- `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set. -+- `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. -+- `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`: -+ - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. -+ - `SUBTREE`: Search entire LDAP subtree. -+- `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it. -+- `use_truststore_spi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: -+ - `ALWAYS` - Always use the truststore SPI for LDAP connections. -+ - `NEVER` - Never use the truststore SPI for LDAP connections. -+ - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. -+- `connection_timeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). -+- `read_timeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). -+- `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. 
-+- `batch_size_for_sync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`. -+- `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. -+- `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. -+- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. -+ -+### Import -+ -+LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. -+The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: -+ -+```bash -+$ terraform import keycloak_ldap_user_federation.ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 -+``` -diff --git b/website/docs/r/keycloak_openid_audience_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_audience_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..4d7b6b3 ---- /dev/null -+++ a/website/docs/r/keycloak_openid_audience_protocol_mapper.html.markdown -@@ -0,0 +1,86 @@ -+# keycloak_openid_audience_protocol_mapper -+ -+Allows for creating and managing audience protocol mappers within -+Keycloak. This mapper was added in Keycloak v4.6.0.Final. -+ -+Audience protocol mappers allow you add audiences to the `aud` claim -+within issued tokens. The audience can be a custom string, or it can be -+mapped to the ID of a pre-existing client. 
-+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "openid_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ name = "test client" -+ enabled = true -+ -+ access_type = "CONFIDENTIAL" -+ valid_redirect_uris = [ -+ "http://localhost:8080/openid-callback" -+ ] -+} -+ -+resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.openid_client.id}" -+ name = "audience-mapper" -+ -+ included_custom_audience = "foo" -+} -+``` -+ -+### Example Usage (Client Scope) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" -+ name = "audience-mapper" -+ -+ included_custom_audience = "foo" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `included_client_audience` - (Required if `included_custom_audience` is not specified) A client ID to include within the token's `aud` claim. -+- `included_custom_audience` - (Required if `included_client_audience` is not specified) A custom audience to include within the token's `aud` claim. 
-+- `add_to_id_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. -+- `add_to_access_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. -+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_openid_client.html.markdown a/website/docs/r/keycloak_openid_client.html.markdown -new file mode 100644 -index 0000000..ae8c9fb ---- /dev/null -+++ a/website/docs/r/keycloak_openid_client.html.markdown -@@ -0,0 +1,77 @@ -+# keycloak_openid_client -+ -+Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. -+ -+Clients are entities that can use Keycloak for user authentication. Typically, -+clients are applications that redirect users to Keycloak for authentication -+in order to take advantage of Keycloak's user sessions for SSO. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "openid_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ name = "test client" -+ enabled = true -+ -+ access_type = "CONFIDENTIAL" -+ valid_redirect_uris = [ -+ "http://localhost:8080/openid-callback" -+ ] -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this client is attached to. -+- `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. -+- `name` - (Optional) The display name of this client in the GUI. -+- `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. -+- `description` - (Optional) The description of this client in the GUI. -+- `access_type` - (Required) Specifies the type of client, which can be one of the following: -+ - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. -+ This client should be used for applications using the Authorization Code or Client Credentials grant flows. -+ - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect -+ URIs for security. This client should be used for applications using the Implicit grant flow. -+ - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. -+- `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and -+should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute. -+- `standard_flow_enabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. 
Defaults to `false`. -+- `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. -+- `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. -+- `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. -+- `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple -+wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` -+is set to `true`. -+- `web_origins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins. -+- `admin_url` - (Optional) URL to the admin interface of the client. -+- `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client. -+- `pkce_code_challenge_method` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. -+- `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token. -+ -+### Attributes Reference -+ -+In addition to the arguments listed above, the following computed attributes are exported: -+ -+- `service_account_user_id` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. -+ -+ -+### Import -+ -+Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak -+assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. 
-+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_client.openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 -+``` -diff --git b/website/docs/r/keycloak_openid_client_default_scopes.html.markdown a/website/docs/r/keycloak_openid_client_default_scopes.html.markdown -new file mode 100644 -index 0000000..56c05ea ---- /dev/null -+++ a/website/docs/r/keycloak_openid_client_default_scopes.html.markdown -@@ -0,0 +1,65 @@ -+# keycloak_openid_client_default_scopes -+ -+Allows for managing a Keycloak client's default client scopes. A default -+scope that is attached to a client using the OpenID Connect protocol will -+automatically use the protocol mappers defined within that scope to build -+claims for this client regardless of the provided OAuth2.0 `scope` parameter. -+ -+Note that this resource attempts to be an **authoritative** source over -+default scopes for a Keycloak client using the OpenID Connect protocol. -+This means that once Terraform controls a particular client's default scopes, -+it will attempt to remove any default scopes that were attached manually, -+and it will attempt to add any default scopes that were detached manually. -+ -+By default, Keycloak sets the `profile`, `email`, `roles`, and `web-origins` -+scopes as default scopes for every newly created client. If you create this -+resource for the first time and do not include these scopes, a following run -+of `terraform plan` will result in changes. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ access_type = "CONFIDENTIAL" -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_client_default_scopes" "client_default_scopes" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.client.id}" -+ -+ default_scopes = [ -+ "profile", -+ "email", -+ "roles", -+ "web-origins", -+ "${keycloak_openid_client_scope.client_scope.name}" -+ ] -+} -+ -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this client and scopes exists in. -+- `client_id` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. -+- `default_scopes` - (Required) An array of client scope names to attach to this client. -+ -+### Import -+ -+This resource does not support import. Instead of importing, feel free to create this resource -+as if it did not already exist on the server. -diff --git b/website/docs/r/keycloak_openid_client_optional_scopes.html.markdown a/website/docs/r/keycloak_openid_client_optional_scopes.html.markdown -new file mode 100644 -index 0000000..960a3a8 ---- /dev/null -+++ a/website/docs/r/keycloak_openid_client_optional_scopes.html.markdown -@@ -0,0 +1,65 @@ -+# keycloak_openid_client_optional_scopes -+ -+Allows for managing a Keycloak client's optional client scopes. An optional -+scope that is attached to a client using the OpenID Connect protocol will -+allow a client to request it using the OAuth 2.0 `scope` parameter. When -+requested, the scope's protocol mappers defined within that scope will be -+used to build claims for this client. 
-+ -+Note that this resource attempts to be an **authoritative** source over -+optional scopes for a Keycloak client using the OpenID Connect protocol. -+This means that once Terraform controls a particular client's optional scopes, -+it will attempt to remove any optional scopes that were attached manually, -+and it will attempt to add any optional scopes that were detached manually. -+ -+By default, Keycloak sets the `address`, `phone` and `offline_access` scopes as -+optional scopes for every newly created client. If you create this resource for -+the first time and do not include these scopes, a following run of `terraform plan` -+will result in changes. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ access_type = "CONFIDENTIAL" -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_client_optional_scopes" "client_optional_scopes" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.client.id}" -+ -+ optional_scopes = [ -+ "address", -+ "phone", -+ "offline_access", -+ "${keycloak_openid_client_scope.client_scope.name}" -+ ] -+} -+ -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this client and scopes exists in. -+- `client_id` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. -+- `optional_scopes` - (Required) An array of client scope names to attach to this client as optional scopes. -+ -+### Import -+ -+This resource does not support import. Instead of importing, feel free to create this resource -+as if it did not already exist on the server. 
-diff --git b/website/docs/r/keycloak_openid_client_scope.html.markdown a/website/docs/r/keycloak_openid_client_scope.html.markdown -new file mode 100644 -index 0000000..81e6026 ---- /dev/null -+++ a/website/docs/r/keycloak_openid_client_scope.html.markdown -@@ -0,0 +1,45 @@ -+# keycloak_openid_client_scope -+ -+Allows for creating and managing Keycloak client scopes that can be attached to -+clients that use the OpenID Connect protocol. -+ -+Client Scopes can be used to share common protocol and role mappings between multiple -+clients within a realm. They can also be used by clients to conditionally request -+claims or roles for a user based on the OAuth 2.0 `scope` parameter. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client_scope" "openid_client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "groups" -+ description = "When requested, this scope will map a user's group memberships to a claim" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this client scope belongs to. -+- `name` - (Required) The display name of this client scope in the GUI. -+- `description` - (Optional) The description of this client scope in the GUI. -+- `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users -+authenticating to clients with this scope attached. The consent screen will display the string -+value of this attribute. -+ -+### Import -+ -+Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak -+assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. 
-+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_client_scope.openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52 -+``` -diff --git b/website/docs/r/keycloak_openid_full_name_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_full_name_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..8b904e0 ---- /dev/null -+++ a/website/docs/r/keycloak_openid_full_name_protocol_mapper.html.markdown -@@ -0,0 +1,82 @@ -+# keycloak_openid_full_name_protocol_mapper -+ -+Allows for creating and managing full name protocol mappers within -+Keycloak. -+ -+Full name protocol mappers allow you to map a user's first and last name -+to the OpenID Connect `name` claim in a token. Protocol mappers can be defined -+for a single client, or they can be defined for a client scope which can -+be shared between multiple different clients. -+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "openid_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ name = "test client" -+ enabled = true -+ -+ access_type = "CONFIDENTIAL" -+ valid_redirect_uris = [ -+ "http://localhost:8080/openid-callback" -+ ] -+} -+ -+resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.openid_client.id}" -+ name = "full-name-mapper" -+} -+``` -+ -+### Example Usage (Client Scope) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" -+ name = 
"full-name-mapper" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `add_to_id_token` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. -+- `add_to_access_token` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. -+- `add_to_userinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. -+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_openid_group_membership_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_group_membership_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..070b510 ---- /dev/null -+++ a/website/docs/r/keycloak_openid_group_membership_protocol_mapper.html.markdown -@@ -0,0 +1,88 @@ -+# keycloak_openid_group_membership_protocol_mapper -+ -+Allows for creating and managing group 
membership protocol mappers within -+Keycloak. -+ -+Group membership protocol mappers allow you to map a user's group memberships -+to a claim in a token. Protocol mappers can be defined for a single client, -+or they can be defined for a client scope which can be shared between multiple -+different clients. -+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "openid_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ name = "test client" -+ enabled = true -+ -+ access_type = "CONFIDENTIAL" -+ valid_redirect_uris = [ -+ "http://localhost:8080/openid-callback" -+ ] -+} -+ -+resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.openid_client.id}" -+ name = "group-membership-mapper" -+ -+ claim_name = "groups" -+} -+``` -+ -+### Example Usage (Client Scope) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" -+ name = "group-membership-mapper" -+ -+ claim_name = "groups" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. 
-+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `claim_name` - (Required) The name of the claim to insert into a token. -+- `full_path` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`. -+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. -+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_openid_hardcoded_claim_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_hardcoded_claim_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..d2b8bc4 ---- /dev/null -+++ a/website/docs/r/keycloak_openid_hardcoded_claim_protocol_mapper.html.markdown -@@ -0,0 +1,91 @@ -+# keycloak_openid_hardcoded_claim_protocol_mapper -+ -+Allows for creating and managing hardcoded claim protocol mappers within -+Keycloak. -+ -+Hardcoded claim protocol mappers allow you to define a claim with a hardcoded -+value. 
Protocol mappers can be defined for a single client, or they can -+be defined for a client scope which can be shared between multiple different -+clients. -+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "openid_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ name = "test client" -+ enabled = true -+ -+ access_type = "CONFIDENTIAL" -+ valid_redirect_uris = [ -+ "http://localhost:8080/openid-callback" -+ ] -+} -+ -+resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.openid_client.id}" -+ name = "hardcoded-claim-mapper" -+ -+ claim_name = "foo" -+ claim_value = "bar" -+} -+``` -+ -+### Example Usage (Client Scope) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" -+ name = "hardcoded-claim-mapper" -+ -+ claim_name = "foo" -+ claim_value = "bar" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `claim_name` - (Required) The name of the claim to insert into a token. 
-+- `claim_value` - (Required) The hardcoded value of the claim. -+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. -+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. -+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_openid_hardcoded_role_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_hardcoded_role_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..c13a07c ---- /dev/null -+++ a/website/docs/r/keycloak_openid_hardcoded_role_protocol_mapper.html.markdown -@@ -0,0 +1,93 @@ -+# keycloak_openid_hardcoded_role_protocol_mapper -+ -+Allows for creating and managing hardcoded role protocol mappers within -+Keycloak. -+ -+Hardcoded role protocol mappers allow you to specify a single role to -+always map to an access token for a client. 
Protocol mappers can be -+defined for a single client, or they can be defined for a client scope -+which can be shared between multiple different clients. -+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_role" "role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "my-role" -+} -+ -+resource "keycloak_openid_client" "openid_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ name = "test client" -+ enabled = true -+ -+ access_type = "CONFIDENTIAL" -+ valid_redirect_uris = [ -+ "http://localhost:8080/openid-callback" -+ ] -+} -+ -+resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.openid_client.id}" -+ name = "hardcoded-role-mapper" -+ role_id = "${keycloak_role.role.id}" -+} -+``` -+ -+### Example Usage (Client Scope) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_role" "role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "my-role" -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" -+ name = "hardcoded-role-mapper" -+ role_id = "${keycloak_role.role.id}" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. 
-+- `name` - (Required) The display name of this protocol mapper in the -+ GUI. -+- `role_id` - (Required) The ID of the role to map to an access token. -+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_openid_user_attribute_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_user_attribute_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..bc302b6 ---- /dev/null -+++ a/website/docs/r/keycloak_openid_user_attribute_protocol_mapper.html.markdown -@@ -0,0 +1,92 @@ -+# keycloak_openid_user_attribute_protocol_mapper -+ -+Allows for creating and managing user attribute protocol mappers within -+Keycloak. -+ -+User attribute protocol mappers allow you to map custom attributes defined -+for a user within Keycloak to a claim in a token. Protocol mappers can be -+defined for a single client, or they can be defined for a client scope which -+can be shared between multiple different clients. 
-+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "openid_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ name = "test client" -+ enabled = true -+ -+ access_type = "CONFIDENTIAL" -+ valid_redirect_uris = [ -+ "http://localhost:8080/openid-callback" -+ ] -+} -+ -+resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.openid_client.id}" -+ name = "test-mapper" -+ -+ user_attribute = "foo" -+ claim_name = "bar" -+} -+``` -+ -+### Example Usage (Client Scope) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" -+ name = "test-mapper" -+ -+ user_attribute = "foo" -+ claim_name = "bar" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `user_attribute` - (Required) The custom user attribute to map a claim for. -+- `claim_name` - (Required) The name of the claim to insert into a token. -+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. 
Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. -+- `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. -+- `add_to_id_token` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. -+- `add_to_access_token` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. -+- `add_to_userinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. -+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_openid_user_property_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_user_property_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..c010fb6 ---- /dev/null -+++ a/website/docs/r/keycloak_openid_user_property_protocol_mapper.html.markdown -@@ -0,0 +1,91 @@ -+# keycloak_openid_user_property_protocol_mapper -+ -+Allows for creating and managing user property protocol mappers within -+Keycloak. -+ -+User property protocol mappers allow you to map built in properties defined -+on the Keycloak user interface to a claim in a token. 
Protocol mappers can be -+defined for a single client, or they can be defined for a client scope which -+can be shared between multiple different clients. -+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "openid_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ name = "test client" -+ enabled = true -+ -+ access_type = "CONFIDENTIAL" -+ valid_redirect_uris = [ -+ "http://localhost:8080/openid-callback" -+ ] -+} -+ -+resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.openid_client.id}" -+ name = "test-mapper" -+ -+ user_property = "email" -+ claim_name = "email" -+} -+``` -+ -+### Example Usage (Client Scope) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" -+ name = "test-mapper" -+ -+ user_property = "email" -+ claim_name = "email" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `user_property` - (Required) The built in user property (such as email) to map a claim for. 
-+- `claim_name` - (Required) The name of the claim to insert into a token. -+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. -+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. -+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_openid_user_realm_role_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_user_realm_role_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..e1df531 ---- /dev/null -+++ a/website/docs/r/keycloak_openid_user_realm_role_protocol_mapper.html.markdown -@@ -0,0 +1,90 @@ -+# keycloak_openid_user_realm_role_protocol_mapper -+ -+Allows for creating and managing user realm role protocol mappers within -+Keycloak. -+ -+User realm role protocol mappers allow you to define a claim containing the list of the realm roles. 
-+Protocol mappers can be defined for a single client, or they can -+be defined for a client scope which can be shared between multiple different -+clients. -+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "openid_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-client" -+ -+ name = "test client" -+ enabled = true -+ -+ access_type = "CONFIDENTIAL" -+ valid_redirect_uris = [ -+ "http://localhost:8080/openid-callback" -+ ] -+} -+ -+resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_openid_client.openid_client.id}" -+ name = "user-realm-role-mapper" -+ -+ claim_name = "foo" -+} -+``` -+ -+### Example Usage (Client Scope) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client_scope" "client_scope" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "test-client-scope" -+} -+ -+resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" -+ name = "user-realm-role-mapper" -+ -+ claim_name = "foo" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `claim_name` - (Required) The name of the claim to insert into a token. 
-+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. -+- `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `true`. -+- `realm_role_prefix` - (Optional) A prefix for each Realm Role. -+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. -+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_realm.html.markdown a/website/docs/r/keycloak_realm.html.markdown -new file mode 100644 -index 0000000..23e4d35 ---- /dev/null -+++ a/website/docs/r/keycloak_realm.html.markdown -@@ -0,0 +1,161 @@ -+# keycloak_realm -+ -+Allows for creating and managing Realms within Keycloak. -+ -+A realm manages a logical collection of users, credentials, roles, and groups. -+Users log in to realms and can be federated from multiple sources. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "test" -+ enabled = true -+ display_name = "test realm" -+ display_name_html = "test realm" -+ -+ login_theme = "base" -+ -+ access_code_lifespan = "1h" -+ ssl_required = "external" -+ password_policy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername" -+ attributes = { -+ mycustomAttribute = "myCustomValue" -+ } -+ -+ smtp_server { -+ host = "smtp.example.com" -+ from = "example@example.com" -+ -+ auth { -+ username = "tom" -+ password = "password" -+ } -+ } -+ -+ internationalization { -+ supported_locales = [ -+ "en", -+ "de", -+ "es" -+ ] -+ default_locale = "en" -+ } -+ -+ security_defenses { -+ headers { -+ x_frame_options = "DENY" -+ content_security_policy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';" -+ content_security_policy_report_only = "" -+ x_content_type_options = "nosniff" -+ x_robots_tag = "none" -+ x_xss_protection = "1; mode=block" -+ strict_transport_security = "max-age=31536000; includeSubDomains" -+ } -+ brute_force_detection { -+ permanent_lockout = false -+ max_login_failures = 30 -+ wait_increment_seconds = 60 -+ quick_login_check_milli_seconds = 1000 -+ minimum_quick_login_wait_seconds = 60 -+ max_failure_wait_seconds = 900 -+ failure_reset_time_seconds = 43200 -+ } -+ } -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm` - (Required) The name of the realm. This is unique across Keycloak. -+- `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. -+- `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. -+- `display_name_html` - (Optional) The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. 
-+ -+##### Login Settings -+ -+The following attributes are all booleans, and can be found in the "Login" tab within the realm settings. -+If any of these attributes are not specified, they will default to Keycloak's default settings. -+ -+- `registration_allowed` - (Optional) When true, user registration will be enabled, and a link for registration will be displayed on the login page. -+- `registration_email_as_username` - (Optional) When true, the user's email will be used as their username during registration. -+- `edit_username_allowed` - (Optional) When true, the username field is editable. -+- `reset_password_allowed` - (Optional) When true, a "forgot password" link will be displayed on the login page. -+- `remember_me` - (Optional) When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts. -+- `verify_email` - (Optional) When true, users are required to verify their email address after registration and after email address changes. -+- `login_with_email_allowed` - (Optional) When true, users may log in with their email address. -+- `duplicate_emails_allowed` - (Optional) When true, multiple users will be allowed to have the same email address. This attribute must be set to `false` if `login_with_email_allowed` is set to `true`. -+- `ssl_required` - (Optional) Can be one of following values: 'none, 'external' or 'all' -+ -+##### Themes -+ -+The following attributes can be used to configure themes for the realm. Custom themes can be specified here. -+If any of these attributes are not specified, they will default to Keycloak's default settings. Typically the `keycloak` theme is used by default. -+ -+- `login_theme` - (Optional) Used for the login, forgot password, and registration pages. -+- `account_theme` - (Optional) Used for account management pages. -+- `admin_theme` - (Optional) Used for the admin console. 
-+- `email_theme` - (Optional) Used for emails that are sent by Keycloak. -+ -+##### Tokens -+ -+The following attributes can be found in the "Tokens" tab within the realm settings. -+ -+- `revoke_refresh_token` - (Optional) If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused. -+- `refresh_token_max_reuse` - (Optional) Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused. -+ -+The attributes below should be specified as [Go duration strings](https://golang.org/pkg/time/#Duration.String). They will default to Keycloak's default settings. -+ -+- `sso_session_idle_timeout` - (Optional) The amount of time a session can be idle before it expires. -+- `sso_session_max_lifespan` - (Optional) The maximum amount of time before a session expires regardless of activity. -+- `offline_session_idle_timeout` - (Optional) The amount of time an offline session can be idle before it expires. -+- `offline_session_max_lifespan` - (Optional) The maximum amount of time before an offline session expires regardless of activity. -+- `access_token_lifespan` - (Optional) The amount of time an access token can be used before it expires. -+- `access_token_lifespan_for_implicit_flow` - (Optional) The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires. -+- `access_code_lifespan` - (Optional) The maximum amount of time a client has to finish the authorization code flow. -+- `access_code_lifespan_login` - (Optional) The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted. -+- `access_code_lifespan_user_action` - (Optional) The maximum amount of time a user has to complete login related actions, such as updating a password. 
-+- `action_token_generated_by_user_lifespan` - (Optional) The maximum time a user has to use a user-generated permit before it expires. -+- `action_token_generated_by_admin_lifespan` - (Optional) The maximum time a user has to use an admin-generated permit before it expires. -+ -+##### SMTP -+ -+The `smtp_server` block can be used to configure the realm's SMTP settings, which can be found in the "Email" tab in the GUI. -+This block supports the following attributes: -+ -+- `host` - (Required) The host of the SMTP server. -+- `port` - (Optional) The port of the SMTP server (defaults to 25). -+- `from` - (Required) The email address for the sender. -+- `from_display_name` - (Optional) The display name of the sender email address. -+- `reply_to` - (Optional) The "reply to" email address. -+- `reply_to_display_name` - (Optional) The display name of the "reply to" email address. -+- `envelope_from` - (Optional) The email address uses for bounces. -+- `starttls` - (Optional) When `true`, enables StartTLS. Defaults to `false`. -+- `ssl` - (Optional) When `true`, enables SSL. Defaults to `false`. -+- `auth` - (Optional) Enables authentication to the SMTP server. This block supports the following attributes: -+ - `username`- (Required) The SMTP server username. -+ - `password` - (Required) The SMTP server password. -+ -+##### Internationalization -+ -+Internationalization support can be configured by using the `internationalization` block, which supports the following attributes: -+ -+- `supported_locales` - (Required) A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. -+- `default_locale` - (Required) The locale to use by default. This locale code must be present within the `supported_locales` list. -+ -+##### Security Defenses Headers -+ -+Header configuration support for browser security settings and brute force detection -+ -+#### Atributes -+Map, can be used to add custom attributes to a realm. 
Or perhaps influence a certain attribute that is not supported in this terraform-provider -+ -+### Import -+ -+Realms can be imported using their name: -+ -+```bash -+$ terraform import keycloak_realm.realm test -+``` -diff --git b/website/docs/r/keycloak_realm_events.html.markdown a/website/docs/r/keycloak_realm_events.html.markdown -new file mode 100644 -index 0000000..025f34c ---- /dev/null -+++ a/website/docs/r/keycloak_realm_events.html.markdown -@@ -0,0 +1,43 @@ -+# keycloak_realm_events -+ -+Allows for managing Realm Events settings within Keycloak. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "test" -+} -+ -+resource "keycloak_realm_events" "realm_events" { -+ realm_id = "${keycloak_realm.realm.id}" -+ -+ events_enabled = true -+ events_expiration = 3600 -+ -+ admin_events_enabled = true -+ admin_events_details_enabled = true -+ -+ # When omitted or left empty, keycloak will enable all event types -+ enabled_event_types = [ -+ "LOGIN", -+ "LOGOUT", -+ ] -+ -+ events_listeners = [ -+ "jboss-logging", # keycloak enables the 'jboss-logging' event listener by default. -+ ] -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The name of the realm the event settings apply to. -+- `admin_events_enabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`. -+- `admin_events_details_enabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`. -+- `events_enabled` - (Optional) When true, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. -+- `events_expiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never. 
-+- `enabled_event_types` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. -+- `events_listeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. -diff --git b/website/docs/r/keycloak_role.html.markdown a/website/docs/r/keycloak_role.html.markdown -new file mode 100644 -index 0000000..a9f7eaa ---- /dev/null -+++ a/website/docs/r/keycloak_role.html.markdown -@@ -0,0 +1,136 @@ -+# keycloak_role -+ -+Allows for creating and managing roles within Keycloak. -+ -+Roles allow you define privileges within Keycloak and map them to users -+and groups. -+ -+### Example Usage (Realm role) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_role" "realm_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "my-realm-role" -+ description = "My Realm Role" -+} -+``` -+ -+### Example Usage (Client role) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_openid_client" "client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "client" -+ name = "client" -+ -+ enabled = true -+ -+ access_type = "BEARER-ONLY" -+} -+ -+resource "keycloak_role" "client_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_client.client.id}" -+ name = "my-client-role" -+ description = "My Client Role" -+} -+``` -+ -+### Example Usage (Composite role) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+# realm roles -+ -+resource "keycloak_role" "create_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "create" -+} -+ -+resource "keycloak_role" "read_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = 
"read" -+} -+ -+resource "keycloak_role" "update_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "update" -+} -+ -+resource "keycloak_role" "delete_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "delete" -+} -+ -+# client role -+ -+resource "keycloak_openid_client" "client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "client" -+ name = "client" -+ -+ enabled = true -+ -+ access_type = "BEARER-ONLY" -+} -+ -+resource "keycloak_role" "client_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "${keycloak_client.client.id}" -+ name = "my-client-role" -+ description = "My Client Role" -+} -+ -+resource "keycloak_role" "admin_role" { -+ realm_id = "${keycloak_realm.realm.id}" -+ name = "admin" -+ composite_roles = [ -+ "{keycloak_role.create_role.id}", -+ "{keycloak_role.read_role.id}", -+ "{keycloak_role.update_role.id}", -+ "{keycloak_role.delete_role.id}", -+ "{keycloak_role.client_role.id}", -+ ] -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this role exists within. -+- `client_id` - (Optional) When specified, this role will be created as -+ a client role attached to the client with the provided ID -+- `name` - (Required) The name of the role -+- `description` - (Optional) The description of the role -+- `composite_roles` - (Optional) When specified, this role will be a -+ composite role, composed of all roles that have an ID present within -+ this list. -+ -+ -+### Import -+ -+Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where -+`role_id` is the unique ID that Keycloak assigns to the role. The ID is -+not easy to find in the GUI, but it appears in the URL when editing the -+role. 
-+ -+Example: -+ -+```bash -+$ terraform import keycloak_role.role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad -+``` -diff --git b/website/docs/r/keycloak_saml_client.html.markdown a/website/docs/r/keycloak_saml_client.html.markdown -new file mode 100644 -index 0000000..3eec0de ---- /dev/null -+++ a/website/docs/r/keycloak_saml_client.html.markdown -@@ -0,0 +1,70 @@ -+# keycloak_saml_client -+ -+Allows for creating and managing Keycloak clients that use the SAML protocol. -+ -+Clients are entities that can use Keycloak for user authentication. Typically, -+clients are applications that redirect users to Keycloak for authentication -+in order to take advantage of Keycloak's user sessions for SSO. -+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_saml_client" "saml_client" { -+ realm_id = "${keycloak_realm.realm.id}" -+ client_id = "test-saml-client" -+ name = "test-saml-client" -+ -+ sign_documents = false -+ sign_assertions = true -+ include_authn_statement = true -+ -+ signing_certificate = "${file("saml-cert.pem")}" -+ signing_private_key = "${file("saml-key.pem")}" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this client is attached to. -+- `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. -+- `name` - (Optional) The display name of this client in the GUI. -+- `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. -+- `description` - (Optional) The description of this client in the GUI. -+- `include_authn_statement` - (Optional) When `true`, an `AuthnStatement` will be included in the SAML response. -+- `sign_documents` - (Optional) When `true`, the SAML document will be signed by Keycloak using the realm's private key. 
-+- `sign_assertions` - (Optional) When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. -+- `client_signature_required` - (Optional) When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. -+- `force_post_binding` - (Optional) When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. -+- `front_channel_logout` - (Optional) When `true`, this client will require a browser redirect in order to perform a logout. -+- `name_id_format` - (Optional) Sets the Name ID format for the subject. -+- `root_url` - (Optional) When specified, this value is prepended to all relative URLs. -+- `valid_redirect_uris` - (Optional) When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. -+- `base_url` - (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client. -+- `master_saml_processing_url` - (Optional) When specified, this URL will be used for all SAML requests. -+- `signing_certificate` - (Optional) If documents or assertions from the client are signed, this certificate will be used to verify the signature. -+- `signing_private_key` - (Optional) If documents or assertions from the client are signed, this private key will be used to verify the signature. -+- `idp_initiated_sso_url_name` - (Optional) URL fragment name to reference client when you want to do IDP Initiated SSO. -+- `idp_initiated_sso_relay_state` - (Optional) Relay state you want to send with SAML request when you want to do IDP Initiated SSO. -+- `assertion_consumer_post_url` - (Optional) SAML POST Binding URL for the client's assertion consumer service (login responses). 
-+- `assertion_consumer_redirect_url` - (Optional) SAML Redirect Binding URL for the client's assertion consumer service (login responses). -+- `logout_service_post_binding_url` - (Optional) SAML POST Binding URL for the client's single logout service. -+- `logout_service_redirect_binding_url` - (Optional) SAML Redirect Binding URL for the client's single logout service. -+- `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token -+ -+### Import -+ -+Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak -+assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. -+ -+Example: -+ -+```bash -+$ terraform import keycloak_saml_client.saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 -+``` -diff --git b/website/docs/r/keycloak_saml_identity_provider.html.markdown a/website/docs/r/keycloak_saml_identity_provider.html.markdown -new file mode 100644 -index 0000000..755a072 ---- /dev/null -+++ a/website/docs/r/keycloak_saml_identity_provider.html.markdown -@@ -0,0 +1,67 @@ -+# keycloak_saml_identity_provider -+ -+Allows to create and manage SAML Identity Providers within Keycloak. -+ -+SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_saml_identity_provider" "realm_identity_provider" { -+ realm = "my-realm" -+ alias = "my-idp" -+ single_sign_on_service_url = "https://domain.com/adfs/ls/" -+ single_logout_service_url = "https://domain.com/adfs/ls/?wa=wsignout1.0" -+ backchannel_supported = true -+ post_binding_response = true -+ post_binding_logout = true -+ post_binding_authn_request = true -+ store_token = false -+ trust_email = true -+ force_authn = true -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm` - (Required) The name of the realm. This is unique across Keycloak. -+- `alias` - (Optional) The uniq name of identity provider. -+- `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. -+- `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. -+- `store_token` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`. -+- `add_read_token_role_on_create` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`. -+- `trust_email` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`. -+- `link_only` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`. -+- `hide_on_login_page` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. -+- `first_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. 
Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. -+- `post_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. -+- `authenticate_by_default` - (Optional) Authenticate users by default. Defaults to `false`. -+ -+#### SAML Configuration -+ -+- `single_sign_on_service_url` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest). -+- `single_logout_service_url` - (Optional) The Url that must be used to send logout requests. -+- `backchannel_supported` - (Optional) Does the external IDP support back-channel logout ?. -+- `name_id_policy_format` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. -+- `post_binding_response` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. -+- `post_binding_authn_request` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. -+- `post_binding_logout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. -+- `want_assertions_signed` - (Optional) Indicates whether this service provider expects a signed Assertion. -+- `want_assertions_encrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. 
-+- `force_authn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. -+- `validate_signature` - (Optional) Enable/disable signature validation of SAML responses. -+- `signing_certificate` - (Optional) Signing Certificate. -+- `signature_algorithm` - (Optional) Signing Algorithm. Defaults to empty. -+- `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty. -+ -+### Import -+ -+Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. -+ -+Example: -+ -+```bash -+$ terraform import keycloak_saml_identity_provider.realm_identity_provider my-realm/my-idp -+``` -diff --git b/website/docs/r/keycloak_saml_user_attribute_protocol_mapper.html.markdown a/website/docs/r/keycloak_saml_user_attribute_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..a0feaf9 ---- /dev/null -+++ a/website/docs/r/keycloak_saml_user_attribute_protocol_mapper.html.markdown -@@ -0,0 +1,60 @@ -+# keycloak_saml_user_attribute_protocol_mapper -+ -+Allows for creating and managing user attribute protocol mappers for -+SAML clients within Keycloak. -+ -+SAML user attribute protocol mappers allow you to map custom attributes defined -+for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers -+can be defined for a single client, or they can be defined for a client scope which -+can be shared between multiple different clients. 
-+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_saml_client" "saml_client" { -+ realm_id = "${keycloak_realm.test.id}" -+ client_id = "test-saml-client" -+ name = "test-saml-client" -+} -+ -+resource "keycloak_saml_user_attribute_protocol_mapper" "saml_user_attribute_mapper" { -+ realm_id = "${keycloak_realm.test.id}" -+ client_id = "${keycloak_saml_client.saml_client.id}" -+ name = "displayname-user-attribute-mapper" -+ -+ user_attribute = "displayName" -+ saml_attribute_name = "displayName" -+ saml_attribute_name_format = "Unspecified" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. -+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `user_attribute` - (Required) The custom user attribute to map. -+- `friendly_name` - (Optional) An optional human-friendly name for this attribute. -+- `saml_attribute_name` - (Required) The name of the SAML attribute. -+- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. 
-+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_saml_user_property_protocol_mapper.html.markdown a/website/docs/r/keycloak_saml_user_property_protocol_mapper.html.markdown -new file mode 100644 -index 0000000..b74209b ---- /dev/null -+++ a/website/docs/r/keycloak_saml_user_property_protocol_mapper.html.markdown -@@ -0,0 +1,60 @@ -+# keycloak_saml_user_property_protocol_mapper -+ -+Allows for creating and managing user property protocol mappers for -+SAML clients within Keycloak. -+ -+SAML user property protocol mappers allow you to map properties of the Keycloak -+user model to an attribute in a SAML assertion. Protocol mappers -+can be defined for a single client, or they can be defined for a client scope which -+can be shared between multiple different clients. 
-+ -+### Example Usage (Client) -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_saml_client" "saml_client" { -+ realm_id = "${keycloak_realm.test.id}" -+ client_id = "test-saml-client" -+ name = "test-saml-client" -+} -+ -+resource "keycloak_saml_user_property_protocol_mapper" "saml_user_property_mapper" { -+ realm_id = "${keycloak_realm.test.id}" -+ client_id = "${keycloak_saml_client.saml_client.id}" -+ name = "email-user-property-mapper" -+ -+ user_property = "email" -+ saml_attribute_name = "email" -+ saml_attribute_name_format = "Unspecified" -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this protocol mapper exists within. -+- `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. -+- `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. -+- `name` - (Required) The display name of this protocol mapper in the GUI. -+- `user_property` - (Required) The property of the Keycloak user model to map. -+- `friendly_name` - (Optional) An optional human-friendly name for this attribute. -+- `saml_attribute_name` - (Required) The name of the SAML attribute. -+- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. 
-+ -+### Import -+ -+Protocol mappers can be imported using one of the following formats: -+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` -+ -+Example: -+ -+```bash -+$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -+``` -diff --git b/website/docs/r/keycloak_user.html.markdown a/website/docs/r/keycloak_user.html.markdown -new file mode 100644 -index 0000000..03de8b1 ---- /dev/null -+++ a/website/docs/r/keycloak_user.html.markdown -@@ -0,0 +1,67 @@ -+# keycloak_user -+ -+Allows for creating and managing Users within Keycloak. -+ -+This resource was created primarily to enable the acceptance tests for the `keycloak_group` resource. -+Creating users within Keycloak is not recommended. Instead, users should be federated from external sources -+by configuring user federation providers or identity providers. 
-+ -+### Example Usage -+ -+```hcl -+resource "keycloak_realm" "realm" { -+ realm = "my-realm" -+ enabled = true -+} -+ -+resource "keycloak_user" "user" { -+ realm_id = "${keycloak_realm.realm.id}" -+ username = "bob" -+ enabled = true -+ -+ email = "bob@domain.com" -+ first_name = "Bob" -+ last_name = "Bobson" -+} -+ -+resource "keycloak_user" "user_with_initial_password" { -+ realm_id = "${keycloak_realm.realm.id}" -+ username = "alice" -+ enabled = true -+ -+ email = "alice@domain.com" -+ first_name = "Alice" -+ last_name = "Aliceberg" -+ -+ initial_password { -+ value = "some password" -+ temporary = true -+ } -+} -+``` -+ -+### Argument Reference -+ -+The following arguments are supported: -+ -+- `realm_id` - (Required) The realm this user belongs to. -+- `username` - (Required) The unique username of this user. -+- `initial_password` (Optional) When given, the user's initial password will be set. -+ This attribute is only respected during initial user creation. -+ - `value` (Required) The initial password. -+ - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. -+- `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. -+- `email` - (Optional) The user's email. -+- `first_name` - (Optional) The user's first name. -+- `last_name` - (Optional) The user's last name. -+ -+### Import -+ -+Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak -+assigns to the user upon creation. This value can be found in the GUI when editing the user. -+ -+Example: -+ -+```bash -+$ terraform import keycloak_user.user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 -+``` diff --git a/provider/cmd/pulumi-resource-keycloak/schema.json b/provider/cmd/pulumi-resource-keycloak/schema.json index ffceec65..83d1ea34 100644 --- a/provider/cmd/pulumi-resource-keycloak/schema.json +++ b/provider/cmd/pulumi-resource-keycloak/schema.json 
@@ -206,13 +206,15 @@ "keycloak:index/RealmInternationalization:RealmInternationalization": { "properties": { "defaultLocale": { - "type": "string" + "type": "string", + "description": "The locale to use by default. This locale code must be present within the `supported_locales` list.\n" }, "supportedLocales": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support.\n" } }, "type": "object", @@ -225,23 +227,27 @@ "properties": { "algorithm": { "type": "string", - "description": "What hashing algorithm should be used to generate the OTP.\n" + "description": "What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`.\n" }, "digits": { - "type": "integer" + "type": "integer", + "description": "How many digits the OTP have. Defaults to `6`.\n" }, "initialCounter": { - "type": "integer" + "type": "integer", + "description": "What should the initial counter value be. Defaults to `2`.\n" }, "lookAheadWindow": { - "type": "integer" + "type": "integer", + "description": "How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`.\n" }, "period": { - "type": "integer" + "type": "integer", + "description": "How many seconds should an OTP token be valid. Defaults to `30`.\n" }, "type": { "type": "string", - "description": "OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password\n" + "description": "One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`.\n" } }, "type": "object" 
@@ -260,25 +266,31 @@ "keycloak:index/RealmSecurityDefensesBruteForceDetection:RealmSecurityDefensesBruteForceDetection": { "properties": { "failureResetTimeSeconds": { - "type": "integer" + "type": "integer", + "description": "When will failure count be reset?\n" }, "maxFailureWaitSeconds": { "type": "integer" }, "maxLoginFailures": { - "type": "integer" + "type": "integer", + "description": "How many failures before wait is triggered.\n" }, "minimumQuickLoginWaitSeconds": { - "type": "integer" + "type": "integer", + "description": "How long to wait after a quick login failure.\n- `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out.\n" }, "permanentLockout": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, this will lock the user permanently when the user exceeds the maximum login failures.\n" }, "quickLoginCheckMilliSeconds": { - "type": "integer" + "type": "integer", + "description": "Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.\n" }, "waitIncrementSeconds": { - "type": "integer" + "type": "integer", + "description": "This represents the amount of time a user should be locked out when the login failure threshold has been met.\n" } }, "type": "object" 
@@ -286,28 +298,36 @@ "keycloak:index/RealmSecurityDefensesHeaders:RealmSecurityDefensesHeaders": { "properties": { "contentSecurityPolicy": { - "type": "string" + "type": "string", + "description": "Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract.\n" }, "contentSecurityPolicyReportOnly": { - "type": "string" + "type": "string", + "description": "Used for testing Content Security Policies.\n" }, "referrerPolicy": { - "type": "string" + "type": "string", + "description": "The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests.\n" }, "strictTransportSecurity": { - "type": "string" + "type": "string", + "description": "The Script-Transport-Security HTTP header tells browsers to always use HTTPS.\n" }, "xContentTypeOptions": { - "type": "string" + "type": "string", + "description": "Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type\n" }, "xFrameOptions": { - "type": "string" + "type": "string", + "description": "Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034)\n" }, "xRobotsTag": { - "type": "string" + "type": "string", + "description": "Prevent pages from appearing in search engines.\n" }, "xXssProtection": { - "type": "string" + "type": "string", + "description": "This header configures the Cross-site scripting (XSS) filter in your browser.\n" } }, "type": "object" 
@@ -315,34 +335,44 @@ "keycloak:index/RealmSmtpServer:RealmSmtpServer": { "properties": { "auth": { - "$ref": "#/types/keycloak:index/RealmSmtpServerAuth:RealmSmtpServerAuth" + "$ref": "#/types/keycloak:index/RealmSmtpServerAuth:RealmSmtpServerAuth", + "description": "Enables authentication to the SMTP server. This block supports the following arguments:\n" }, "envelopeFrom": { - "type": "string" + "type": "string", + "description": "The email address uses for bounces.\n" }, "from": { - "type": "string" + "type": "string", + "description": "The email address for the sender.\n" }, "fromDisplayName": { - "type": "string" + "type": "string", + "description": "The display name of the sender email address.\n" }, "host": { - "type": "string" + "type": "string", + "description": "The host of the SMTP server.\n" }, "port": { - "type": "string" + "type": "string", + "description": "The port of the SMTP server (defaults to 25).\n" }, "replyTo": { - "type": "string" + "type": "string", + "description": "The \"reply to\" email address.\n" }, "replyToDisplayName": { - "type": "string" + "type": "string", + "description": "The display name of the \"reply to\" email address.\n" }, "ssl": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, enables SSL. Defaults to `false`.\n" }, "starttls": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, enables StartTLS. Defaults to `false`.\n" } }, "type": "object", @@ -355,10 +385,12 @@ "properties": { "password": { "type": "string", + "description": "The SMTP server password.\n", "secret": true }, "username": { - "type": "string" + "type": "string", + "description": "The SMTP server username.\n" } }, "type": "object", @@ -496,7 +528,8 @@ "type": "array", "items": { "type": "string" - } + }, + "description": "A set of AAGUIDs for which an authenticator can be registered.\n" }, "attestationConveyancePreference": { "type": "string", 
@@ -507,16 +540,20 @@ "description": "Either platform or cross-platform\n" }, "avoidSameAuthenticatorRegister": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`.\n" }, "createTimeout": { - "type": "integer" + "type": "integer", + "description": "The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`.\n" }, "relyingPartyEntityName": { - "type": "string" + "type": "string", + "description": "A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`.\n" }, "relyingPartyId": { - "type": "string" + "type": "string", + "description": "The WebAuthn relying party ID.\n" }, "requireResidentKey": { "type": "string", @@ -549,7 +586,8 @@ "type": "array", "items": { "type": "string" - } + }, + "description": "A set of AAGUIDs for which an authenticator can be registered.\n" }, "attestationConveyancePreference": { "type": "string", @@ -560,16 +598,20 @@ "description": "Either platform or cross-platform\n" }, "avoidSameAuthenticatorRegister": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`.\n" }, "createTimeout": { - "type": "integer" + "type": "integer", + "description": "The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`.\n" }, "relyingPartyEntityName": { - "type": "string" + "type": "string", + "description": "A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`.\n" }, "relyingPartyId": { - "type": "string" + "type": "string", + "description": "The WebAuthn relying party ID.\n" }, "requireResidentKey": { "type": "string", 
@@ -599,13 +641,16 @@ "keycloak:index/UserFederatedIdentity:UserFederatedIdentity": { "properties": { "identityProvider": { - "type": "string" + "type": "string", + "description": "The name of the identity provider\n" }, "userId": { - "type": "string" + "type": "string", + "description": "The ID of the user defined in the identity provider\n" }, "userName": { - "type": "string" + "type": "string", + "description": "The user name of the user defined in the identity provider\n" } }, "type": "object", @@ -618,10 +663,12 @@ "keycloak:index/UserInitialPassword:UserInitialPassword": { "properties": { "temporary": { - "type": "boolean" + "type": "boolean", + "description": "If set to `true`, the initial password is set up for renewal on first use. Default to `false`.\n" }, "value": { "type": "string", + "description": "The initial password.\n", "secret": true } }, @@ -793,28 +840,36 @@ "keycloak:index/getRealmKeysKey:getRealmKeysKey": { "properties": { "algorithm": { - "type": "string" + "type": "string", + "description": "Key algorithm (string)\n" }, "certificate": { - "type": "string" + "type": "string", + "description": "Key certificate (string)\n" }, "kid": { - "type": "string" + "type": "string", + "description": "Key ID (string)\n" }, "providerId": { - "type": "string" + "type": "string", + "description": "Key provider ID (string)\n" }, "providerPriority": { - "type": "integer" + "type": "integer", + "description": "Key provider priority (int64)\n" }, "publicKey": { - "type": "string" + "type": "string", + "description": "Key public key (string)\n" }, "status": { - "type": "string" + "type": "string", + "description": "When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`.\n" }, "type": { - "type": "string" + "type": "string", + "description": "Key type (string)\n" } }, "type": "object", 
@@ -1186,7 +1241,7 @@ "properties": { "evictionDay": { "type": "integer", - "description": "Day of the week the entry will become invalid on.\n" + "description": "Day of the week the entry will become invalid on\n" }, "evictionHour": { "type": "integer", @@ -1201,7 +1256,8 @@ "description": "Max lifespan of cache entry (duration string).\n" }, "policy": { - "type": "string" + "type": "string", + "description": "Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.\n" } }, "type": "object" @@ -1210,7 +1266,7 @@ "properties": { "kerberosRealm": { "type": "string", - "description": "The name of the kerberos realm, e.g. FOO.LOCAL\n" + "description": "The name of the kerberos realm, e.g. FOO.LOCAL.\n" }, "keyTab": { "type": "string", @@ -1235,10 +1291,12 @@ "keycloak:openid/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides": { "properties": { "browserId": { - "type": "string" + "type": "string", + "description": "Browser flow id, (flow needs to exist)\n" }, "directGrantId": { - "type": "string" + "type": "string", + "description": "Direct grant flow id (flow needs to exist)\n" } }, "type": "object" 
@@ -1246,16 +1304,20 @@ "keycloak:openid/ClientAuthorization:ClientAuthorization": { "properties": { "allowRemoteResourceManagement": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, resources can be managed remotely by the resource server. Defaults to `false`.\n" }, "decisionStrategy": { - "type": "string" + "type": "string", + "description": "Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.\n" }, "keepDefaults": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, defaults set by Keycloak will be respected. Defaults to `false`.\n" }, "policyEnforcementMode": { - "type": "string" + "type": "string", + "description": "Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.\n" } }, "type": "object", @@ -1491,10 +1553,12 @@ "keycloak:saml/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides": { "properties": { "browserId": { - "type": "string" + "type": "string", + "description": "Browser flow id, (flow needs to exist)\n" }, "directGrantId": { - "type": "string" + "type": "string", + "description": "Direct grant flow id (flow needs to exist)\n" } }, "type": "object" 
@@ -2099,41 +2163,42 @@ } }, "keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper": { - "description": "## # keycloak.AttributeImporterIdentityProviderMapper\n\nAllows to create and manage identity provider mappers within Keycloak.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst testMapper = new keycloak.AttributeImporterIdentityProviderMapper(\"test_mapper\", {\n realm: \"my-realm\",\n name: \"my-mapper\",\n identityProviderAlias: \"idp_alias\",\n attributeName: \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\",\n userAttribute: \"lastName\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\ntest_mapper = keycloak.AttributeImporterIdentityProviderMapper(\"test_mapper\",\n realm=\"my-realm\",\n name=\"my-mapper\",\n identity_provider_alias=\"idp_alias\",\n attribute_name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\",\n user_attribute=\"lastName\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var testMapper = new Keycloak.AttributeImporterIdentityProviderMapper(\"test_mapper\", new()\n {\n Realm = \"my-realm\",\n Name = \"my-mapper\",\n IdentityProviderAlias = \"idp_alias\",\n AttributeName = \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\",\n UserAttribute = \"lastName\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := keycloak.NewAttributeImporterIdentityProviderMapper(ctx, \"test_mapper\", \u0026keycloak.AttributeImporterIdentityProviderMapperArgs{\n\t\t\tRealm: 
pulumi.String(\"my-realm\"),\n\t\t\tName: pulumi.String(\"my-mapper\"),\n\t\t\tIdentityProviderAlias: pulumi.String(\"idp_alias\"),\n\t\t\tAttributeName: pulumi.String(\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"),\n\t\t\tUserAttribute: pulumi.String(\"lastName\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.AttributeImporterIdentityProviderMapper;\nimport com.pulumi.keycloak.AttributeImporterIdentityProviderMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var testMapper = new AttributeImporterIdentityProviderMapper(\"testMapper\", AttributeImporterIdentityProviderMapperArgs.builder()\n .realm(\"my-realm\")\n .name(\"my-mapper\")\n .identityProviderAlias(\"idp_alias\")\n .attributeName(\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\")\n .userAttribute(\"lastName\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n testMapper:\n type: keycloak:AttributeImporterIdentityProviderMapper\n name: test_mapper\n properties:\n realm: my-realm\n name: my-mapper\n identityProviderAlias: idp_alias\n attributeName: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\n userAttribute: lastName\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm` - (Required) The name of the realm.\n- `name` - (Required) The name of the mapper.\n- `identity_provider_alias` - (Required) The alias of the associated identity provider.\n- `user_attribute` - (Required) The user attribute name to store SAML attribute.\n- `attribute_name` - 
(Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead.\n- `attribute_friendly_name` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead.\n- `claim_name` - (Optional) The claim name.\n\n### Import\n\nIdentity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak\nassigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID.\n\nExample:\n\n```bash\n$ terraform import keycloak_attribute_importer_identity_provider_mapper.test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b\n```\n", + "description": "Allows for creating and managing an attribute importer identity provider mapper within Keycloak.\n\nThe attribute importer mapper can be used to map attributes from externally defined users to attributes or properties of the imported Keycloak user:\n- For the OIDC identity provider, this will map a claim on the ID or access token to an attribute for the imported Keycloak user.\n- For the SAML identity provider, this will map a SAML attribute found within the assertion to an attribute for the imported Keycloak user.\n- For social identity providers, this will map a JSON field from the user profile to an attribute for the imported Keycloak user.\n\n\u003e If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst oidc = new 
keycloak.oidc.IdentityProvider(\"oidc\", {\n realm: realm.id,\n alias: \"oidc\",\n authorizationUrl: \"https://example.com/auth\",\n tokenUrl: \"https://example.com/token\",\n clientId: \"example_id\",\n clientSecret: \"example_token\",\n defaultScopes: \"openid random profile\",\n});\nconst oidcAttributeImporterIdentityProviderMapper = new keycloak.AttributeImporterIdentityProviderMapper(\"oidc\", {\n realm: realm.id,\n name: \"email-attribute-importer\",\n claimName: \"my-email-claim\",\n identityProviderAlias: oidc.alias,\n userAttribute: \"email\",\n extraConfig: {\n syncMode: \"INHERIT\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\noidc = keycloak.oidc.IdentityProvider(\"oidc\",\n realm=realm.id,\n alias=\"oidc\",\n authorization_url=\"https://example.com/auth\",\n token_url=\"https://example.com/token\",\n client_id=\"example_id\",\n client_secret=\"example_token\",\n default_scopes=\"openid random profile\")\noidc_attribute_importer_identity_provider_mapper = keycloak.AttributeImporterIdentityProviderMapper(\"oidc\",\n realm=realm.id,\n name=\"email-attribute-importer\",\n claim_name=\"my-email-claim\",\n identity_provider_alias=oidc.alias,\n user_attribute=\"email\",\n extra_config={\n \"syncMode\": \"INHERIT\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var oidc = new Keycloak.Oidc.IdentityProvider(\"oidc\", new()\n {\n Realm = realm.Id,\n Alias = \"oidc\",\n AuthorizationUrl = \"https://example.com/auth\",\n TokenUrl = \"https://example.com/token\",\n ClientId = \"example_id\",\n ClientSecret = \"example_token\",\n DefaultScopes = \"openid random profile\",\n });\n\n var 
oidcAttributeImporterIdentityProviderMapper = new Keycloak.AttributeImporterIdentityProviderMapper(\"oidc\", new()\n {\n Realm = realm.Id,\n Name = \"email-attribute-importer\",\n ClaimName = \"my-email-claim\",\n IdentityProviderAlias = oidc.Alias,\n UserAttribute = \"email\",\n ExtraConfig = \n {\n { \"syncMode\", \"INHERIT\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\toidc, err := oidc.NewIdentityProvider(ctx, \"oidc\", \u0026oidc.IdentityProviderArgs{\n\t\t\tRealm: realm.ID(),\n\t\t\tAlias: pulumi.String(\"oidc\"),\n\t\t\tAuthorizationUrl: pulumi.String(\"https://example.com/auth\"),\n\t\t\tTokenUrl: pulumi.String(\"https://example.com/token\"),\n\t\t\tClientId: pulumi.String(\"example_id\"),\n\t\t\tClientSecret: pulumi.String(\"example_token\"),\n\t\t\tDefaultScopes: pulumi.String(\"openid random profile\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewAttributeImporterIdentityProviderMapper(ctx, \"oidc\", \u0026keycloak.AttributeImporterIdentityProviderMapperArgs{\n\t\t\tRealm: realm.ID(),\n\t\t\tName: pulumi.String(\"email-attribute-importer\"),\n\t\t\tClaimName: pulumi.String(\"my-email-claim\"),\n\t\t\tIdentityProviderAlias: oidc.Alias,\n\t\t\tUserAttribute: pulumi.String(\"email\"),\n\t\t\tExtraConfig: pulumi.StringMap{\n\t\t\t\t\"syncMode\": pulumi.String(\"INHERIT\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport 
com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.oidc.IdentityProvider;\nimport com.pulumi.keycloak.oidc.IdentityProviderArgs;\nimport com.pulumi.keycloak.AttributeImporterIdentityProviderMapper;\nimport com.pulumi.keycloak.AttributeImporterIdentityProviderMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var oidc = new IdentityProvider(\"oidc\", IdentityProviderArgs.builder()\n .realm(realm.id())\n .alias(\"oidc\")\n .authorizationUrl(\"https://example.com/auth\")\n .tokenUrl(\"https://example.com/token\")\n .clientId(\"example_id\")\n .clientSecret(\"example_token\")\n .defaultScopes(\"openid random profile\")\n .build());\n\n var oidcAttributeImporterIdentityProviderMapper = new AttributeImporterIdentityProviderMapper(\"oidcAttributeImporterIdentityProviderMapper\", AttributeImporterIdentityProviderMapperArgs.builder()\n .realm(realm.id())\n .name(\"email-attribute-importer\")\n .claimName(\"my-email-claim\")\n .identityProviderAlias(oidc.alias())\n .userAttribute(\"email\")\n .extraConfig(Map.of(\"syncMode\", \"INHERIT\"))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n oidc:\n type: keycloak:oidc:IdentityProvider\n properties:\n realm: ${realm.id}\n alias: oidc\n authorizationUrl: https://example.com/auth\n tokenUrl: https://example.com/token\n clientId: example_id\n clientSecret: example_token\n defaultScopes: openid random profile\n oidcAttributeImporterIdentityProviderMapper:\n type: 
keycloak:AttributeImporterIdentityProviderMapper\n name: oidc\n properties:\n realm: ${realm.id}\n name: email-attribute-importer\n claimName: my-email-claim\n identityProviderAlias: ${oidc.alias}\n userAttribute: email\n extraConfig:\n syncMode: INHERIT\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nIdentity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak\n\nassigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b\n```\n\n", "properties": { "attributeFriendlyName": { "type": "string", - "description": "Attribute Friendly Name\n" + "description": "For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`.\n" }, "attributeName": { "type": "string", - "description": "Attribute Name\n" + "description": "For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`.\n" }, "claimName": { "type": "string", - "description": "Claim Name\n" + "description": "For OIDC based providers, this is the name of the claim to use.\n" }, "extraConfig": { "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. 
This can be used to extend the base model with new Keycloak features.\n" }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n" + "description": "The alias of the associated identity provider.\n" }, "name": { "type": "string", - "description": "IDP Mapper Name\n" + "description": "The name of the mapper.\n" }, "realm": { "type": "string", - "description": "Realm Name\n" + "description": "The name of the realm.\n" }, "userAttribute": { "type": "string", - "description": "User Attribute\n" + "description": "The user attribute or property name to store the mapped result.\n" } }, "required": [ 
@@ -2145,40 +2210,41 @@ "inputProperties": { "attributeFriendlyName": { "type": "string", - "description": "Attribute Friendly Name\n" + "description": "For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`.\n" }, "attributeName": { "type": "string", - "description": "Attribute Name\n" + "description": "For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`.\n" }, "claimName": { "type": "string", - "description": "Claim Name\n" + "description": "For OIDC based providers, this is the name of the claim to use.\n" }, "extraConfig": { "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features.\n" }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n", + "description": "The alias of the associated identity provider.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "IDP Mapper Name\n", + "description": "The name of the mapper.\n", "willReplaceOnChanges": true }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The name of the realm.\n", "willReplaceOnChanges": true }, "userAttribute": { "type": "string", - "description": "User Attribute\n" + "description": "The user attribute or property name to store the mapped result.\n" } }, "requiredInputs": [ 
@@ -2191,40 +2257,41 @@ "properties": { "attributeFriendlyName": { "type": "string", - "description": "Attribute Friendly Name\n" + "description": "For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`.\n" }, "attributeName": { "type": "string", - "description": "Attribute Name\n" + "description": "For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`.\n" }, "claimName": { "type": "string", - "description": "Claim Name\n" + "description": "For OIDC based providers, this is the name of the claim to use.\n" }, "extraConfig": { "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features.\n" }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n", + "description": "The alias of the associated identity provider.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "IDP Mapper Name\n", + "description": "The name of the mapper.\n", "willReplaceOnChanges": true }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The name of the realm.\n", "willReplaceOnChanges": true }, "userAttribute": { "type": "string", - "description": "User Attribute\n" + "description": "The user attribute or property name to store the mapped result.\n" } }, "type": "object" 
@@ -2489,24 +2556,26 @@ } }, "keycloak:index/customUserFederation:CustomUserFederation": { - "description": "## # keycloak.CustomUserFederation\n\nAllows for creating and managing custom user federation providers within Keycloak.\n\nA custom user federation provider is an implementation of Keycloak's\n[User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi).\nAn example of this implementation can be found here.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"test\",\n enabled: true,\n});\nconst customUserFederation = new keycloak.CustomUserFederation(\"custom_user_federation\", {\n name: \"custom\",\n realmId: realm.id,\n providerId: \"custom\",\n enabled: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"test\",\n enabled=True)\ncustom_user_federation = keycloak.CustomUserFederation(\"custom_user_federation\",\n name=\"custom\",\n realm_id=realm.id,\n provider_id=\"custom\",\n enabled=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"test\",\n Enabled = true,\n });\n\n var customUserFederation = new Keycloak.CustomUserFederation(\"custom_user_federation\", new()\n {\n Name = \"custom\",\n RealmId = realm.Id,\n ProviderId = \"custom\",\n Enabled = true,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: 
pulumi.String(\"test\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewCustomUserFederation(ctx, \"custom_user_federation\", \u0026keycloak.CustomUserFederationArgs{\n\t\t\tName: pulumi.String(\"custom\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tProviderId: pulumi.String(\"custom\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.CustomUserFederation;\nimport com.pulumi.keycloak.CustomUserFederationArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"test\")\n .enabled(true)\n .build());\n\n var customUserFederation = new CustomUserFederation(\"customUserFederation\", CustomUserFederationArgs.builder()\n .name(\"custom\")\n .realmId(realm.id())\n .providerId(\"custom\")\n .enabled(true)\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: test\n enabled: true\n customUserFederation:\n type: keycloak:CustomUserFederation\n name: custom_user_federation\n properties:\n name: custom\n realmId: ${realm.id}\n providerId: custom\n enabled: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm that this provider will provide user federation for.\n- `name` - (Required) Display name of the provider when displayed in the console.\n- `provider_id` - (Required) 
The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.\n- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`.\n- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`.\n- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.\n\n### Import\n\nCustom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`.\nThe ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID:\n\n```bash\n$ terraform import keycloak_custom_user_federation.custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860\n```\n", + "description": "Allows for creating and managing custom user federation providers within Keycloak.\n\nA custom user federation provider is an implementation of Keycloak's [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi).\nAn example of this implementation can be found here.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"test\",\n enabled: true,\n});\nconst customUserFederation = new keycloak.CustomUserFederation(\"custom_user_federation\", {\n name: \"custom\",\n realmId: realm.id,\n providerId: \"custom\",\n enabled: true,\n config: {\n dummyString: \"foobar\",\n dummyBool: \"true\",\n multivalue: \"value1##value2\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"test\",\n enabled=True)\ncustom_user_federation = keycloak.CustomUserFederation(\"custom_user_federation\",\n 
name=\"custom\",\n realm_id=realm.id,\n provider_id=\"custom\",\n enabled=True,\n config={\n \"dummyString\": \"foobar\",\n \"dummyBool\": \"true\",\n \"multivalue\": \"value1##value2\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"test\",\n Enabled = true,\n });\n\n var customUserFederation = new Keycloak.CustomUserFederation(\"custom_user_federation\", new()\n {\n Name = \"custom\",\n RealmId = realm.Id,\n ProviderId = \"custom\",\n Enabled = true,\n Config = \n {\n { \"dummyString\", \"foobar\" },\n { \"dummyBool\", \"true\" },\n { \"multivalue\", \"value1##value2\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"test\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewCustomUserFederation(ctx, \"custom_user_federation\", \u0026keycloak.CustomUserFederationArgs{\n\t\t\tName: pulumi.String(\"custom\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tProviderId: pulumi.String(\"custom\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tConfig: pulumi.StringMap{\n\t\t\t\t\"dummyString\": pulumi.String(\"foobar\"),\n\t\t\t\t\"dummyBool\": pulumi.String(\"true\"),\n\t\t\t\t\"multivalue\": pulumi.String(\"value1##value2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport 
com.pulumi.keycloak.CustomUserFederation;\nimport com.pulumi.keycloak.CustomUserFederationArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"test\")\n .enabled(true)\n .build());\n\n var customUserFederation = new CustomUserFederation(\"customUserFederation\", CustomUserFederationArgs.builder()\n .name(\"custom\")\n .realmId(realm.id())\n .providerId(\"custom\")\n .enabled(true)\n .config(Map.ofEntries(\n Map.entry(\"dummyString\", \"foobar\"),\n Map.entry(\"dummyBool\", true),\n Map.entry(\"multivalue\", \"value1##value2\")\n ))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: test\n enabled: true\n customUserFederation:\n type: keycloak:CustomUserFederation\n name: custom_user_federation\n properties:\n name: custom\n realmId: ${realm.id}\n providerId: custom\n enabled: true\n config:\n dummyString: foobar\n dummyBool: true\n multivalue: value1##value2\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nCustom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`.\n\nThe ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/customUserFederation:CustomUserFederation custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860\n```\n\n", "properties": { "cachePolicy": { - "type": "string" + "type": "string", + "description": "Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. 
Defaults to `DEFAULT`.\n" }, "changedSyncPeriod": { "type": "integer", - "description": "How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users\nsync.\n" + "description": "How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync.\n" }, "config": { "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values.\n" }, "enabled": { "type": "boolean", - "description": "When false, this provider will not be used when performing queries for users.\n" + "description": "When `false`, this provider will not be used when performing queries for users. Defaults to `true`.\n" }, "fullSyncPeriod": { "type": "integer", 
@@ -2518,19 +2587,19 @@ }, "parentId": { "type": "string", - "description": "The parent_id of the generated component. will use realm_id if not specified.\n" + "description": "Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.\n" }, "priority": { "type": "integer", - "description": "Priority of this provider when looking up users. Lower values are first.\n" + "description": "Priority of this provider when looking up users. Lower values are first. Defaults to `0`.\n" }, "providerId": { "type": "string", - "description": "The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory\ninterface\n" + "description": "The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.\n" }, "realmId": { "type": "string", - "description": "The realm (name) this provider will provide user federation for.\n" + "description": "The realm that this provider will provide user federation for.\n" } }, "required": [ 
@@ -2541,21 +2610,23 @@ ], "inputProperties": { "cachePolicy": { - "type": "string" + "type": "string", + "description": "Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.\n" }, "changedSyncPeriod": { "type": "integer", - "description": "How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users\nsync.\n" + "description": "How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync.\n" }, "config": { "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values.\n" }, "enabled": { "type": "boolean", - "description": "When false, this provider will not be used when performing queries for users.\n" + "description": "When `false`, this provider will not be used when performing queries for users. Defaults to `true`.\n" }, "fullSyncPeriod": { "type": "integer", 
@@ -2567,21 +2638,21 @@ }, "parentId": { "type": "string", - "description": "The parent_id of the generated component. will use realm_id if not specified.\n", + "description": "Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.\n", "willReplaceOnChanges": true }, "priority": { "type": "integer", - "description": "Priority of this provider when looking up users. Lower values are first.\n" + "description": "Priority of this provider when looking up users. Lower values are first. Defaults to `0`.\n" }, "providerId": { "type": "string", - "description": "The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory\ninterface\n", + "description": "The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm (name) this provider will provide user federation for.\n", + "description": "The realm that this provider will provide user federation for.\n", "willReplaceOnChanges": true } }, 
@@ -2593,21 +2664,23 @@ "description": "Input properties used for looking up and filtering CustomUserFederation resources.\n", "properties": { "cachePolicy": { - "type": "string" + "type": "string", + "description": "Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.\n" }, "changedSyncPeriod": { "type": "integer", - "description": "How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users\nsync.\n" + "description": "How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync.\n" }, "config": { "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values.\n" }, "enabled": { "type": "boolean", - "description": "When false, this provider will not be used when performing queries for users.\n" + "description": "When `false`, this provider will not be used when performing queries for users. Defaults to `true`.\n" }, "fullSyncPeriod": { "type": "integer", 
@@ -2619,21 +2692,21 @@ }, "parentId": { "type": "string", - "description": "The parent_id of the generated component. will use realm_id if not specified.\n", + "description": "Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.\n", "willReplaceOnChanges": true }, "priority": { "type": "integer", - "description": "Priority of this provider when looking up users. Lower values are first.\n" + "description": "Priority of this provider when looking up users. Lower values are first. Defaults to `0`.\n" }, "providerId": { "type": "string", - "description": "The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory\ninterface\n", + "description": "The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm (name) this provider will provide user federation for.\n", + "description": "The realm that this provider will provide user federation for.\n", "willReplaceOnChanges": true } }, 
@@ -2641,16 +2714,18 @@ } }, "keycloak:index/defaultGroups:DefaultGroups": { - "description": "## # keycloak.DefaultGroups\n\nAllows for managing a realm's default groups.\n\nNote that you should not use `keycloak.DefaultGroups` with a group with memberships managed\nby `keycloak.GroupMemberships`.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst group = new keycloak.Group(\"group\", {\n realmId: realm.id,\n name: \"my-group\",\n});\nconst _default = new keycloak.DefaultGroups(\"default\", {\n realmId: realm.id,\n groupIds: [group.id],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\ngroup = keycloak.Group(\"group\",\n realm_id=realm.id,\n name=\"my-group\")\ndefault = keycloak.DefaultGroups(\"default\",\n realm_id=realm.id,\n group_ids=[group.id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var @group = new Keycloak.Group(\"group\", new()\n {\n RealmId = realm.Id,\n Name = \"my-group\",\n });\n\n var @default = new Keycloak.DefaultGroups(\"default\", new()\n {\n RealmId = realm.Id,\n GroupIds = new[]\n {\n @group.Id,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: 
pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err := keycloak.NewGroup(ctx, \"group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewDefaultGroups(ctx, \"default\", \u0026keycloak.DefaultGroupsArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupIds: pulumi.StringArray{\n\t\t\t\tgroup.ID(),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Group;\nimport com.pulumi.keycloak.GroupArgs;\nimport com.pulumi.keycloak.DefaultGroups;\nimport com.pulumi.keycloak.DefaultGroupsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var group = new Group(\"group\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"my-group\")\n .build());\n\n var default_ = new DefaultGroups(\"default\", DefaultGroupsArgs.builder()\n .realmId(realm.id())\n .groupIds(group.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n group:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n name: my-group\n default:\n type: keycloak:DefaultGroups\n properties:\n realmId: ${realm.id}\n groupIds:\n - ${group.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- 
`realm_id` - (Required) The realm this group exists in.\n- `group_ids` - (Required) A set of group ids that should be default groups on the realm referenced by `realm_id`.\n\n### Import\n\nGroups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in.\n\nExample:\n\n```bash\n$ terraform import keycloak_default_groups.default my-realm\n```\n", + "description": "Allows for managing a realm's default groups.\n\n\u003e You should not use `keycloak.DefaultGroups` with a group whose members are managed by `keycloak.GroupMemberships`.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst group = new keycloak.Group(\"group\", {\n realmId: realm.id,\n name: \"my-group\",\n});\nconst _default = new keycloak.DefaultGroups(\"default\", {\n realmId: realm.id,\n groupIds: [group.id],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\ngroup = keycloak.Group(\"group\",\n realm_id=realm.id,\n name=\"my-group\")\ndefault = keycloak.DefaultGroups(\"default\",\n realm_id=realm.id,\n group_ids=[group.id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var @group = new Keycloak.Group(\"group\", new()\n {\n RealmId = realm.Id,\n Name = \"my-group\",\n });\n\n var @default = new Keycloak.DefaultGroups(\"default\", new()\n {\n RealmId = realm.Id,\n GroupIds = new[]\n {\n @group.Id,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err := keycloak.NewGroup(ctx, \"group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewDefaultGroups(ctx, \"default\", \u0026keycloak.DefaultGroupsArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupIds: pulumi.StringArray{\n\t\t\t\tgroup.ID(),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Group;\nimport com.pulumi.keycloak.GroupArgs;\nimport com.pulumi.keycloak.DefaultGroups;\nimport com.pulumi.keycloak.DefaultGroupsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var group = new Group(\"group\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"my-group\")\n .build());\n\n var default_ = new DefaultGroups(\"default\", DefaultGroupsArgs.builder()\n .realmId(realm.id())\n .groupIds(group.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: 
true\n group:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n name: my-group\n default:\n type: keycloak:DefaultGroups\n properties:\n realmId: ${realm.id}\n groupIds:\n - ${group.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nDefault groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/defaultGroups:DefaultGroups default my-realm\n```\n\n", "properties": { "groupIds": { "type": "array", "items": { "type": "string" - } + }, + "description": "A set of group ids that should be default groups on the realm referenced by `realm_id`.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this group exists in.\n" } }, "required": [ @@ -2662,10 +2737,12 @@ "type": "array", "items": { "type": "string" - } + }, + "description": "A set of group ids that should be default groups on the realm referenced by `realm_id`.\n" }, "realmId": { "type": "string", + "description": "The realm this group exists in.\n", "willReplaceOnChanges": true } }, @@ -2680,10 +2757,12 @@ "type": "array", "items": { "type": "string" - } + }, + "description": "A set of group ids that should be default groups on the realm referenced by `realm_id`.\n" }, "realmId": { "type": "string", + "description": "The realm this group exists in.\n", "willReplaceOnChanges": true } }, 
@@ -2762,11 +2841,11 @@ } }, "keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper": { - "description": "## # keycloak.GenericClientProtocolMapper\n\nAllows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak.\n\nThere are two uses cases for using this resource:\n* If you implemented a custom protocol mapper, this resource can be used to configure it\n* If the provider doesn't support a particular protocol mapper, this resource can be used instead.\n\nDue to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors. \nTherefore, if possible, a specific mapper should be used.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst samlClient = new keycloak.saml.Client(\"saml_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n});\nconst samlHardcodeAttributeMapper = new keycloak.GenericClientProtocolMapper(\"saml_hardcode_attribute_mapper\", {\n realmId: realm.id,\n clientId: samlClient.id,\n name: \"tes-mapper\",\n protocol: \"saml\",\n protocolMapper: \"saml-hardcode-attribute-mapper\",\n config: {\n \"attribute.name\": \"name\",\n \"attribute.nameformat\": \"Basic\",\n \"attribute.value\": \"value\",\n \"friendly.name\": \"display name\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nsaml_client = keycloak.saml.Client(\"saml_client\",\n realm_id=realm.id,\n client_id=\"test-client\")\nsaml_hardcode_attribute_mapper = keycloak.GenericClientProtocolMapper(\"saml_hardcode_attribute_mapper\",\n realm_id=realm.id,\n client_id=saml_client.id,\n name=\"tes-mapper\",\n protocol=\"saml\",\n 
protocol_mapper=\"saml-hardcode-attribute-mapper\",\n config={\n \"attribute.name\": \"name\",\n \"attribute.nameformat\": \"Basic\",\n \"attribute.value\": \"value\",\n \"friendly.name\": \"display name\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var samlClient = new Keycloak.Saml.Client(\"saml_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n });\n\n var samlHardcodeAttributeMapper = new Keycloak.GenericClientProtocolMapper(\"saml_hardcode_attribute_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = samlClient.Id,\n Name = \"tes-mapper\",\n Protocol = \"saml\",\n ProtocolMapper = \"saml-hardcode-attribute-mapper\",\n Config = \n {\n { \"attribute.name\", \"name\" },\n { \"attribute.nameformat\", \"Basic\" },\n { \"attribute.value\", \"value\" },\n { \"friendly.name\", \"display name\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsamlClient, err := saml.NewClient(ctx, \"saml_client\", \u0026saml.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGenericClientProtocolMapper(ctx, \"saml_hardcode_attribute_mapper\", \u0026keycloak.GenericClientProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: 
samlClient.ID(),\n\t\t\tName: pulumi.String(\"tes-mapper\"),\n\t\t\tProtocol: pulumi.String(\"saml\"),\n\t\t\tProtocolMapper: pulumi.String(\"saml-hardcode-attribute-mapper\"),\n\t\t\tConfig: pulumi.StringMap{\n\t\t\t\t\"attribute.name\": pulumi.String(\"name\"),\n\t\t\t\t\"attribute.nameformat\": pulumi.String(\"Basic\"),\n\t\t\t\t\"attribute.value\": pulumi.String(\"value\"),\n\t\t\t\t\"friendly.name\": pulumi.String(\"display name\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.saml.Client;\nimport com.pulumi.keycloak.saml.ClientArgs;\nimport com.pulumi.keycloak.GenericClientProtocolMapper;\nimport com.pulumi.keycloak.GenericClientProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var samlClient = new Client(\"samlClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .build());\n\n var samlHardcodeAttributeMapper = new GenericClientProtocolMapper(\"samlHardcodeAttributeMapper\", GenericClientProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(samlClient.id())\n .name(\"tes-mapper\")\n .protocol(\"saml\")\n .protocolMapper(\"saml-hardcode-attribute-mapper\")\n .config(Map.ofEntries(\n Map.entry(\"attribute.name\", \"name\"),\n Map.entry(\"attribute.nameformat\", \"Basic\"),\n Map.entry(\"attribute.value\", \"value\"),\n Map.entry(\"friendly.name\", \"display name\")\n ))\n 
.build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n samlClient:\n type: keycloak:saml:Client\n name: saml_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n samlHardcodeAttributeMapper:\n type: keycloak:GenericClientProtocolMapper\n name: saml_hardcode_attribute_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${samlClient.id}\n name: tes-mapper\n protocol: saml\n protocolMapper: saml-hardcode-attribute-mapper\n config:\n attribute.name: name\n attribute.nameformat: Basic\n attribute.value: value\n friendly.name: display name\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required) The client this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client.\n- `protocol_mapper` - (Required) The name of the protocol mapper. The protocol mapper must be\n compatible with the specified client.\n- `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.\n\n### Import\n\nProtocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_generic_client_protocol_mapper.saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "!\u003e **WARNING:** This resource is deprecated and will be removed in the next major version. 
Please use `keycloak.GenericProtocolMapper` instead.\n\nAllows for creating and managing protocol mappers for both types of clients (openid-connect and saml) within Keycloak.\n\nThere are two uses cases for using this resource:\n* If you implemented a custom protocol mapper, this resource can be used to configure it\n* If the provider doesn't support a particular protocol mapper, this resource can be used instead.\n\nDue to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors.\nTherefore, if possible, a specific mapper should be used.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst samlClient = new keycloak.saml.Client(\"saml_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n});\nconst samlHardcodeAttributeMapper = new keycloak.GenericClientProtocolMapper(\"saml_hardcode_attribute_mapper\", {\n realmId: realm.id,\n clientId: samlClient.id,\n name: \"test-mapper\",\n protocol: \"saml\",\n protocolMapper: \"saml-hardcode-attribute-mapper\",\n config: {\n \"attribute.name\": \"name\",\n \"attribute.nameformat\": \"Basic\",\n \"attribute.value\": \"value\",\n \"friendly.name\": \"display name\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nsaml_client = keycloak.saml.Client(\"saml_client\",\n realm_id=realm.id,\n client_id=\"test-client\")\nsaml_hardcode_attribute_mapper = keycloak.GenericClientProtocolMapper(\"saml_hardcode_attribute_mapper\",\n realm_id=realm.id,\n client_id=saml_client.id,\n name=\"test-mapper\",\n protocol=\"saml\",\n protocol_mapper=\"saml-hardcode-attribute-mapper\",\n config={\n \"attribute.name\": \"name\",\n \"attribute.nameformat\": \"Basic\",\n 
\"attribute.value\": \"value\",\n \"friendly.name\": \"display name\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var samlClient = new Keycloak.Saml.Client(\"saml_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n });\n\n var samlHardcodeAttributeMapper = new Keycloak.GenericClientProtocolMapper(\"saml_hardcode_attribute_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = samlClient.Id,\n Name = \"test-mapper\",\n Protocol = \"saml\",\n ProtocolMapper = \"saml-hardcode-attribute-mapper\",\n Config = \n {\n { \"attribute.name\", \"name\" },\n { \"attribute.nameformat\", \"Basic\" },\n { \"attribute.value\", \"value\" },\n { \"friendly.name\", \"display name\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsamlClient, err := saml.NewClient(ctx, \"saml_client\", \u0026saml.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGenericClientProtocolMapper(ctx, \"saml_hardcode_attribute_mapper\", \u0026keycloak.GenericClientProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: samlClient.ID(),\n\t\t\tName: pulumi.String(\"test-mapper\"),\n\t\t\tProtocol: pulumi.String(\"saml\"),\n\t\t\tProtocolMapper: 
pulumi.String(\"saml-hardcode-attribute-mapper\"),\n\t\t\tConfig: pulumi.StringMap{\n\t\t\t\t\"attribute.name\": pulumi.String(\"name\"),\n\t\t\t\t\"attribute.nameformat\": pulumi.String(\"Basic\"),\n\t\t\t\t\"attribute.value\": pulumi.String(\"value\"),\n\t\t\t\t\"friendly.name\": pulumi.String(\"display name\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.saml.Client;\nimport com.pulumi.keycloak.saml.ClientArgs;\nimport com.pulumi.keycloak.GenericClientProtocolMapper;\nimport com.pulumi.keycloak.GenericClientProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var samlClient = new Client(\"samlClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .build());\n\n var samlHardcodeAttributeMapper = new GenericClientProtocolMapper(\"samlHardcodeAttributeMapper\", GenericClientProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(samlClient.id())\n .name(\"test-mapper\")\n .protocol(\"saml\")\n .protocolMapper(\"saml-hardcode-attribute-mapper\")\n .config(Map.ofEntries(\n Map.entry(\"attribute.name\", \"name\"),\n Map.entry(\"attribute.nameformat\", \"Basic\"),\n Map.entry(\"attribute.value\", \"value\"),\n Map.entry(\"friendly.name\", \"display name\")\n ))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n 
samlClient:\n type: keycloak:saml:Client\n name: saml_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n samlHardcodeAttributeMapper:\n type: keycloak:GenericClientProtocolMapper\n name: saml_hardcode_attribute_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${samlClient.id}\n name: test-mapper\n protocol: saml\n protocolMapper: saml-hardcode-attribute-mapper\n config:\n attribute.name: name\n attribute.nameformat: Basic\n attribute.value: value\n friendly.name: display name\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", "properties": { "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n" + "description": "The client this protocol mapper is attached to.\n" }, "clientScopeId": { "type": "string", 
@@ -2776,23 +2855,24 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "protocol": { "type": "string", - "description": "The protocol of the client (openid-connect / saml).\n" + "description": "The type of client (either `openid-connect` or `saml`). The type must match the type of the client.\n" }, "protocolMapper": { "type": "string", - "description": "The type of the protocol mapper.\n" + "description": "The name of the protocol mapper. The protocol mapper must be compatible with the specified client.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n" + "description": "The realm this protocol mapper exists within.\n" } }, "required": [ @@ -2805,7 +2885,7 @@ "inputProperties": { "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper is attached to.\n", "willReplaceOnChanges": true }, "clientScopeId": { 
@@ -2817,26 +2897,27 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n", + "description": "The display name of this protocol mapper in the GUI.\n", "willReplaceOnChanges": true }, "protocol": { "type": "string", - "description": "The protocol of the client (openid-connect / saml).\n", + "description": "The type of client (either `openid-connect` or `saml`). The type must match the type of the client.\n", "willReplaceOnChanges": true }, "protocolMapper": { "type": "string", - "description": "The type of the protocol mapper.\n", + "description": "The name of the protocol mapper. The protocol mapper must be compatible with the specified client.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, @@ -2851,7 +2932,7 @@ "properties": { "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper is attached to.\n", "willReplaceOnChanges": true }, "clientScopeId": { 
@@ -2863,26 +2944,27 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n", + "description": "The display name of this protocol mapper in the GUI.\n", "willReplaceOnChanges": true }, "protocol": { "type": "string", - "description": "The protocol of the client (openid-connect / saml).\n", + "description": "The type of client (either `openid-connect` or `saml`). The type must match the type of the client.\n", "willReplaceOnChanges": true }, "protocolMapper": { "type": "string", - "description": "The type of the protocol mapper.\n", + "description": "The name of the protocol mapper. The protocol mapper must be compatible with the specified client.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, 
@@ -3175,25 +3257,30 @@ } }, "keycloak:index/group:Group": { - "description": "## # keycloak.Group\n\nAllows for creating and managing Groups within Keycloak.\n\nGroups provide a logical wrapping for users within Keycloak. Users within a\ngroup can share attributes and roles, and group membership can be mapped\nto a claim.\n\nAttributes can also be defined on Groups.\n\nGroups can also be federated from external data sources, such as LDAP or Active Directory.\nThis resource **should not** be used to manage groups that were created this way.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst parentGroup = new keycloak.Group(\"parent_group\", {\n realmId: realm.id,\n name: \"parent-group\",\n});\nconst childGroup = new keycloak.Group(\"child_group\", {\n realmId: realm.id,\n parentId: parentGroup.id,\n name: \"child-group\",\n});\nconst childGroupWithOptionalAttributes = new keycloak.Group(\"child_group_with_optional_attributes\", {\n realmId: realm.id,\n parentId: parentGroup.id,\n name: \"child-group-with-optional-attributes\",\n attributes: {\n key1: \"value1\",\n key2: \"value2\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nparent_group = keycloak.Group(\"parent_group\",\n realm_id=realm.id,\n name=\"parent-group\")\nchild_group = keycloak.Group(\"child_group\",\n realm_id=realm.id,\n parent_id=parent_group.id,\n name=\"child-group\")\nchild_group_with_optional_attributes = keycloak.Group(\"child_group_with_optional_attributes\",\n realm_id=realm.id,\n parent_id=parent_group.id,\n name=\"child-group-with-optional-attributes\",\n attributes={\n \"key1\": \"value1\",\n \"key2\": \"value2\",\n })\n```\n```csharp\nusing 
System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var parentGroup = new Keycloak.Group(\"parent_group\", new()\n {\n RealmId = realm.Id,\n Name = \"parent-group\",\n });\n\n var childGroup = new Keycloak.Group(\"child_group\", new()\n {\n RealmId = realm.Id,\n ParentId = parentGroup.Id,\n Name = \"child-group\",\n });\n\n var childGroupWithOptionalAttributes = new Keycloak.Group(\"child_group_with_optional_attributes\", new()\n {\n RealmId = realm.Id,\n ParentId = parentGroup.Id,\n Name = \"child-group-with-optional-attributes\",\n Attributes = \n {\n { \"key1\", \"value1\" },\n { \"key2\", \"value2\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tparentGroup, err := keycloak.NewGroup(ctx, \"parent_group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"parent-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroup(ctx, \"child_group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tParentId: parentGroup.ID(),\n\t\t\tName: pulumi.String(\"child-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroup(ctx, \"child_group_with_optional_attributes\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tParentId: parentGroup.ID(),\n\t\t\tName: pulumi.String(\"child-group-with-optional-attributes\"),\n\t\t\tAttributes: 
pulumi.StringMap{\n\t\t\t\t\"key1\": pulumi.String(\"value1\"),\n\t\t\t\t\"key2\": pulumi.String(\"value2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Group;\nimport com.pulumi.keycloak.GroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var parentGroup = new Group(\"parentGroup\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"parent-group\")\n .build());\n\n var childGroup = new Group(\"childGroup\", GroupArgs.builder()\n .realmId(realm.id())\n .parentId(parentGroup.id())\n .name(\"child-group\")\n .build());\n\n var childGroupWithOptionalAttributes = new Group(\"childGroupWithOptionalAttributes\", GroupArgs.builder()\n .realmId(realm.id())\n .parentId(parentGroup.id())\n .name(\"child-group-with-optional-attributes\")\n .attributes(Map.ofEntries(\n Map.entry(\"key1\", \"value1\"),\n Map.entry(\"key2\", \"value2\")\n ))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n parentGroup:\n type: keycloak:Group\n name: parent_group\n properties:\n realmId: ${realm.id}\n name: parent-group\n childGroup:\n type: keycloak:Group\n name: child_group\n properties:\n realmId: ${realm.id}\n parentId: ${parentGroup.id}\n name: child-group\n childGroupWithOptionalAttributes:\n type: keycloak:Group\n name: child_group_with_optional_attributes\n properties:\n 
realmId: ${realm.id}\n parentId: ${parentGroup.id}\n name: child-group-with-optional-attributes\n attributes:\n key1: value1\n key2: value2\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this group exists in.\n- `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level.\n- `name` - (Required) The name of the group.\n- `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group.\n\n### Attributes Reference\n\nIn addition to the arguments listed above, the following computed attributes are exported:\n\n- `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.\n\n### Import\n\nGroups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak\nassigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID.\n\nExample:\n\n```bash\n$ terraform import keycloak_group.child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd\n```\n", + "description": "Allows for creating and managing Groups within Keycloak.\n\nGroups provide a logical wrapping for users within Keycloak. Users within a group can share attributes and roles, and\ngroup membership can be mapped to a claim.\n\nAttributes can also be defined on Groups.\n\nGroups can also be federated from external data sources, such as LDAP or Active Directory. 
This resource **should not**\nbe used to manage groups that were created this way.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst parentGroup = new keycloak.Group(\"parent_group\", {\n realmId: realm.id,\n name: \"parent-group\",\n});\nconst childGroup = new keycloak.Group(\"child_group\", {\n realmId: realm.id,\n parentId: parentGroup.id,\n name: \"child-group\",\n});\nconst childGroupWithOptionalAttributes = new keycloak.Group(\"child_group_with_optional_attributes\", {\n realmId: realm.id,\n parentId: parentGroup.id,\n name: \"child-group-with-optional-attributes\",\n attributes: {\n foo: \"bar\",\n multivalue: \"value1##value2\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nparent_group = keycloak.Group(\"parent_group\",\n realm_id=realm.id,\n name=\"parent-group\")\nchild_group = keycloak.Group(\"child_group\",\n realm_id=realm.id,\n parent_id=parent_group.id,\n name=\"child-group\")\nchild_group_with_optional_attributes = keycloak.Group(\"child_group_with_optional_attributes\",\n realm_id=realm.id,\n parent_id=parent_group.id,\n name=\"child-group-with-optional-attributes\",\n attributes={\n \"foo\": \"bar\",\n \"multivalue\": \"value1##value2\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var parentGroup = new Keycloak.Group(\"parent_group\", new()\n {\n RealmId = realm.Id,\n Name = \"parent-group\",\n });\n\n var childGroup = new Keycloak.Group(\"child_group\", new()\n {\n RealmId = 
realm.Id,\n ParentId = parentGroup.Id,\n Name = \"child-group\",\n });\n\n var childGroupWithOptionalAttributes = new Keycloak.Group(\"child_group_with_optional_attributes\", new()\n {\n RealmId = realm.Id,\n ParentId = parentGroup.Id,\n Name = \"child-group-with-optional-attributes\",\n Attributes = \n {\n { \"foo\", \"bar\" },\n { \"multivalue\", \"value1##value2\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tparentGroup, err := keycloak.NewGroup(ctx, \"parent_group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"parent-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroup(ctx, \"child_group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tParentId: parentGroup.ID(),\n\t\t\tName: pulumi.String(\"child-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroup(ctx, \"child_group_with_optional_attributes\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tParentId: parentGroup.ID(),\n\t\t\tName: pulumi.String(\"child-group-with-optional-attributes\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"foo\": pulumi.String(\"bar\"),\n\t\t\t\t\"multivalue\": pulumi.String(\"value1##value2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Group;\nimport 
com.pulumi.keycloak.GroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var parentGroup = new Group(\"parentGroup\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"parent-group\")\n .build());\n\n var childGroup = new Group(\"childGroup\", GroupArgs.builder()\n .realmId(realm.id())\n .parentId(parentGroup.id())\n .name(\"child-group\")\n .build());\n\n var childGroupWithOptionalAttributes = new Group(\"childGroupWithOptionalAttributes\", GroupArgs.builder()\n .realmId(realm.id())\n .parentId(parentGroup.id())\n .name(\"child-group-with-optional-attributes\")\n .attributes(Map.ofEntries(\n Map.entry(\"foo\", \"bar\"),\n Map.entry(\"multivalue\", \"value1##value2\")\n ))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n parentGroup:\n type: keycloak:Group\n name: parent_group\n properties:\n realmId: ${realm.id}\n name: parent-group\n childGroup:\n type: keycloak:Group\n name: child_group\n properties:\n realmId: ${realm.id}\n parentId: ${parentGroup.id}\n name: child-group\n childGroupWithOptionalAttributes:\n type: keycloak:Group\n name: child_group_with_optional_attributes\n properties:\n realmId: ${realm.id}\n parentId: ${parentGroup.id}\n name: child-group-with-optional-attributes\n attributes:\n foo: bar\n multivalue: value1##value2\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nGroups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak\n\nassigns to the group upon creation. 
This value can be found in the URI when editing this group in the GUI, and is typically a GUID.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/group:Group child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd\n```\n\n",
 "properties": {
 "attributes": {
 "type": "object",
 "additionalProperties": {
 "type": "string"
-}
+},
+"description": "A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars\n"
 },
 "name": {
-"type": "string"
+"type": "string",
+"description": "The name of the group.\n"
 },
 "parentId": {
-"type": "string"
+"type": "string",
+"description": "The ID of this group's parent. If omitted, this group will be defined at the root level.\n"
 },
 "path": {
-"type": "string"
+"type": "string",
+"description": "(Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.\n"
 },
 "realmId": {
-"type": "string"
+"type": "string",
+"description": "The realm this group exists in.\n"
 }
 },
 "required": [
@@ -3206,17 +3293,21 @@
 "type": "object",
 "additionalProperties": {
 "type": "string"
-}
+},
+"description": "A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars\n"
 },
 "name": {
-"type": "string"
+"type": "string",
+"description": "The name of the group.\n"
 },
 "parentId": {
 "type": "string",
+"description": "The ID of this group's parent. If omitted, this group will be defined at the root level.\n",
 "willReplaceOnChanges": true
 },
 "realmId": {
 "type": "string",
+"description": "The realm this group exists in.\n",
 "willReplaceOnChanges": true
 }
 },
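Review bot: The new `attributes` description added in this hunk (and repeated in the `@@ -3206` and `@@ -3230` hunks for the same resource) carries the misspelling "seperate" in `use `##` to seperate the values`, and the resource description gained a stray `bash\n\n` line immediately before the ` ```sh ` import fence, which will render as a literal word above the code block. Both strings appear to be generated from the upstream provider docs during schema generation, so editing schema.json directly would be overwritten on the next regeneration; the fix belongs in the docs source or the docs edit rules that produce these strings. The enclosing `keycloak:index/group:Group` hunk begins several lines earlier in the diff.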
@@ -3230,20 +3321,25 @@
 "type": "object",
 "additionalProperties": {
 "type": "string"
-}
+},
+"description": "A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars\n"
 },
 "name": {
-"type": "string"
+"type": "string",
+"description": "The name of the group.\n"
 },
 "parentId": {
 "type": "string",
+"description": "The ID of this group's parent. If omitted, this group will be defined at the root level.\n",
 "willReplaceOnChanges": true
 },
 "path": {
-"type": "string"
+"type": "string",
+"description": "(Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.\n"
 },
 "realmId": {
 "type": "string",
+"description": "The realm this group exists in.\n",
 "willReplaceOnChanges": true
 }
 },
@@ -3251,19 +3347,22 @@ } }, "keycloak:index/groupMemberships:GroupMemberships": { - "description": "## # keycloak.GroupMemberships\n\nAllows for managing a Keycloak group's members.\n\nNote that this resource attempts to be an **authoritative** source over group members.\nWhen this resource takes control over a group's members, users that are manually added\nto the group will be removed, and users that are manually removed from the group will\nbe added upon the next run of `pulumi up`. Eventually, a non-authoritative resource\nfor group membership will be added to this provider.\n\nAlso note that you should not use `keycloak.GroupMemberships` with a group has been assigned\nas a default group via `keycloak.DefaultGroups`.\n\nThis resource **should not** be used to control membership of a group that has its members\nfederated from an external source via group mapping.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst group = new keycloak.Group(\"group\", {\n realmId: realm.id,\n name: \"my-group\",\n});\nconst user = new keycloak.User(\"user\", {\n realmId: realm.id,\n username: \"my-user\",\n});\nconst groupMembers = new keycloak.GroupMemberships(\"group_members\", {\n realmId: realm.id,\n groupId: group.id,\n members: [user.username],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\ngroup = keycloak.Group(\"group\",\n realm_id=realm.id,\n name=\"my-group\")\nuser = keycloak.User(\"user\",\n realm_id=realm.id,\n username=\"my-user\")\ngroup_members = keycloak.GroupMemberships(\"group_members\",\n realm_id=realm.id,\n group_id=group.id,\n members=[user.username])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing 
Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var @group = new Keycloak.Group(\"group\", new()\n {\n RealmId = realm.Id,\n Name = \"my-group\",\n });\n\n var user = new Keycloak.User(\"user\", new()\n {\n RealmId = realm.Id,\n Username = \"my-user\",\n });\n\n var groupMembers = new Keycloak.GroupMemberships(\"group_members\", new()\n {\n RealmId = realm.Id,\n GroupId = @group.Id,\n Members = new[]\n {\n user.Username,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err := keycloak.NewGroup(ctx, \"group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser, err := keycloak.NewUser(ctx, \"user\", \u0026keycloak.UserArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsername: pulumi.String(\"my-user\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroupMemberships(ctx, \"group_members\", \u0026keycloak.GroupMembershipsArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupId: group.ID(),\n\t\t\tMembers: pulumi.StringArray{\n\t\t\t\tuser.Username,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Group;\nimport 
com.pulumi.keycloak.GroupArgs;\nimport com.pulumi.keycloak.User;\nimport com.pulumi.keycloak.UserArgs;\nimport com.pulumi.keycloak.GroupMemberships;\nimport com.pulumi.keycloak.GroupMembershipsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var group = new Group(\"group\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"my-group\")\n .build());\n\n var user = new User(\"user\", UserArgs.builder()\n .realmId(realm.id())\n .username(\"my-user\")\n .build());\n\n var groupMembers = new GroupMemberships(\"groupMembers\", GroupMembershipsArgs.builder()\n .realmId(realm.id())\n .groupId(group.id())\n .members(user.username())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n group:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n name: my-group\n user:\n type: keycloak:User\n properties:\n realmId: ${realm.id}\n username: my-user\n groupMembers:\n type: keycloak:GroupMemberships\n name: group_members\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n members:\n - ${user.username}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this group exists in.\n- `group_id` - (Required) The ID of the group this resource should manage memberships for.\n- `members` - (Required) An array of usernames that belong to this group.\n\n### Import\n\nThis resource does not support import. 
Instead of importing, feel free to create this resource\nas if it did not already exist on the server.\n", + "description": "Allows for managing a Keycloak group's members.\n\nNote that this resource attempts to be an **authoritative** source over group members. When this resource takes control\nover a group's members, users that are manually added to the group will be removed, and users that are manually removed\nfrom the group will be added upon the next run of `pulumi up`.\n\nAlso note that you should not use `keycloak.GroupMemberships` with a group has been assigned as a default group via\n`keycloak.DefaultGroups`.\n\nThis resource **should not** be used to control membership of a group that has its members federated from an external\nsource via group mapping.\n\nTo non-exclusively manage the group's of a user, see the [`keycloak.UserGroups` resource][1]\n\nThis resource paginates its data loading on refresh by 50 items.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst group = new keycloak.Group(\"group\", {\n realmId: realm.id,\n name: \"my-group\",\n});\nconst user = new keycloak.User(\"user\", {\n realmId: realm.id,\n username: \"my-user\",\n});\nconst groupMembers = new keycloak.GroupMemberships(\"group_members\", {\n realmId: realm.id,\n groupId: group.id,\n members: [user.username],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\ngroup = keycloak.Group(\"group\",\n realm_id=realm.id,\n name=\"my-group\")\nuser = keycloak.User(\"user\",\n realm_id=realm.id,\n username=\"my-user\")\ngroup_members = keycloak.GroupMemberships(\"group_members\",\n realm_id=realm.id,\n group_id=group.id,\n members=[user.username])\n```\n```csharp\nusing 
System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var @group = new Keycloak.Group(\"group\", new()\n {\n RealmId = realm.Id,\n Name = \"my-group\",\n });\n\n var user = new Keycloak.User(\"user\", new()\n {\n RealmId = realm.Id,\n Username = \"my-user\",\n });\n\n var groupMembers = new Keycloak.GroupMemberships(\"group_members\", new()\n {\n RealmId = realm.Id,\n GroupId = @group.Id,\n Members = new[]\n {\n user.Username,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err := keycloak.NewGroup(ctx, \"group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser, err := keycloak.NewUser(ctx, \"user\", \u0026keycloak.UserArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsername: pulumi.String(\"my-user\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroupMemberships(ctx, \"group_members\", \u0026keycloak.GroupMembershipsArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupId: group.ID(),\n\t\t\tMembers: pulumi.StringArray{\n\t\t\t\tuser.Username,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport 
com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Group;\nimport com.pulumi.keycloak.GroupArgs;\nimport com.pulumi.keycloak.User;\nimport com.pulumi.keycloak.UserArgs;\nimport com.pulumi.keycloak.GroupMemberships;\nimport com.pulumi.keycloak.GroupMembershipsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var group = new Group(\"group\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"my-group\")\n .build());\n\n var user = new User(\"user\", UserArgs.builder()\n .realmId(realm.id())\n .username(\"my-user\")\n .build());\n\n var groupMembers = new GroupMemberships(\"groupMembers\", GroupMembershipsArgs.builder()\n .realmId(realm.id())\n .groupId(group.id())\n .members(user.username())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n group:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n name: my-group\n user:\n type: keycloak:User\n properties:\n realmId: ${realm.id}\n username: my-user\n groupMembers:\n type: keycloak:GroupMemberships\n name: group_members\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n members:\n - ${user.username}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThis resource does not support import. 
Instead of importing, feel free to create this resource\n\nas if it did not already exist on the server.\n\n[1]: providers/mrparkers/keycloak/latest/docs/resources/group_memberships\n\n",
 "properties": {
 "groupId": {
-"type": "string"
+"type": "string",
+"description": "The ID of the group this resource should manage memberships for.\n"
 },
 "members": {
 "type": "array",
 "items": {
 "type": "string"
-}
+},
+"description": "A list of usernames that belong to this group.\n"
 },
 "realmId": {
-"type": "string"
+"type": "string",
+"description": "The realm this group exists in.\n"
 }
 },
 "required": [
@@ -3273,16 +3372,19 @@
 "inputProperties": {
 "groupId": {
 "type": "string",
+"description": "The ID of the group this resource should manage memberships for.\n",
 "willReplaceOnChanges": true
 },
 "members": {
 "type": "array",
 "items": {
 "type": "string"
-}
+},
+"description": "A list of usernames that belong to this group.\n"
 },
 "realmId": {
 "type": "string",
+"description": "The realm this group exists in.\n",
 "willReplaceOnChanges": true
 }
 },
@@ -3295,16 +3397,19 @@
 "properties": {
 "groupId": {
 "type": "string",
+"description": "The ID of the group this resource should manage memberships for.\n",
 "willReplaceOnChanges": true
 },
 "members": {
 "type": "array",
 "items": {
 "type": "string"
-}
+},
+"description": "A list of usernames that belong to this group.\n"
 },
 "realmId": {
 "type": "string",
+"description": "The realm this group exists in.\n",
 "willReplaceOnChanges": true
 }
 },
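Review bot: The new `keycloak:index/groupMemberships:GroupMemberships` description points its `[1]` footnote at the wrong place: the sentence says "see the `keycloak.UserGroups` resource", but the reference resolves to `providers/mrparkers/keycloak/latest/docs/resources/group_memberships`, a Terraform-registry-relative path for the old fork name that names the group_memberships page rather than the user_groups one, so it neither matches the text nor resolves from the Pulumi docs. The same paragraph also reads "with a group has been assigned", which is missing "that". Since this description is generated from the upstream docs, the link rewrite and the wording fix should go into the docs source or the docs edit rules rather than into schema.json. The enclosing hunk begins several lines earlier in the diff.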
@@ -3416,22 +3521,26 @@ } }, "keycloak:index/groupRoles:GroupRoles": { - "description": "## # keycloak.GroupRoles\n\nAllows you to manage roles assigned to a Keycloak group.\n\nNote that this resource attempts to be an **authoritative** source over\ngroup roles. When this resource takes control over a group's roles,\nroles that are manually added to the group will be removed, and roles\nthat are manually removed from the group will be added upon the next run\nof `pulumi up`.\n\nNote that when assigning composite roles to a group, you may see a\nnon-empty plan following a `pulumi up` if you assign a role and a\ncomposite that includes that role to the same group.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst realmRole = new keycloak.Role(\"realm_role\", {\n realmId: realm.id,\n name: \"my-realm-role\",\n description: \"My Realm Role\",\n});\nconst client = new keycloak.openid.Client(\"client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"BEARER-ONLY\",\n});\nconst clientRole = new keycloak.Role(\"client_role\", {\n realmId: realm.id,\n clientId: clientKeycloakClient.id,\n name: \"my-client-role\",\n description: \"My Client Role\",\n});\nconst group = new keycloak.Group(\"group\", {\n realmId: realm.id,\n name: \"my-group\",\n});\nconst groupRoles = new keycloak.GroupRoles(\"group_roles\", {\n realmId: realm.id,\n groupId: group.id,\n roleIds: [\n realmRole.id,\n clientRole.id,\n ],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrealm_role = keycloak.Role(\"realm_role\",\n realm_id=realm.id,\n name=\"my-realm-role\",\n description=\"My Realm Role\")\nclient = 
keycloak.openid.Client(\"client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"BEARER-ONLY\")\nclient_role = keycloak.Role(\"client_role\",\n realm_id=realm.id,\n client_id=client_keycloak_client[\"id\"],\n name=\"my-client-role\",\n description=\"My Client Role\")\ngroup = keycloak.Group(\"group\",\n realm_id=realm.id,\n name=\"my-group\")\ngroup_roles = keycloak.GroupRoles(\"group_roles\",\n realm_id=realm.id,\n group_id=group.id,\n role_ids=[\n realm_role.id,\n client_role.id,\n ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var realmRole = new Keycloak.Role(\"realm_role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-realm-role\",\n Description = \"My Realm Role\",\n });\n\n var client = new Keycloak.OpenId.Client(\"client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"BEARER-ONLY\",\n });\n\n var clientRole = new Keycloak.Role(\"client_role\", new()\n {\n RealmId = realm.Id,\n ClientId = clientKeycloakClient.Id,\n Name = \"my-client-role\",\n Description = \"My Client Role\",\n });\n\n var @group = new Keycloak.Group(\"group\", new()\n {\n RealmId = realm.Id,\n Name = \"my-group\",\n });\n\n var groupRoles = new Keycloak.GroupRoles(\"group_roles\", new()\n {\n RealmId = realm.Id,\n GroupId = @group.Id,\n RoleIds = new[]\n {\n realmRole.Id,\n clientRole.Id,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", 
\u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trealmRole, err := keycloak.NewRole(ctx, \"realm_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-realm-role\"),\n\t\t\tDescription: pulumi.String(\"My Realm Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClient(ctx, \"client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"BEARER-ONLY\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientRole, err := keycloak.NewRole(ctx, \"client_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.Any(clientKeycloakClient.Id),\n\t\t\tName: pulumi.String(\"my-client-role\"),\n\t\t\tDescription: pulumi.String(\"My Client Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err := keycloak.NewGroup(ctx, \"group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroupRoles(ctx, \"group_roles\", \u0026keycloak.GroupRolesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupId: group.ID(),\n\t\t\tRoleIds: pulumi.StringArray{\n\t\t\t\trealmRole.ID(),\n\t\t\t\tclientRole.ID(),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport 
com.pulumi.keycloak.Group;\nimport com.pulumi.keycloak.GroupArgs;\nimport com.pulumi.keycloak.GroupRoles;\nimport com.pulumi.keycloak.GroupRolesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var realmRole = new Role(\"realmRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-realm-role\")\n .description(\"My Realm Role\")\n .build());\n\n var client = new Client(\"client\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"BEARER-ONLY\")\n .build());\n\n var clientRole = new Role(\"clientRole\", RoleArgs.builder()\n .realmId(realm.id())\n .clientId(clientKeycloakClient.id())\n .name(\"my-client-role\")\n .description(\"My Client Role\")\n .build());\n\n var group = new Group(\"group\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"my-group\")\n .build());\n\n var groupRoles = new GroupRoles(\"groupRoles\", GroupRolesArgs.builder()\n .realmId(realm.id())\n .groupId(group.id())\n .roleIds( \n realmRole.id(),\n clientRole.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n realmRole:\n type: keycloak:Role\n name: realm_role\n properties:\n realmId: ${realm.id}\n name: my-realm-role\n description: My Realm Role\n client:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: BEARER-ONLY\n clientRole:\n type: keycloak:Role\n name: client_role\n properties:\n realmId: ${realm.id}\n clientId: ${clientKeycloakClient.id}\n name: my-client-role\n description: My Client 
Role\n group:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n name: my-group\n groupRoles:\n type: keycloak:GroupRoles\n name: group_roles\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n roleIds:\n - ${realmRole.id}\n - ${clientRole.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this group exists in.\n- `group_id` - (Required) The ID of the group this resource should\n manage roles for.\n- `role_ids` - (Required) A list of role IDs to map to the group\n\n### Import\n\nThis resource can be imported using the format\n`{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that\nKeycloak assigns to the group upon creation. This value can be found in\nthe URI when editing this group in the GUI, and is typically a GUID.\n\nExample:\n\n```bash\n$ terraform import keycloak_group_roles.group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94\n```\n", + "description": "Allows you to manage roles assigned to a Keycloak group.\n\nIf `exhaustive` is true, this resource attempts to be an **authoritative** source over group roles: roles that are manually added to the group will be removed, and roles that are manually removed from the\ngroup will be added upon the next run of `pulumi up`.\nIf `exhaustive` is false, this resource is a partial assignation of roles to a group. 
As a result, you can get multiple `keycloak.GroupRoles` for the same `group_id`.\n\nNote that when assigning composite roles to a group, you may see a non-empty plan following a `pulumi up` if you\nassign a role and a composite that includes that role to the same group.\n\n## Example Usage\n\n### Exhaustive Roles)\n\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst realmRole = new keycloak.Role(\"realm_role\", {\n realmId: realm.id,\n name: \"my-realm-role\",\n description: \"My Realm Role\",\n});\nconst client = new keycloak.openid.Client(\"client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"BEARER-ONLY\",\n});\nconst clientRole = new keycloak.Role(\"client_role\", {\n realmId: realm.id,\n clientId: clientKeycloakClient.id,\n name: \"my-client-role\",\n description: \"My Client Role\",\n});\nconst group = new keycloak.Group(\"group\", {\n realmId: realm.id,\n name: \"my-group\",\n});\nconst groupRoles = new keycloak.GroupRoles(\"group_roles\", {\n realmId: realm.id,\n groupId: group.id,\n roleIds: [\n realmRole.id,\n clientRole.id,\n ],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrealm_role = keycloak.Role(\"realm_role\",\n realm_id=realm.id,\n name=\"my-realm-role\",\n description=\"My Realm Role\")\nclient = keycloak.openid.Client(\"client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"BEARER-ONLY\")\nclient_role = keycloak.Role(\"client_role\",\n realm_id=realm.id,\n client_id=client_keycloak_client[\"id\"],\n name=\"my-client-role\",\n description=\"My Client Role\")\ngroup = keycloak.Group(\"group\",\n realm_id=realm.id,\n 
name=\"my-group\")\ngroup_roles = keycloak.GroupRoles(\"group_roles\",\n realm_id=realm.id,\n group_id=group.id,\n role_ids=[\n realm_role.id,\n client_role.id,\n ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var realmRole = new Keycloak.Role(\"realm_role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-realm-role\",\n Description = \"My Realm Role\",\n });\n\n var client = new Keycloak.OpenId.Client(\"client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"BEARER-ONLY\",\n });\n\n var clientRole = new Keycloak.Role(\"client_role\", new()\n {\n RealmId = realm.Id,\n ClientId = clientKeycloakClient.Id,\n Name = \"my-client-role\",\n Description = \"My Client Role\",\n });\n\n var @group = new Keycloak.Group(\"group\", new()\n {\n RealmId = realm.Id,\n Name = \"my-group\",\n });\n\n var groupRoles = new Keycloak.GroupRoles(\"group_roles\", new()\n {\n RealmId = realm.Id,\n GroupId = @group.Id,\n RoleIds = new[]\n {\n realmRole.Id,\n clientRole.Id,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trealmRole, err := keycloak.NewRole(ctx, \"realm_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-realm-role\"),\n\t\t\tDescription: pulumi.String(\"My Realm 
Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClient(ctx, \"client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"BEARER-ONLY\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientRole, err := keycloak.NewRole(ctx, \"client_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.Any(clientKeycloakClient.Id),\n\t\t\tName: pulumi.String(\"my-client-role\"),\n\t\t\tDescription: pulumi.String(\"My Client Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err := keycloak.NewGroup(ctx, \"group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroupRoles(ctx, \"group_roles\", \u0026keycloak.GroupRolesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupId: group.ID(),\n\t\t\tRoleIds: pulumi.StringArray{\n\t\t\t\trealmRole.ID(),\n\t\t\t\tclientRole.ID(),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.Group;\nimport com.pulumi.keycloak.GroupArgs;\nimport com.pulumi.keycloak.GroupRoles;\nimport com.pulumi.keycloak.GroupRolesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n 
Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var realmRole = new Role(\"realmRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-realm-role\")\n .description(\"My Realm Role\")\n .build());\n\n var client = new Client(\"client\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"BEARER-ONLY\")\n .build());\n\n var clientRole = new Role(\"clientRole\", RoleArgs.builder()\n .realmId(realm.id())\n .clientId(clientKeycloakClient.id())\n .name(\"my-client-role\")\n .description(\"My Client Role\")\n .build());\n\n var group = new Group(\"group\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"my-group\")\n .build());\n\n var groupRoles = new GroupRoles(\"groupRoles\", GroupRolesArgs.builder()\n .realmId(realm.id())\n .groupId(group.id())\n .roleIds( \n realmRole.id(),\n clientRole.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n realmRole:\n type: keycloak:Role\n name: realm_role\n properties:\n realmId: ${realm.id}\n name: my-realm-role\n description: My Realm Role\n client:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: BEARER-ONLY\n clientRole:\n type: keycloak:Role\n name: client_role\n properties:\n realmId: ${realm.id}\n clientId: ${clientKeycloakClient.id}\n name: my-client-role\n description: My Client Role\n group:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n name: my-group\n groupRoles:\n type: keycloak:GroupRoles\n name: group_roles\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n roleIds:\n - ${realmRole.id}\n - ${clientRole.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Non Exhaustive Roles)\n\n\u003c!--Start 
PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst realmRole = new keycloak.Role(\"realm_role\", {\n realmId: realm.id,\n name: \"my-realm-role\",\n description: \"My Realm Role\",\n});\nconst client = new keycloak.openid.Client(\"client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"BEARER-ONLY\",\n});\nconst clientRole = new keycloak.Role(\"client_role\", {\n realmId: realm.id,\n clientId: clientKeycloakClient.id,\n name: \"my-client-role\",\n description: \"My Client Role\",\n});\nconst group = new keycloak.Group(\"group\", {\n realmId: realm.id,\n name: \"my-group\",\n});\nconst groupRoleAssociation1 = new keycloak.GroupRoles(\"group_role_association1\", {\n realmId: realm.id,\n groupId: group.id,\n exhaustive: false,\n roleIds: [realmRole.id],\n});\nconst groupRoleAssociation2 = new keycloak.GroupRoles(\"group_role_association2\", {\n realmId: realm.id,\n groupId: group.id,\n exhaustive: false,\n roleIds: [clientRole.id],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrealm_role = keycloak.Role(\"realm_role\",\n realm_id=realm.id,\n name=\"my-realm-role\",\n description=\"My Realm Role\")\nclient = keycloak.openid.Client(\"client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"BEARER-ONLY\")\nclient_role = keycloak.Role(\"client_role\",\n realm_id=realm.id,\n client_id=client_keycloak_client[\"id\"],\n name=\"my-client-role\",\n description=\"My Client Role\")\ngroup = keycloak.Group(\"group\",\n realm_id=realm.id,\n name=\"my-group\")\ngroup_role_association1 = keycloak.GroupRoles(\"group_role_association1\",\n realm_id=realm.id,\n group_id=group.id,\n exhaustive=False,\n 
role_ids=[realm_role.id])\ngroup_role_association2 = keycloak.GroupRoles(\"group_role_association2\",\n realm_id=realm.id,\n group_id=group.id,\n exhaustive=False,\n role_ids=[client_role.id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var realmRole = new Keycloak.Role(\"realm_role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-realm-role\",\n Description = \"My Realm Role\",\n });\n\n var client = new Keycloak.OpenId.Client(\"client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"BEARER-ONLY\",\n });\n\n var clientRole = new Keycloak.Role(\"client_role\", new()\n {\n RealmId = realm.Id,\n ClientId = clientKeycloakClient.Id,\n Name = \"my-client-role\",\n Description = \"My Client Role\",\n });\n\n var @group = new Keycloak.Group(\"group\", new()\n {\n RealmId = realm.Id,\n Name = \"my-group\",\n });\n\n var groupRoleAssociation1 = new Keycloak.GroupRoles(\"group_role_association1\", new()\n {\n RealmId = realm.Id,\n GroupId = @group.Id,\n Exhaustive = false,\n RoleIds = new[]\n {\n realmRole.Id,\n },\n });\n\n var groupRoleAssociation2 = new Keycloak.GroupRoles(\"group_role_association2\", new()\n {\n RealmId = realm.Id,\n GroupId = @group.Id,\n Exhaustive = false,\n RoleIds = new[]\n {\n clientRole.Id,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: 
pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trealmRole, err := keycloak.NewRole(ctx, \"realm_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-realm-role\"),\n\t\t\tDescription: pulumi.String(\"My Realm Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClient(ctx, \"client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"BEARER-ONLY\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientRole, err := keycloak.NewRole(ctx, \"client_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.Any(clientKeycloakClient.Id),\n\t\t\tName: pulumi.String(\"my-client-role\"),\n\t\t\tDescription: pulumi.String(\"My Client Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err := keycloak.NewGroup(ctx, \"group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroupRoles(ctx, \"group_role_association1\", \u0026keycloak.GroupRolesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupId: group.ID(),\n\t\t\tExhaustive: pulumi.Bool(false),\n\t\t\tRoleIds: pulumi.StringArray{\n\t\t\t\trealmRole.ID(),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroupRoles(ctx, \"group_role_association2\", \u0026keycloak.GroupRolesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupId: group.ID(),\n\t\t\tExhaustive: pulumi.Bool(false),\n\t\t\tRoleIds: pulumi.StringArray{\n\t\t\t\tclientRole.ID(),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport 
com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.Group;\nimport com.pulumi.keycloak.GroupArgs;\nimport com.pulumi.keycloak.GroupRoles;\nimport com.pulumi.keycloak.GroupRolesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var realmRole = new Role(\"realmRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-realm-role\")\n .description(\"My Realm Role\")\n .build());\n\n var client = new Client(\"client\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"BEARER-ONLY\")\n .build());\n\n var clientRole = new Role(\"clientRole\", RoleArgs.builder()\n .realmId(realm.id())\n .clientId(clientKeycloakClient.id())\n .name(\"my-client-role\")\n .description(\"My Client Role\")\n .build());\n\n var group = new Group(\"group\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"my-group\")\n .build());\n\n var groupRoleAssociation1 = new GroupRoles(\"groupRoleAssociation1\", GroupRolesArgs.builder()\n .realmId(realm.id())\n .groupId(group.id())\n .exhaustive(false)\n .roleIds(realmRole.id())\n .build());\n\n var groupRoleAssociation2 = new GroupRoles(\"groupRoleAssociation2\", GroupRolesArgs.builder()\n .realmId(realm.id())\n .groupId(group.id())\n .exhaustive(false)\n .roleIds(clientRole.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: 
my-realm\n enabled: true\n realmRole:\n type: keycloak:Role\n name: realm_role\n properties:\n realmId: ${realm.id}\n name: my-realm-role\n description: My Realm Role\n client:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: BEARER-ONLY\n clientRole:\n type: keycloak:Role\n name: client_role\n properties:\n realmId: ${realm.id}\n clientId: ${clientKeycloakClient.id}\n name: my-client-role\n description: My Client Role\n group:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n name: my-group\n groupRoleAssociation1:\n type: keycloak:GroupRoles\n name: group_role_association1\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n exhaustive: false\n roleIds:\n - ${realmRole.id}\n groupRoleAssociation2:\n type: keycloak:GroupRoles\n name: group_role_association2\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n exhaustive: false\n roleIds:\n - ${clientRole.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThis resource can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak\n\nassigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically\n\na GUID.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/groupRoles:GroupRoles group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94\n```\n\n", "properties": { "exhaustive": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. 
Defaults to `true`.\n"
         },
         "groupId": {
-          "type": "string"
+          "type": "string",
+          "description": "The ID of the group this resource should manage roles for.\n"
         },
         "realmId": {
-          "type": "string"
+          "type": "string",
+          "description": "The realm this group exists in.\n"
         },
         "roleIds": {
           "type": "array",
           "items": {
             "type": "string"
-          }
+          },
+          "description": "A list of role IDs to map to the group.\n"
         }
       },
       "required": [
@@ -3441,21 +3550,25 @@
       ],
       "inputProperties": {
         "exhaustive": {
-          "type": "boolean"
+          "type": "boolean",
+          "description": "Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`.\n"
         },
         "groupId": {
           "type": "string",
+          "description": "The ID of the group this resource should manage roles for.\n",
           "willReplaceOnChanges": true
         },
         "realmId": {
           "type": "string",
+          "description": "The realm this group exists in.\n",
           "willReplaceOnChanges": true
         },
         "roleIds": {
           "type": "array",
           "items": {
             "type": "string"
-          }
+          },
+          "description": "A list of role IDs to map to the group.\n"
         }
       },
       "requiredInputs": [
@@ -3467,21 +3580,25 @@
       "description": "Input properties used for looking up and filtering GroupRoles resources.\n",
       "properties": {
         "exhaustive": {
-          "type": "boolean"
+          "type": "boolean",
+          "description": "Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`.\n"
         },
         "groupId": {
           "type": "string",
+          "description": "The ID of the group this resource should manage roles for.\n",
           "willReplaceOnChanges": true
         },
         "realmId": {
           "type": "string",
+          "description": "The realm this group exists in.\n",
           "willReplaceOnChanges": true
         },
         "roleIds": {
           "type": "array",
           "items": {
             "type": "string"
-          }
+          },
+          "description": "A list of role IDs to map to the group.\n"
         }
       },
       "type": "object"
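Review bot: The new `exhaustive` property description in the `@@ -3416` hunk (and the identical text in the `@@ -3441` and `@@ -3467` hunks) documents only the `true` case; it does not say that with `false` the resource becomes a partial, non-authoritative assignment, so role grants made to the group outside of Pulumi are neither reported as drift nor reverted, which is exactly what a reader choosing the flag for a privileged group needs to know. The resource-level description a few lines above already states both halves ("authoritative" for true, "a partial assignation of roles" for false), so the property text could read `Indicates if the list of roles is exhaustive. When true (the default), roles manually added to the group are removed and roles manually removed are re-added on the next run; when false, only the listed roles are managed and other assignments are left untouched.` This file looks like a generated provider schema, so the wording fix presumably belongs in the source the description is generated from rather than here. Two smaller nits in the same resource description: the headings `### Exhaustive Roles)` and `### Non Exhaustive Roles)` carry a stray closing parenthesis, and the import section has a bare `bash` line before the ```sh fence.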
@@ -3824,6 +3941,7 @@ } }, "keycloak:index/realm:Realm": { + "description": "Allows for creating and managing Realms within Keycloak.\n\nA realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated\nfrom multiple sources.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n displayName: \"my realm\",\n displayNameHtml: \"\u003cb\u003emy realm\u003c/b\u003e\",\n loginTheme: \"base\",\n accessCodeLifespan: \"1h\",\n sslRequired: \"external\",\n passwordPolicy: \"upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername\",\n attributes: {\n mycustomAttribute: \"myCustomValue\",\n },\n smtpServer: {\n host: \"smtp.example.com\",\n from: \"example@example.com\",\n auth: {\n username: \"tom\",\n password: \"password\",\n },\n },\n internationalization: {\n supportedLocales: [\n \"en\",\n \"de\",\n \"es\",\n ],\n defaultLocale: \"en\",\n },\n securityDefenses: {\n headers: {\n xFrameOptions: \"DENY\",\n contentSecurityPolicy: \"frame-src 'self'; frame-ancestors 'self'; object-src 'none';\",\n contentSecurityPolicyReportOnly: \"\",\n xContentTypeOptions: \"nosniff\",\n xRobotsTag: \"none\",\n xXssProtection: \"1; mode=block\",\n strictTransportSecurity: \"max-age=31536000; includeSubDomains\",\n },\n bruteForceDetection: {\n permanentLockout: false,\n maxLoginFailures: 30,\n waitIncrementSeconds: 60,\n quickLoginCheckMilliSeconds: 1000,\n minimumQuickLoginWaitSeconds: 60,\n maxFailureWaitSeconds: 900,\n failureResetTimeSeconds: 43200,\n },\n },\n webAuthnPolicy: {\n relyingPartyEntityName: \"Example\",\n relyingPartyId: \"keycloak.example.com\",\n signatureAlgorithms: [\n \"ES256\",\n \"RS256\",\n ],\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as 
keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True,\n display_name=\"my realm\",\n display_name_html=\"\u003cb\u003emy realm\u003c/b\u003e\",\n login_theme=\"base\",\n access_code_lifespan=\"1h\",\n ssl_required=\"external\",\n password_policy=\"upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername\",\n attributes={\n \"mycustomAttribute\": \"myCustomValue\",\n },\n smtp_server={\n \"host\": \"smtp.example.com\",\n \"from_\": \"example@example.com\",\n \"auth\": {\n \"username\": \"tom\",\n \"password\": \"password\",\n },\n },\n internationalization={\n \"supported_locales\": [\n \"en\",\n \"de\",\n \"es\",\n ],\n \"default_locale\": \"en\",\n },\n security_defenses={\n \"headers\": {\n \"x_frame_options\": \"DENY\",\n \"content_security_policy\": \"frame-src 'self'; frame-ancestors 'self'; object-src 'none';\",\n \"content_security_policy_report_only\": \"\",\n \"x_content_type_options\": \"nosniff\",\n \"x_robots_tag\": \"none\",\n \"x_xss_protection\": \"1; mode=block\",\n \"strict_transport_security\": \"max-age=31536000; includeSubDomains\",\n },\n \"brute_force_detection\": {\n \"permanent_lockout\": False,\n \"max_login_failures\": 30,\n \"wait_increment_seconds\": 60,\n \"quick_login_check_milli_seconds\": 1000,\n \"minimum_quick_login_wait_seconds\": 60,\n \"max_failure_wait_seconds\": 900,\n \"failure_reset_time_seconds\": 43200,\n },\n },\n web_authn_policy={\n \"relying_party_entity_name\": \"Example\",\n \"relying_party_id\": \"keycloak.example.com\",\n \"signature_algorithms\": [\n \"ES256\",\n \"RS256\",\n ],\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n DisplayName = \"my realm\",\n DisplayNameHtml = \"\u003cb\u003emy realm\u003c/b\u003e\",\n LoginTheme = 
\"base\",\n AccessCodeLifespan = \"1h\",\n SslRequired = \"external\",\n PasswordPolicy = \"upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername\",\n Attributes = \n {\n { \"mycustomAttribute\", \"myCustomValue\" },\n },\n SmtpServer = new Keycloak.Inputs.RealmSmtpServerArgs\n {\n Host = \"smtp.example.com\",\n From = \"example@example.com\",\n Auth = new Keycloak.Inputs.RealmSmtpServerAuthArgs\n {\n Username = \"tom\",\n Password = \"password\",\n },\n },\n Internationalization = new Keycloak.Inputs.RealmInternationalizationArgs\n {\n SupportedLocales = new[]\n {\n \"en\",\n \"de\",\n \"es\",\n },\n DefaultLocale = \"en\",\n },\n SecurityDefenses = new Keycloak.Inputs.RealmSecurityDefensesArgs\n {\n Headers = new Keycloak.Inputs.RealmSecurityDefensesHeadersArgs\n {\n XFrameOptions = \"DENY\",\n ContentSecurityPolicy = \"frame-src 'self'; frame-ancestors 'self'; object-src 'none';\",\n ContentSecurityPolicyReportOnly = \"\",\n XContentTypeOptions = \"nosniff\",\n XRobotsTag = \"none\",\n XXssProtection = \"1; mode=block\",\n StrictTransportSecurity = \"max-age=31536000; includeSubDomains\",\n },\n BruteForceDetection = new Keycloak.Inputs.RealmSecurityDefensesBruteForceDetectionArgs\n {\n PermanentLockout = false,\n MaxLoginFailures = 30,\n WaitIncrementSeconds = 60,\n QuickLoginCheckMilliSeconds = 1000,\n MinimumQuickLoginWaitSeconds = 60,\n MaxFailureWaitSeconds = 900,\n FailureResetTimeSeconds = 43200,\n },\n },\n WebAuthnPolicy = new Keycloak.Inputs.RealmWebAuthnPolicyArgs\n {\n RelyingPartyEntityName = \"Example\",\n RelyingPartyId = \"keycloak.example.com\",\n SignatureAlgorithms = new[]\n {\n \"ES256\",\n \"RS256\",\n },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := keycloak.NewRealm(ctx, \"realm\", 
\u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tDisplayName: pulumi.String(\"my realm\"),\n\t\t\tDisplayNameHtml: pulumi.String(\"\u003cb\u003emy realm\u003c/b\u003e\"),\n\t\t\tLoginTheme: pulumi.String(\"base\"),\n\t\t\tAccessCodeLifespan: pulumi.String(\"1h\"),\n\t\t\tSslRequired: pulumi.String(\"external\"),\n\t\t\tPasswordPolicy: pulumi.String(\"upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"mycustomAttribute\": pulumi.String(\"myCustomValue\"),\n\t\t\t},\n\t\t\tSmtpServer: \u0026keycloak.RealmSmtpServerArgs{\n\t\t\t\tHost: pulumi.String(\"smtp.example.com\"),\n\t\t\t\tFrom: pulumi.String(\"example@example.com\"),\n\t\t\t\tAuth: \u0026keycloak.RealmSmtpServerAuthArgs{\n\t\t\t\t\tUsername: pulumi.String(\"tom\"),\n\t\t\t\t\tPassword: pulumi.String(\"password\"),\n\t\t\t\t},\n\t\t\t},\n\t\t\tInternationalization: \u0026keycloak.RealmInternationalizationArgs{\n\t\t\t\tSupportedLocales: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"en\"),\n\t\t\t\t\tpulumi.String(\"de\"),\n\t\t\t\t\tpulumi.String(\"es\"),\n\t\t\t\t},\n\t\t\t\tDefaultLocale: pulumi.String(\"en\"),\n\t\t\t},\n\t\t\tSecurityDefenses: \u0026keycloak.RealmSecurityDefensesArgs{\n\t\t\t\tHeaders: \u0026keycloak.RealmSecurityDefensesHeadersArgs{\n\t\t\t\t\tXFrameOptions: pulumi.String(\"DENY\"),\n\t\t\t\t\tContentSecurityPolicy: pulumi.String(\"frame-src 'self'; frame-ancestors 'self'; object-src 'none';\"),\n\t\t\t\t\tContentSecurityPolicyReportOnly: pulumi.String(\"\"),\n\t\t\t\t\tXContentTypeOptions: pulumi.String(\"nosniff\"),\n\t\t\t\t\tXRobotsTag: pulumi.String(\"none\"),\n\t\t\t\t\tXXssProtection: pulumi.String(\"1; mode=block\"),\n\t\t\t\t\tStrictTransportSecurity: pulumi.String(\"max-age=31536000; includeSubDomains\"),\n\t\t\t\t},\n\t\t\t\tBruteForceDetection: \u0026keycloak.RealmSecurityDefensesBruteForceDetectionArgs{\n\t\t\t\t\tPermanentLockout: 
pulumi.Bool(false),\n\t\t\t\t\tMaxLoginFailures: pulumi.Int(30),\n\t\t\t\t\tWaitIncrementSeconds: pulumi.Int(60),\n\t\t\t\t\tQuickLoginCheckMilliSeconds: pulumi.Int(1000),\n\t\t\t\t\tMinimumQuickLoginWaitSeconds: pulumi.Int(60),\n\t\t\t\t\tMaxFailureWaitSeconds: pulumi.Int(900),\n\t\t\t\t\tFailureResetTimeSeconds: pulumi.Int(43200),\n\t\t\t\t},\n\t\t\t},\n\t\t\tWebAuthnPolicy: \u0026keycloak.RealmWebAuthnPolicyArgs{\n\t\t\t\tRelyingPartyEntityName: pulumi.String(\"Example\"),\n\t\t\t\tRelyingPartyId: pulumi.String(\"keycloak.example.com\"),\n\t\t\t\tSignatureAlgorithms: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"ES256\"),\n\t\t\t\t\tpulumi.String(\"RS256\"),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.inputs.RealmSmtpServerArgs;\nimport com.pulumi.keycloak.inputs.RealmSmtpServerAuthArgs;\nimport com.pulumi.keycloak.inputs.RealmInternationalizationArgs;\nimport com.pulumi.keycloak.inputs.RealmSecurityDefensesArgs;\nimport com.pulumi.keycloak.inputs.RealmSecurityDefensesHeadersArgs;\nimport com.pulumi.keycloak.inputs.RealmSecurityDefensesBruteForceDetectionArgs;\nimport com.pulumi.keycloak.inputs.RealmWebAuthnPolicyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .displayName(\"my realm\")\n .displayNameHtml(\"\u003cb\u003emy realm\u003c/b\u003e\")\n .loginTheme(\"base\")\n .accessCodeLifespan(\"1h\")\n .sslRequired(\"external\")\n 
.passwordPolicy(\"upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername\")\n .attributes(Map.of(\"mycustomAttribute\", \"myCustomValue\"))\n .smtpServer(RealmSmtpServerArgs.builder()\n .host(\"smtp.example.com\")\n .from(\"example@example.com\")\n .auth(RealmSmtpServerAuthArgs.builder()\n .username(\"tom\")\n .password(\"password\")\n .build())\n .build())\n .internationalization(RealmInternationalizationArgs.builder()\n .supportedLocales( \n \"en\",\n \"de\",\n \"es\")\n .defaultLocale(\"en\")\n .build())\n .securityDefenses(RealmSecurityDefensesArgs.builder()\n .headers(RealmSecurityDefensesHeadersArgs.builder()\n .xFrameOptions(\"DENY\")\n .contentSecurityPolicy(\"frame-src 'self'; frame-ancestors 'self'; object-src 'none';\")\n .contentSecurityPolicyReportOnly(\"\")\n .xContentTypeOptions(\"nosniff\")\n .xRobotsTag(\"none\")\n .xXssProtection(\"1; mode=block\")\n .strictTransportSecurity(\"max-age=31536000; includeSubDomains\")\n .build())\n .bruteForceDetection(RealmSecurityDefensesBruteForceDetectionArgs.builder()\n .permanentLockout(false)\n .maxLoginFailures(30)\n .waitIncrementSeconds(60)\n .quickLoginCheckMilliSeconds(1000)\n .minimumQuickLoginWaitSeconds(60)\n .maxFailureWaitSeconds(900)\n .failureResetTimeSeconds(43200)\n .build())\n .build())\n .webAuthnPolicy(RealmWebAuthnPolicyArgs.builder()\n .relyingPartyEntityName(\"Example\")\n .relyingPartyId(\"keycloak.example.com\")\n .signatureAlgorithms( \n \"ES256\",\n \"RS256\")\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n displayName: my realm\n displayNameHtml: \u003cb\u003emy realm\u003c/b\u003e\n loginTheme: base\n accessCodeLifespan: 1h\n sslRequired: external\n passwordPolicy: upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername\n attributes:\n mycustomAttribute: myCustomValue\n smtpServer:\n host: smtp.example.com\n from: example@example.com\n auth:\n 
username: tom\n password: password\n internationalization:\n supportedLocales:\n - en\n - de\n - es\n defaultLocale: en\n securityDefenses:\n headers:\n xFrameOptions: DENY\n contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';\n contentSecurityPolicyReportOnly:\n xContentTypeOptions: nosniff\n xRobotsTag: none\n xXssProtection: 1; mode=block\n strictTransportSecurity: max-age=31536000; includeSubDomains\n bruteForceDetection:\n permanentLockout: false\n maxLoginFailures: 30\n waitIncrementSeconds: 60\n quickLoginCheckMilliSeconds: 1000\n minimumQuickLoginWaitSeconds: 60\n maxFailureWaitSeconds: 900\n failureResetTimeSeconds: 43200\n webAuthnPolicy:\n relyingPartyEntityName: Example\n relyingPartyId: keycloak.example.com\n signatureAlgorithms:\n - ES256\n - RS256\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Default Client Scopes\n\n- `default_default_client_scopes` - (Optional) A list of default default client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default default client-scopes.\n- `default_optional_client_scopes` - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default optional client-scopes.\n\n## Import\n\nRealms can be imported using their name.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/realm:Realm realm my-realm\n```\n\n", "properties": { "accessCodeLifespan": { "type": "string" @@ -3856,7 +3974,8 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map of custom attributes to add to the realm.\n" }, "browserFlow": { "type": "string", 
@@ -3892,10 +4011,12 @@ "description": "Which flow should be used for DirectGrantFlow\n" }, "displayName": { - "type": "string" + "type": "string", + "description": "The display name for the realm that is shown when logging in to the admin console.\n" }, "displayNameHtml": { - "type": "string" + "type": "string", + "description": "The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.\n" }, "dockerAuthenticationFlow": { "type": "string", @@ -3911,10 +4032,12 @@ "type": "string" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When `false`, users and clients will not be able to access this realm. Defaults to `true`.\n" }, "internalId": { - "type": "string" + "type": "string", + "description": "When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.\n" }, "internationalization": { "$ref": "#/types/keycloak:index/RealmInternationalization:RealmInternationalization" @@ -3949,6 +4072,7 @@ }, "realm": { "type": "string", + "description": "The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.\n", "language": { "csharp": { "name": "RealmName" @@ -4004,7 +4128,8 @@ "type": "string" }, "userManagedAccess": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, users are allowed to manage their own resources. Defaults to `false`.\n" }, "verifyEmail": { "type": "boolean" @@ -4086,7 +4211,8 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map of custom attributes to add to the realm.\n" }, "browserFlow": { "type": "string", 
@@ -4122,10 +4248,12 @@ "description": "Which flow should be used for DirectGrantFlow\n" }, "displayName": { - "type": "string" + "type": "string", + "description": "The display name for the realm that is shown when logging in to the admin console.\n" }, "displayNameHtml": { - "type": "string" + "type": "string", + "description": "The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.\n" }, "dockerAuthenticationFlow": { "type": "string", @@ -4141,10 +4269,12 @@ "type": "string" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When `false`, users and clients will not be able to access this realm. Defaults to `true`.\n" }, "internalId": { "type": "string", + "description": "When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.\n", "willReplaceOnChanges": true }, "internationalization": { @@ -4180,6 +4310,7 @@ }, "realm": { "type": "string", + "description": "The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.\n", "language": { "csharp": { "name": "RealmName" @@ -4236,7 +4367,8 @@ "type": "string" }, "userManagedAccess": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, users are allowed to manage their own resources. Defaults to `false`.\n" }, "verifyEmail": { "type": "boolean" @@ -4285,7 +4417,8 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map of custom attributes to add to the realm.\n" }, "browserFlow": { "type": "string", 
@@ -4321,10 +4454,12 @@ "description": "Which flow should be used for DirectGrantFlow\n" }, "displayName": { - "type": "string" + "type": "string", + "description": "The display name for the realm that is shown when logging in to the admin console.\n" }, "displayNameHtml": { - "type": "string" + "type": "string", + "description": "The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.\n" }, "dockerAuthenticationFlow": { "type": "string", @@ -4340,10 +4475,12 @@ "type": "string" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When `false`, users and clients will not be able to access this realm. Defaults to `true`.\n" }, "internalId": { "type": "string", + "description": "When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.\n", "willReplaceOnChanges": true }, "internationalization": { @@ -4379,6 +4516,7 @@ }, "realm": { "type": "string", + "description": "The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.\n", "language": { "csharp": { "name": "RealmName" @@ -4435,7 +4573,8 @@ "type": "string" }, "userManagedAccess": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, users are allowed to manage their own resources. Defaults to `false`.\n" }, "verifyEmail": { "type": "boolean" 
@@ -4451,34 +4590,41 @@ } }, "keycloak:index/realmEvents:RealmEvents": { - "description": "## # keycloak.RealmEvents\n\nAllows for managing Realm Events settings within Keycloak.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {realm: \"test\"});\nconst realmEvents = new keycloak.RealmEvents(\"realm_events\", {\n realmId: realm.id,\n eventsEnabled: true,\n eventsExpiration: 3600,\n adminEventsEnabled: true,\n adminEventsDetailsEnabled: true,\n enabledEventTypes: [\n \"LOGIN\",\n \"LOGOUT\",\n ],\n eventsListeners: [\"jboss-logging\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\", realm=\"test\")\nrealm_events = keycloak.RealmEvents(\"realm_events\",\n realm_id=realm.id,\n events_enabled=True,\n events_expiration=3600,\n admin_events_enabled=True,\n admin_events_details_enabled=True,\n enabled_event_types=[\n \"LOGIN\",\n \"LOGOUT\",\n ],\n events_listeners=[\"jboss-logging\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"test\",\n });\n\n var realmEvents = new Keycloak.RealmEvents(\"realm_events\", new()\n {\n RealmId = realm.Id,\n EventsEnabled = true,\n EventsExpiration = 3600,\n AdminEventsEnabled = true,\n AdminEventsDetailsEnabled = true,\n EnabledEventTypes = new[]\n {\n \"LOGIN\",\n \"LOGOUT\",\n },\n EventsListeners = new[]\n {\n \"jboss-logging\",\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", 
\u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"test\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRealmEvents(ctx, \"realm_events\", \u0026keycloak.RealmEventsArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tEventsEnabled: pulumi.Bool(true),\n\t\t\tEventsExpiration: pulumi.Int(3600),\n\t\t\tAdminEventsEnabled: pulumi.Bool(true),\n\t\t\tAdminEventsDetailsEnabled: pulumi.Bool(true),\n\t\t\tEnabledEventTypes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"LOGIN\"),\n\t\t\t\tpulumi.String(\"LOGOUT\"),\n\t\t\t},\n\t\t\tEventsListeners: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"jboss-logging\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.RealmEvents;\nimport com.pulumi.keycloak.RealmEventsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"test\")\n .build());\n\n var realmEvents = new RealmEvents(\"realmEvents\", RealmEventsArgs.builder()\n .realmId(realm.id())\n .eventsEnabled(true)\n .eventsExpiration(3600)\n .adminEventsEnabled(true)\n .adminEventsDetailsEnabled(true)\n .enabledEventTypes( \n \"LOGIN\",\n \"LOGOUT\")\n .eventsListeners(\"jboss-logging\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: test\n realmEvents:\n type: keycloak:RealmEvents\n name: realm_events\n properties:\n realmId: ${realm.id}\n eventsEnabled: true\n eventsExpiration: 3600\n adminEventsEnabled: true\n 
adminEventsDetailsEnabled: true # When omitted or left empty, keycloak will enable all event types\n enabledEventTypes:\n - LOGIN\n - LOGOUT\n eventsListeners:\n - jboss-logging\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The name of the realm the event settings apply to.\n- `admin_events_enabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`.\n- `admin_events_details_enabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`.\n- `events_enabled` - (Optional) When true, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.\n- `events_expiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never.\n- `enabled_event_types` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.\n- `events_listeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. 
Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.\n", + "description": "Allows for managing Realm Events settings within Keycloak.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst realmEvents = new keycloak.RealmEvents(\"realm_events\", {\n realmId: realm.id,\n eventsEnabled: true,\n eventsExpiration: 3600,\n adminEventsEnabled: true,\n adminEventsDetailsEnabled: true,\n enabledEventTypes: [\n \"LOGIN\",\n \"LOGOUT\",\n ],\n eventsListeners: [\"jboss-logging\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrealm_events = keycloak.RealmEvents(\"realm_events\",\n realm_id=realm.id,\n events_enabled=True,\n events_expiration=3600,\n admin_events_enabled=True,\n admin_events_details_enabled=True,\n enabled_event_types=[\n \"LOGIN\",\n \"LOGOUT\",\n ],\n events_listeners=[\"jboss-logging\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var realmEvents = new Keycloak.RealmEvents(\"realm_events\", new()\n {\n RealmId = realm.Id,\n EventsEnabled = true,\n EventsExpiration = 3600,\n AdminEventsEnabled = true,\n AdminEventsDetailsEnabled = true,\n EnabledEventTypes = new[]\n {\n \"LOGIN\",\n \"LOGOUT\",\n },\n EventsListeners = new[]\n {\n \"jboss-logging\",\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() 
{\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRealmEvents(ctx, \"realm_events\", \u0026keycloak.RealmEventsArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tEventsEnabled: pulumi.Bool(true),\n\t\t\tEventsExpiration: pulumi.Int(3600),\n\t\t\tAdminEventsEnabled: pulumi.Bool(true),\n\t\t\tAdminEventsDetailsEnabled: pulumi.Bool(true),\n\t\t\tEnabledEventTypes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"LOGIN\"),\n\t\t\t\tpulumi.String(\"LOGOUT\"),\n\t\t\t},\n\t\t\tEventsListeners: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"jboss-logging\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.RealmEvents;\nimport com.pulumi.keycloak.RealmEventsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var realmEvents = new RealmEvents(\"realmEvents\", RealmEventsArgs.builder()\n .realmId(realm.id())\n .eventsEnabled(true)\n .eventsExpiration(3600)\n .adminEventsEnabled(true)\n .adminEventsDetailsEnabled(true)\n .enabledEventTypes( \n \"LOGIN\",\n \"LOGOUT\")\n .eventsListeners(\"jboss-logging\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n 
realmEvents:\n type: keycloak:RealmEvents\n name: realm_events\n properties:\n realmId: ${realm.id}\n eventsEnabled: true\n eventsExpiration: 3600\n adminEventsEnabled: true\n adminEventsDetailsEnabled: true # When omitted or left empty, keycloak will enable all event types\n enabledEventTypes:\n - LOGIN\n - LOGOUT\n eventsListeners:\n - jboss-logging\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThis resource currently does not support importing.\n\n", "properties": { "adminEventsDetailsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.\n" }, "adminEventsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.\n" }, "enabledEventTypes": { "type": "array", "items": { "type": "string" - } + }, + "description": "The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.\n" }, "eventsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.\n" }, "eventsExpiration": { - "type": "integer" + "type": "integer", + "description": "The amount of time in seconds events will be saved in the database. Defaults to `0` or never.\n" }, "eventsListeners": { "type": "array", "items": { "type": "string" - } + }, + "description": "The event listeners that events should be sent to. Defaults to `[]` or none. 
Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The name of the realm the event settings apply to.\n" } }, "required": [ @@ -4486,31 +4632,38 @@ ], "inputProperties": { "adminEventsDetailsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.\n" }, "adminEventsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.\n" }, "enabledEventTypes": { "type": "array", "items": { "type": "string" - } + }, + "description": "The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.\n" }, "eventsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.\n" }, "eventsExpiration": { - "type": "integer" + "type": "integer", + "description": "The amount of time in seconds events will be saved in the database. Defaults to `0` or never.\n" }, "eventsListeners": { "type": "array", "items": { "type": "string" - } + }, + "description": "The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.\n" }, "realmId": { "type": "string", + "description": "The name of the realm the event settings apply to.\n", "willReplaceOnChanges": true } }, 
@@ -4521,31 +4674,38 @@ "description": "Input properties used for looking up and filtering RealmEvents resources.\n", "properties": { "adminEventsDetailsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.\n" }, "adminEventsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.\n" }, "enabledEventTypes": { "type": "array", "items": { "type": "string" - } + }, + "description": "The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.\n" }, "eventsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.\n" }, "eventsExpiration": { - "type": "integer" + "type": "integer", + "description": "The amount of time in seconds events will be saved in the database. Defaults to `0` or never.\n" }, "eventsListeners": { "type": "array", "items": { "type": "string" - } + }, + "description": "The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.\n" }, "realmId": { "type": "string", + "description": "The name of the realm the event settings apply to.\n", "willReplaceOnChanges": true } }, 
@@ -5409,31 +5569,37 @@ } }, "keycloak:index/role:Role": { - "description": "## # keycloak.Role\n\nAllows for creating and managing roles within Keycloak.\n\nRoles allow you define privileges within Keycloak and map them to users\nand groups.\n\n### Example Usage (Realm role)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst realmRole = new keycloak.Role(\"realm_role\", {\n realmId: realm.id,\n name: \"my-realm-role\",\n description: \"My Realm Role\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrealm_role = keycloak.Role(\"realm_role\",\n realm_id=realm.id,\n name=\"my-realm-role\",\n description=\"My Realm Role\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var realmRole = new Keycloak.Role(\"realm_role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-realm-role\",\n Description = \"My Realm Role\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"realm_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-realm-role\"),\n\t\t\tDescription: pulumi.String(\"My Realm 
Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var realmRole = new Role(\"realmRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-realm-role\")\n .description(\"My Realm Role\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n realmRole:\n type: keycloak:Role\n name: realm_role\n properties:\n realmId: ${realm.id}\n name: my-realm-role\n description: My Realm Role\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Client role)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst client = new keycloak.openid.Client(\"client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"BEARER-ONLY\",\n});\nconst clientRole = new keycloak.Role(\"client_role\", {\n realmId: realm.id,\n clientId: clientKeycloakClient.id,\n name: \"my-client-role\",\n description: \"My Client Role\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n 
enabled=True)\nclient = keycloak.openid.Client(\"client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"BEARER-ONLY\")\nclient_role = keycloak.Role(\"client_role\",\n realm_id=realm.id,\n client_id=client_keycloak_client[\"id\"],\n name=\"my-client-role\",\n description=\"My Client Role\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var client = new Keycloak.OpenId.Client(\"client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"BEARER-ONLY\",\n });\n\n var clientRole = new Keycloak.Role(\"client_role\", new()\n {\n RealmId = realm.Id,\n ClientId = clientKeycloakClient.Id,\n Name = \"my-client-role\",\n Description = \"My Client Role\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClient(ctx, \"client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"BEARER-ONLY\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"client_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: 
pulumi.Any(clientKeycloakClient.Id),\n\t\t\tName: pulumi.String(\"my-client-role\"),\n\t\t\tDescription: pulumi.String(\"My Client Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var client = new Client(\"client\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"BEARER-ONLY\")\n .build());\n\n var clientRole = new Role(\"clientRole\", RoleArgs.builder()\n .realmId(realm.id())\n .clientId(clientKeycloakClient.id())\n .name(\"my-client-role\")\n .description(\"My Client Role\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n client:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: BEARER-ONLY\n clientRole:\n type: keycloak:Role\n name: client_role\n properties:\n realmId: ${realm.id}\n clientId: ${clientKeycloakClient.id}\n name: my-client-role\n description: My Client Role\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Composite role)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi 
from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\n// realm roles\nconst createRole = new keycloak.Role(\"create_role\", {\n realmId: realm.id,\n name: \"create\",\n});\nconst readRole = new keycloak.Role(\"read_role\", {\n realmId: realm.id,\n name: \"read\",\n});\nconst updateRole = new keycloak.Role(\"update_role\", {\n realmId: realm.id,\n name: \"update\",\n});\nconst deleteRole = new keycloak.Role(\"delete_role\", {\n realmId: realm.id,\n name: \"delete\",\n});\n// client role\nconst client = new keycloak.openid.Client(\"client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"BEARER-ONLY\",\n});\nconst clientRole = new keycloak.Role(\"client_role\", {\n realmId: realm.id,\n clientId: clientKeycloakClient.id,\n name: \"my-client-role\",\n description: \"My Client Role\",\n});\nconst adminRole = new keycloak.Role(\"admin_role\", {\n realmId: realm.id,\n name: \"admin\",\n compositeRoles: [\n \"{keycloak_role.create_role.id}\",\n \"{keycloak_role.read_role.id}\",\n \"{keycloak_role.update_role.id}\",\n \"{keycloak_role.delete_role.id}\",\n \"{keycloak_role.client_role.id}\",\n ],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\n# realm roles\ncreate_role = keycloak.Role(\"create_role\",\n realm_id=realm.id,\n name=\"create\")\nread_role = keycloak.Role(\"read_role\",\n realm_id=realm.id,\n name=\"read\")\nupdate_role = keycloak.Role(\"update_role\",\n realm_id=realm.id,\n name=\"update\")\ndelete_role = keycloak.Role(\"delete_role\",\n realm_id=realm.id,\n name=\"delete\")\n# client role\nclient = keycloak.openid.Client(\"client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"BEARER-ONLY\")\nclient_role = keycloak.Role(\"client_role\",\n 
realm_id=realm.id,\n client_id=client_keycloak_client[\"id\"],\n name=\"my-client-role\",\n description=\"My Client Role\")\nadmin_role = keycloak.Role(\"admin_role\",\n realm_id=realm.id,\n name=\"admin\",\n composite_roles=[\n \"{keycloak_role.create_role.id}\",\n \"{keycloak_role.read_role.id}\",\n \"{keycloak_role.update_role.id}\",\n \"{keycloak_role.delete_role.id}\",\n \"{keycloak_role.client_role.id}\",\n ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n // realm roles\n var createRole = new Keycloak.Role(\"create_role\", new()\n {\n RealmId = realm.Id,\n Name = \"create\",\n });\n\n var readRole = new Keycloak.Role(\"read_role\", new()\n {\n RealmId = realm.Id,\n Name = \"read\",\n });\n\n var updateRole = new Keycloak.Role(\"update_role\", new()\n {\n RealmId = realm.Id,\n Name = \"update\",\n });\n\n var deleteRole = new Keycloak.Role(\"delete_role\", new()\n {\n RealmId = realm.Id,\n Name = \"delete\",\n });\n\n // client role\n var client = new Keycloak.OpenId.Client(\"client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"BEARER-ONLY\",\n });\n\n var clientRole = new Keycloak.Role(\"client_role\", new()\n {\n RealmId = realm.Id,\n ClientId = clientKeycloakClient.Id,\n Name = \"my-client-role\",\n Description = \"My Client Role\",\n });\n\n var adminRole = new Keycloak.Role(\"admin_role\", new()\n {\n RealmId = realm.Id,\n Name = \"admin\",\n CompositeRoles = new[]\n {\n \"{keycloak_role.create_role.id}\",\n \"{keycloak_role.read_role.id}\",\n \"{keycloak_role.update_role.id}\",\n \"{keycloak_role.delete_role.id}\",\n \"{keycloak_role.client_role.id}\",\n },\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// realm roles\n\t\t_, err = keycloak.NewRole(ctx, \"create_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"create\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"read_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"read\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"update_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"update\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"delete_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"delete\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// client role\n\t\t_, err = openid.NewClient(ctx, \"client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"BEARER-ONLY\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"client_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.Any(clientKeycloakClient.Id),\n\t\t\tName: pulumi.String(\"my-client-role\"),\n\t\t\tDescription: pulumi.String(\"My Client Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"admin_role\", 
\u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"admin\"),\n\t\t\tCompositeRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"{keycloak_role.create_role.id}\"),\n\t\t\t\tpulumi.String(\"{keycloak_role.read_role.id}\"),\n\t\t\t\tpulumi.String(\"{keycloak_role.update_role.id}\"),\n\t\t\t\tpulumi.String(\"{keycloak_role.delete_role.id}\"),\n\t\t\t\tpulumi.String(\"{keycloak_role.client_role.id}\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n // realm roles\n var createRole = new Role(\"createRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"create\")\n .build());\n\n var readRole = new Role(\"readRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"read\")\n .build());\n\n var updateRole = new Role(\"updateRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"update\")\n .build());\n\n var deleteRole = new Role(\"deleteRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"delete\")\n .build());\n\n // client role\n var client = new Client(\"client\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"BEARER-ONLY\")\n .build());\n\n 
var clientRole = new Role(\"clientRole\", RoleArgs.builder()\n .realmId(realm.id())\n .clientId(clientKeycloakClient.id())\n .name(\"my-client-role\")\n .description(\"My Client Role\")\n .build());\n\n var adminRole = new Role(\"adminRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"admin\")\n .compositeRoles( \n \"{keycloak_role.create_role.id}\",\n \"{keycloak_role.read_role.id}\",\n \"{keycloak_role.update_role.id}\",\n \"{keycloak_role.delete_role.id}\",\n \"{keycloak_role.client_role.id}\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n # realm roles\n createRole:\n type: keycloak:Role\n name: create_role\n properties:\n realmId: ${realm.id}\n name: create\n readRole:\n type: keycloak:Role\n name: read_role\n properties:\n realmId: ${realm.id}\n name: read\n updateRole:\n type: keycloak:Role\n name: update_role\n properties:\n realmId: ${realm.id}\n name: update\n deleteRole:\n type: keycloak:Role\n name: delete_role\n properties:\n realmId: ${realm.id}\n name: delete\n # client role\n client:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: BEARER-ONLY\n clientRole:\n type: keycloak:Role\n name: client_role\n properties:\n realmId: ${realm.id}\n clientId: ${clientKeycloakClient.id}\n name: my-client-role\n description: My Client Role\n adminRole:\n type: keycloak:Role\n name: admin_role\n properties:\n realmId: ${realm.id}\n name: admin\n compositeRoles:\n - '{keycloak_role.create_role.id}'\n - '{keycloak_role.read_role.id}'\n - '{keycloak_role.update_role.id}'\n - '{keycloak_role.delete_role.id}'\n - '{keycloak_role.client_role.id}'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this role exists within.\n- `client_id` - (Optional) When specified, this role will be created as\n a 
client role attached to the client with the provided ID\n- `name` - (Required) The name of the role\n- `description` - (Optional) The description of the role\n- `composite_roles` - (Optional) When specified, this role will be a\n composite role, composed of all roles that have an ID present within\n this list.\n\n\n### Import\n\nRoles can be imported using the format `{{realm_id}}/{{role_id}}`, where\n`role_id` is the unique ID that Keycloak assigns to the role. The ID is\nnot easy to find in the GUI, but it appears in the URL when editing the\nrole.\n\nExample:\n\n```bash\n$ terraform import keycloak_role.role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad\n```\n", + "description": "Allows for creating and managing roles within Keycloak.\n\nRoles allow you define privileges within Keycloak and map them to users and groups.\n\n## Example Usage\n\n### Realm Role)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst realmRole = new keycloak.Role(\"realm_role\", {\n realmId: realm.id,\n name: \"my-realm-role\",\n description: \"My Realm Role\",\n attributes: {\n key: \"value\",\n multivalue: \"value1##value2\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrealm_role = keycloak.Role(\"realm_role\",\n realm_id=realm.id,\n name=\"my-realm-role\",\n description=\"My Realm Role\",\n attributes={\n \"key\": \"value\",\n \"multivalue\": \"value1##value2\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var realmRole = new 
Keycloak.Role(\"realm_role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-realm-role\",\n Description = \"My Realm Role\",\n Attributes = \n {\n { \"key\", \"value\" },\n { \"multivalue\", \"value1##value2\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"realm_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-realm-role\"),\n\t\t\tDescription: pulumi.String(\"My Realm Role\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"key\": pulumi.String(\"value\"),\n\t\t\t\t\"multivalue\": pulumi.String(\"value1##value2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var realmRole = new Role(\"realmRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-realm-role\")\n .description(\"My Realm Role\")\n .attributes(Map.ofEntries(\n Map.entry(\"key\", \"value\"),\n 
Map.entry(\"multivalue\", \"value1##value2\")\n ))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n realmRole:\n type: keycloak:Role\n name: realm_role\n properties:\n realmId: ${realm.id}\n name: my-realm-role\n description: My Realm Role\n attributes:\n key: value\n multivalue: value1##value2\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Role)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst clientRole = new keycloak.Role(\"client_role\", {\n realmId: realm.id,\n clientId: openidClientKeycloakClient.id,\n name: \"my-client-role\",\n description: \"My Client Role\",\n attributes: {\n key: \"value\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nclient_role = keycloak.Role(\"client_role\",\n realm_id=realm.id,\n client_id=openid_client_keycloak_client[\"id\"],\n name=\"my-client-role\",\n description=\"My Client Role\",\n attributes={\n \"key\": \"value\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", 
new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var clientRole = new Keycloak.Role(\"client_role\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClientKeycloakClient.Id,\n Name = \"my-client-role\",\n Description = \"My Client Role\",\n Attributes = \n {\n { \"key\", \"value\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"client_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.Any(openidClientKeycloakClient.Id),\n\t\t\tName: pulumi.String(\"my-client-role\"),\n\t\t\tDescription: pulumi.String(\"My Client Role\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"key\": pulumi.String(\"value\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn 
nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var clientRole = new Role(\"clientRole\", RoleArgs.builder()\n .realmId(realm.id())\n .clientId(openidClientKeycloakClient.id())\n .name(\"my-client-role\")\n .description(\"My Client Role\")\n .attributes(Map.of(\"key\", \"value\"))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n clientRole:\n type: keycloak:Role\n name: client_role\n properties:\n realmId: ${realm.id}\n clientId: ${openidClientKeycloakClient.id}\n name: my-client-role\n description: My Client Role\n attributes:\n key: value\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Composite Role)\n\n\u003c!--Start PulumiCodeChooser 
--\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\n// realm roles\nconst createRole = new keycloak.Role(\"create_role\", {\n realmId: realm.id,\n name: \"create\",\n attributes: {\n key: \"value\",\n },\n});\nconst readRole = new keycloak.Role(\"read_role\", {\n realmId: realm.id,\n name: \"read\",\n attributes: {\n key: \"value\",\n },\n});\nconst updateRole = new keycloak.Role(\"update_role\", {\n realmId: realm.id,\n name: \"update\",\n attributes: {\n key: \"value\",\n },\n});\nconst deleteRole = new keycloak.Role(\"delete_role\", {\n realmId: realm.id,\n name: \"delete\",\n attributes: {\n key: \"value\",\n },\n});\n// client role\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst clientRole = new keycloak.Role(\"client_role\", {\n realmId: realm.id,\n clientId: openidClientKeycloakClient.id,\n name: \"my-client-role\",\n description: \"My Client Role\",\n attributes: {\n key: \"value\",\n },\n});\nconst adminRole = new keycloak.Role(\"admin_role\", {\n realmId: realm.id,\n name: \"admin\",\n compositeRoles: [\n createRole.id,\n readRole.id,\n updateRole.id,\n deleteRole.id,\n clientRole.id,\n ],\n attributes: {\n key: \"value\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\n# realm roles\ncreate_role = keycloak.Role(\"create_role\",\n realm_id=realm.id,\n name=\"create\",\n attributes={\n \"key\": \"value\",\n })\nread_role = keycloak.Role(\"read_role\",\n realm_id=realm.id,\n name=\"read\",\n attributes={\n \"key\": \"value\",\n })\nupdate_role = keycloak.Role(\"update_role\",\n 
realm_id=realm.id,\n name=\"update\",\n attributes={\n \"key\": \"value\",\n })\ndelete_role = keycloak.Role(\"delete_role\",\n realm_id=realm.id,\n name=\"delete\",\n attributes={\n \"key\": \"value\",\n })\n# client role\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nclient_role = keycloak.Role(\"client_role\",\n realm_id=realm.id,\n client_id=openid_client_keycloak_client[\"id\"],\n name=\"my-client-role\",\n description=\"My Client Role\",\n attributes={\n \"key\": \"value\",\n })\nadmin_role = keycloak.Role(\"admin_role\",\n realm_id=realm.id,\n name=\"admin\",\n composite_roles=[\n create_role.id,\n read_role.id,\n update_role.id,\n delete_role.id,\n client_role.id,\n ],\n attributes={\n \"key\": \"value\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n // realm roles\n var createRole = new Keycloak.Role(\"create_role\", new()\n {\n RealmId = realm.Id,\n Name = \"create\",\n Attributes = \n {\n { \"key\", \"value\" },\n },\n });\n\n var readRole = new Keycloak.Role(\"read_role\", new()\n {\n RealmId = realm.Id,\n Name = \"read\",\n Attributes = \n {\n { \"key\", \"value\" },\n },\n });\n\n var updateRole = new Keycloak.Role(\"update_role\", new()\n {\n RealmId = realm.Id,\n Name = \"update\",\n Attributes = \n {\n { \"key\", \"value\" },\n },\n });\n\n var deleteRole = new Keycloak.Role(\"delete_role\", new()\n {\n RealmId = realm.Id,\n Name = \"delete\",\n Attributes = \n {\n { \"key\", \"value\" },\n },\n });\n\n // client role\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n 
ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var clientRole = new Keycloak.Role(\"client_role\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClientKeycloakClient.Id,\n Name = \"my-client-role\",\n Description = \"My Client Role\",\n Attributes = \n {\n { \"key\", \"value\" },\n },\n });\n\n var adminRole = new Keycloak.Role(\"admin_role\", new()\n {\n RealmId = realm.Id,\n Name = \"admin\",\n CompositeRoles = new[]\n {\n createRole.Id,\n readRole.Id,\n updateRole.Id,\n deleteRole.Id,\n clientRole.Id,\n },\n Attributes = \n {\n { \"key\", \"value\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// realm roles\n\t\tcreateRole, err := keycloak.NewRole(ctx, \"create_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"create\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"key\": pulumi.String(\"value\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treadRole, err := keycloak.NewRole(ctx, \"read_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"read\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"key\": pulumi.String(\"value\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tupdateRole, err := keycloak.NewRole(ctx, \"update_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: 
pulumi.String(\"update\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"key\": pulumi.String(\"value\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdeleteRole, err := keycloak.NewRole(ctx, \"delete_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"delete\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"key\": pulumi.String(\"value\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// client role\n\t\t_, err = openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientRole, err := keycloak.NewRole(ctx, \"client_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.Any(openidClientKeycloakClient.Id),\n\t\t\tName: pulumi.String(\"my-client-role\"),\n\t\t\tDescription: pulumi.String(\"My Client Role\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"key\": pulumi.String(\"value\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"admin_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"admin\"),\n\t\t\tCompositeRoles: pulumi.StringArray{\n\t\t\t\tcreateRole.ID(),\n\t\t\t\treadRole.ID(),\n\t\t\t\tupdateRole.ID(),\n\t\t\t\tdeleteRole.ID(),\n\t\t\t\tclientRole.ID(),\n\t\t\t},\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"key\": pulumi.String(\"value\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport 
com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n // realm roles\n var createRole = new Role(\"createRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"create\")\n .attributes(Map.of(\"key\", \"value\"))\n .build());\n\n var readRole = new Role(\"readRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"read\")\n .attributes(Map.of(\"key\", \"value\"))\n .build());\n\n var updateRole = new Role(\"updateRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"update\")\n .attributes(Map.of(\"key\", \"value\"))\n .build());\n\n var deleteRole = new Role(\"deleteRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"delete\")\n .attributes(Map.of(\"key\", \"value\"))\n .build());\n\n // client role\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var clientRole = new Role(\"clientRole\", RoleArgs.builder()\n .realmId(realm.id())\n .clientId(openidClientKeycloakClient.id())\n .name(\"my-client-role\")\n .description(\"My Client Role\")\n .attributes(Map.of(\"key\", \"value\"))\n .build());\n\n var adminRole = new Role(\"adminRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"admin\")\n .compositeRoles( \n 
createRole.id(),\n readRole.id(),\n updateRole.id(),\n deleteRole.id(),\n clientRole.id())\n .attributes(Map.of(\"key\", \"value\"))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n # realm roles\n createRole:\n type: keycloak:Role\n name: create_role\n properties:\n realmId: ${realm.id}\n name: create\n attributes:\n key: value\n readRole:\n type: keycloak:Role\n name: read_role\n properties:\n realmId: ${realm.id}\n name: read\n attributes:\n key: value\n updateRole:\n type: keycloak:Role\n name: update_role\n properties:\n realmId: ${realm.id}\n name: update\n attributes:\n key: value\n deleteRole:\n type: keycloak:Role\n name: delete_role\n properties:\n realmId: ${realm.id}\n name: delete\n attributes:\n key: value\n # client role\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n clientRole:\n type: keycloak:Role\n name: client_role\n properties:\n realmId: ${realm.id}\n clientId: ${openidClientKeycloakClient.id}\n name: my-client-role\n description: My Client Role\n attributes:\n key: value\n adminRole:\n type: keycloak:Role\n name: admin_role\n properties:\n realmId: ${realm.id}\n name: admin\n compositeRoles:\n - ${createRole.id}\n - ${readRole.id}\n - ${updateRole.id}\n - ${deleteRole.id}\n - ${clientRole.id}\n attributes:\n key: value\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nRoles can be imported using the format `{{realm_id}}/{{role_id}}`, where `role_id` is the unique ID that Keycloak assigns\n\nto the role. 
The ID is not easy to find in the GUI, but it appears in the URL when editing the role.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/role:Role role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad\n```\n\n", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars\n" }, "clientId": { - "type": "string" + "type": "string", + "description": "When specified, this role will be created as a client role attached to the client with the provided ID\n" }, "compositeRoles": { "type": "array", "items": { "type": "string" - } + }, + "description": "When specified, this role will be a composite role, composed of all roles that have an ID present within this list.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of the role\n" }, "name": { - "type": "string" + "type": "string", + "description": "The name of the role\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this role exists within.\n" } }, "required": [ 
@@ -5445,26 +5611,32 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars\n" }, "clientId": { "type": "string", + "description": "When specified, this role will be created as a client role attached to the client with the provided ID\n", "willReplaceOnChanges": true }, "compositeRoles": { "type": "array", "items": { "type": "string" - } + }, + "description": "When specified, this role will be a composite role, composed of all roles that have an ID present within this list.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of the role\n" }, "name": { - "type": "string" + "type": "string", + "description": "The name of the role\n" }, "realmId": { "type": "string", + "description": "The realm this role exists within.\n", "willReplaceOnChanges": true } }, @@ -5478,26 +5650,32 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars\n" }, "clientId": { "type": "string", + "description": "When specified, this role will be created as a client role attached to the client with the provided ID\n", "willReplaceOnChanges": true }, "compositeRoles": { "type": "array", "items": { "type": "string" - } + }, + "description": "When specified, this role will be a composite role, composed of all roles that have an ID present within this list.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of the role\n" }, "name": { - "type": "string" + "type": "string", + "description": "The name of the role\n" }, "realmId": { "type": "string", + "description": "The realm this role exists within.\n", "willReplaceOnChanges": true } }, 
@@ -5505,49 +5683,60 @@ } }, "keycloak:index/user:User": { - "description": "## # keycloak.User\n\nAllows for creating and managing Users within Keycloak.\n\nThis resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource.\nCreating users within Keycloak is not recommended. Instead, users should be federated from external sources\nby configuring user federation providers or identity providers.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst user = new keycloak.User(\"user\", {\n realmId: realm.id,\n username: \"bob\",\n enabled: true,\n email: \"bob@domain.com\",\n firstName: \"Bob\",\n lastName: \"Bobson\",\n});\nconst userWithInitialPassword = new keycloak.User(\"user_with_initial_password\", {\n realmId: realm.id,\n username: \"alice\",\n enabled: true,\n email: \"alice@domain.com\",\n firstName: \"Alice\",\n lastName: \"Aliceberg\",\n initialPassword: {\n value: \"some password\",\n temporary: true,\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nuser = keycloak.User(\"user\",\n realm_id=realm.id,\n username=\"bob\",\n enabled=True,\n email=\"bob@domain.com\",\n first_name=\"Bob\",\n last_name=\"Bobson\")\nuser_with_initial_password = keycloak.User(\"user_with_initial_password\",\n realm_id=realm.id,\n username=\"alice\",\n enabled=True,\n email=\"alice@domain.com\",\n first_name=\"Alice\",\n last_name=\"Aliceberg\",\n initial_password={\n \"value\": \"some password\",\n \"temporary\": True,\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new 
Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var user = new Keycloak.User(\"user\", new()\n {\n RealmId = realm.Id,\n Username = \"bob\",\n Enabled = true,\n Email = \"bob@domain.com\",\n FirstName = \"Bob\",\n LastName = \"Bobson\",\n });\n\n var userWithInitialPassword = new Keycloak.User(\"user_with_initial_password\", new()\n {\n RealmId = realm.Id,\n Username = \"alice\",\n Enabled = true,\n Email = \"alice@domain.com\",\n FirstName = \"Alice\",\n LastName = \"Aliceberg\",\n InitialPassword = new Keycloak.Inputs.UserInitialPasswordArgs\n {\n Value = \"some password\",\n Temporary = true,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewUser(ctx, \"user\", \u0026keycloak.UserArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsername: pulumi.String(\"bob\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tEmail: pulumi.String(\"bob@domain.com\"),\n\t\t\tFirstName: pulumi.String(\"Bob\"),\n\t\t\tLastName: pulumi.String(\"Bobson\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewUser(ctx, \"user_with_initial_password\", \u0026keycloak.UserArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsername: pulumi.String(\"alice\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tEmail: pulumi.String(\"alice@domain.com\"),\n\t\t\tFirstName: pulumi.String(\"Alice\"),\n\t\t\tLastName: pulumi.String(\"Aliceberg\"),\n\t\t\tInitialPassword: \u0026keycloak.UserInitialPasswordArgs{\n\t\t\t\tValue: pulumi.String(\"some password\"),\n\t\t\t\tTemporary: pulumi.Bool(true),\n\t\t\t},\n\t\t})\n\t\tif err != nil 
{\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.User;\nimport com.pulumi.keycloak.UserArgs;\nimport com.pulumi.keycloak.inputs.UserInitialPasswordArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var user = new User(\"user\", UserArgs.builder()\n .realmId(realm.id())\n .username(\"bob\")\n .enabled(true)\n .email(\"bob@domain.com\")\n .firstName(\"Bob\")\n .lastName(\"Bobson\")\n .build());\n\n var userWithInitialPassword = new User(\"userWithInitialPassword\", UserArgs.builder()\n .realmId(realm.id())\n .username(\"alice\")\n .enabled(true)\n .email(\"alice@domain.com\")\n .firstName(\"Alice\")\n .lastName(\"Aliceberg\")\n .initialPassword(UserInitialPasswordArgs.builder()\n .value(\"some password\")\n .temporary(true)\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n user:\n type: keycloak:User\n properties:\n realmId: ${realm.id}\n username: bob\n enabled: true\n email: bob@domain.com\n firstName: Bob\n lastName: Bobson\n userWithInitialPassword:\n type: keycloak:User\n name: user_with_initial_password\n properties:\n realmId: ${realm.id}\n username: alice\n enabled: true\n email: alice@domain.com\n firstName: Alice\n lastName: Aliceberg\n initialPassword:\n value: some password\n temporary: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following 
arguments are supported:\n\n- `realm_id` - (Required) The realm this user belongs to.\n- `username` - (Required) The unique username of this user.\n- `initial_password` (Optional) When given, the user's initial password will be set.\n This attribute is only respected during initial user creation.\n - `value` (Required) The initial password.\n - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`.\n- `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`.\n- `email` - (Optional) The user's email.\n- `first_name` - (Optional) The user's first name.\n- `last_name` - (Optional) The user's last name.\n\n### Import\n\nUsers can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak\nassigns to the user upon creation. This value can be found in the GUI when editing the user.\n\nExample:\n\n```bash\n$ terraform import keycloak_user.user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4\n```\n", + "description": "Allows for creating and managing Users within Keycloak.\n\nThis resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource. Creating users within\nKeycloak is not recommended. 
Instead, users should be federated from external sources by configuring user federation providers\nor identity providers.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst user = new keycloak.User(\"user\", {\n realmId: realm.id,\n username: \"bob\",\n enabled: true,\n email: \"bob@domain.com\",\n firstName: \"Bob\",\n lastName: \"Bobson\",\n});\nconst userWithInitialPassword = new keycloak.User(\"user_with_initial_password\", {\n realmId: realm.id,\n username: \"alice\",\n enabled: true,\n email: \"alice@domain.com\",\n firstName: \"Alice\",\n lastName: \"Aliceberg\",\n attributes: {\n foo: \"bar\",\n multivalue: \"value1##value2\",\n },\n initialPassword: {\n value: \"some password\",\n temporary: true,\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nuser = keycloak.User(\"user\",\n realm_id=realm.id,\n username=\"bob\",\n enabled=True,\n email=\"bob@domain.com\",\n first_name=\"Bob\",\n last_name=\"Bobson\")\nuser_with_initial_password = keycloak.User(\"user_with_initial_password\",\n realm_id=realm.id,\n username=\"alice\",\n enabled=True,\n email=\"alice@domain.com\",\n first_name=\"Alice\",\n last_name=\"Aliceberg\",\n attributes={\n \"foo\": \"bar\",\n \"multivalue\": \"value1##value2\",\n },\n initial_password={\n \"value\": \"some password\",\n \"temporary\": True,\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var user = new Keycloak.User(\"user\", new()\n {\n RealmId = realm.Id,\n Username = 
\"bob\",\n Enabled = true,\n Email = \"bob@domain.com\",\n FirstName = \"Bob\",\n LastName = \"Bobson\",\n });\n\n var userWithInitialPassword = new Keycloak.User(\"user_with_initial_password\", new()\n {\n RealmId = realm.Id,\n Username = \"alice\",\n Enabled = true,\n Email = \"alice@domain.com\",\n FirstName = \"Alice\",\n LastName = \"Aliceberg\",\n Attributes = \n {\n { \"foo\", \"bar\" },\n { \"multivalue\", \"value1##value2\" },\n },\n InitialPassword = new Keycloak.Inputs.UserInitialPasswordArgs\n {\n Value = \"some password\",\n Temporary = true,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewUser(ctx, \"user\", \u0026keycloak.UserArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsername: pulumi.String(\"bob\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tEmail: pulumi.String(\"bob@domain.com\"),\n\t\t\tFirstName: pulumi.String(\"Bob\"),\n\t\t\tLastName: pulumi.String(\"Bobson\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewUser(ctx, \"user_with_initial_password\", \u0026keycloak.UserArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsername: pulumi.String(\"alice\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tEmail: pulumi.String(\"alice@domain.com\"),\n\t\t\tFirstName: pulumi.String(\"Alice\"),\n\t\t\tLastName: pulumi.String(\"Aliceberg\"),\n\t\t\tAttributes: pulumi.StringMap{\n\t\t\t\t\"foo\": pulumi.String(\"bar\"),\n\t\t\t\t\"multivalue\": pulumi.String(\"value1##value2\"),\n\t\t\t},\n\t\t\tInitialPassword: \u0026keycloak.UserInitialPasswordArgs{\n\t\t\t\tValue: pulumi.String(\"some password\"),\n\t\t\t\tTemporary: 
pulumi.Bool(true),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.User;\nimport com.pulumi.keycloak.UserArgs;\nimport com.pulumi.keycloak.inputs.UserInitialPasswordArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var user = new User(\"user\", UserArgs.builder()\n .realmId(realm.id())\n .username(\"bob\")\n .enabled(true)\n .email(\"bob@domain.com\")\n .firstName(\"Bob\")\n .lastName(\"Bobson\")\n .build());\n\n var userWithInitialPassword = new User(\"userWithInitialPassword\", UserArgs.builder()\n .realmId(realm.id())\n .username(\"alice\")\n .enabled(true)\n .email(\"alice@domain.com\")\n .firstName(\"Alice\")\n .lastName(\"Aliceberg\")\n .attributes(Map.ofEntries(\n Map.entry(\"foo\", \"bar\"),\n Map.entry(\"multivalue\", \"value1##value2\")\n ))\n .initialPassword(UserInitialPasswordArgs.builder()\n .value(\"some password\")\n .temporary(true)\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n user:\n type: keycloak:User\n properties:\n realmId: ${realm.id}\n username: bob\n enabled: true\n email: bob@domain.com\n firstName: Bob\n lastName: Bobson\n userWithInitialPassword:\n type: keycloak:User\n name: user_with_initial_password\n properties:\n realmId: ${realm.id}\n username: alice\n enabled: true\n email: alice@domain.com\n firstName: Alice\n 
lastName: Aliceberg\n attributes:\n foo: bar\n multivalue: value1##value2\n initialPassword:\n value: some password\n temporary: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nUsers can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak\n\nassigns to the user upon creation. This value can be found in the GUI when editing the user.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/user:User user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4\n```\n\n", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars\n" }, "email": { - "type": "string" + "type": "string", + "description": "The user's email.\n" }, "emailVerified": { - "type": "boolean" + "type": "boolean", + "description": "Whether the email address was validated or not. Default to `false`.\n" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When false, this user cannot log in. Defaults to `true`.\n" }, "federatedIdentities": { "type": "array", "items": { "$ref": "#/types/keycloak:index/UserFederatedIdentity:UserFederatedIdentity" - } + }, + "description": "When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details.\n" }, "firstName": { - "type": "string" + "type": "string", + "description": "The user's first name.\n" }, "initialPassword": { - "$ref": "#/types/keycloak:index/UserInitialPassword:UserInitialPassword" + "$ref": "#/types/keycloak:index/UserInitialPassword:UserInitialPassword", + "description": "When given, the user's initial password will be set. 
This attribute is only respected during initial user creation.\n" }, "lastName": { - "type": "string" + "type": "string", + "description": "The user's last name.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this user belongs to.\n" }, "requiredActions": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of required user actions.\n" }, "username": { - "type": "string" + "type": "string", + "description": "The unique username of this user.\n" } }, "required": [ 
@@ -5559,44 +5748,55 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars\n" }, "email": { - "type": "string" + "type": "string", + "description": "The user's email.\n" }, "emailVerified": { - "type": "boolean" + "type": "boolean", + "description": "Whether the email address was validated or not. Default to `false`.\n" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When false, this user cannot log in. Defaults to `true`.\n" }, "federatedIdentities": { "type": "array", "items": { "$ref": "#/types/keycloak:index/UserFederatedIdentity:UserFederatedIdentity" - } + }, + "description": "When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details.\n" }, "firstName": { - "type": "string" + "type": "string", + "description": "The user's first name.\n" }, "initialPassword": { - "$ref": "#/types/keycloak:index/UserInitialPassword:UserInitialPassword" + "$ref": "#/types/keycloak:index/UserInitialPassword:UserInitialPassword", + "description": "When given, the user's initial password will be set. This attribute is only respected during initial user creation.\n" }, "lastName": { - "type": "string" + "type": "string", + "description": "The user's last name.\n" }, "realmId": { "type": "string", + "description": "The realm this user belongs to.\n", "willReplaceOnChanges": true }, "requiredActions": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of required user actions.\n" }, "username": { "type": "string", + "description": "The unique username of this user.\n", "willReplaceOnChanges": true } }, 
@@ -5611,44 +5811,55 @@ "type": "object", "additionalProperties": { "type": "string" - } + }, + "description": "A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars\n" }, "email": { - "type": "string" + "type": "string", + "description": "The user's email.\n" }, "emailVerified": { - "type": "boolean" + "type": "boolean", + "description": "Whether the email address was validated or not. Default to `false`.\n" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When false, this user cannot log in. Defaults to `true`.\n" }, "federatedIdentities": { "type": "array", "items": { "$ref": "#/types/keycloak:index/UserFederatedIdentity:UserFederatedIdentity" - } + }, + "description": "When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details.\n" }, "firstName": { - "type": "string" + "type": "string", + "description": "The user's first name.\n" }, "initialPassword": { - "$ref": "#/types/keycloak:index/UserInitialPassword:UserInitialPassword" + "$ref": "#/types/keycloak:index/UserInitialPassword:UserInitialPassword", + "description": "When given, the user's initial password will be set. This attribute is only respected during initial user creation.\n" }, "lastName": { - "type": "string" + "type": "string", + "description": "The user's last name.\n" }, "realmId": { "type": "string", + "description": "The realm this user belongs to.\n", "willReplaceOnChanges": true }, "requiredActions": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of required user actions.\n" }, "username": { "type": "string", + "description": "The unique username of this user.\n", "willReplaceOnChanges": true } }, 
@@ -6136,28 +6347,31 @@ } }, "keycloak:ldap/fullNameMapper:FullNameMapper": { - "description": "## # keycloak.ldap.FullNameMapper\n\nAllows for creating and managing full name mappers for Keycloak users federated\nvia LDAP.\n\nThe LDAP full name mapper can map a user's full name from an LDAP attribute\nto the first and last name attributes of a Keycloak user.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"test\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst ldapFullNameMapper = new keycloak.ldap.FullNameMapper(\"ldap_full_name_mapper\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"full-name-mapper\",\n ldapFullNameAttribute: \"cn\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"test\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nldap_full_name_mapper = keycloak.ldap.FullNameMapper(\"ldap_full_name_mapper\",\n realm_id=realm.id,\n 
ldap_user_federation_id=ldap_user_federation.id,\n name=\"full-name-mapper\",\n ldap_full_name_attribute=\"cn\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"test\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var ldapFullNameMapper = new Keycloak.Ldap.FullNameMapper(\"ldap_full_name_mapper\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"full-name-mapper\",\n LdapFullNameAttribute = \"cn\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"test\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: 
pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewFullNameMapper(ctx, \"ldap_full_name_mapper\", \u0026ldap.FullNameMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"full-name-mapper\"),\n\t\t\tLdapFullNameAttribute: pulumi.String(\"cn\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.ldap.FullNameMapper;\nimport com.pulumi.keycloak.ldap.FullNameMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"test\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n 
.bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var ldapFullNameMapper = new FullNameMapper(\"ldapFullNameMapper\", FullNameMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"full-name-mapper\")\n .ldapFullNameAttribute(\"cn\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: test\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n ldapFullNameMapper:\n type: keycloak:ldap:FullNameMapper\n name: ldap_full_name_mapper\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n name: full-name-mapper\n ldapFullNameAttribute: cn\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm that this LDAP mapper will exist in.\n- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.\n- `name` - (Required) Display name of this mapper when displayed in the console.\n- `ldap_full_name_attribute` - (Required) The name of the LDAP attribute containing the user's full name.\n- `read_only` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.\n- `write_only` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. 
Defaults to `false`.\n\n### Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\nThe ID of the LDAP user federation provider and the mapper can be found within\nthe Keycloak GUI, and they are typically GUIDs:\n\n```bash\n$ terraform import keycloak_ldap_full_name_mapper.ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n", + "description": "Allows for creating and managing full name mappers for Keycloak users federated via LDAP.\n\nThe LDAP full name mapper can map a user's full name from an LDAP attribute to the first and last name attributes of a\nKeycloak user.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst ldapFullNameMapper = new keycloak.ldap.FullNameMapper(\"ldap_full_name_mapper\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"full-name-mapper\",\n ldapFullNameAttribute: \"cn\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n 
uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nldap_full_name_mapper = keycloak.ldap.FullNameMapper(\"ldap_full_name_mapper\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n name=\"full-name-mapper\",\n ldap_full_name_attribute=\"cn\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var ldapFullNameMapper = new Keycloak.Ldap.FullNameMapper(\"ldap_full_name_mapper\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"full-name-mapper\",\n LdapFullNameAttribute = \"cn\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn 
err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewFullNameMapper(ctx, \"ldap_full_name_mapper\", \u0026ldap.FullNameMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"full-name-mapper\"),\n\t\t\tLdapFullNameAttribute: pulumi.String(\"cn\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.ldap.FullNameMapper;\nimport com.pulumi.keycloak.ldap.FullNameMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new 
UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var ldapFullNameMapper = new FullNameMapper(\"ldapFullNameMapper\", FullNameMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"full-name-mapper\")\n .ldapFullNameAttribute(\"cn\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n ldapFullNameMapper:\n type: keycloak:ldap:FullNameMapper\n name: ldap_full_name_mapper\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n name: full-name-mapper\n ldapFullNameAttribute: cn\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\n\nThe ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:ldap/fullNameMapper:FullNameMapper ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n\n", "properties": { "ldapFullNameAttribute": { - 
"type": "string" + "type": "string", + "description": "The name of the LDAP attribute containing the user's full name.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n" + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n" }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "readOnly": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n" + "description": "The realm that this LDAP mapper will exist in.\n" }, "writeOnly": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.\n" } }, "required": [ 
@@ -6168,27 +6382,30 @@ ], "inputProperties": { "ldapFullNameAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute containing the user's full name.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "readOnly": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true }, "writeOnly": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.\n" } }, "requiredInputs": [ 
@@ -6200,97 +6417,115 @@ "description": "Input properties used for looking up and filtering FullNameMapper resources.\n", "properties": { "ldapFullNameAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute containing the user's full name.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "readOnly": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true }, "writeOnly": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.\n" } }, "type": "object" } }, "keycloak:ldap/groupMapper:GroupMapper": { - "description": "## # keycloak.ldap.GroupMapper\n\nAllows for creating and managing group mappers for Keycloak users federated\nvia LDAP.\n\nThe LDAP group mapper can be used to map an LDAP user's groups from some DN\nto Keycloak groups. 
This group mapper will also create the groups within Keycloak\nif they do not already exist.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"test\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst ldapGroupMapper = new keycloak.ldap.GroupMapper(\"ldap_group_mapper\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"group-mapper\",\n ldapGroupsDn: \"dc=example,dc=org\",\n groupNameLdapAttribute: \"cn\",\n groupObjectClasses: [\"groupOfNames\"],\n membershipAttributeType: \"DN\",\n membershipLdapAttribute: \"member\",\n membershipUserLdapAttribute: \"cn\",\n memberofLdapAttribute: \"memberOf\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"test\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nldap_group_mapper = keycloak.ldap.GroupMapper(\"ldap_group_mapper\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n 
name=\"group-mapper\",\n ldap_groups_dn=\"dc=example,dc=org\",\n group_name_ldap_attribute=\"cn\",\n group_object_classes=[\"groupOfNames\"],\n membership_attribute_type=\"DN\",\n membership_ldap_attribute=\"member\",\n membership_user_ldap_attribute=\"cn\",\n memberof_ldap_attribute=\"memberOf\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"test\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var ldapGroupMapper = new Keycloak.Ldap.GroupMapper(\"ldap_group_mapper\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"group-mapper\",\n LdapGroupsDn = \"dc=example,dc=org\",\n GroupNameLdapAttribute = \"cn\",\n GroupObjectClasses = new[]\n {\n \"groupOfNames\",\n },\n MembershipAttributeType = \"DN\",\n MembershipLdapAttribute = \"member\",\n MembershipUserLdapAttribute = \"cn\",\n MemberofLdapAttribute = \"memberOf\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"test\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err 
!= nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewGroupMapper(ctx, \"ldap_group_mapper\", \u0026ldap.GroupMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"group-mapper\"),\n\t\t\tLdapGroupsDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tGroupNameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tGroupObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"groupOfNames\"),\n\t\t\t},\n\t\t\tMembershipAttributeType: pulumi.String(\"DN\"),\n\t\t\tMembershipLdapAttribute: pulumi.String(\"member\"),\n\t\t\tMembershipUserLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tMemberofLdapAttribute: pulumi.String(\"memberOf\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.ldap.GroupMapper;\nimport com.pulumi.keycloak.ldap.GroupMapperArgs;\nimport java.util.List;\nimport 
java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"test\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var ldapGroupMapper = new GroupMapper(\"ldapGroupMapper\", GroupMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"group-mapper\")\n .ldapGroupsDn(\"dc=example,dc=org\")\n .groupNameLdapAttribute(\"cn\")\n .groupObjectClasses(\"groupOfNames\")\n .membershipAttributeType(\"DN\")\n .membershipLdapAttribute(\"member\")\n .membershipUserLdapAttribute(\"cn\")\n .memberofLdapAttribute(\"memberOf\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: test\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n ldapGroupMapper:\n type: keycloak:ldap:GroupMapper\n name: ldap_group_mapper\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n 
name: group-mapper\n ldapGroupsDn: dc=example,dc=org\n groupNameLdapAttribute: cn\n groupObjectClasses:\n - groupOfNames\n membershipAttributeType: DN\n membershipLdapAttribute: member\n membershipUserLdapAttribute: cn\n memberofLdapAttribute: memberOf\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm that this LDAP mapper will exist in.\n- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.\n- `name` - (Required) Display name of this mapper when displayed in the console.\n- `ldap_groups_dn` - (Required) The LDAP DN where groups can be found.\n- `group_name_ldap_attribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.\n- `group_object_classes` - (Required) Array of strings representing the object classes for the group. Must contain at least one.\n- `preserve_group_inheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.\n- `ignore_missing_groups` - (Optional) When `true`, missing groups in the hierarchy will be ignored.\n- `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings.\n- `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`.\n- `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings.\n- `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.\n- `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. 
Defaults to `READ_ONLY`.\n- `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.\n- `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.\n- `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.\n- `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.\n\n### Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\nThe ID of the LDAP user federation provider and the mapper can be found within\nthe Keycloak GUI, and they are typically GUIDs:\n\n```bash\n$ terraform import keycloak_ldap_group_mapper.ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n", + "description": "Allows for creating and managing group mappers for Keycloak users federated via LDAP.\n\nThe LDAP group mapper can be used to map an LDAP user's groups from some DN to Keycloak groups. 
This group mapper will also\ncreate the groups within Keycloak if they do not already exist.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst ldapGroupMapper = new keycloak.ldap.GroupMapper(\"ldap_group_mapper\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"group-mapper\",\n ldapGroupsDn: \"dc=example,dc=org\",\n groupNameLdapAttribute: \"cn\",\n groupObjectClasses: [\"groupOfNames\"],\n membershipAttributeType: \"DN\",\n membershipLdapAttribute: \"member\",\n membershipUserLdapAttribute: \"cn\",\n memberofLdapAttribute: \"memberOf\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nldap_group_mapper = keycloak.ldap.GroupMapper(\"ldap_group_mapper\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n 
name=\"group-mapper\",\n ldap_groups_dn=\"dc=example,dc=org\",\n group_name_ldap_attribute=\"cn\",\n group_object_classes=[\"groupOfNames\"],\n membership_attribute_type=\"DN\",\n membership_ldap_attribute=\"member\",\n membership_user_ldap_attribute=\"cn\",\n memberof_ldap_attribute=\"memberOf\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var ldapGroupMapper = new Keycloak.Ldap.GroupMapper(\"ldap_group_mapper\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"group-mapper\",\n LdapGroupsDn = \"dc=example,dc=org\",\n GroupNameLdapAttribute = \"cn\",\n GroupObjectClasses = new[]\n {\n \"groupOfNames\",\n },\n MembershipAttributeType = \"DN\",\n MembershipLdapAttribute = \"member\",\n MembershipUserLdapAttribute = \"cn\",\n MemberofLdapAttribute = \"memberOf\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: 
pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewGroupMapper(ctx, \"ldap_group_mapper\", \u0026ldap.GroupMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"group-mapper\"),\n\t\t\tLdapGroupsDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tGroupNameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tGroupObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"groupOfNames\"),\n\t\t\t},\n\t\t\tMembershipAttributeType: pulumi.String(\"DN\"),\n\t\t\tMembershipLdapAttribute: pulumi.String(\"member\"),\n\t\t\tMembershipUserLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tMemberofLdapAttribute: pulumi.String(\"memberOf\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.ldap.GroupMapper;\nimport com.pulumi.keycloak.ldap.GroupMapperArgs;\nimport 
java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var ldapGroupMapper = new GroupMapper(\"ldapGroupMapper\", GroupMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"group-mapper\")\n .ldapGroupsDn(\"dc=example,dc=org\")\n .groupNameLdapAttribute(\"cn\")\n .groupObjectClasses(\"groupOfNames\")\n .membershipAttributeType(\"DN\")\n .membershipLdapAttribute(\"member\")\n .membershipUserLdapAttribute(\"cn\")\n .memberofLdapAttribute(\"memberOf\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n ldapGroupMapper:\n type: keycloak:ldap:GroupMapper\n name: ldap_group_mapper\n properties:\n realmId: ${realm.id}\n 
ldapUserFederationId: ${ldapUserFederation.id}\n name: group-mapper\n ldapGroupsDn: dc=example,dc=org\n groupNameLdapAttribute: cn\n groupObjectClasses:\n - groupOfNames\n membershipAttributeType: DN\n membershipLdapAttribute: member\n membershipUserLdapAttribute: cn\n memberofLdapAttribute: memberOf\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\n\nThe ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:ldap/groupMapper:GroupMapper ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n\n", "properties": { "dropNonExistingGroupsDuringSync": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.\n" }, "groupNameLdapAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.\n" }, "groupObjectClasses": { "type": "array", "items": { "type": "string" - } + }, + "description": "List of strings representing the object classes for the group. Must contain at least one.\n" }, "groupsLdapFilter": { - "type": "string" + "type": "string", + "description": "When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.\n" }, "groupsPath": { - "type": "string" + "type": "string", + "description": "Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. 
The configured group path must already exist in Keycloak when creating this mapper.\n" }, "ignoreMissingGroups": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, missing groups in the hierarchy will be ignored.\n" }, "ldapGroupsDn": { - "type": "string" + "type": "string", + "description": "The LDAP DN where groups can be found.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n" + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n" }, "mappedGroupAttributes": { "type": "array", "items": { "type": "string" - } + }, + "description": "Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.\n" }, "memberofLdapAttribute": { - "type": "string" + "type": "string", + "description": "Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.\n" }, "membershipAttributeType": { - "type": "string" + "type": "string", + "description": "Can be one of `DN` or `UID`. Defaults to `DN`.\n" }, "membershipLdapAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute that is used for membership mappings.\n" }, "membershipUserLdapAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute on a user that is used for membership mappings.\n" }, "mode": { - "type": "string" + "type": "string", + "description": "Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. 
Defaults to `READ_ONLY`.\n" }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "preserveGroupInheritance": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n" + "description": "The realm that this LDAP mapper will exist in.\n" }, "userRolesRetrieveStrategy": { - "type": "string" + "type": "string", + "description": "Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.\n" } }, "required": [ 
@@ -6306,69 +6541,84 @@ ], "inputProperties": { "dropNonExistingGroupsDuringSync": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.\n" }, "groupNameLdapAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.\n" }, "groupObjectClasses": { "type": "array", "items": { "type": "string" - } + }, + "description": "List of strings representing the object classes for the group. Must contain at least one.\n" }, "groupsLdapFilter": { - "type": "string" + "type": "string", + "description": "When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.\n" }, "groupsPath": { - "type": "string" + "type": "string", + "description": "Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. 
The configured group path must already exist in Keycloak when creating this mapper.\n" }, "ignoreMissingGroups": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, missing groups in the hierarchy will be ignored.\n" }, "ldapGroupsDn": { - "type": "string" + "type": "string", + "description": "The LDAP DN where groups can be found.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "mappedGroupAttributes": { "type": "array", "items": { "type": "string" - } + }, + "description": "Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.\n" }, "memberofLdapAttribute": { - "type": "string" + "type": "string", + "description": "Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.\n" }, "membershipAttributeType": { - "type": "string" + "type": "string", + "description": "Can be one of `DN` or `UID`. Defaults to `DN`.\n" }, "membershipLdapAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute that is used for membership mappings.\n" }, "membershipUserLdapAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute on a user that is used for membership mappings.\n" }, "mode": { - "type": "string" + "type": "string", + "description": "Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. 
Defaults to `READ_ONLY`.\n" }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "preserveGroupInheritance": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true }, "userRolesRetrieveStrategy": { - "type": "string" + "type": "string", + "description": "Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.\n" } }, "requiredInputs": [ 
@@ -6384,69 +6634,84 @@ "description": "Input properties used for looking up and filtering GroupMapper resources.\n", "properties": { "dropNonExistingGroupsDuringSync": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.\n" }, "groupNameLdapAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.\n" }, "groupObjectClasses": { "type": "array", "items": { "type": "string" - } + }, + "description": "List of strings representing the object classes for the group. Must contain at least one.\n" }, "groupsLdapFilter": { - "type": "string" + "type": "string", + "description": "When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.\n" }, "groupsPath": { - "type": "string" + "type": "string", + "description": "Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. 
The configured group path must already exist in Keycloak when creating this mapper.\n" }, "ignoreMissingGroups": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, missing groups in the hierarchy will be ignored.\n" }, "ldapGroupsDn": { - "type": "string" + "type": "string", + "description": "The LDAP DN where groups can be found.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "mappedGroupAttributes": { "type": "array", "items": { "type": "string" - } + }, + "description": "Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.\n" }, "memberofLdapAttribute": { - "type": "string" + "type": "string", + "description": "Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.\n" }, "membershipAttributeType": { - "type": "string" + "type": "string", + "description": "Can be one of `DN` or `UID`. Defaults to `DN`.\n" }, "membershipLdapAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute that is used for membership mappings.\n" }, "membershipUserLdapAttribute": { - "type": "string" + "type": "string", + "description": "The name of the LDAP attribute on a user that is used for membership mappings.\n" }, "mode": { - "type": "string" + "type": "string", + "description": "Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. 
Defaults to `READ_ONLY`.\n" }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "preserveGroupInheritance": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true }, "userRolesRetrieveStrategy": { - "type": "string" + "type": "string", + "description": "Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.\n" } }, "type": "object" 
@@ -6625,23 +6890,23 @@ } }, "keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper": { - "description": "## # keycloak.ldap.HardcodedRoleMapper\n\nThis mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"test\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst assignAdminRoleToAllUsers = new keycloak.ldap.HardcodedRoleMapper(\"assign_admin_role_to_all_users\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"assign-admin-role-to-all-users\",\n role: \"admin\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"test\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nassign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper(\"assign_admin_role_to_all_users\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n 
name=\"assign-admin-role-to-all-users\",\n role=\"admin\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"test\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var assignAdminRoleToAllUsers = new Keycloak.Ldap.HardcodedRoleMapper(\"assign_admin_role_to_all_users\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"assign-admin-role-to-all-users\",\n Role = \"admin\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"test\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: 
pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewHardcodedRoleMapper(ctx, \"assign_admin_role_to_all_users\", \u0026ldap.HardcodedRoleMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"assign-admin-role-to-all-users\"),\n\t\t\tRole: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.ldap.HardcodedRoleMapper;\nimport com.pulumi.keycloak.ldap.HardcodedRoleMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"test\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n 
.bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var assignAdminRoleToAllUsers = new HardcodedRoleMapper(\"assignAdminRoleToAllUsers\", HardcodedRoleMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"assign-admin-role-to-all-users\")\n .role(\"admin\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: test\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n assignAdminRoleToAllUsers:\n type: keycloak:ldap:HardcodedRoleMapper\n name: assign_admin_role_to_all_users\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n name: assign-admin-role-to-all-users\n role: admin\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm that this LDAP mapper will exist in.\n- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.\n- `name` - (Required) Display name of this mapper when displayed in the console.\n- `role` - (Required) The role which should be assigned to the users.\n\n### Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\nThe ID of the LDAP user federation provider and the mapper can be found within\nthe Keycloak GUI, and they are typically GUIDs:\n\n```bash\n$ terraform import keycloak_ldap_hardcoded_role_mapper.ldap_hardcoded_role_mapper 
my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n", + "description": "Allows for creating and managing hardcoded role mappers for Keycloak users federated via LDAP.\n\nThe LDAP hardcoded role mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP.\n\n## Example Usage\n\n### Realm Role)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst realmAdminRole = new keycloak.Role(\"realm_admin_role\", {\n realmId: realm.id,\n name: \"my-admin-role\",\n description: \"My Realm Role\",\n});\nconst assignAdminRoleToAllUsers = new keycloak.ldap.HardcodedRoleMapper(\"assign_admin_role_to_all_users\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"assign-admin-role-to-all-users\",\n role: realmAdminRole.name,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n 
bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nrealm_admin_role = keycloak.Role(\"realm_admin_role\",\n realm_id=realm.id,\n name=\"my-admin-role\",\n description=\"My Realm Role\")\nassign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper(\"assign_admin_role_to_all_users\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n name=\"assign-admin-role-to-all-users\",\n role=realm_admin_role.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var realmAdminRole = new Keycloak.Role(\"realm_admin_role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-admin-role\",\n Description = \"My Realm Role\",\n });\n\n var assignAdminRoleToAllUsers = new Keycloak.Ldap.HardcodedRoleMapper(\"assign_admin_role_to_all_users\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"assign-admin-role-to-all-users\",\n Role = realmAdminRole.Name,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", 
\u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trealmAdminRole, err := keycloak.NewRole(ctx, \"realm_admin_role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-admin-role\"),\n\t\t\tDescription: pulumi.String(\"My Realm Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewHardcodedRoleMapper(ctx, \"assign_admin_role_to_all_users\", \u0026ldap.HardcodedRoleMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"assign-admin-role-to-all-users\"),\n\t\t\tRole: realmAdminRole.Name,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport 
com.pulumi.keycloak.ldap.HardcodedRoleMapper;\nimport com.pulumi.keycloak.ldap.HardcodedRoleMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var realmAdminRole = new Role(\"realmAdminRole\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-admin-role\")\n .description(\"My Realm Role\")\n .build());\n\n var assignAdminRoleToAllUsers = new HardcodedRoleMapper(\"assignAdminRoleToAllUsers\", HardcodedRoleMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"assign-admin-role-to-all-users\")\n .role(realmAdminRole.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n realmAdminRole:\n type: 
keycloak:Role\n name: realm_admin_role\n properties:\n realmId: ${realm.id}\n name: my-admin-role\n description: My Realm Role\n assignAdminRoleToAllUsers:\n type: keycloak:ldap:HardcodedRoleMapper\n name: assign_admin_role_to_all_users\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n name: assign-admin-role-to-all-users\n role: ${realmAdminRole.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Role)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\n// data sources aren't technically necessary here, but they are helpful for demonstration purposes\nconst realmManagement = keycloak.openid.getClientOutput({\n realmId: realm.id,\n clientId: \"realm-management\",\n});\nconst createClient = pulumi.all([realm.id, realmManagement]).apply(([id, realmManagement]) =\u003e keycloak.getRoleOutput({\n realmId: id,\n clientId: realmManagement.id,\n name: \"create-client\",\n}));\nconst assignAdminRoleToAllUsers = new keycloak.ldap.HardcodedRoleMapper(\"assign_admin_role_to_all_users\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"assign-admin-role-to-all-users\",\n role: pulumi.all([realmManagement, createClient]).apply(([realmManagement, createClient]) =\u003e `${realmManagement.clientId}.${createClient.name}`),\n});\n```\n```python\nimport 
pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\n# data sources aren't technically necessary here, but they are helpful for demonstration purposes\nrealm_management = keycloak.openid.get_client_output(realm_id=realm.id,\n client_id=\"realm-management\")\ncreate_client = pulumi.Output.all(\n id=realm.id,\n realm_management=realm_management\n).apply(lambda resolved_outputs: keycloak.get_role_output(realm_id=resolved_outputs['id'],\n client_id=realm_management.id,\n name=\"create-client\"))\n\nassign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper(\"assign_admin_role_to_all_users\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n name=\"assign-admin-role-to-all-users\",\n role=pulumi.Output.all(\n realm_management=realm_management,\n create_client=create_client\n).apply(lambda resolved_outputs: f\"{realm_management.client_id}.{create_client.name}\")\n)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n 
\"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n // data sources aren't technically necessary here, but they are helpful for demonstration purposes\n var realmManagement = Keycloak.OpenId.GetClient.Invoke(new()\n {\n RealmId = realm.Id,\n ClientId = \"realm-management\",\n });\n\n var createClient = Keycloak.GetRole.Invoke(new()\n {\n RealmId = realm.Id,\n ClientId = realmManagement.Apply(getClientResult =\u003e getClientResult.Id),\n Name = \"create-client\",\n });\n\n var assignAdminRoleToAllUsers = new Keycloak.Ldap.HardcodedRoleMapper(\"assign_admin_role_to_all_users\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"assign-admin-role-to-all-users\",\n Role = Output.Tuple(realmManagement, createClient).Apply(values =\u003e\n {\n var realmManagement = values.Item1;\n var createClient = values.Item2;\n return $\"{realmManagement.Apply(getClientResult =\u003e getClientResult.ClientId)}.{createClient.Apply(getRoleResult =\u003e getRoleResult.Name)}\";\n }),\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: 
pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// data sources aren't technically necessary here, but they are helpful for demonstration purposes\n\t\trealmManagement := openid.LookupClientOutput(ctx, openid.GetClientOutputArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"realm-management\"),\n\t\t}, nil)\n\t\tcreateClient := pulumi.All(realm.ID(), realmManagement).ApplyT(func(_args []interface{}) (keycloak.GetRoleResult, error) {\n\t\t\tid := _args[0].(string)\n\t\t\trealmManagement := _args[1].(openid.GetClientResult)\n\t\t\treturn keycloak.GetRoleResult(interface{}(keycloak.LookupRoleOutput(ctx, keycloak.GetRoleOutputArgs{\n\t\t\t\tRealmId: id,\n\t\t\t\tClientId: realmManagement.Id,\n\t\t\t\tName: \"create-client\",\n\t\t\t}, nil))), nil\n\t\t}).(keycloak.GetRoleResultOutput)\n\t\t_, err = ldap.NewHardcodedRoleMapper(ctx, \"assign_admin_role_to_all_users\", \u0026ldap.HardcodedRoleMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"assign-admin-role-to-all-users\"),\n\t\t\tRole: pulumi.All(realmManagement, createClient).ApplyT(func(_args []interface{}) (string, error) {\n\t\t\t\trealmManagement := _args[0].(openid.GetClientResult)\n\t\t\t\tcreateClient := _args[1].(keycloak.GetRoleResult)\n\t\t\t\treturn fmt.Sprintf(\"%v.%v\", realmManagement.ClientId, createClient.Name), nil\n\t\t\t}).(pulumi.StringOutput),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn 
err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.openid.OpenidFunctions;\nimport com.pulumi.keycloak.openid.inputs.GetClientArgs;\nimport com.pulumi.keycloak.KeycloakFunctions;\nimport com.pulumi.keycloak.inputs.GetRoleArgs;\nimport com.pulumi.keycloak.ldap.HardcodedRoleMapper;\nimport com.pulumi.keycloak.ldap.HardcodedRoleMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n // data sources aren't technically necessary here, but they are helpful for demonstration purposes\n final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"realm-management\")\n .build());\n\n final var createClient = KeycloakFunctions.getRole(GetRoleArgs.builder()\n .realmId(realm.id())\n .clientId(realmManagement.applyValue(getClientResult -\u003e getClientResult).applyValue(realmManagement 
-\u003e realmManagement.applyValue(getClientResult -\u003e getClientResult.id())))\n .name(\"create-client\")\n .build());\n\n var assignAdminRoleToAllUsers = new HardcodedRoleMapper(\"assignAdminRoleToAllUsers\", HardcodedRoleMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"assign-admin-role-to-all-users\")\n .role(Output.tuple(realmManagement.applyValue(getClientResult -\u003e getClientResult), createClient.applyValue(getRoleResult -\u003e getRoleResult)).applyValue(values -\u003e {\n var realmManagement = values.t1;\n var createClient = values.t2;\n return String.format(\"%s.%s\", realmManagement.applyValue(getClientResult -\u003e getClientResult.clientId()),createClient.applyValue(getRoleResult -\u003e getRoleResult.name()));\n }))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n assignAdminRoleToAllUsers:\n type: keycloak:ldap:HardcodedRoleMapper\n name: assign_admin_role_to_all_users\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n name: assign-admin-role-to-all-users\n role: ${realmManagement.clientId}.${createClient.name}\nvariables:\n # data sources aren't technically necessary here, but they are helpful for demonstration purposes\n realmManagement:\n fn::invoke:\n Function: keycloak:openid:getClient\n Arguments:\n realmId: ${realm.id}\n clientId: realm-management\n createClient:\n fn::invoke:\n Function: keycloak:getRole\n Arguments:\n realmId: ${realm.id}\n clientId: 
${realmManagement.id}\n name: create-client\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\n\nThe ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper assign_admin_role_to_all_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n\n",
 "properties": {
 "ldapUserFederationId": {
 "type": "string",
- "description": "The ldap user federation provider to attach this mapper to.\n"
+ "description": "The ID of the LDAP user federation provider to attach this mapper to.\n"
 },
 "name": {
 "type": "string",
- "description": "Display name of the mapper when displayed in the console.\n"
+ "description": "Display name of this mapper when displayed in the console.\n"
 },
 "realmId": {
 "type": "string",
- "description": "The realm in which the ldap user federation provider exists.\n"
+ "description": "The realm that this LDAP mapper will exist in.\n"
 },
 "role": {
 "type": "string",
- "description": "Role to grant to user.\n"
+ "description": "The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.\n"
 }
 },
 "required": [
@@ -6653,21 +6918,21 @@
 "inputProperties": {
 "ldapUserFederationId": {
 "type": "string",
- "description": "The ldap user federation provider to attach this mapper to.\n",
+ "description": "The ID of the LDAP user federation provider to attach this mapper to.\n",
 "willReplaceOnChanges": true
 },
 "name": {
 "type": "string",
- "description": "Display name of the mapper when displayed in the console.\n"
+ "description": "Display name of this mapper when displayed in the console.\n"
 },
 "realmId": {
 "type": "string",
- "description": "The realm in which the ldap user federation provider exists.\n",
+ "description": "The realm that this LDAP mapper will exist in.\n",
 "willReplaceOnChanges": true
 },
 "role": {
 "type": "string",
- "description": "Role to grant to user.\n",
+ "description": "The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.\n",
 "willReplaceOnChanges": true
 }
 },
@@ -6681,21 +6946,21 @@
 "properties": {
 "ldapUserFederationId": {
 "type": "string",
- "description": "The ldap user federation provider to attach this mapper to.\n",
+ "description": "The ID of the LDAP user federation provider to attach this mapper to.\n",
 "willReplaceOnChanges": true
 },
 "name": {
 "type": "string",
- "description": "Display name of the mapper when displayed in the console.\n"
+ "description": "Display name of this mapper when displayed in the console.\n"
 },
 "realmId": {
 "type": "string",
- "description": "The realm in which the ldap user federation provider exists.\n",
+ "description": "The realm that this LDAP mapper will exist in.\n",
 "willReplaceOnChanges": true
 },
 "role": {
 "type": "string",
- "description": "Role to grant to user.\n",
+ "description": "The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.\n",
 "willReplaceOnChanges": true
 }
 },
@@ -6765,22 +7030,23 @@ } }, "keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper": { - "description": "## # keycloak.ldap.MsadUserAccountControlMapper\n\nAllows for creating and managing MSAD user account control mappers for Keycloak\nusers federated via LDAP.\n\nThe MSAD (Microsoft Active Directory) user account control mapper is specific\nto LDAP user federation providers that are pulling from AD, and it can propagate\nAD user state to Keycloak in order to enforce settings like expired passwords\nor disabled accounts.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"test\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"ad\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"objectGUID\",\n userObjectClasses: [\n \"person\",\n \"organizationalPerson\",\n \"user\",\n ],\n connectionUrl: \"ldap://my-ad-server\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst msadUserAccountControlMapper = new keycloak.ldap.MsadUserAccountControlMapper(\"msad_user_account_control_mapper\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"msad-user-account-control-mapper\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"test\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"ad\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"objectGUID\",\n user_object_classes=[\n \"person\",\n \"organizationalPerson\",\n \"user\",\n ],\n connection_url=\"ldap://my-ad-server\",\n 
users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nmsad_user_account_control_mapper = keycloak.ldap.MsadUserAccountControlMapper(\"msad_user_account_control_mapper\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n name=\"msad-user-account-control-mapper\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"test\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"ad\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"objectGUID\",\n UserObjectClasses = new[]\n {\n \"person\",\n \"organizationalPerson\",\n \"user\",\n },\n ConnectionUrl = \"ldap://my-ad-server\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var msadUserAccountControlMapper = new Keycloak.Ldap.MsadUserAccountControlMapper(\"msad_user_account_control_mapper\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"msad-user-account-control-mapper\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"test\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: 
pulumi.String(\"ad\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"objectGUID\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"person\"),\n\t\t\t\tpulumi.String(\"organizationalPerson\"),\n\t\t\t\tpulumi.String(\"user\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://my-ad-server\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewMsadUserAccountControlMapper(ctx, \"msad_user_account_control_mapper\", \u0026ldap.MsadUserAccountControlMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"msad-user-account-control-mapper\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.ldap.MsadUserAccountControlMapper;\nimport com.pulumi.keycloak.ldap.MsadUserAccountControlMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"test\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"ad\")\n 
.realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"objectGUID\")\n .userObjectClasses( \n \"person\",\n \"organizationalPerson\",\n \"user\")\n .connectionUrl(\"ldap://my-ad-server\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var msadUserAccountControlMapper = new MsadUserAccountControlMapper(\"msadUserAccountControlMapper\", MsadUserAccountControlMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"msad-user-account-control-mapper\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: test\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: ad\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: objectGUID\n userObjectClasses:\n - person\n - organizationalPerson\n - user\n connectionUrl: ldap://my-ad-server\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n msadUserAccountControlMapper:\n type: keycloak:ldap:MsadUserAccountControlMapper\n name: msad_user_account_control_mapper\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n name: msad-user-account-control-mapper\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm that this LDAP mapper will exist in.\n- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.\n- `name` - (Required) Display name of this mapper when displayed in the console.\n- `ldap_password_policy_hints_enabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. 
Defaults to `false`.\n\n### Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\nThe ID of the LDAP user federation provider and the mapper can be found within\nthe Keycloak GUI, and they are typically GUIDs:\n\n```bash\n$ terraform import keycloak_ldap_msad_user_account_control_mapper.msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n", + "description": "Allows for creating and managing MSAD user account control mappers for Keycloak\nusers federated via LDAP.\n\nThe MSAD (Microsoft Active Directory) user account control mapper is specific\nto LDAP user federation providers that are pulling from AD, and it can propagate\nAD user state to Keycloak in order to enforce settings like expired passwords\nor disabled accounts.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"ad\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"objectGUID\",\n userObjectClasses: [\n \"person\",\n \"organizationalPerson\",\n \"user\",\n ],\n connectionUrl: \"ldap://my-ad-server\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst msadUserAccountControlMapper = new keycloak.ldap.MsadUserAccountControlMapper(\"msad_user_account_control_mapper\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"msad-user-account-control-mapper\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n 
enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"ad\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"objectGUID\",\n user_object_classes=[\n \"person\",\n \"organizationalPerson\",\n \"user\",\n ],\n connection_url=\"ldap://my-ad-server\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nmsad_user_account_control_mapper = keycloak.ldap.MsadUserAccountControlMapper(\"msad_user_account_control_mapper\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n name=\"msad-user-account-control-mapper\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"ad\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"objectGUID\",\n UserObjectClasses = new[]\n {\n \"person\",\n \"organizationalPerson\",\n \"user\",\n },\n ConnectionUrl = \"ldap://my-ad-server\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var msadUserAccountControlMapper = new Keycloak.Ldap.MsadUserAccountControlMapper(\"msad_user_account_control_mapper\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"msad-user-account-control-mapper\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error 
{\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"ad\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"objectGUID\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"person\"),\n\t\t\t\tpulumi.String(\"organizationalPerson\"),\n\t\t\t\tpulumi.String(\"user\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://my-ad-server\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewMsadUserAccountControlMapper(ctx, \"msad_user_account_control_mapper\", \u0026ldap.MsadUserAccountControlMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"msad-user-account-control-mapper\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.ldap.MsadUserAccountControlMapper;\nimport com.pulumi.keycloak.ldap.MsadUserAccountControlMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public 
static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"ad\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"objectGUID\")\n .userObjectClasses( \n \"person\",\n \"organizationalPerson\",\n \"user\")\n .connectionUrl(\"ldap://my-ad-server\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var msadUserAccountControlMapper = new MsadUserAccountControlMapper(\"msadUserAccountControlMapper\", MsadUserAccountControlMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"msad-user-account-control-mapper\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: ad\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: objectGUID\n userObjectClasses:\n - person\n - organizationalPerson\n - user\n connectionUrl: ldap://my-ad-server\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n msadUserAccountControlMapper:\n type: keycloak:ldap:MsadUserAccountControlMapper\n name: msad_user_account_control_mapper\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n name: msad-user-account-control-mapper\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\n\nThe ID of the LDAP user federation provider and the mapper can be found 
within the Keycloak GUI, and they are typically GUIDs.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n\n",
 "properties": {
 "ldapPasswordPolicyHintsEnabled": {
- "type": "boolean"
+ "type": "boolean",
+ "description": "When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.\n"
 },
 "ldapUserFederationId": {
 "type": "string",
- "description": "The ldap user federation provider to attach this mapper to.\n"
+ "description": "The ID of the LDAP user federation provider to attach this mapper to.\n"
 },
 "name": {
 "type": "string",
- "description": "Display name of the mapper when displayed in the console.\n"
+ "description": "Display name of this mapper when displayed in the console.\n"
 },
 "realmId": {
 "type": "string",
- "description": "The realm in which the ldap user federation provider exists.\n"
+ "description": "The realm that this LDAP mapper will exist in.\n"
 }
 },
 "required": [
@@ -6790,20 +7056,21 @@ ], "inputProperties": { "ldapPasswordPolicyHintsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true } }, 
@@ -6815,20 +7082,21 @@ "description": "Input properties used for looking up and filtering MsadUserAccountControlMapper resources.\n", "properties": { "ldapPasswordPolicyHintsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true } }, 
@@ -7061,47 +7329,47 @@ } }, "keycloak:ldap/userAttributeMapper:UserAttributeMapper": { - "description": "## # keycloak.ldap.UserAttributeMapper\n\nAllows for creating and managing user attribute mappers for Keycloak users\nfederated via LDAP.\n\nThe LDAP user attribute mapper can be used to map a single LDAP attribute\nto an attribute on the Keycloak user model.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"test\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst ldapUserAttributeMapper = new keycloak.ldap.UserAttributeMapper(\"ldap_user_attribute_mapper\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"user-attribute-mapper\",\n userModelAttribute: \"foo\",\n ldapAttribute: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"test\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nldap_user_attribute_mapper = 
keycloak.ldap.UserAttributeMapper(\"ldap_user_attribute_mapper\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n name=\"user-attribute-mapper\",\n user_model_attribute=\"foo\",\n ldap_attribute=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"test\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var ldapUserAttributeMapper = new Keycloak.Ldap.UserAttributeMapper(\"ldap_user_attribute_mapper\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"user-attribute-mapper\",\n UserModelAttribute = \"foo\",\n LdapAttribute = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"test\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: 
pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewUserAttributeMapper(ctx, \"ldap_user_attribute_mapper\", \u0026ldap.UserAttributeMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"user-attribute-mapper\"),\n\t\t\tUserModelAttribute: pulumi.String(\"foo\"),\n\t\t\tLdapAttribute: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.ldap.UserAttributeMapper;\nimport com.pulumi.keycloak.ldap.UserAttributeMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"test\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n 
.rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var ldapUserAttributeMapper = new UserAttributeMapper(\"ldapUserAttributeMapper\", UserAttributeMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"user-attribute-mapper\")\n .userModelAttribute(\"foo\")\n .ldapAttribute(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: test\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n ldapUserAttributeMapper:\n type: keycloak:ldap:UserAttributeMapper\n name: ldap_user_attribute_mapper\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n name: user-attribute-mapper\n userModelAttribute: foo\n ldapAttribute: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm that this LDAP mapper will exist in.\n- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.\n- `name` - (Required) Display name of this mapper when displayed in the console.\n- `user_model_attribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into.\n- `ldap_attribute` - (Required) Name of the mapped attribute on the LDAP object.\n- `read_only` - (Optional) 
When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.\n- `always_read_value_from_ldap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.\n- `is_mandatory_in_ldap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`.\n\n### Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\nThe ID of the LDAP user federation provider and the mapper can be found within\nthe Keycloak GUI, and they are typically GUIDs:\n\n```bash\n$ terraform import keycloak_ldap_user_attribute_mapper.ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n", + "description": "Allows for creating and managing user attribute mappers for Keycloak users\nfederated via LDAP.\n\nThe LDAP user attribute mapper can be used to map a single LDAP attribute\nto an attribute on the Keycloak user model.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst ldapUserAttributeMapper = new keycloak.ldap.UserAttributeMapper(\"ldap_user_attribute_mapper\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n name: \"user-attribute-mapper\",\n 
userModelAttribute: \"foo\",\n ldapAttribute: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nldap_user_attribute_mapper = keycloak.ldap.UserAttributeMapper(\"ldap_user_attribute_mapper\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n name=\"user-attribute-mapper\",\n user_model_attribute=\"foo\",\n ldap_attribute=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var ldapUserAttributeMapper = new Keycloak.Ldap.UserAttributeMapper(\"ldap_user_attribute_mapper\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Name = \"user-attribute-mapper\",\n UserModelAttribute = \"foo\",\n LdapAttribute = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewUserAttributeMapper(ctx, \"ldap_user_attribute_mapper\", \u0026ldap.UserAttributeMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tName: pulumi.String(\"user-attribute-mapper\"),\n\t\t\tUserModelAttribute: pulumi.String(\"foo\"),\n\t\t\tLdapAttribute: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport 
com.pulumi.keycloak.ldap.UserAttributeMapper;\nimport com.pulumi.keycloak.ldap.UserAttributeMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var ldapUserAttributeMapper = new UserAttributeMapper(\"ldapUserAttributeMapper\", UserAttributeMapperArgs.builder()\n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .name(\"user-attribute-mapper\")\n .userModelAttribute(\"foo\")\n .ldapAttribute(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n ldapUserAttributeMapper:\n type: keycloak:ldap:UserAttributeMapper\n name: ldap_user_attribute_mapper\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n 
name: user-attribute-mapper\n userModelAttribute: foo\n ldapAttribute: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.\n\nThe ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:ldap/userAttributeMapper:UserAttributeMapper ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n\n", "properties": { "alwaysReadValueFromLdap": { "type": "boolean", - "description": "When true, the value fetched from LDAP will override the value stored in Keycloak.\n" + "description": "When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.\n" }, "attributeDefaultValue": { "type": "string", - "description": "Default value to set in LDAP if is_mandatory_in_ldap and the value is empty\n" + "description": "Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty.\n" }, "isBinaryAttribute": { "type": "boolean", - "description": "Should be true for binary LDAP attributes\n" + "description": "Should be true for binary LDAP attributes.\n" }, "isMandatoryInLdap": { "type": "boolean", - "description": "When true, this attribute must exist in LDAP.\n" + "description": "When `true`, this attribute must exist in LDAP. 
Defaults to `false`.\n" }, "ldapAttribute": { "type": "string", - "description": "Name of the mapped attribute on LDAP object.\n" + "description": "Name of the mapped attribute on the LDAP object.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n" + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n" }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "readOnly": { "type": "boolean", - "description": "When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.\n" + "description": "When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n" + "description": "The realm that this LDAP mapper will exist in.\n" }, "userModelAttribute": { "type": "string", - "description": "Name of the UserModel property or attribute you want to map the LDAP attribute into.\n" + "description": "Name of the user property or attribute you want to map the LDAP attribute into.\n" } }, "required": [ 
@@ -7114,45 +7382,45 @@ "inputProperties": { "alwaysReadValueFromLdap": { "type": "boolean", - "description": "When true, the value fetched from LDAP will override the value stored in Keycloak.\n" + "description": "When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.\n" }, "attributeDefaultValue": { "type": "string", - "description": "Default value to set in LDAP if is_mandatory_in_ldap and the value is empty\n" + "description": "Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty.\n" }, "isBinaryAttribute": { "type": "boolean", - "description": "Should be true for binary LDAP attributes\n" + "description": "Should be true for binary LDAP attributes.\n" }, "isMandatoryInLdap": { "type": "boolean", - "description": "When true, this attribute must exist in LDAP.\n" + "description": "When `true`, this attribute must exist in LDAP. Defaults to `false`.\n" }, "ldapAttribute": { "type": "string", - "description": "Name of the mapped attribute on LDAP object.\n" + "description": "Name of the mapped attribute on the LDAP object.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "readOnly": { "type": "boolean", - "description": "When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.\n" + "description": "When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. 
Defaults to `false`.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true }, "userModelAttribute": { "type": "string", - "description": "Name of the UserModel property or attribute you want to map the LDAP attribute into.\n" + "description": "Name of the user property or attribute you want to map the LDAP attribute into.\n" } }, "requiredInputs": [ 
@@ -7166,77 +7434,77 @@ "properties": { "alwaysReadValueFromLdap": { "type": "boolean", - "description": "When true, the value fetched from LDAP will override the value stored in Keycloak.\n" + "description": "When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.\n" }, "attributeDefaultValue": { "type": "string", - "description": "Default value to set in LDAP if is_mandatory_in_ldap and the value is empty\n" + "description": "Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty.\n" }, "isBinaryAttribute": { "type": "boolean", - "description": "Should be true for binary LDAP attributes\n" + "description": "Should be true for binary LDAP attributes.\n" }, "isMandatoryInLdap": { "type": "boolean", - "description": "When true, this attribute must exist in LDAP.\n" + "description": "When `true`, this attribute must exist in LDAP. Defaults to `false`.\n" }, "ldapAttribute": { "type": "string", - "description": "Name of the mapped attribute on LDAP object.\n" + "description": "Name of the mapped attribute on the LDAP object.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "readOnly": { "type": "boolean", - "description": "When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.\n" + "description": "When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. 
Defaults to `false`.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true }, "userModelAttribute": { "type": "string", - "description": "Name of the UserModel property or attribute you want to map the LDAP attribute into.\n" + "description": "Name of the user property or attribute you want to map the LDAP attribute into.\n" } }, "type": "object" } }, "keycloak:ldap/userFederation:UserFederation": { - "description": "## # keycloak.ldap.UserFederation\n\nAllows for creating and managing LDAP user federation providers within Keycloak.\n\nKeycloak can use an LDAP user federation provider to federate users to Keycloak\nfrom a directory system such as LDAP or Active Directory. Federated users\nwill exist within the realm and will be able to log in to clients. Federated\nusers can have their attributes defined using mappers.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"test\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n enabled: true,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n connectionTimeout: \"5s\",\n readTimeout: \"10s\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"test\",\n enabled=True)\nldap_user_federation = 
keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n enabled=True,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\",\n connection_timeout=\"5s\",\n read_timeout=\"10s\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"test\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n Enabled = true,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n ConnectionTimeout = \"5s\",\n ReadTimeout = \"10s\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"test\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: 
realm.ID(),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t\tConnectionTimeout: pulumi.String(\"5s\"),\n\t\t\tReadTimeout: pulumi.String(\"10s\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"test\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .enabled(true)\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .connectionTimeout(\"5s\")\n .readTimeout(\"10s\")\n 
.build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: test\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n enabled: true\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n connectionTimeout: 5s\n readTimeout: 10s\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm that this provider will provide user federation for.\n- `name` - (Required) Display name of the provider when displayed in the console.\n- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`.\n- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`.\n- `import_enabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.\n- `edit_mode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.\n- `sync_registrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`.\n- `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. 
Defaults to `OPTIONAL`.\n- `username_ldap_attribute` - (Required) Name of the LDAP attribute to use as the Keycloak username.\n- `rdn_ldap_attribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name.\n- `uuid_ldap_attribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.\n- `user_object_classes` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.\n- `connection_url` - (Required) Connection URL to the LDAP server.\n- `users_dn` - (Required) Full DN of LDAP tree where your users are.\n- `bind_dn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.\n- `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set.\n- `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.\n- `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`:\n - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.\n - `SUBTREE`: Search entire LDAP subtree.\n- `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it.\n- `use_truststore_spi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:\n - `ALWAYS` - Always use the truststore SPI for LDAP connections.\n - `NEVER` - Never use the truststore SPI for LDAP connections.\n - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.\n- `connection_timeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).\n- `read_timeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).\n- `pagination` - (Optional) When true, Keycloak 
assumes the LDAP server supports pagination. Defaults to `true`.\n- `batch_size_for_sync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`.\n- `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.\n- `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.\n- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.\n\n### Import\n\nLDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`.\nThe ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:\n\n```bash\n$ terraform import keycloak_ldap_user_federation.ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860\n```\n", + "description": "Allows for creating and managing LDAP user federation providers within Keycloak.\n\nKeycloak can use an LDAP user federation provider to federate users to Keycloak\nfrom a directory system such as LDAP or Active Directory. Federated users\nwill exist within the realm and will be able to log in to clients. 
Federated\nusers can have their attributes defined using mappers.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldap_user_federation\", {\n name: \"openldap\",\n realmId: realm.id,\n enabled: true,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n connectionTimeout: \"5s\",\n readTimeout: \"10s\",\n kerberos: {\n kerberosRealm: \"FOO.LOCAL\",\n serverPrincipal: \"HTTP/host.foo.com@FOO.LOCAL\",\n keyTab: \"/etc/host.keytab\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldap_user_federation\",\n name=\"openldap\",\n realm_id=realm.id,\n enabled=True,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\",\n connection_timeout=\"5s\",\n read_timeout=\"10s\",\n kerberos={\n \"kerberos_realm\": \"FOO.LOCAL\",\n \"server_principal\": \"HTTP/host.foo.com@FOO.LOCAL\",\n \"key_tab\": \"/etc/host.keytab\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new 
Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldap_user_federation\", new()\n {\n Name = \"openldap\",\n RealmId = realm.Id,\n Enabled = true,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n ConnectionTimeout = \"5s\",\n ReadTimeout = \"10s\",\n Kerberos = new Keycloak.Ldap.Inputs.UserFederationKerberosArgs\n {\n KerberosRealm = \"FOO.LOCAL\",\n ServerPrincipal = \"HTTP/host.foo.com@FOO.LOCAL\",\n KeyTab = \"/etc/host.keytab\",\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewUserFederation(ctx, \"ldap_user_federation\", \u0026ldap.UserFederationArgs{\n\t\t\tName: pulumi.String(\"openldap\"),\n\t\t\tRealmId: realm.ID(),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: 
pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t\tConnectionTimeout: pulumi.String(\"5s\"),\n\t\t\tReadTimeout: pulumi.String(\"10s\"),\n\t\t\tKerberos: \u0026ldap.UserFederationKerberosArgs{\n\t\t\t\tKerberosRealm: pulumi.String(\"FOO.LOCAL\"),\n\t\t\t\tServerPrincipal: pulumi.String(\"HTTP/host.foo.com@FOO.LOCAL\"),\n\t\t\t\tKeyTab: pulumi.String(\"/etc/host.keytab\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.ldap.inputs.UserFederationKerberosArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder()\n .name(\"openldap\")\n .realmId(realm.id())\n .enabled(true)\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .connectionTimeout(\"5s\")\n .readTimeout(\"10s\")\n .kerberos(UserFederationKerberosArgs.builder()\n .kerberosRealm(\"FOO.LOCAL\")\n .serverPrincipal(\"HTTP/host.foo.com@FOO.LOCAL\")\n .keyTab(\"/etc/host.keytab\")\n 
.build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n name: ldap_user_federation\n properties:\n name: openldap\n realmId: ${realm.id}\n enabled: true\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n connectionTimeout: 5s\n readTimeout: 10s\n kerberos:\n kerberosRealm: FOO.LOCAL\n serverPrincipal: HTTP/host.foo.com@FOO.LOCAL\n keyTab: /etc/host.keytab\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`.\n\nThe ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:\n\nbash\n\n```sh\n$ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860\n```\n\n", "properties": { "batchSizeForSync": { "type": "integer", - "description": "The number of users to sync within a single transaction.\n" + "description": "The number of users to sync within a single transaction. Defaults to `1000`.\n" }, "bindCredential": { "type": "string", - "description": "Password of LDAP admin.\n", + "description": "Password of LDAP admin. This attribute must be set if `bind_dn` is set.\n", "secret": true }, "bindDn": { "type": "string", - "description": "DN of LDAP admin, which will be used by Keycloak to access LDAP server.\n" + "description": "DN of LDAP admin, which will be used by Keycloak to access LDAP server. 
This attribute must be set if `bind_credential` is set.\n" }, "cache": { "$ref": "#/types/keycloak:ldap/UserFederationCache:UserFederationCache", - "description": "Settings regarding cache policy for this realm.\n" + "description": "A block containing the cache settings.\n" }, "changedSyncPeriod": { "type": "integer", - "description": "How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users\nsync.\n" + "description": "How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.\n" }, "connectionTimeout": { "type": "string", - "description": "LDAP connection timeout (duration string)\n" + "description": "LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).\n" }, "connectionUrl": { "type": "string", 
@@ -7244,19 +7512,19 @@
 },
 "customUserSearchFilter": {
 "type": "string",
- "description": "Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.\n"
+ "description": "Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.\n"
 },
 "deleteDefaultMappers": {
 "type": "boolean",
- "description": "When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP\nuser federation provider.\n"
+ "description": "When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.\n"
 },
 "editMode": {
 "type": "string",
- "description": "READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.\n"
+ "description": "Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.\n"
 },
 "enabled": {
 "type": "boolean",
- "description": "When false, this provider will not be used when performing queries for users.\n"
+ "description": "When `false`, this provider will not be used when performing queries for users. Defaults to `true`.\n"
 },
 "fullSyncPeriod": {
 "type": "integer",
@@ -7264,11 +7532,11 @@
 },
 "importEnabled": {
 "type": "boolean",
- "description": "When true, LDAP users will be imported into the Keycloak database.\n"
+ "description": "When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.\n"
 },
 "kerberos": {
 "$ref": "#/types/keycloak:ldap/UserFederationKerberos:UserFederationKerberos",
- "description": "Settings regarding kerberos authentication for this realm.\n"
+ "description": "A block containing the kerberos settings.\n"
 },
 "name": {
 "type": "string",
@@ -7276,11 +7544,11 @@
 },
 "pagination": {
 "type": "boolean",
- "description": "When true, Keycloak assumes the LDAP server supports pagination.\n"
+ "description": "When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.\n"
 },
 "priority": {
 "type": "integer",
- "description": "Priority of this provider when looking up users. Lower values are first.\n"
+ "description": "Priority of this provider when looking up users. Lower values are first. Defaults to `0`.\n"
 },
 "rdnLdapAttribute": {
 "type": "string",
@@ -7288,23 +7556,23 @@
 },
 "readTimeout": {
 "type": "string",
- "description": "LDAP read timeout (duration string)\n"
+ "description": "LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).\n"
 },
 "realmId": {
 "type": "string",
- "description": "The realm this provider will provide user federation for.\n"
+ "description": "The realm that this provider will provide user federation for.\n"
 },
 "searchScope": {
 "type": "string",
- "description": "ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.\n"
+ "description": "Can be one of `ONE_LEVEL` or `SUBTREE`:\n- `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.\n- `SUBTREE`: Search entire LDAP subtree.\n"
 },
 "startTls": {
 "type": "boolean",
- "description": "When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.\n"
+ "description": "When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.\n"
 },
 "syncRegistrations": {
 "type": "boolean",
- "description": "When true, newly created users will be synced back to LDAP.\n"
+ "description": "When `true`, newly created users will be synced back to LDAP. Defaults to `false`.\n"
 },
 "trustEmail": {
 "type": "boolean",
@@ -7315,14 +7583,15 @@
 "description": "When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).\n"
 },
 "useTruststoreSpi": {
- "type": "string"
+ "type": "string",
+ "description": "Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:\n- `ALWAYS` - Always use the truststore SPI for LDAP connections.\n- `NEVER` - Never use the truststore SPI for LDAP connections.\n- `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.\n"
 },
 "userObjectClasses": {
 "type": "array",
 "items": {
 "type": "string"
 },
- "description": "All values of LDAP objectClass attribute for users in LDAP.\n"
+ "description": "Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.\n"
 },
 "usernameLdapAttribute": {
 "type": "string",
@@ -7338,11 +7607,11 @@
 },
 "validatePasswordPolicy": {
 "type": "boolean",
- "description": "When true, Keycloak will validate passwords using the realm policy before updating it.\n"
+ "description": "When `true`, Keycloak will validate passwords using the realm policy before updating it.\n"
 },
 "vendor": {
 "type": "string",
- "description": "LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.\n"
+ "description": "Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.\n"
 }
 },
 "required": [
@@ -7358,28 +7627,28 @@
 "inputProperties": {
 "batchSizeForSync": {
 "type": "integer",
- "description": "The number of users to sync within a single transaction.\n"
+ "description": "The number of users to sync within a single transaction. Defaults to `1000`.\n"
 },
 "bindCredential": {
 "type": "string",
- "description": "Password of LDAP admin.\n",
+ "description": "Password of LDAP admin. This attribute must be set if `bind_dn` is set.\n",
 "secret": true
 },
 "bindDn": {
 "type": "string",
- "description": "DN of LDAP admin, which will be used by Keycloak to access LDAP server.\n"
+ "description": "DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.\n"
 },
 "cache": {
 "$ref": "#/types/keycloak:ldap/UserFederationCache:UserFederationCache",
- "description": "Settings regarding cache policy for this realm.\n"
+ "description": "A block containing the cache settings.\n"
 },
 "changedSyncPeriod": {
 "type": "integer",
- "description": "How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users\nsync.\n"
+ "description": "How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.\n"
 },
 "connectionTimeout": {
 "type": "string",
- "description": "LDAP connection timeout (duration string)\n"
+ "description": "LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).\n"
 },
 "connectionUrl": {
 "type": "string",
@@ -7387,20 +7656,20 @@
 },
 "customUserSearchFilter": {
 "type": "string",
- "description": "Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.\n"
+ "description": "Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.\n"
 },
 "deleteDefaultMappers": {
 "type": "boolean",
- "description": "When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP\nuser federation provider.\n",
+ "description": "When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.\n",
 "willReplaceOnChanges": true
 },
 "editMode": {
 "type": "string",
- "description": "READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.\n"
+ "description": "Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.\n"
 },
 "enabled": {
 "type": "boolean",
- "description": "When false, this provider will not be used when performing queries for users.\n"
+ "description": "When `false`, this provider will not be used when performing queries for users. Defaults to `true`.\n"
 },
 "fullSyncPeriod": {
 "type": "integer",
@@ -7408,11 +7677,11 @@
 },
 "importEnabled": {
 "type": "boolean",
- "description": "When true, LDAP users will be imported into the Keycloak database.\n"
+ "description": "When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.\n"
 },
 "kerberos": {
 "$ref": "#/types/keycloak:ldap/UserFederationKerberos:UserFederationKerberos",
- "description": "Settings regarding kerberos authentication for this realm.\n"
+ "description": "A block containing the kerberos settings.\n"
 },
 "name": {
 "type": "string",
@@ -7420,11 +7689,11 @@
 },
 "pagination": {
 "type": "boolean",
- "description": "When true, Keycloak assumes the LDAP server supports pagination.\n"
+ "description": "When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.\n"
 },
 "priority": {
 "type": "integer",
- "description": "Priority of this provider when looking up users. Lower values are first.\n"
+ "description": "Priority of this provider when looking up users. Lower values are first. Defaults to `0`.\n"
 },
 "rdnLdapAttribute": {
 "type": "string",
@@ -7432,24 +7701,24 @@
 },
 "readTimeout": {
 "type": "string",
- "description": "LDAP read timeout (duration string)\n"
+ "description": "LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).\n"
 },
 "realmId": {
 "type": "string",
- "description": "The realm this provider will provide user federation for.\n",
+ "description": "The realm that this provider will provide user federation for.\n",
 "willReplaceOnChanges": true
 },
 "searchScope": {
 "type": "string",
- "description": "ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.\n"
+ "description": "Can be one of `ONE_LEVEL` or `SUBTREE`:\n- `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.\n- `SUBTREE`: Search entire LDAP subtree.\n"
 },
 "startTls": {
 "type": "boolean",
- "description": "When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.\n"
+ "description": "When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.\n"
 },
 "syncRegistrations": {
 "type": "boolean",
- "description": "When true, newly created users will be synced back to LDAP.\n"
+ "description": "When `true`, newly created users will be synced back to LDAP. Defaults to `false`.\n"
 },
 "trustEmail": {
 "type": "boolean",
@@ -7460,14 +7729,15 @@ "description": "When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).\n" }, "useTruststoreSpi": { - "type": "string" + "type": "string", + "description": "Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:\n- `ALWAYS` - Always use the truststore SPI for LDAP connections.\n- `NEVER` - Never use the truststore SPI for LDAP connections.\n- `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.\n" }, "userObjectClasses": { "type": "array", "items": { "type": "string" }, - "description": "All values of LDAP objectClass attribute for users in LDAP.\n" + "description": "Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.\n" }, "usernameLdapAttribute": { "type": "string", @@ -7483,11 +7753,11 @@ }, "validatePasswordPolicy": { "type": "boolean", - "description": "When true, Keycloak will validate passwords using the realm policy before updating it.\n" + "description": "When `true`, Keycloak will validate passwords using the realm policy before updating it.\n" }, "vendor": { "type": "string", - "description": "LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.\n" + "description": "Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.\n" } }, "requiredInputs": [ 
@@ -7504,28 +7774,28 @@ "properties": { "batchSizeForSync": { "type": "integer", - "description": "The number of users to sync within a single transaction.\n" + "description": "The number of users to sync within a single transaction. Defaults to `1000`.\n" }, "bindCredential": { "type": "string", - "description": "Password of LDAP admin.\n", + "description": "Password of LDAP admin. This attribute must be set if `bind_dn` is set.\n", "secret": true }, "bindDn": { "type": "string", - "description": "DN of LDAP admin, which will be used by Keycloak to access LDAP server.\n" + "description": "DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.\n" }, "cache": { "$ref": "#/types/keycloak:ldap/UserFederationCache:UserFederationCache", - "description": "Settings regarding cache policy for this realm.\n" + "description": "A block containing the cache settings.\n" }, "changedSyncPeriod": { "type": "integer", - "description": "How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users\nsync.\n" + "description": "How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.\n" }, "connectionTimeout": { "type": "string", - "description": "LDAP connection timeout (duration string)\n" + "description": "LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).\n" }, "connectionUrl": { "type": "string", 
@@ -7533,20 +7803,20 @@ }, "customUserSearchFilter": { "type": "string", - "description": "Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.\n" + "description": "Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.\n" }, "deleteDefaultMappers": { "type": "boolean", - "description": "When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP\nuser federation provider.\n", + "description": "When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.\n", "willReplaceOnChanges": true }, "editMode": { "type": "string", - "description": "READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.\n" + "description": "Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.\n" }, "enabled": { "type": "boolean", - "description": "When false, this provider will not be used when performing queries for users.\n" + "description": "When `false`, this provider will not be used when performing queries for users. Defaults to `true`.\n" }, "fullSyncPeriod": { "type": "integer", @@ -7554,11 +7824,11 @@ }, "importEnabled": { "type": "boolean", - "description": "When true, LDAP users will be imported into the Keycloak database.\n" + "description": "When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.\n" }, "kerberos": { "$ref": "#/types/keycloak:ldap/UserFederationKerberos:UserFederationKerberos", - "description": "Settings regarding kerberos authentication for this realm.\n" + "description": "A block containing the kerberos settings.\n" }, "name": { "type": "string", 
@@ -7566,11 +7836,11 @@ }, "pagination": { "type": "boolean", - "description": "When true, Keycloak assumes the LDAP server supports pagination.\n" + "description": "When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.\n" }, "priority": { "type": "integer", - "description": "Priority of this provider when looking up users. Lower values are first.\n" + "description": "Priority of this provider when looking up users. Lower values are first. Defaults to `0`.\n" }, "rdnLdapAttribute": { "type": "string", @@ -7578,24 +7848,24 @@ }, "readTimeout": { "type": "string", - "description": "LDAP read timeout (duration string)\n" + "description": "LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).\n" }, "realmId": { "type": "string", - "description": "The realm this provider will provide user federation for.\n", + "description": "The realm that this provider will provide user federation for.\n", "willReplaceOnChanges": true }, "searchScope": { "type": "string", - "description": "ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.\n" + "description": "Can be one of `ONE_LEVEL` or `SUBTREE`:\n- `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.\n- `SUBTREE`: Search entire LDAP subtree.\n" }, "startTls": { "type": "boolean", - "description": "When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.\n" + "description": "When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.\n" }, "syncRegistrations": { "type": "boolean", - "description": "When true, newly created users will be synced back to LDAP.\n" + "description": "When `true`, newly created users will be synced back to LDAP. Defaults to `false`.\n" }, "trustEmail": { "type": "boolean", 
@@ -7606,14 +7876,15 @@ "description": "When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).\n" }, "useTruststoreSpi": { - "type": "string" + "type": "string", + "description": "Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:\n- `ALWAYS` - Always use the truststore SPI for LDAP connections.\n- `NEVER` - Never use the truststore SPI for LDAP connections.\n- `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.\n" }, "userObjectClasses": { "type": "array", "items": { "type": "string" }, - "description": "All values of LDAP objectClass attribute for users in LDAP.\n" + "description": "Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.\n" }, "usernameLdapAttribute": { "type": "string", @@ -7629,11 +7900,11 @@ }, "validatePasswordPolicy": { "type": "boolean", - "description": "When true, Keycloak will validate passwords using the realm policy before updating it.\n" + "description": "When `true`, Keycloak will validate passwords using the realm policy before updating it.\n" }, "vendor": { "type": "string", - "description": "LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.\n" + "description": "Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.\n" } }, "type": "object" 
@@ -8392,39 +8663,39 @@ } }, "keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper": { - "description": "## # keycloak.openid.AudienceProtocolMapper\n\nAllows for creating and managing audience protocol mappers within\nKeycloak. This mapper was added in Keycloak v4.6.0.Final.\n\nAudience protocol mappers allow you add audiences to the `aud` claim\nwithin issued tokens. The audience can be a custom string, or it can be\nmapped to the ID of a pre-existing client.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst audienceMapper = new keycloak.openid.AudienceProtocolMapper(\"audience_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"audience-mapper\",\n includedCustomAudience: \"foo\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\naudience_mapper = keycloak.openid.AudienceProtocolMapper(\"audience_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"audience-mapper\",\n included_custom_audience=\"foo\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = 
new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper(\"audience_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"audience-mapper\",\n IncludedCustomAudience = \"foo\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewAudienceProtocolMapper(ctx, \"audience_mapper\", \u0026openid.AudienceProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"audience-mapper\"),\n\t\t\tIncludedCustomAudience: pulumi.String(\"foo\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage 
generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapper;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var audienceMapper = new AudienceProtocolMapper(\"audienceMapper\", AudienceProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"audience-mapper\")\n .includedCustomAudience(\"foo\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n audienceMapper:\n type: keycloak:openid:AudienceProtocolMapper\n name: audience_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: audience-mapper\n includedCustomAudience: foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Client Scope)\n\n\u003c!--Start 
PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst audienceMapper = new keycloak.openid.AudienceProtocolMapper(\"audience_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"audience-mapper\",\n includedCustomAudience: \"foo\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\naudience_mapper = keycloak.openid.AudienceProtocolMapper(\"audience_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"audience-mapper\",\n included_custom_audience=\"foo\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper(\"audience_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"audience-mapper\",\n IncludedCustomAudience = \"foo\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := 
keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewAudienceProtocolMapper(ctx, \"audience_mapper\", \u0026openid.AudienceProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"audience-mapper\"),\n\t\t\tIncludedCustomAudience: pulumi.String(\"foo\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapper;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var audienceMapper = new AudienceProtocolMapper(\"audienceMapper\", AudienceProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"audience-mapper\")\n 
.includedCustomAudience(\"foo\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n audienceMapper:\n type: keycloak:openid:AudienceProtocolMapper\n name: audience_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: audience-mapper\n includedCustomAudience: foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `included_client_audience` - (Required if `included_custom_audience` is not specified) A client ID to include within the token's `aud` claim.\n- `included_custom_audience` - (Required if `included_client_audience` is not specified) A custom audience to include within the token's `aud` claim.\n- `add_to_id_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.\n- `add_to_access_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. 
Defaults to `true`.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing audience protocol mappers within Keycloak.\n\nAudience protocol mappers allow you add audiences to the `aud` claim within issued tokens. The audience can be a custom\nstring, or it can be mapped to the ID of a pre-existing client.\n\n## Example Usage\n\n### Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst audienceMapper = new keycloak.openid.AudienceProtocolMapper(\"audience_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"audience-mapper\",\n includedCustomAudience: \"foo\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n 
valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\naudience_mapper = keycloak.openid.AudienceProtocolMapper(\"audience_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"audience-mapper\",\n included_custom_audience=\"foo\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper(\"audience_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"audience-mapper\",\n IncludedCustomAudience = \"foo\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil 
{\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewAudienceProtocolMapper(ctx, \"audience_mapper\", \u0026openid.AudienceProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"audience-mapper\"),\n\t\t\tIncludedCustomAudience: pulumi.String(\"foo\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapper;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var audienceMapper = new AudienceProtocolMapper(\"audienceMapper\", AudienceProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"audience-mapper\")\n .includedCustomAudience(\"foo\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: 
CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n audienceMapper:\n type: keycloak:openid:AudienceProtocolMapper\n name: audience_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: audience-mapper\n includedCustomAudience: foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst audienceMapper = new keycloak.openid.AudienceProtocolMapper(\"audience_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"audience-mapper\",\n includedCustomAudience: \"foo\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\naudience_mapper = keycloak.openid.AudienceProtocolMapper(\"audience_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"audience-mapper\",\n included_custom_audience=\"foo\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper(\"audience_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = 
\"audience-mapper\",\n IncludedCustomAudience = \"foo\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewAudienceProtocolMapper(ctx, \"audience_mapper\", \u0026openid.AudienceProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"audience-mapper\"),\n\t\t\tIncludedCustomAudience: pulumi.String(\"foo\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapper;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var 
clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var audienceMapper = new AudienceProtocolMapper(\"audienceMapper\", AudienceProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"audience-mapper\")\n .includedCustomAudience(\"foo\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n audienceMapper:\n type: keycloak:openid:AudienceProtocolMapper\n name: audience_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: audience-mapper\n includedCustomAudience: foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if this claim should be added to the access token.\n" + "description": "Indicates if the audience should be included in the `aud` claim for the id token. 
Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if this claim should be added to the id token.\n" + "description": "Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n" + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n" + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "includedClientAudience": { "type": "string", - "description": "A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience\n" + "description": "A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.\n" }, "includedCustomAudience": { "type": "string", - "description": "A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience\n" + "description": "A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. 
One of `included_client_audience` or `included_custom_audience` must be specified.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n" + "description": "The realm this protocol mapper exists within.\n" } }, "required": [ 
@@ -8434,37 +8705,37 @@ "inputProperties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if this claim should be added to the access token.\n" + "description": "Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if this claim should be added to the id token.\n" + "description": "Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "includedClientAudience": { "type": "string", - "description": "A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience\n" + "description": "A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.\n" }, "includedCustomAudience": { "type": "string", - "description": "A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience\n" + "description": "A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. 
One of `included_client_audience` or `included_custom_audience` must be specified.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, 
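Review bot: The new `addToAccessToken` description in this hunk says the audience is included in the `aud` claim "for the id token", which is the `addToIdToken` text one entry down copied verbatim; it should read `for the access token`, otherwise both flags are documented as controlling the same token. The same copy-paste appears in the `properties` block of the next hunk (`@@ -8476,37 +8747,37 @@`) and in the hunk that begins before this chunk. This file appears to be a generated provider schema, so the wording should be corrected in the upstream resource documentation it is derived from rather than patched here, or it will be reintroduced on the next regeneration.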
@@ -8476,37 +8747,37 @@ "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if this claim should be added to the access token.\n" + "description": "Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if this claim should be added to the id token.\n" + "description": "Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "includedClientAudience": { "type": "string", - "description": "A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience\n" + "description": "A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.\n" }, "includedCustomAudience": { "type": "string", - "description": "A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience\n" + "description": "A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. 
One of `included_client_audience` or `included_custom_audience` must be specified.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, 
@@ -8672,77 +8943,100 @@ "deprecationMessage": "keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper" }, "keycloak:openid/client:Client": { - "description": "## # keycloak.openid.Client\n\nAllows for creating and managing Keycloak clients that use the OpenID Connect protocol.\n\nClients are entities that can use Keycloak for user authentication. Typically,\nclients are applications that redirect users to Keycloak for authentication\nin order to take advantage of Keycloak's user sessions for SSO.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n 
Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n .enabled(true)\n 
.accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this client is attached to.\n- `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.\n- `name` - (Optional) The display name of this client in the GUI.\n- `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.\n- `description` - (Optional) The description of this client in the GUI.\n- `access_type` - (Required) Specifies the type of client, which can be one of the following:\n - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.\n This client should be used for applications using the Authorization Code or Client Credentials grant flows.\n - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect\n URIs for security. This client should be used for applications using the Implicit grant flow.\n - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.\n- `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and\nshould be treated with the same care as a password. 
If omitted, Keycloak will generate a GUID for this attribute.\n- `standard_flow_enabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.\n- `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.\n- `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.\n- `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.\n- `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple\nwildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`\nis set to `true`.\n- `web_origins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins.\n- `admin_url` - (Optional) URL to the admin interface of the client.\n- `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client.\n- `pkce_code_challenge_method` - (Optional) The challenge method to use for Proof Key for Code Exchange. 
Can be either `plain` or `S256` or set to empty value ``.\n- `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token.\n\n### Attributes Reference\n\nIn addition to the arguments listed above, the following computed attributes are exported:\n\n- `service_account_user_id` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.\n\n\n### Import\n\nClients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak\nassigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_client.openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352\n```\n", + "description": "Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.\n\nClients are entities that can use Keycloak for user authentication. 
Typically,\nclients are applications that redirect users to Keycloak for authentication\nin order to take advantage of Keycloak's user sessions for SSO.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n loginTheme: \"keycloak\",\n extraConfig: {\n key1: \"value1\",\n key2: \"value2\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"],\n login_theme=\"keycloak\",\n extra_config={\n \"key1\": \"value1\",\n \"key2\": \"value2\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n LoginTheme = \"keycloak\",\n ExtraConfig = \n {\n { \"key1\", \"value1\" },\n { \"key2\", \"value2\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t\tLoginTheme: pulumi.String(\"keycloak\"),\n\t\t\tExtraConfig: pulumi.StringMap{\n\t\t\t\t\"key1\": pulumi.String(\"value1\"),\n\t\t\t\t\"key2\": pulumi.String(\"value2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n 
.enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .loginTheme(\"keycloak\")\n .extraConfig(Map.ofEntries(\n Map.entry(\"key1\", \"value1\"),\n Map.entry(\"key2\", \"value2\")\n ))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n loginTheme: keycloak\n extraConfig:\n key1: value1\n key2: value2\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nClients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak\n\nassigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352\n```\n\n", "properties": { "accessTokenLifespan": { - "type": "string" + "type": "string", + "description": "The amount of time in seconds before an access token expires. This will override the default for the realm.\n" }, "accessType": { - "type": "string" + "type": "string", + "description": "Specifies the type of client, which can be one of the following:\n- `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.\nThis client should be used for applications using the Authorization Code or Client Credentials grant flows.\n- `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect\nURIs for security. 
This client should be used for applications using the Implicit grant flow.\n- `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.\n" }, "adminUrl": { - "type": "string" + "type": "string", + "description": "URL to the admin interface of the client.\n" }, "authenticationFlowBindingOverrides": { - "$ref": "#/types/keycloak:openid/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides" + "$ref": "#/types/keycloak:openid/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides", + "description": "Override realm authentication flow bindings\n" }, "authorization": { - "$ref": "#/types/keycloak:openid/ClientAuthorization:ClientAuthorization" + "$ref": "#/types/keycloak:openid/ClientAuthorization:ClientAuthorization", + "description": "When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments:\n" }, "backchannelLogoutRevokeOfflineSessions": { - "type": "boolean" + "type": "boolean", + "description": "Specifying whether a \"revoke_offline_access\" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.\n" }, "backchannelLogoutSessionRequired": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.\n" }, "backchannelLogoutUrl": { - "type": "string" + "type": "string", + "description": "The URL that will cause the client to log itself out when a logout request is sent to this realm. 
If omitted, no logout request will be sent to the client is this case.\n" }, "baseUrl": { - "type": "string" + "type": "string", + "description": "Default URL to use when the auth server needs to redirect or link back to the client.\n" }, "clientAuthenticatorType": { - "type": "string" + "type": "string", + "description": "Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:\n- `client-secret` (Default) Use client id and client secret to authenticate client.\n- `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = \u003calg\u003e`\n- `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = \u003csubjectDn\u003e`\n- `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = \u003calg\u003e`\n" }, "clientId": { - "type": "string" + "type": "string", + "description": "The Client ID for this client, referenced in the URI during authentication and in issued tokens.\n" }, "clientOfflineSessionIdleTimeout": { - "type": "string" + "type": "string", + "description": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.\n" }, "clientOfflineSessionMaxLifespan": { - "type": "string" + "type": "string", + "description": "Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.\n" }, "clientSecret": { "type": "string", + "description": "The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. 
This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.\n", "secret": true }, "clientSessionIdleTimeout": { - "type": "string" + "type": "string", + "description": "Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.\n" }, "clientSessionMaxLifespan": { - "type": "string" + "type": "string", + "description": "Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.\n" }, "consentRequired": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, users have to consent to client access. Defaults to `false`.\n" }, "consentScreenText": { - "type": "string" + "type": "string", + "description": "The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of this client in the GUI.\n" }, "directAccessGrantsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.\n" }, "displayOnConsentScreen": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`.\n" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When `false`, this client will not be able to initiate a login or obtain access tokens. 
Defaults to `true`.\n" }, "excludeSessionStateFromAuthResponse": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response.\n" }, "extraConfig": { "type": "object", 
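Review bot: The new `backchannelLogoutUrl` description has a typo, `sent to the client is this case` should be `sent to the client in this case`; the same string recurs in the `inputProperties` hunk at the end of this chunk. The new `authorization` description ends with `This block has the following arguments:` but no argument list follows, because the field is a `$ref` to the `ClientAuthorization` type, so the sentence dangles and should either be dropped or rephrased to point readers at that type. `clientSecret` keeps `"secret": true` next to its new description, which is the right place for it given the description itself calls the value sensitive. Both wording issues appear to originate in the upstream provider docs this schema is generated from, so they are best fixed there.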
@@ -8751,79 +9045,101 @@ } }, "frontchannelLogoutEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`.\n" }, "frontchannelLogoutUrl": { - "type": "string" + "type": "string", + "description": "The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`.\n" }, "fullScopeAllowed": { - "type": "boolean" + "type": "boolean", + "description": "Allow to include all roles mappings in the access token.\n" }, "implicitFlowEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.\n" }, "import": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.\n" }, "loginTheme": { - "type": "string" + "type": "string", + "description": "The client login theme. 
This will override the default theme for the realm.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this client in the GUI.\n" }, "oauth2DeviceAuthorizationGrantEnabled": { - "type": "boolean" + "type": "boolean", + "description": "Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.\n" }, "oauth2DeviceCodeLifespan": { - "type": "string" + "type": "string", + "description": "The maximum amount of time a client has to finish the device code flow before it expires.\n" }, "oauth2DevicePollingInterval": { - "type": "string" + "type": "string", + "description": "The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.\n" }, "pkceCodeChallengeMethod": { - "type": "string" + "type": "string", + "description": "The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this client is attached to.\n" }, "resourceServerId": { - "type": "string" + "type": "string", + "description": "(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute).\n" }, "rootUrl": { - "type": "string" + "type": "string", + "description": "When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. 
NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.\n" }, "serviceAccountUserId": { - "type": "string" + "type": "string", + "description": "(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.\n" }, "serviceAccountsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.\n" }, "standardFlowEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.\n" }, "useRefreshTokens": { - "type": "boolean" + "type": "boolean", + "description": "If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`.\n" }, "useRefreshTokensClientCredentials": { - "type": "boolean" + "type": "boolean", + "description": "If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.\n" }, "validPostLogoutRedirectUris": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of valid URIs a browser is permitted to redirect to after a successful logout.\n" }, "validRedirectUris": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple\nwildcards in the form of an asterisk can be used here. 
This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`\nis set to `true`.\n" }, "webOrigins": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`.\"\n" } }, "required": [ 
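Review bot: The new `webOrigins` description ends with a stray escaped quote, `explicitly add `*`.\"\n`, which will surface as a literal `"` in every generated SDK docstring; drop the `\"` so it ends `explicitly add `*`.\n`. The `validRedirectUris` description (which starts on the previous line) says asterisk wildcards are accepted but does not caveat that for a `PUBLIC` client, which per the `accessType` text relies only on authorized redirect URIs for security, a broad wildcard widens the set of URIs a code or token can be delivered to; a one-line caveat such as `Prefer exact URIs; a broad wildcard weakens redirect-URI validation.` would help readers. These strings appear to come from the upstream provider docs, so the fix belongs there rather than in this generated file.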
@@ -8858,74 +9174,97 @@ ], "inputProperties": { "accessTokenLifespan": { - "type": "string" + "type": "string", + "description": "The amount of time in seconds before an access token expires. This will override the default for the realm.\n" }, "accessType": { - "type": "string" + "type": "string", + "description": "Specifies the type of client, which can be one of the following:\n- `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.\nThis client should be used for applications using the Authorization Code or Client Credentials grant flows.\n- `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect\nURIs for security. This client should be used for applications using the Implicit grant flow.\n- `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.\n" }, "adminUrl": { - "type": "string" + "type": "string", + "description": "URL to the admin interface of the client.\n" }, "authenticationFlowBindingOverrides": { - "$ref": "#/types/keycloak:openid/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides" + "$ref": "#/types/keycloak:openid/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides", + "description": "Override realm authentication flow bindings\n" }, "authorization": { - "$ref": "#/types/keycloak:openid/ClientAuthorization:ClientAuthorization" + "$ref": "#/types/keycloak:openid/ClientAuthorization:ClientAuthorization", + "description": "When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. 
This block has the following arguments:\n" }, "backchannelLogoutRevokeOfflineSessions": { - "type": "boolean" + "type": "boolean", + "description": "Specifying whether a \"revoke_offline_access\" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.\n" }, "backchannelLogoutSessionRequired": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.\n" }, "backchannelLogoutUrl": { - "type": "string" + "type": "string", + "description": "The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.\n" }, "baseUrl": { - "type": "string" + "type": "string", + "description": "Default URL to use when the auth server needs to redirect or link back to the client.\n" }, "clientAuthenticatorType": { - "type": "string" + "type": "string", + "description": "Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:\n- `client-secret` (Default) Use client id and client secret to authenticate client.\n- `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = \u003calg\u003e`\n- `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = \u003csubjectDn\u003e`\n- `client-secret-jwt` Use signed JWT with client secret to authenticate client. 
Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = \u003calg\u003e`\n" }, "clientId": { - "type": "string" + "type": "string", + "description": "The Client ID for this client, referenced in the URI during authentication and in issued tokens.\n" }, "clientOfflineSessionIdleTimeout": { - "type": "string" + "type": "string", + "description": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.\n" }, "clientOfflineSessionMaxLifespan": { - "type": "string" + "type": "string", + "description": "Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.\n" }, "clientSecret": { "type": "string", + "description": "The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.\n", "secret": true }, "clientSessionIdleTimeout": { - "type": "string" + "type": "string", + "description": "Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.\n" }, "clientSessionMaxLifespan": { - "type": "string" + "type": "string", + "description": "Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.\n" }, "consentRequired": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, users have to consent to client access. Defaults to `false`.\n" }, "consentScreenText": { - "type": "string" + "type": "string", + "description": "The text to display on the consent screen about permissions specific to this client. 
This is applicable only when `display_on_consent_screen` is `true`.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of this client in the GUI.\n" }, "directAccessGrantsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.\n" }, "displayOnConsentScreen": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`.\n" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.\n" }, "excludeSessionStateFromAuthResponse": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response.\n" }, "extraConfig": { "type": "object", 
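Review bot: The descriptions added for `clientOfflineSessionIdleTimeout` / `clientOfflineSessionMaxLifespan` and `clientSessionIdleTimeout` / `clientSessionMaxLifespan` appear to be swapped relative to the property names: the offline-session properties are described as plain client session timeouts that fall back to the SSO Session Idle/Max values, while the non-offline properties are described as offline-session timeouts that fall back to the Offline Session values. The same four texts recur in the later state-inputs hunk for this resource, and an operator tuning token lifetimes from these descriptions would set the wrong property. Since this schema is generated from the upstream provider docs, the fix belongs upstream or in a patch under `patches/` rather than a hand edit here; I would expect `clientSessionIdleTimeout` to read `Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.` and the offline property to carry the offline-session text. The enclosing `inputProperties` object continues past the end of this hunk.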
@@ -8934,75 +9273,95 @@ } }, "frontchannelLogoutEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`.\n" }, "frontchannelLogoutUrl": { - "type": "string" + "type": "string", + "description": "The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`.\n" }, "fullScopeAllowed": { - "type": "boolean" + "type": "boolean", + "description": "Allow to include all roles mappings in the access token.\n" }, "implicitFlowEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.\n" }, "import": { "type": "boolean", + "description": "When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.\n", "willReplaceOnChanges": true }, "loginTheme": { - "type": "string" + "type": "string", + "description": "The client login theme. 
This will override the default theme for the realm.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this client in the GUI.\n" }, "oauth2DeviceAuthorizationGrantEnabled": { - "type": "boolean" + "type": "boolean", + "description": "Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.\n" }, "oauth2DeviceCodeLifespan": { - "type": "string" + "type": "string", + "description": "The maximum amount of time a client has to finish the device code flow before it expires.\n" }, "oauth2DevicePollingInterval": { - "type": "string" + "type": "string", + "description": "The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.\n" }, "pkceCodeChallengeMethod": { - "type": "string" + "type": "string", + "description": "The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.\n" }, "realmId": { "type": "string", + "description": "The realm this client is attached to.\n", "willReplaceOnChanges": true }, "rootUrl": { - "type": "string" + "type": "string", + "description": "When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.\n" }, "serviceAccountsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.\n" }, "standardFlowEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. 
Defaults to `false`.\n" }, "useRefreshTokens": { - "type": "boolean" + "type": "boolean", + "description": "If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`.\n" }, "useRefreshTokensClientCredentials": { - "type": "boolean" + "type": "boolean", + "description": "If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.\n" }, "validPostLogoutRedirectUris": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of valid URIs a browser is permitted to redirect to after a successful logout.\n" }, "validRedirectUris": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple\nwildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`\nis set to `true`.\n" }, "webOrigins": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`.\"\n" } }, "requiredInputs": [ 
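Review bot: The `webOrigins` description ends with a stray escaped quote, `explicitly add `*`.\"\n`, so the rendered docs show a dangling `"` after the sentence; the same text appears in the later state-inputs hunk for this resource. As the schema is generated from the upstream provider docs, this is best corrected upstream or via a patch under `patches/`; the intended ending is `To permit all origins, explicitly add `*`.\n`. The enclosing `inputProperties` object starts outside this hunk.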
@@ -9014,74 +9373,97 @@ "description": "Input properties used for looking up and filtering Client resources.\n", "properties": { "accessTokenLifespan": { - "type": "string" + "type": "string", + "description": "The amount of time in seconds before an access token expires. This will override the default for the realm.\n" }, "accessType": { - "type": "string" + "type": "string", + "description": "Specifies the type of client, which can be one of the following:\n- `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.\nThis client should be used for applications using the Authorization Code or Client Credentials grant flows.\n- `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect\nURIs for security. This client should be used for applications using the Implicit grant flow.\n- `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.\n" }, "adminUrl": { - "type": "string" + "type": "string", + "description": "URL to the admin interface of the client.\n" }, "authenticationFlowBindingOverrides": { - "$ref": "#/types/keycloak:openid/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides" + "$ref": "#/types/keycloak:openid/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides", + "description": "Override realm authentication flow bindings\n" }, "authorization": { - "$ref": "#/types/keycloak:openid/ClientAuthorization:ClientAuthorization" + "$ref": "#/types/keycloak:openid/ClientAuthorization:ClientAuthorization", + "description": "When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. 
This block has the following arguments:\n" }, "backchannelLogoutRevokeOfflineSessions": { - "type": "boolean" + "type": "boolean", + "description": "Specifying whether a \"revoke_offline_access\" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.\n" }, "backchannelLogoutSessionRequired": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.\n" }, "backchannelLogoutUrl": { - "type": "string" + "type": "string", + "description": "The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.\n" }, "baseUrl": { - "type": "string" + "type": "string", + "description": "Default URL to use when the auth server needs to redirect or link back to the client.\n" }, "clientAuthenticatorType": { - "type": "string" + "type": "string", + "description": "Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:\n- `client-secret` (Default) Use client id and client secret to authenticate client.\n- `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = \u003calg\u003e`\n- `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = \u003csubjectDn\u003e`\n- `client-secret-jwt` Use signed JWT with client secret to authenticate client. 
Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = \u003calg\u003e`\n" }, "clientId": { - "type": "string" + "type": "string", + "description": "The Client ID for this client, referenced in the URI during authentication and in issued tokens.\n" }, "clientOfflineSessionIdleTimeout": { - "type": "string" + "type": "string", + "description": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.\n" }, "clientOfflineSessionMaxLifespan": { - "type": "string" + "type": "string", + "description": "Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.\n" }, "clientSecret": { "type": "string", + "description": "The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.\n", "secret": true }, "clientSessionIdleTimeout": { - "type": "string" + "type": "string", + "description": "Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.\n" }, "clientSessionMaxLifespan": { - "type": "string" + "type": "string", + "description": "Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.\n" }, "consentRequired": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, users have to consent to client access. Defaults to `false`.\n" }, "consentScreenText": { - "type": "string" + "type": "string", + "description": "The text to display on the consent screen about permissions specific to this client. 
This is applicable only when `display_on_consent_screen` is `true`.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of this client in the GUI.\n" }, "directAccessGrantsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.\n" }, "displayOnConsentScreen": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`.\n" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.\n" }, "excludeSessionStateFromAuthResponse": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response.\n" }, "extraConfig": { "type": "object", 
@@ -9090,81 +9472,103 @@ } }, "frontchannelLogoutEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`.\n" }, "frontchannelLogoutUrl": { - "type": "string" + "type": "string", + "description": "The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`.\n" }, "fullScopeAllowed": { - "type": "boolean" + "type": "boolean", + "description": "Allow to include all roles mappings in the access token.\n" }, "implicitFlowEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.\n" }, "import": { "type": "boolean", + "description": "When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.\n", "willReplaceOnChanges": true }, "loginTheme": { - "type": "string" + "type": "string", + "description": "The client login theme. 
This will override the default theme for the realm.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this client in the GUI.\n" }, "oauth2DeviceAuthorizationGrantEnabled": { - "type": "boolean" + "type": "boolean", + "description": "Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.\n" }, "oauth2DeviceCodeLifespan": { - "type": "string" + "type": "string", + "description": "The maximum amount of time a client has to finish the device code flow before it expires.\n" }, "oauth2DevicePollingInterval": { - "type": "string" + "type": "string", + "description": "The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.\n" }, "pkceCodeChallengeMethod": { - "type": "string" + "type": "string", + "description": "The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.\n" }, "realmId": { "type": "string", + "description": "The realm this client is attached to.\n", "willReplaceOnChanges": true }, "resourceServerId": { - "type": "string" + "type": "string", + "description": "(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute).\n" }, "rootUrl": { - "type": "string" + "type": "string", + "description": "When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. 
NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.\n" }, "serviceAccountUserId": { - "type": "string" + "type": "string", + "description": "(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.\n" }, "serviceAccountsEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.\n" }, "standardFlowEnabled": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.\n" }, "useRefreshTokens": { - "type": "boolean" + "type": "boolean", + "description": "If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`.\n" }, "useRefreshTokensClientCredentials": { - "type": "boolean" + "type": "boolean", + "description": "If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.\n" }, "validPostLogoutRedirectUris": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of valid URIs a browser is permitted to redirect to after a successful logout.\n" }, "validRedirectUris": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple\nwildcards in the form of an asterisk can be used here. 
This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`\nis set to `true`.\n" }, "webOrigins": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`.\"\n" } }, "type": "object" 
@@ -9623,19 +10027,22 @@ } }, "keycloak:openid/clientDefaultScopes:ClientDefaultScopes": { - "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst client = new keycloak.openid.Client(\"client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n accessType: \"CONFIDENTIAL\",\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst clientDefaultScopes = new keycloak.openid.ClientDefaultScopes(\"client_default_scopes\", {\n realmId: realm.id,\n clientId: client.id,\n defaultScopes: [\n \"profile\",\n \"email\",\n \"roles\",\n \"web-origins\",\n clientScope.name,\n ],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient = keycloak.openid.Client(\"client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n access_type=\"CONFIDENTIAL\")\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nclient_default_scopes = keycloak.openid.ClientDefaultScopes(\"client_default_scopes\",\n realm_id=realm.id,\n client_id=client.id,\n default_scopes=[\n \"profile\",\n \"email\",\n \"roles\",\n \"web-origins\",\n client_scope.name,\n ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var client = new Keycloak.OpenId.Client(\"client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n AccessType = \"CONFIDENTIAL\",\n });\n\n var clientScope = new 
Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var clientDefaultScopes = new Keycloak.OpenId.ClientDefaultScopes(\"client_default_scopes\", new()\n {\n RealmId = realm.Id,\n ClientId = client.Id,\n DefaultScopes = new[]\n {\n \"profile\",\n \"email\",\n \"roles\",\n \"web-origins\",\n clientScope.Name,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclient, err := openid.NewClient(ctx, \"client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClientDefaultScopes(ctx, \"client_default_scopes\", \u0026openid.ClientDefaultScopesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: client.ID(),\n\t\t\tDefaultScopes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"profile\"),\n\t\t\t\tpulumi.String(\"email\"),\n\t\t\t\tpulumi.String(\"roles\"),\n\t\t\t\tpulumi.String(\"web-origins\"),\n\t\t\t\tclientScope.Name,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport 
com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.ClientDefaultScopes;\nimport com.pulumi.keycloak.openid.ClientDefaultScopesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var client = new Client(\"client\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .accessType(\"CONFIDENTIAL\")\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var clientDefaultScopes = new ClientDefaultScopes(\"clientDefaultScopes\", ClientDefaultScopesArgs.builder()\n .realmId(realm.id())\n .clientId(client.id())\n .defaultScopes( \n \"profile\",\n \"email\",\n \"roles\",\n \"web-origins\",\n clientScope.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n client:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n accessType: CONFIDENTIAL\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n clientDefaultScopes:\n type: keycloak:openid:ClientDefaultScopes\n name: client_default_scopes\n properties:\n realmId: ${realm.id}\n clientId: ${client.id}\n defaultScopes:\n - profile\n - email\n - roles\n - web-origins\n - 
${clientScope.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this client and scopes exists in.\n- `client_id` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.\n- `default_scopes` - (Required) An array of client scope names to attach to this client.\n\n### Import\n\nThis resource does not support import. Instead of importing, feel free to create this resource\nas if it did not already exist on the server.\n", + "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst client = new keycloak.openid.Client(\"client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n accessType: \"CONFIDENTIAL\",\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst clientDefaultScopes = new keycloak.openid.ClientDefaultScopes(\"client_default_scopes\", {\n realmId: realm.id,\n clientId: client.id,\n defaultScopes: [\n \"profile\",\n \"email\",\n \"roles\",\n \"web-origins\",\n clientScope.name,\n ],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient = keycloak.openid.Client(\"client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n access_type=\"CONFIDENTIAL\")\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nclient_default_scopes = keycloak.openid.ClientDefaultScopes(\"client_default_scopes\",\n realm_id=realm.id,\n client_id=client.id,\n default_scopes=[\n \"profile\",\n \"email\",\n \"roles\",\n 
\"web-origins\",\n client_scope.name,\n ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var client = new Keycloak.OpenId.Client(\"client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n AccessType = \"CONFIDENTIAL\",\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var clientDefaultScopes = new Keycloak.OpenId.ClientDefaultScopes(\"client_default_scopes\", new()\n {\n RealmId = realm.Id,\n ClientId = client.Id,\n DefaultScopes = new[]\n {\n \"profile\",\n \"email\",\n \"roles\",\n \"web-origins\",\n clientScope.Name,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclient, err := openid.NewClient(ctx, \"client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClientDefaultScopes(ctx, \"client_default_scopes\", 
\u0026openid.ClientDefaultScopesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: client.ID(),\n\t\t\tDefaultScopes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"profile\"),\n\t\t\t\tpulumi.String(\"email\"),\n\t\t\t\tpulumi.String(\"roles\"),\n\t\t\t\tpulumi.String(\"web-origins\"),\n\t\t\t\tclientScope.Name,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.ClientDefaultScopes;\nimport com.pulumi.keycloak.openid.ClientDefaultScopesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var client = new Client(\"client\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .accessType(\"CONFIDENTIAL\")\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var clientDefaultScopes = new ClientDefaultScopes(\"clientDefaultScopes\", ClientDefaultScopesArgs.builder()\n .realmId(realm.id())\n .clientId(client.id())\n .defaultScopes( \n \"profile\",\n \"email\",\n \"roles\",\n \"web-origins\",\n clientScope.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n 
enabled: true\n client:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n accessType: CONFIDENTIAL\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n clientDefaultScopes:\n type: keycloak:openid:ClientDefaultScopes\n name: client_default_scopes\n properties:\n realmId: ${realm.id}\n clientId: ${client.id}\n defaultScopes:\n - profile\n - email\n - roles\n - web-origins\n - ${clientScope.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThis resource does not support import. Instead of importing, feel free to create this resource\n\nas if it did not already exist on the server.\n\n", "properties": { "clientId": { - "type": "string" + "type": "string", + "description": "The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.\n" }, "defaultScopes": { "type": "array", "items": { "type": "string" - } + }, + "description": "An array of client scope names to attach to this client.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this client and scopes exists in.\n" } }, "required": [ @@ -9646,16 +10053,19 @@ "inputProperties": { "clientId": { "type": "string", + "description": "The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.\n", "willReplaceOnChanges": true }, "defaultScopes": { "type": "array", "items": { "type": "string" - } + }, + "description": "An array of client scope names to attach to this client.\n" }, "realmId": { "type": "string", + "description": "The realm this client and scopes exists in.\n", "willReplaceOnChanges": true } }, 
@@ -9669,16 +10079,19 @@ "properties": { "clientId": { "type": "string", + "description": "The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.\n", "willReplaceOnChanges": true }, "defaultScopes": { "type": "array", "items": { "type": "string" - } + }, + "description": "An array of client scope names to attach to this client.\n" }, "realmId": { "type": "string", + "description": "The realm this client and scopes exists in.\n", "willReplaceOnChanges": true } }, 
@@ -9889,19 +10302,22 @@ } }, "keycloak:openid/clientOptionalScopes:ClientOptionalScopes": { - "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst client = new keycloak.openid.Client(\"client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n accessType: \"CONFIDENTIAL\",\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst clientOptionalScopes = new keycloak.openid.ClientOptionalScopes(\"client_optional_scopes\", {\n realmId: realm.id,\n clientId: client.id,\n optionalScopes: [\n \"address\",\n \"phone\",\n \"offline_access\",\n clientScope.name,\n ],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient = keycloak.openid.Client(\"client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n access_type=\"CONFIDENTIAL\")\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nclient_optional_scopes = keycloak.openid.ClientOptionalScopes(\"client_optional_scopes\",\n realm_id=realm.id,\n client_id=client.id,\n optional_scopes=[\n \"address\",\n \"phone\",\n \"offline_access\",\n client_scope.name,\n ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var client = new Keycloak.OpenId.Client(\"client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n AccessType = \"CONFIDENTIAL\",\n });\n\n var clientScope = new 
Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var clientOptionalScopes = new Keycloak.OpenId.ClientOptionalScopes(\"client_optional_scopes\", new()\n {\n RealmId = realm.Id,\n ClientId = client.Id,\n OptionalScopes = new[]\n {\n \"address\",\n \"phone\",\n \"offline_access\",\n clientScope.Name,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclient, err := openid.NewClient(ctx, \"client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClientOptionalScopes(ctx, \"client_optional_scopes\", \u0026openid.ClientOptionalScopesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: client.ID(),\n\t\t\tOptionalScopes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"address\"),\n\t\t\t\tpulumi.String(\"phone\"),\n\t\t\t\tpulumi.String(\"offline_access\"),\n\t\t\t\tclientScope.Name,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport 
com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.ClientOptionalScopes;\nimport com.pulumi.keycloak.openid.ClientOptionalScopesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var client = new Client(\"client\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .accessType(\"CONFIDENTIAL\")\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var clientOptionalScopes = new ClientOptionalScopes(\"clientOptionalScopes\", ClientOptionalScopesArgs.builder()\n .realmId(realm.id())\n .clientId(client.id())\n .optionalScopes( \n \"address\",\n \"phone\",\n \"offline_access\",\n clientScope.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n client:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n accessType: CONFIDENTIAL\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n clientOptionalScopes:\n type: keycloak:openid:ClientOptionalScopes\n name: client_optional_scopes\n properties:\n realmId: ${realm.id}\n clientId: ${client.id}\n optionalScopes:\n - address\n - phone\n - offline_access\n - ${clientScope.name}\n```\n\u003c!--End 
PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this client and scopes exists in.\n- `client_id` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.\n- `optional_scopes` - (Required) An array of client scope names to attach to this client as optional scopes.\n\n### Import\n\nThis resource does not support import. Instead of importing, feel free to create this resource\nas if it did not already exist on the server.\n", + "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst client = new keycloak.openid.Client(\"client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n accessType: \"CONFIDENTIAL\",\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst clientOptionalScopes = new keycloak.openid.ClientOptionalScopes(\"client_optional_scopes\", {\n realmId: realm.id,\n clientId: client.id,\n optionalScopes: [\n \"address\",\n \"phone\",\n \"offline_access\",\n \"microprofile-jwt\",\n clientScope.name,\n ],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient = keycloak.openid.Client(\"client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n access_type=\"CONFIDENTIAL\")\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nclient_optional_scopes = keycloak.openid.ClientOptionalScopes(\"client_optional_scopes\",\n realm_id=realm.id,\n client_id=client.id,\n optional_scopes=[\n \"address\",\n \"phone\",\n 
\"offline_access\",\n \"microprofile-jwt\",\n client_scope.name,\n ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var client = new Keycloak.OpenId.Client(\"client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n AccessType = \"CONFIDENTIAL\",\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var clientOptionalScopes = new Keycloak.OpenId.ClientOptionalScopes(\"client_optional_scopes\", new()\n {\n RealmId = realm.Id,\n ClientId = client.Id,\n OptionalScopes = new[]\n {\n \"address\",\n \"phone\",\n \"offline_access\",\n \"microprofile-jwt\",\n clientScope.Name,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclient, err := openid.NewClient(ctx, \"client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClientOptionalScopes(ctx, 
\"client_optional_scopes\", \u0026openid.ClientOptionalScopesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: client.ID(),\n\t\t\tOptionalScopes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"address\"),\n\t\t\t\tpulumi.String(\"phone\"),\n\t\t\t\tpulumi.String(\"offline_access\"),\n\t\t\t\tpulumi.String(\"microprofile-jwt\"),\n\t\t\t\tclientScope.Name,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.ClientOptionalScopes;\nimport com.pulumi.keycloak.openid.ClientOptionalScopesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var client = new Client(\"client\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .accessType(\"CONFIDENTIAL\")\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var clientOptionalScopes = new ClientOptionalScopes(\"clientOptionalScopes\", ClientOptionalScopesArgs.builder()\n .realmId(realm.id())\n .clientId(client.id())\n .optionalScopes( \n \"address\",\n \"phone\",\n \"offline_access\",\n \"microprofile-jwt\",\n clientScope.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n 
realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n client:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n accessType: CONFIDENTIAL\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n clientOptionalScopes:\n type: keycloak:openid:ClientOptionalScopes\n name: client_optional_scopes\n properties:\n realmId: ${realm.id}\n clientId: ${client.id}\n optionalScopes:\n - address\n - phone\n - offline_access\n - microprofile-jwt\n - ${clientScope.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThis resource does not support import. Instead of importing, feel free to create this resource\n\nas if it did not already exist on the server.\n\n", "properties": { "clientId": { - "type": "string" + "type": "string", + "description": "The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.\n" }, "optionalScopes": { "type": "array", "items": { "type": "string" - } + }, + "description": "An array of client scope names to attach to this client as optional scopes.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this client and scopes exists in.\n" } }, "required": [ @@ -9912,16 +10328,19 @@ "inputProperties": { "clientId": { "type": "string", + "description": "The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.\n", "willReplaceOnChanges": true }, "optionalScopes": { "type": "array", "items": { "type": "string" - } + }, + "description": "An array of client scope names to attach to this client as optional scopes.\n" }, "realmId": { "type": "string", + "description": "The realm this client and scopes exists in.\n", "willReplaceOnChanges": true } }, 
@@ -9935,16 +10354,19 @@ "properties": { "clientId": { "type": "string", + "description": "The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.\n", "willReplaceOnChanges": true }, "optionalScopes": { "type": "array", "items": { "type": "string" - } + }, + "description": "An array of client scope names to attach to this client as optional scopes.\n" }, "realmId": { "type": "string", + "description": "The realm this client and scopes exists in.\n", "willReplaceOnChanges": true } }, 
@@ -10297,25 +10719,31 @@ } }, "keycloak:openid/clientScope:ClientScope": { - "description": "## # keycloak.openid.ClientScope\n\nAllows for creating and managing Keycloak client scopes that can be attached to\nclients that use the OpenID Connect protocol.\n\nClient Scopes can be used to share common protocol and role mappings between multiple\nclients within a realm. They can also be used by clients to conditionally request\nclaims or roles for a user based on the OAuth 2.0 `scope` parameter.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClientScope = new keycloak.openid.ClientScope(\"openid_client_scope\", {\n realmId: realm.id,\n name: \"groups\",\n description: \"When requested, this scope will map a user's group memberships to a claim\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client_scope = keycloak.openid.ClientScope(\"openid_client_scope\",\n realm_id=realm.id,\n name=\"groups\",\n description=\"When requested, this scope will map a user's group memberships to a claim\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClientScope = new Keycloak.OpenId.ClientScope(\"openid_client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"groups\",\n Description = \"When requested, this scope will map a user's group memberships to a claim\",\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClientScope(ctx, \"openid_client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"groups\"),\n\t\t\tDescription: pulumi.String(\"When requested, this scope will map a user's group memberships to a claim\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClientScope = new ClientScope(\"openidClientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"groups\")\n .description(\"When requested, this scope will map a user's group memberships to a claim\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClientScope:\n type: keycloak:openid:ClientScope\n name: openid_client_scope\n properties:\n realmId: 
${realm.id}\n name: groups\n description: When requested, this scope will map a user's group memberships to a claim\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this client scope belongs to.\n- `name` - (Required) The display name of this client scope in the GUI.\n- `description` - (Optional) The description of this client scope in the GUI.\n- `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users\nauthenticating to clients with this scope attached. The consent screen will display the string\nvalue of this attribute.\n\n### Import\n\nClient scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak\nassigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID.\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_client_scope.openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52\n```\n", + "description": "Allows for creating and managing Keycloak client scopes that can be attached to clients that use the OpenID Connect protocol.\n\nClient Scopes can be used to share common protocol and role mappings between multiple clients within a realm. 
They can also\nbe used by clients to conditionally request claims or roles for a user based on the OAuth 2.0 `scope` parameter.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClientScope = new keycloak.openid.ClientScope(\"openid_client_scope\", {\n realmId: realm.id,\n name: \"groups\",\n description: \"When requested, this scope will map a user's group memberships to a claim\",\n includeInTokenScope: true,\n guiOrder: 1,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client_scope = keycloak.openid.ClientScope(\"openid_client_scope\",\n realm_id=realm.id,\n name=\"groups\",\n description=\"When requested, this scope will map a user's group memberships to a claim\",\n include_in_token_scope=True,\n gui_order=1)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClientScope = new Keycloak.OpenId.ClientScope(\"openid_client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"groups\",\n Description = \"When requested, this scope will map a user's group memberships to a claim\",\n IncludeInTokenScope = true,\n GuiOrder = 1,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", 
\u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClientScope(ctx, \"openid_client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"groups\"),\n\t\t\tDescription: pulumi.String(\"When requested, this scope will map a user's group memberships to a claim\"),\n\t\t\tIncludeInTokenScope: pulumi.Bool(true),\n\t\t\tGuiOrder: pulumi.Int(1),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClientScope = new ClientScope(\"openidClientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"groups\")\n .description(\"When requested, this scope will map a user's group memberships to a claim\")\n .includeInTokenScope(true)\n .guiOrder(1)\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClientScope:\n type: keycloak:openid:ClientScope\n name: openid_client_scope\n properties:\n realmId: ${realm.id}\n name: groups\n description: When requested, this scope will map a user's group memberships to a claim\n includeInTokenScope: true\n guiOrder: 1\n```\n\u003c!--End 
PulumiCodeChooser --\u003e\n\n## Import\n\nClient scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak\n\nassigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:openid/clientScope:ClientScope openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52\n```\n\n", "properties": { "consentScreenText": { - "type": "string" + "type": "string", + "description": "When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of this client scope in the GUI.\n" }, "guiOrder": { - "type": "integer" + "type": "integer", + "description": "Specify order of the client scope in GUI (such as in Consent page) as integer.\n" }, "includeInTokenScope": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this client scope in the GUI.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this client scope belongs to.\n" } }, "required": [ 
@@ -10324,22 +10752,28 @@ ], "inputProperties": { "consentScreenText": { - "type": "string" + "type": "string", + "description": "When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of this client scope in the GUI.\n" }, "guiOrder": { - "type": "integer" + "type": "integer", + "description": "Specify order of the client scope in GUI (such as in Consent page) as integer.\n" }, "includeInTokenScope": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this client scope in the GUI.\n" }, "realmId": { "type": "string", + "description": "The realm this client scope belongs to.\n", "willReplaceOnChanges": true } }, 
@@ -10350,22 +10784,28 @@ "description": "Input properties used for looking up and filtering ClientScope resources.\n", "properties": { "consentScreenText": { - "type": "string" + "type": "string", + "description": "When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of this client scope in the GUI.\n" }, "guiOrder": { - "type": "integer" + "type": "integer", + "description": "Specify order of the client scope in GUI (such as in Consent page) as integer.\n" }, "includeInTokenScope": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this client scope in the GUI.\n" }, "realmId": { "type": "string", + "description": "The realm this client scope belongs to.\n", "willReplaceOnChanges": true } }, 
@@ -10801,32 +11241,35 @@ } }, "keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper": { - "description": "## # keycloak.openid.FullNameProtocolMapper\n\nAllows for creating and managing full name protocol mappers within\nKeycloak.\n\nFull name protocol mappers allow you to map a user's first and last name\nto the OpenID Connect `name` claim in a token. Protocol mappers can be defined\nfor a single client, or they can be defined for a client scope which can\nbe shared between multiple different clients.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst fullNameMapper = new keycloak.openid.FullNameProtocolMapper(\"full_name_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"full-name-mapper\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nfull_name_mapper = keycloak.openid.FullNameProtocolMapper(\"full_name_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"full-name-mapper\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new 
Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var fullNameMapper = new Keycloak.OpenId.FullNameProtocolMapper(\"full_name_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"full-name-mapper\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewFullNameProtocolMapper(ctx, \"full_name_mapper\", \u0026openid.FullNameProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"full-name-mapper\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport 
com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.FullNameProtocolMapper;\nimport com.pulumi.keycloak.openid.FullNameProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var fullNameMapper = new FullNameProtocolMapper(\"fullNameMapper\", FullNameProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"full-name-mapper\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n fullNameMapper:\n type: keycloak:openid:FullNameProtocolMapper\n name: full_name_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: full-name-mapper\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", 
{\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst fullNameMapper = new keycloak.openid.FullNameProtocolMapper(\"full_name_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"full-name-mapper\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nfull_name_mapper = keycloak.openid.FullNameProtocolMapper(\"full_name_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"full-name-mapper\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var fullNameMapper = new Keycloak.OpenId.FullNameProtocolMapper(\"full_name_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"full-name-mapper\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", 
\u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewFullNameProtocolMapper(ctx, \"full_name_mapper\", \u0026openid.FullNameProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"full-name-mapper\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.FullNameProtocolMapper;\nimport com.pulumi.keycloak.openid.FullNameProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var fullNameMapper = new FullNameProtocolMapper(\"fullNameMapper\", FullNameProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"full-name-mapper\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n fullNameMapper:\n type: keycloak:openid:FullNameProtocolMapper\n name: 
full_name_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: full-name-mapper\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `add_to_id_token` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`.\n- `add_to_access_token` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`.\n- `add_to_userinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. 
Defaults to `true`.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing full name protocol mappers within Keycloak.\n\nFull name protocol mappers allow you to map a user's first and last name to the OpenID Connect `name` claim in a token.\n\nProtocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between\nmultiple different clients.\n\n## Example Usage\n\n### Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst fullNameMapper = new keycloak.openid.FullNameProtocolMapper(\"full_name_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"full-name-mapper\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n 
name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nfull_name_mapper = keycloak.openid.FullNameProtocolMapper(\"full_name_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"full-name-mapper\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var fullNameMapper = new Keycloak.OpenId.FullNameProtocolMapper(\"full_name_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"full-name-mapper\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil 
{\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewFullNameProtocolMapper(ctx, \"full_name_mapper\", \u0026openid.FullNameProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"full-name-mapper\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.FullNameProtocolMapper;\nimport com.pulumi.keycloak.openid.FullNameProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var fullNameMapper = new FullNameProtocolMapper(\"fullNameMapper\", FullNameProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"full-name-mapper\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n 
fullNameMapper:\n type: keycloak:openid:FullNameProtocolMapper\n name: full_name_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: full-name-mapper\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"client-scope\",\n});\nconst fullNameMapper = new keycloak.openid.FullNameProtocolMapper(\"full_name_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"full-name-mapper\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"client-scope\")\nfull_name_mapper = keycloak.openid.FullNameProtocolMapper(\"full_name_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"full-name-mapper\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"client-scope\",\n });\n\n var fullNameMapper = new Keycloak.OpenId.FullNameProtocolMapper(\"full_name_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"full-name-mapper\",\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewFullNameProtocolMapper(ctx, \"full_name_mapper\", \u0026openid.FullNameProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"full-name-mapper\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.FullNameProtocolMapper;\nimport com.pulumi.keycloak.openid.FullNameProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"client-scope\")\n .build());\n\n var fullNameMapper = new 
FullNameProtocolMapper(\"fullNameMapper\", FullNameProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"full-name-mapper\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: client-scope\n fullNameMapper:\n type: keycloak:openid:FullNameProtocolMapper\n name: full_name_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: full-name-mapper\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", "properties": { "addToAccessToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the user's full name should be added as a claim to the UserInfo response body. 
Defaults to `true`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n" + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n" + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n" + "description": "The realm this protocol mapper exists within.\n" } }, "required": [ 
@@ -10835,32 +11278,35 @@ ], "inputProperties": { "addToAccessToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n", + "description": "The display name of this protocol mapper in the GUI.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, 
@@ -10871,32 +11317,35 @@ "description": "Input properties used for looking up and filtering FullNameProtocolMapper resources.\n", "properties": { "addToAccessToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n", + "description": "The display name of this protocol mapper in the GUI.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, 
@@ -10904,38 +11353,43 @@ } }, "keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper": { - "description": "## # keycloak.openid.GroupMembershipProtocolMapper\n\nAllows for creating and managing group membership protocol mappers within\nKeycloak.\n\nGroup membership protocol mappers allow you to map a user's group memberships\nto a claim in a token. Protocol mappers can be defined for a single client,\nor they can be defined for a client scope which can be shared between multiple\ndifferent clients.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst groupMembershipMapper = new keycloak.openid.GroupMembershipProtocolMapper(\"group_membership_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"group-membership-mapper\",\n claimName: \"groups\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\ngroup_membership_mapper = keycloak.openid.GroupMembershipProtocolMapper(\"group_membership_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"group-membership-mapper\",\n claim_name=\"groups\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing 
Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var groupMembershipMapper = new Keycloak.OpenId.GroupMembershipProtocolMapper(\"group_membership_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"group-membership-mapper\",\n ClaimName = \"groups\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewGroupMembershipProtocolMapper(ctx, \"group_membership_mapper\", \u0026openid.GroupMembershipProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"group-membership-mapper\"),\n\t\t\tClaimName: 
pulumi.String(\"groups\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.GroupMembershipProtocolMapper;\nimport com.pulumi.keycloak.openid.GroupMembershipProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var groupMembershipMapper = new GroupMembershipProtocolMapper(\"groupMembershipMapper\", GroupMembershipProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"group-membership-mapper\")\n .claimName(\"groups\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n groupMembershipMapper:\n type: keycloak:openid:GroupMembershipProtocolMapper\n name: group_membership_mapper\n properties:\n realmId: 
${realm.id}\n clientId: ${openidClient.id}\n name: group-membership-mapper\n claimName: groups\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst groupMembershipMapper = new keycloak.openid.GroupMembershipProtocolMapper(\"group_membership_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"group-membership-mapper\",\n claimName: \"groups\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\ngroup_membership_mapper = keycloak.openid.GroupMembershipProtocolMapper(\"group_membership_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"group-membership-mapper\",\n claim_name=\"groups\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var groupMembershipMapper = new Keycloak.OpenId.GroupMembershipProtocolMapper(\"group_membership_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"group-membership-mapper\",\n ClaimName = \"groups\",\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewGroupMembershipProtocolMapper(ctx, \"group_membership_mapper\", \u0026openid.GroupMembershipProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"group-membership-mapper\"),\n\t\t\tClaimName: pulumi.String(\"groups\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.GroupMembershipProtocolMapper;\nimport com.pulumi.keycloak.openid.GroupMembershipProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", 
ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var groupMembershipMapper = new GroupMembershipProtocolMapper(\"groupMembershipMapper\", GroupMembershipProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"group-membership-mapper\")\n .claimName(\"groups\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n groupMembershipMapper:\n type: keycloak:openid:GroupMembershipProtocolMapper\n name: group_membership_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: group-membership-mapper\n claimName: groups\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `claim_name` - (Required) The name of the claim to insert into a token.\n- `full_path` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`.\n- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. 
Defaults to `true`.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing group membership protocol mappers within Keycloak.\n\nGroup membership protocol mappers allow you to map a user's group memberships to a claim in a token.\n\nProtocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between\nmultiple different clients.\n\n## Example Usage\n\n### Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst groupMembershipMapper = new keycloak.openid.GroupMembershipProtocolMapper(\"group_membership_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"group-membership-mapper\",\n claimName: \"groups\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = 
keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\ngroup_membership_mapper = keycloak.openid.GroupMembershipProtocolMapper(\"group_membership_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"group-membership-mapper\",\n claim_name=\"groups\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var groupMembershipMapper = new Keycloak.OpenId.GroupMembershipProtocolMapper(\"group_membership_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"group-membership-mapper\",\n ClaimName = \"groups\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: 
pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewGroupMembershipProtocolMapper(ctx, \"group_membership_mapper\", \u0026openid.GroupMembershipProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"group-membership-mapper\"),\n\t\t\tClaimName: pulumi.String(\"groups\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.GroupMembershipProtocolMapper;\nimport com.pulumi.keycloak.openid.GroupMembershipProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var groupMembershipMapper = new GroupMembershipProtocolMapper(\"groupMembershipMapper\", GroupMembershipProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"group-membership-mapper\")\n .claimName(\"groups\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n 
realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n groupMembershipMapper:\n type: keycloak:openid:GroupMembershipProtocolMapper\n name: group_membership_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: group-membership-mapper\n claimName: groups\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"client-scope\",\n});\nconst groupMembershipMapper = new keycloak.openid.GroupMembershipProtocolMapper(\"group_membership_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"group-membership-mapper\",\n claimName: \"groups\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"client-scope\")\ngroup_membership_mapper = keycloak.openid.GroupMembershipProtocolMapper(\"group_membership_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"group-membership-mapper\",\n claim_name=\"groups\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = 
new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"client-scope\",\n });\n\n var groupMembershipMapper = new Keycloak.OpenId.GroupMembershipProtocolMapper(\"group_membership_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"group-membership-mapper\",\n ClaimName = \"groups\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewGroupMembershipProtocolMapper(ctx, \"group_membership_mapper\", \u0026openid.GroupMembershipProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"group-membership-mapper\"),\n\t\t\tClaimName: pulumi.String(\"groups\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.GroupMembershipProtocolMapper;\nimport com.pulumi.keycloak.openid.GroupMembershipProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport 
java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"client-scope\")\n .build());\n\n var groupMembershipMapper = new GroupMembershipProtocolMapper(\"groupMembershipMapper\", GroupMembershipProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"group-membership-mapper\")\n .claimName(\"groups\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: client-scope\n groupMembershipMapper:\n type: keycloak:openid:GroupMembershipProtocolMapper\n name: group_membership_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: group-membership-mapper\n claimName: groups\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", 
"properties": { "addToAccessToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n" + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n" + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "fullPath": { - "type": "boolean" + "type": "boolean", + "description": "Indicates whether the full path of the group including its parents will be used. Defaults to `true`.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n" + "description": "The realm this protocol mapper exists within.\n" } }, "required": [ 
@@ -10945,38 +11399,43 @@ ], "inputProperties": { "addToAccessToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "fullPath": { - "type": "boolean" + "type": "boolean", + "description": "Indicates whether the full path of the group including its parents will be used. 
Defaults to `true`.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n", + "description": "The display name of this protocol mapper in the GUI.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, 
@@ -10988,38 +11447,43 @@ "description": "Input properties used for looking up and filtering GroupMembershipProtocolMapper resources.\n", "properties": { "addToAccessToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { - "type": "boolean" + "type": "boolean", + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "fullPath": { - "type": "boolean" + "type": "boolean", + "description": "Indicates whether the full path of the group including its parents will be used. 
Defaults to `true`.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n", + "description": "The display name of this protocol mapper in the GUI.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, 
@@ -11027,45 +11491,47 @@ } }, "keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper": { - "description": "## # keycloak.openid.HardcodedClaimProtocolMapper\n\nAllows for creating and managing hardcoded claim protocol mappers within\nKeycloak.\n\nHardcoded claim protocol mappers allow you to define a claim with a hardcoded\nvalue. Protocol mappers can be defined for a single client, or they can\nbe defined for a client scope which can be shared between multiple different\nclients.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst hardcodedClaimMapper = new keycloak.openid.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"hardcoded-claim-mapper\",\n claimName: \"foo\",\n claimValue: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nhardcoded_claim_mapper = keycloak.openid.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"hardcoded-claim-mapper\",\n claim_name=\"foo\",\n claim_value=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing 
Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var hardcodedClaimMapper = new Keycloak.OpenId.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"hardcoded-claim-mapper\",\n ClaimName = \"foo\",\n ClaimValue = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewHardcodedClaimProtocolMapper(ctx, \"hardcoded_claim_mapper\", \u0026openid.HardcodedClaimProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: 
pulumi.String(\"hardcoded-claim-mapper\"),\n\t\t\tClaimName: pulumi.String(\"foo\"),\n\t\t\tClaimValue: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.HardcodedClaimProtocolMapper;\nimport com.pulumi.keycloak.openid.HardcodedClaimProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var hardcodedClaimMapper = new HardcodedClaimProtocolMapper(\"hardcodedClaimMapper\", HardcodedClaimProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"hardcoded-claim-mapper\")\n .claimName(\"foo\")\n .claimValue(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n hardcodedClaimMapper:\n type: 
keycloak:openid:HardcodedClaimProtocolMapper\n name: hardcoded_claim_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: hardcoded-claim-mapper\n claimName: foo\n claimValue: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst hardcodedClaimMapper = new keycloak.openid.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"hardcoded-claim-mapper\",\n claimName: \"foo\",\n claimValue: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nhardcoded_claim_mapper = keycloak.openid.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"hardcoded-claim-mapper\",\n claim_name=\"foo\",\n claim_value=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var hardcodedClaimMapper = new Keycloak.OpenId.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = 
clientScope.Id,\n Name = \"hardcoded-claim-mapper\",\n ClaimName = \"foo\",\n ClaimValue = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewHardcodedClaimProtocolMapper(ctx, \"hardcoded_claim_mapper\", \u0026openid.HardcodedClaimProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"hardcoded-claim-mapper\"),\n\t\t\tClaimName: pulumi.String(\"foo\"),\n\t\t\tClaimValue: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.HardcodedClaimProtocolMapper;\nimport com.pulumi.keycloak.openid.HardcodedClaimProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var 
realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var hardcodedClaimMapper = new HardcodedClaimProtocolMapper(\"hardcodedClaimMapper\", HardcodedClaimProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"hardcoded-claim-mapper\")\n .claimName(\"foo\")\n .claimValue(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n hardcodedClaimMapper:\n type: keycloak:openid:HardcodedClaimProtocolMapper\n name: hardcoded_claim_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: hardcoded-claim-mapper\n claimName: foo\n claimValue: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `claim_name` - (Required) The name of the claim to insert into a token.\n- `claim_value` - (Required) The hardcoded value of the claim.\n- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`.\n- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. 
Defaults to `true`.\n- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing hardcoded claim protocol mappers within Keycloak.\n\nHardcoded claim protocol mappers allow you to define a claim with a hardcoded value.\n\nProtocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between\nmultiple different clients.\n\n## Example Usage\n\n### Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst hardcodedClaimMapper = new keycloak.openid.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n 
name: \"hardcoded-claim-mapper\",\n claimName: \"foo\",\n claimValue: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nhardcoded_claim_mapper = keycloak.openid.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"hardcoded-claim-mapper\",\n claim_name=\"foo\",\n claim_value=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var hardcodedClaimMapper = new Keycloak.OpenId.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"hardcoded-claim-mapper\",\n ClaimName = \"foo\",\n ClaimValue = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil 
{\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewHardcodedClaimProtocolMapper(ctx, \"hardcoded_claim_mapper\", \u0026openid.HardcodedClaimProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"hardcoded-claim-mapper\"),\n\t\t\tClaimName: pulumi.String(\"foo\"),\n\t\t\tClaimValue: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.HardcodedClaimProtocolMapper;\nimport com.pulumi.keycloak.openid.HardcodedClaimProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n 
.build());\n\n var hardcodedClaimMapper = new HardcodedClaimProtocolMapper(\"hardcodedClaimMapper\", HardcodedClaimProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"hardcoded-claim-mapper\")\n .claimName(\"foo\")\n .claimValue(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n hardcodedClaimMapper:\n type: keycloak:openid:HardcodedClaimProtocolMapper\n name: hardcoded_claim_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: hardcoded-claim-mapper\n claimName: foo\n claimValue: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"client-scope\",\n});\nconst hardcodedClaimMapper = new keycloak.openid.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"hardcoded-claim-mapper\",\n claimName: \"foo\",\n claimValue: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"client-scope\")\nhardcoded_claim_mapper = keycloak.openid.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n 
name=\"hardcoded-claim-mapper\",\n claim_name=\"foo\",\n claim_value=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"client-scope\",\n });\n\n var hardcodedClaimMapper = new Keycloak.OpenId.HardcodedClaimProtocolMapper(\"hardcoded_claim_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"hardcoded-claim-mapper\",\n ClaimName = \"foo\",\n ClaimValue = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewHardcodedClaimProtocolMapper(ctx, \"hardcoded_claim_mapper\", \u0026openid.HardcodedClaimProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"hardcoded-claim-mapper\"),\n\t\t\tClaimName: pulumi.String(\"foo\"),\n\t\t\tClaimValue: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport 
com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.HardcodedClaimProtocolMapper;\nimport com.pulumi.keycloak.openid.HardcodedClaimProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"client-scope\")\n .build());\n\n var hardcodedClaimMapper = new HardcodedClaimProtocolMapper(\"hardcodedClaimMapper\", HardcodedClaimProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"hardcoded-claim-mapper\")\n .claimName(\"foo\")\n .claimValue(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: client-scope\n hardcodedClaimMapper:\n type: keycloak:openid:HardcodedClaimProtocolMapper\n name: hardcoded_claim_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: hardcoded-claim-mapper\n claimName: foo\n claimValue: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: 
`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the access token.\n" + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the id token.\n" + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the attribute should appear in the userinfo response body.\n" + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValue": { - "type": "string" + "type": "string", + "description": "The hardcoded value of the claim.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. 
Cannot be used at the same time as client_scope_id.\n" + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n" + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n" + "description": "The realm this protocol mapper exists within.\n" } }, "required": [ 
@@ -11077,43 +11543,45 @@ "inputProperties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the access token.\n" + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the id token.\n" + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the attribute should appear in the userinfo response body.\n" + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValue": { - "type": "string" + "type": "string", + "description": "The hardcoded value of the claim.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. 
One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, 
@@ -11127,43 +11595,45 @@ "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the access token.\n" + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the id token.\n" + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the attribute should appear in the userinfo response body.\n" + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValue": { - "type": "string" + "type": "string", + "description": "The hardcoded value of the claim.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. 
One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true } }, 
@@ -11171,26 +11641,27 @@ } }, "keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper": { - "description": "## # keycloak.openid.HardcodedRoleProtocolMapper\n\nAllows for creating and managing hardcoded role protocol mappers within\nKeycloak.\n\nHardcoded role protocol mappers allow you to specify a single role to\nalways map to an access token for a client. Protocol mappers can be\ndefined for a single client, or they can be defined for a client scope\nwhich can be shared between multiple different clients.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst role = new keycloak.Role(\"role\", {\n realmId: realm.id,\n name: \"my-role\",\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst hardcodedRoleMapper = new keycloak.openid.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"hardcoded-role-mapper\",\n roleId: role.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrole = keycloak.Role(\"role\",\n realm_id=realm.id,\n name=\"my-role\")\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nhardcoded_role_mapper = keycloak.openid.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n 
name=\"hardcoded-role-mapper\",\n role_id=role.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var role = new Keycloak.Role(\"role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-role\",\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var hardcodedRoleMapper = new Keycloak.OpenId.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"hardcoded-role-mapper\",\n RoleId = role.Id,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := keycloak.NewRole(ctx, \"role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: 
pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewHardcodedRoleProtocolMapper(ctx, \"hardcoded_role_mapper\", \u0026openid.HardcodedRoleProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"hardcoded-role-mapper\"),\n\t\t\tRoleId: role.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.HardcodedRoleProtocolMapper;\nimport com.pulumi.keycloak.openid.HardcodedRoleProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var role = new Role(\"role\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-role\")\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var hardcodedRoleMapper = new HardcodedRoleProtocolMapper(\"hardcodedRoleMapper\", HardcodedRoleProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n 
.name(\"hardcoded-role-mapper\")\n .roleId(role.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n role:\n type: keycloak:Role\n properties:\n realmId: ${realm.id}\n name: my-role\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n hardcodedRoleMapper:\n type: keycloak:openid:HardcodedRoleProtocolMapper\n name: hardcoded_role_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: hardcoded-role-mapper\n roleId: ${role.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst role = new keycloak.Role(\"role\", {\n realmId: realm.id,\n name: \"my-role\",\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst hardcodedRoleMapper = new keycloak.openid.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"hardcoded-role-mapper\",\n roleId: role.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrole = keycloak.Role(\"role\",\n realm_id=realm.id,\n name=\"my-role\")\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nhardcoded_role_mapper = keycloak.openid.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n 
name=\"hardcoded-role-mapper\",\n role_id=role.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var role = new Keycloak.Role(\"role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-role\",\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var hardcodedRoleMapper = new Keycloak.OpenId.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"hardcoded-role-mapper\",\n RoleId = role.Id,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := keycloak.NewRole(ctx, \"role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewHardcodedRoleProtocolMapper(ctx, \"hardcoded_role_mapper\", \u0026openid.HardcodedRoleProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: 
pulumi.String(\"hardcoded-role-mapper\"),\n\t\t\tRoleId: role.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.HardcodedRoleProtocolMapper;\nimport com.pulumi.keycloak.openid.HardcodedRoleProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var role = new Role(\"role\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-role\")\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var hardcodedRoleMapper = new HardcodedRoleProtocolMapper(\"hardcodedRoleMapper\", HardcodedRoleProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"hardcoded-role-mapper\")\n .roleId(role.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n role:\n type: keycloak:Role\n properties:\n realmId: ${realm.id}\n name: my-role\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n hardcodedRoleMapper:\n type: keycloak:openid:HardcodedRoleProtocolMapper\n name: 
hardcoded_role_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: hardcoded-role-mapper\n roleId: ${role.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the\n GUI.\n- `role_id` - (Required) The ID of the role to map to an access token.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing hardcoded role protocol mappers within Keycloak.\n\nHardcoded role protocol mappers allow you to specify a single role to always map to an access token for a client.\n\nProtocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between\nmultiple different clients.\n\n## Example Usage\n\n### Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: 
\"my-realm\",\n enabled: true,\n});\nconst role = new keycloak.Role(\"role\", {\n realmId: realm.id,\n name: \"my-role\",\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst hardcodedRoleMapper = new keycloak.openid.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"hardcoded-role-mapper\",\n roleId: role.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrole = keycloak.Role(\"role\",\n realm_id=realm.id,\n name=\"my-role\")\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nhardcoded_role_mapper = keycloak.openid.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"hardcoded-role-mapper\",\n role_id=role.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var role = new Keycloak.Role(\"role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-role\",\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var hardcodedRoleMapper = new 
Keycloak.OpenId.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"hardcoded-role-mapper\",\n RoleId = role.Id,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := keycloak.NewRole(ctx, \"role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewHardcodedRoleProtocolMapper(ctx, \"hardcoded_role_mapper\", \u0026openid.HardcodedRoleProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"hardcoded-role-mapper\"),\n\t\t\tRoleId: role.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport 
com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.HardcodedRoleProtocolMapper;\nimport com.pulumi.keycloak.openid.HardcodedRoleProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var role = new Role(\"role\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-role\")\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var hardcodedRoleMapper = new HardcodedRoleProtocolMapper(\"hardcodedRoleMapper\", HardcodedRoleProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"hardcoded-role-mapper\")\n .roleId(role.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n role:\n type: keycloak:Role\n properties:\n realmId: ${realm.id}\n name: my-role\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n hardcodedRoleMapper:\n type: keycloak:openid:HardcodedRoleProtocolMapper\n name: hardcoded_role_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: hardcoded-role-mapper\n roleId: ${role.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Scope)\n\n\u003c!--Start 
PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst role = new keycloak.Role(\"role\", {\n realmId: realm.id,\n name: \"my-role\",\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"client-scope\",\n});\nconst hardcodedRoleMapper = new keycloak.openid.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"hardcoded-role-mapper\",\n roleId: role.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrole = keycloak.Role(\"role\",\n realm_id=realm.id,\n name=\"my-role\")\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"client-scope\")\nhardcoded_role_mapper = keycloak.openid.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"hardcoded-role-mapper\",\n role_id=role.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var role = new Keycloak.Role(\"role\", new()\n {\n RealmId = realm.Id,\n Name = \"my-role\",\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"client-scope\",\n });\n\n var hardcodedRoleMapper = new Keycloak.OpenId.HardcodedRoleProtocolMapper(\"hardcoded_role_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"hardcoded-role-mapper\",\n RoleId = role.Id,\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := keycloak.NewRole(ctx, \"role\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"my-role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewHardcodedRoleProtocolMapper(ctx, \"hardcoded_role_mapper\", \u0026openid.HardcodedRoleProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"hardcoded-role-mapper\"),\n\t\t\tRoleId: role.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.HardcodedRoleProtocolMapper;\nimport com.pulumi.keycloak.openid.HardcodedRoleProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n 
}\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var role = new Role(\"role\", RoleArgs.builder()\n .realmId(realm.id())\n .name(\"my-role\")\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"client-scope\")\n .build());\n\n var hardcodedRoleMapper = new HardcodedRoleProtocolMapper(\"hardcodedRoleMapper\", HardcodedRoleProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"hardcoded-role-mapper\")\n .roleId(role.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n role:\n type: keycloak:Role\n properties:\n realmId: ${realm.id}\n name: my-role\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: client-scope\n hardcodedRoleMapper:\n type: keycloak:openid:HardcodedRoleProtocolMapper\n name: hardcoded_role_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: hardcoded-role-mapper\n roleId: ${role.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", 
"properties": { "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n" + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n" + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n" + "description": "The realm this protocol mapper exists within.\n" }, "roleId": { - "type": "string" + "type": "string", + "description": "The ID of the role to map to an access token.\n" } }, "required": [ 
@@ -11201,26 +11672,27 @@ "inputProperties": { "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n", + "description": "The display name of this protocol mapper in the GUI.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "roleId": { - "type": "string" + "type": "string", + "description": "The ID of the role to map to an access token.\n" } }, "requiredInputs": [ 
@@ -11232,26 +11704,27 @@ "properties": { "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n", + "description": "The display name of this protocol mapper in the GUI.\n", "willReplaceOnChanges": true }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "roleId": { - "type": "string" + "type": "string", + "description": "The ID of the role to map to an access token.\n" } }, "type": "object" 
@@ -11420,53 +11893,55 @@ } }, "keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper": { - "description": "## # keycloak.openid.UserAttributeProtocolMapper\n\nAllows for creating and managing user attribute protocol mappers within\nKeycloak.\n\nUser attribute protocol mappers allow you to map custom attributes defined\nfor a user within Keycloak to a claim in a token. Protocol mappers can be\ndefined for a single client, or they can be defined for a client scope which\ncan be shared between multiple different clients.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst userAttributeMapper = new keycloak.openid.UserAttributeProtocolMapper(\"user_attribute_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"test-mapper\",\n userAttribute: \"foo\",\n claimName: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nuser_attribute_mapper = keycloak.openid.UserAttributeProtocolMapper(\"user_attribute_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"test-mapper\",\n user_attribute=\"foo\",\n claim_name=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing 
System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var userAttributeMapper = new Keycloak.OpenId.UserAttributeProtocolMapper(\"user_attribute_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"test-mapper\",\n UserAttribute = \"foo\",\n ClaimName = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserAttributeProtocolMapper(ctx, \"user_attribute_mapper\", \u0026openid.UserAttributeProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: 
pulumi.String(\"test-mapper\"),\n\t\t\tUserAttribute: pulumi.String(\"foo\"),\n\t\t\tClaimName: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.UserAttributeProtocolMapper;\nimport com.pulumi.keycloak.openid.UserAttributeProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var userAttributeMapper = new UserAttributeProtocolMapper(\"userAttributeMapper\", UserAttributeProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"test-mapper\")\n .userAttribute(\"foo\")\n .claimName(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n userAttributeMapper:\n type: 
keycloak:openid:UserAttributeProtocolMapper\n name: user_attribute_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: test-mapper\n userAttribute: foo\n claimName: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst userAttributeMapper = new keycloak.openid.UserAttributeProtocolMapper(\"user_attribute_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"test-mapper\",\n userAttribute: \"foo\",\n claimName: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nuser_attribute_mapper = keycloak.openid.UserAttributeProtocolMapper(\"user_attribute_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"test-mapper\",\n user_attribute=\"foo\",\n claim_name=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var userAttributeMapper = new Keycloak.OpenId.UserAttributeProtocolMapper(\"user_attribute_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"test-mapper\",\n 
UserAttribute = \"foo\",\n ClaimName = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserAttributeProtocolMapper(ctx, \"user_attribute_mapper\", \u0026openid.UserAttributeProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"test-mapper\"),\n\t\t\tUserAttribute: pulumi.String(\"foo\"),\n\t\t\tClaimName: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.UserAttributeProtocolMapper;\nimport com.pulumi.keycloak.openid.UserAttributeProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n 
.realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var userAttributeMapper = new UserAttributeProtocolMapper(\"userAttributeMapper\", UserAttributeProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"test-mapper\")\n .userAttribute(\"foo\")\n .claimName(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n userAttributeMapper:\n type: keycloak:openid:UserAttributeProtocolMapper\n name: user_attribute_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: test-mapper\n userAttribute: foo\n claimName: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `user_attribute` - (Required) The custom user attribute to map a claim for.\n- `claim_name` - (Required) The name of the claim to insert into a token.\n- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`.\n- `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`.\n- `add_to_id_token` - (Optional) Indicates if the attribute should be added as a claim to the id token. 
Defaults to `true`.\n- `add_to_access_token` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`.\n- `add_to_userinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing user attribute protocol mappers within Keycloak.\n\nUser attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to a claim in a token.\n\nProtocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between\nmultiple different clients.\n\n## Example Usage\n\n### Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst userAttributeMapper = new keycloak.openid.UserAttributeProtocolMapper(\"user_attribute_mapper\", {\n realmId: realm.id,\n 
clientId: openidClient.id,\n name: \"user-attribute-mapper\",\n userAttribute: \"foo\",\n claimName: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nuser_attribute_mapper = keycloak.openid.UserAttributeProtocolMapper(\"user_attribute_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"user-attribute-mapper\",\n user_attribute=\"foo\",\n claim_name=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var userAttributeMapper = new Keycloak.OpenId.UserAttributeProtocolMapper(\"user_attribute_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"user-attribute-mapper\",\n UserAttribute = \"foo\",\n ClaimName = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: 
pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserAttributeProtocolMapper(ctx, \"user_attribute_mapper\", \u0026openid.UserAttributeProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"user-attribute-mapper\"),\n\t\t\tUserAttribute: pulumi.String(\"foo\"),\n\t\t\tClaimName: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.UserAttributeProtocolMapper;\nimport com.pulumi.keycloak.openid.UserAttributeProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n 
.validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var userAttributeMapper = new UserAttributeProtocolMapper(\"userAttributeMapper\", UserAttributeProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"user-attribute-mapper\")\n .userAttribute(\"foo\")\n .claimName(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n userAttributeMapper:\n type: keycloak:openid:UserAttributeProtocolMapper\n name: user_attribute_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: user-attribute-mapper\n userAttribute: foo\n claimName: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"client-scope\",\n});\nconst userAttributeMapper = new keycloak.openid.UserAttributeProtocolMapper(\"user_attribute_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"user-attribute-mapper\",\n userAttribute: \"foo\",\n claimName: \"bar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"client-scope\")\nuser_attribute_mapper = keycloak.openid.UserAttributeProtocolMapper(\"user_attribute_mapper\",\n 
realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"user-attribute-mapper\",\n user_attribute=\"foo\",\n claim_name=\"bar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"client-scope\",\n });\n\n var userAttributeMapper = new Keycloak.OpenId.UserAttributeProtocolMapper(\"user_attribute_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"user-attribute-mapper\",\n UserAttribute = \"foo\",\n ClaimName = \"bar\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserAttributeProtocolMapper(ctx, \"user_attribute_mapper\", \u0026openid.UserAttributeProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"user-attribute-mapper\"),\n\t\t\tUserAttribute: pulumi.String(\"foo\"),\n\t\t\tClaimName: pulumi.String(\"bar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage 
generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.UserAttributeProtocolMapper;\nimport com.pulumi.keycloak.openid.UserAttributeProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"client-scope\")\n .build());\n\n var userAttributeMapper = new UserAttributeProtocolMapper(\"userAttributeMapper\", UserAttributeProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"user-attribute-mapper\")\n .userAttribute(\"foo\")\n .claimName(\"bar\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: client-scope\n userAttributeMapper:\n type: keycloak:openid:UserAttributeProtocolMapper\n name: user_attribute_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: user-attribute-mapper\n userAttribute: foo\n claimName: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: 
`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the access token.\n" + "description": "Indicates if the attribute should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the id token.\n" + "description": "Indicates if the attribute should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the attribute should appear in the userinfo response body.\n" + "description": "Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "aggregateAttributes": { "type": "boolean", - "description": "Indicates if attribute values should be aggregated within the group attributes\n" + "description": "Indicates whether this attribute is a single value or an array of values. Defaults to `false`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. 
Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n" + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n" + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "multivalued": { "type": "boolean", - "description": "Indicates whether this attribute is a single value or an array of values.\n" + "description": "Indicates whether this attribute is a single value or an array of values. Defaults to `false`.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n" + "description": "The realm this protocol mapper exists within.\n" }, "userAttribute": { - "type": "string" + "type": "string", + "description": "The custom user attribute to map a claim for.\n" } }, "required": [ 
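Review bot: The new `aggregateAttributes` description, `Indicates whether this attribute is a single value or an array of values. Defaults to \`false\`.`, is the `multivalued` text copied onto a different property; the removed text, `Indicates if attribute values should be aggregated within the group attributes`, described what the flag actually controls, and for a claim mapper a misleading description is how operators end up with group attribute values in tokens they did not expect. The same copy appears in the two following hunks (the `inputProperties` and the state `properties` blocks), so the text is presumably coming from a generated doc source and should be corrected there and regenerated rather than patched per block. Two smaller artifacts in the new resource description string: the headings `### Client)` and `### Client Scope)` keep a stray `)` from the old `### Example Usage (Client)` form, and the import example has an orphan `bash` line before the first ```` ```sh ```` fence.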
@@ -11478,52 +11953,54 @@ "inputProperties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the access token.\n" + "description": "Indicates if the attribute should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the id token.\n" + "description": "Indicates if the attribute should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the attribute should appear in the userinfo response body.\n" + "description": "Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "aggregateAttributes": { "type": "boolean", - "description": "Indicates if attribute values should be aggregated within the group attributes\n" + "description": "Indicates whether this attribute is a single value or an array of values. Defaults to `false`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. 
Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "multivalued": { "type": "boolean", - "description": "Indicates whether this attribute is a single value or an array of values.\n" + "description": "Indicates whether this attribute is a single value or an array of values. Defaults to `false`.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "userAttribute": { - "type": "string" + "type": "string", + "description": "The custom user attribute to map a claim for.\n" } }, "requiredInputs": [ 
@@ -11536,52 +12013,54 @@ "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the access token.\n" + "description": "Indicates if the attribute should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the id token.\n" + "description": "Indicates if the attribute should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the attribute should appear in the userinfo response body.\n" + "description": "Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "aggregateAttributes": { "type": "boolean", - "description": "Indicates if attribute values should be aggregated within the group attributes\n" + "description": "Indicates whether this attribute is a single value or an array of values. Defaults to `false`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. 
Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "multivalued": { "type": "boolean", - "description": "Indicates whether this attribute is a single value or an array of values.\n" + "description": "Indicates whether this attribute is a single value or an array of values. Defaults to `false`.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "userAttribute": { - "type": "string" + "type": "string", + "description": "The custom user attribute to map a claim for.\n" } }, "type": "object" 
@@ -11760,45 +12239,47 @@ } }, "keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper": { - "description": "## # keycloak.openid.UserPropertyProtocolMapper\n\nAllows for creating and managing user property protocol mappers within\nKeycloak.\n\nUser property protocol mappers allow you to map built in properties defined\non the Keycloak user interface to a claim in a token. Protocol mappers can be\ndefined for a single client, or they can be defined for a client scope which\ncan be shared between multiple different clients.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst userPropertyMapper = new keycloak.openid.UserPropertyProtocolMapper(\"user_property_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"test-mapper\",\n userProperty: \"email\",\n claimName: \"email\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nuser_property_mapper = keycloak.openid.UserPropertyProtocolMapper(\"user_property_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"test-mapper\",\n user_property=\"email\",\n claim_name=\"email\")\n```\n```csharp\nusing System.Collections.Generic;\nusing 
System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var userPropertyMapper = new Keycloak.OpenId.UserPropertyProtocolMapper(\"user_property_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"test-mapper\",\n UserProperty = \"email\",\n ClaimName = \"email\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserPropertyProtocolMapper(ctx, \"user_property_mapper\", \u0026openid.UserPropertyProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"test-mapper\"),\n\t\t\tUserProperty: 
pulumi.String(\"email\"),\n\t\t\tClaimName: pulumi.String(\"email\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.UserPropertyProtocolMapper;\nimport com.pulumi.keycloak.openid.UserPropertyProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var userPropertyMapper = new UserPropertyProtocolMapper(\"userPropertyMapper\", UserPropertyProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"test-mapper\")\n .userProperty(\"email\")\n .claimName(\"email\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n userPropertyMapper:\n type: keycloak:openid:UserPropertyProtocolMapper\n name: user_property_mapper\n 
properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: test-mapper\n userProperty: email\n claimName: email\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst userPropertyMapper = new keycloak.openid.UserPropertyProtocolMapper(\"user_property_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"test-mapper\",\n userProperty: \"email\",\n claimName: \"email\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nuser_property_mapper = keycloak.openid.UserPropertyProtocolMapper(\"user_property_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"test-mapper\",\n user_property=\"email\",\n claim_name=\"email\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var userPropertyMapper = new Keycloak.OpenId.UserPropertyProtocolMapper(\"user_property_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"test-mapper\",\n UserProperty = \"email\",\n ClaimName = \"email\",\n 
});\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserPropertyProtocolMapper(ctx, \"user_property_mapper\", \u0026openid.UserPropertyProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"test-mapper\"),\n\t\t\tUserProperty: pulumi.String(\"email\"),\n\t\t\tClaimName: pulumi.String(\"email\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.UserPropertyProtocolMapper;\nimport com.pulumi.keycloak.openid.UserPropertyProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var 
clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var userPropertyMapper = new UserPropertyProtocolMapper(\"userPropertyMapper\", UserPropertyProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"test-mapper\")\n .userProperty(\"email\")\n .claimName(\"email\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n userPropertyMapper:\n type: keycloak:openid:UserPropertyProtocolMapper\n name: user_property_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: test-mapper\n userProperty: email\n claimName: email\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `user_property` - (Required) The built in user property (such as email) to map a claim for.\n- `claim_name` - (Required) The name of the claim to insert into a token.\n- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`.\n- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. 
Defaults to `true`.\n- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing user property protocol mappers within Keycloak.\n\nUser property protocol mappers allow you to map built in properties defined on the Keycloak user interface to a claim in\na token.\n\nProtocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between\nmultiple different clients.\n\n## Example Usage\n\n### Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst userPropertyMapper = new keycloak.openid.UserPropertyProtocolMapper(\"user_property_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"user-property-mapper\",\n userProperty: \"email\",\n claimName: 
\"email\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nuser_property_mapper = keycloak.openid.UserPropertyProtocolMapper(\"user_property_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"user-property-mapper\",\n user_property=\"email\",\n claim_name=\"email\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var userPropertyMapper = new Keycloak.OpenId.UserPropertyProtocolMapper(\"user_property_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"user-property-mapper\",\n UserProperty = \"email\",\n ClaimName = \"email\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, 
\"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserPropertyProtocolMapper(ctx, \"user_property_mapper\", \u0026openid.UserPropertyProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"user-property-mapper\"),\n\t\t\tUserProperty: pulumi.String(\"email\"),\n\t\t\tClaimName: pulumi.String(\"email\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.UserPropertyProtocolMapper;\nimport com.pulumi.keycloak.openid.UserPropertyProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var userPropertyMapper = new 
UserPropertyProtocolMapper(\"userPropertyMapper\", UserPropertyProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"user-property-mapper\")\n .userProperty(\"email\")\n .claimName(\"email\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n userPropertyMapper:\n type: keycloak:openid:UserPropertyProtocolMapper\n name: user_property_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: user-property-mapper\n userProperty: email\n claimName: email\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"client-scope\",\n});\nconst userPropertyMapper = new keycloak.openid.UserPropertyProtocolMapper(\"user_property_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"test-mapper\",\n userProperty: \"email\",\n claimName: \"email\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"client-scope\")\nuser_property_mapper = keycloak.openid.UserPropertyProtocolMapper(\"user_property_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"test-mapper\",\n user_property=\"email\",\n 
claim_name=\"email\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"client-scope\",\n });\n\n var userPropertyMapper = new Keycloak.OpenId.UserPropertyProtocolMapper(\"user_property_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"test-mapper\",\n UserProperty = \"email\",\n ClaimName = \"email\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserPropertyProtocolMapper(ctx, \"user_property_mapper\", \u0026openid.UserPropertyProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"test-mapper\"),\n\t\t\tUserProperty: pulumi.String(\"email\"),\n\t\t\tClaimName: pulumi.String(\"email\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport 
com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.UserPropertyProtocolMapper;\nimport com.pulumi.keycloak.openid.UserPropertyProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"client-scope\")\n .build());\n\n var userPropertyMapper = new UserPropertyProtocolMapper(\"userPropertyMapper\", UserPropertyProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"test-mapper\")\n .userProperty(\"email\")\n .claimName(\"email\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: client-scope\n userPropertyMapper:\n type: keycloak:openid:UserPropertyProtocolMapper\n name: user_property_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: test-mapper\n userProperty: email\n claimName: email\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import 
keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the property should be a claim in the access token.\n" + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the property should be a claim in the id token.\n" + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the property should appear in the userinfo response body.\n" + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n" + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. 
Cannot be used at the same time as client_id.\n" + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n" + "description": "The realm this protocol mapper exists within.\n" }, "userProperty": { - "type": "string" + "type": "string", + "description": "The built in user property (such as email) to map a claim for.\n" } }, "required": [ 
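Review bot: The new `clientScopeId` description at the end of this hunk carries a stray trailing fragment: after "One of `client_id` or `client_scope_id` must be specified." it repeats `client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.`, which reads like an argument-reference bullet the description extractor failed to strip, and it will be rendered verbatim in every SDK's docstrings. The same fragment is in the `inputProperties` hunk at @@ -11810 and the `properties` hunk at @@ -11860; the sibling `userAttribute` mapper hunks above end cleanly at "must be specified.", so that is the wording to match. The resource-level description in this hunk also has mangled headings (`### Client)` and `### Client Scope)`), presumably from the same extraction, and is worth fixing in the same place. Since this file appears to be generated from the upstream markdown, the correction belongs in the docs patch or upstream rather than here.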
@@ -11810,44 +12291,46 @@ "inputProperties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the property should be a claim in the access token.\n" + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the property should be a claim in the id token.\n" + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the property should appear in the userinfo response body.\n" + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. 
`client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "userProperty": { - "type": "string" + "type": "string", + "description": "The built in user property (such as email) to map a claim for.\n" } }, "requiredInputs": [ 
@@ -11860,94 +12343,97 @@ "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the property should be a claim in the access token.\n" + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the property should be a claim in the id token.\n" + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the property should appear in the userinfo response body.\n" + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. 
`client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "userProperty": { - "type": "string" + "type": "string", + "description": "The built in user property (such as email) to map a claim for.\n" } }, "type": "object" } }, "keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper": { - "description": "## # keycloak.openid.UserRealmRoleProtocolMapper\n\nAllows for creating and managing user realm role protocol mappers within\nKeycloak.\n\nUser realm role protocol mappers allow you to define a claim containing the list of the realm roles.\nProtocol mappers can be defined for a single client, or they can\nbe defined for a client scope which can be shared between multiple different\nclients.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"test-client\",\n name: \"test client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst userRealmRoleMapper = new keycloak.openid.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"user-realm-role-mapper\",\n claimName: 
\"foo\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"test-client\",\n name=\"test client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nuser_realm_role_mapper = keycloak.openid.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"user-realm-role-mapper\",\n claim_name=\"foo\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Name = \"test client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var userRealmRoleMapper = new Keycloak.OpenId.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n Name = \"user-realm-role-mapper\",\n ClaimName = \"foo\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", 
\u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tName: pulumi.String(\"test client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserRealmRoleProtocolMapper(ctx, \"user_realm_role_mapper\", \u0026openid.UserRealmRoleProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"user-realm-role-mapper\"),\n\t\t\tClaimName: pulumi.String(\"foo\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.UserRealmRoleProtocolMapper;\nimport com.pulumi.keycloak.openid.UserRealmRoleProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"test-client\")\n .name(\"test client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var userRealmRoleMapper = new UserRealmRoleProtocolMapper(\"userRealmRoleMapper\", 
UserRealmRoleProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"user-realm-role-mapper\")\n .claimName(\"foo\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n name: test client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n userRealmRoleMapper:\n type: keycloak:openid:UserRealmRoleProtocolMapper\n name: user_realm_role_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: user-realm-role-mapper\n claimName: foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage (Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst userRealmRoleMapper = new keycloak.openid.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: \"user-realm-role-mapper\",\n claimName: \"foo\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nuser_realm_role_mapper = keycloak.openid.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"user-realm-role-mapper\",\n claim_name=\"foo\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing 
Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var userRealmRoleMapper = new Keycloak.OpenId.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"user-realm-role-mapper\",\n ClaimName = \"foo\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserRealmRoleProtocolMapper(ctx, \"user_realm_role_mapper\", \u0026openid.UserRealmRoleProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"user-realm-role-mapper\"),\n\t\t\tClaimName: pulumi.String(\"foo\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport 
com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.UserRealmRoleProtocolMapper;\nimport com.pulumi.keycloak.openid.UserRealmRoleProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var userRealmRoleMapper = new UserRealmRoleProtocolMapper(\"userRealmRoleMapper\", UserRealmRoleProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"user-realm-role-mapper\")\n .claimName(\"foo\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n userRealmRoleMapper:\n type: keycloak:openid:UserRealmRoleProtocolMapper\n name: user_realm_role_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: user-realm-role-mapper\n claimName: foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `claim_name` - (Required) The name 
of the claim to insert into a token.\n- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`.\n- `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `true`.\n- `realm_role_prefix` - (Optional) A prefix for each Realm Role.\n- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing user realm role protocol mappers within Keycloak.\n\nUser realm role protocol mappers allow you to define a claim containing the list of the realm roles.\n\nProtocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between\nmultiple different clients.\n\n## Example Usage\n\n### Client)\n\n\u003c!--Start PulumiCodeChooser 
--\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openid_client\", {\n realmId: realm.id,\n clientId: \"client\",\n name: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst userRealmRoleMapper = new keycloak.openid.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n name: \"user-realm-role-mapper\",\n claimName: \"foo\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openid_client\",\n realm_id=realm.id,\n client_id=\"client\",\n name=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\nuser_realm_role_mapper = keycloak.openid.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\",\n realm_id=realm.id,\n client_id=openid_client.id,\n name=\"user-realm-role-mapper\",\n claim_name=\"foo\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openid_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Name = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var userRealmRoleMapper = new Keycloak.OpenId.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = 
openidClient.Id,\n Name = \"user-realm-role-mapper\",\n ClaimName = \"foo\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openid_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tName: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserRealmRoleProtocolMapper(ctx, \"user_realm_role_mapper\", \u0026openid.UserRealmRoleProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t\tName: pulumi.String(\"user-realm-role-mapper\"),\n\t\t\tClaimName: pulumi.String(\"foo\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.UserRealmRoleProtocolMapper;\nimport com.pulumi.keycloak.openid.UserRealmRoleProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport 
java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"client\")\n .name(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var userRealmRoleMapper = new UserRealmRoleProtocolMapper(\"userRealmRoleMapper\", UserRealmRoleProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(openidClient.id())\n .name(\"user-realm-role-mapper\")\n .claimName(\"foo\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n name: openid_client\n properties:\n realmId: ${realm.id}\n clientId: client\n name: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n userRealmRoleMapper:\n type: keycloak:openid:UserRealmRoleProtocolMapper\n name: user_realm_role_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n name: user-realm-role-mapper\n claimName: foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Client Scope)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"client_scope\", {\n realmId: realm.id,\n name: \"test-client-scope\",\n});\nconst userRealmRoleMapper = new keycloak.openid.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n name: 
\"user-realm-role-mapper\",\n claimName: \"foo\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"client_scope\",\n realm_id=realm.id,\n name=\"test-client-scope\")\nuser_realm_role_mapper = keycloak.openid.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id,\n name=\"user-realm-role-mapper\",\n claim_name=\"foo\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"client_scope\", new()\n {\n RealmId = realm.Id,\n Name = \"test-client-scope\",\n });\n\n var userRealmRoleMapper = new Keycloak.OpenId.UserRealmRoleProtocolMapper(\"user_realm_role_mapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n Name = \"user-realm-role-mapper\",\n ClaimName = \"foo\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"client_scope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"test-client-scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewUserRealmRoleProtocolMapper(ctx, \"user_realm_role_mapper\", 
\u0026openid.UserRealmRoleProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t\tName: pulumi.String(\"user-realm-role-mapper\"),\n\t\t\tClaimName: pulumi.String(\"foo\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.UserRealmRoleProtocolMapper;\nimport com.pulumi.keycloak.openid.UserRealmRoleProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder()\n .realmId(realm.id())\n .name(\"test-client-scope\")\n .build());\n\n var userRealmRoleMapper = new UserRealmRoleProtocolMapper(\"userRealmRoleMapper\", UserRealmRoleProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .name(\"user-realm-role-mapper\")\n .claimName(\"foo\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n name: client_scope\n properties:\n realmId: ${realm.id}\n name: test-client-scope\n userRealmRoleMapper:\n type: keycloak:openid:UserRealmRoleProtocolMapper\n name: user_realm_role_mapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n name: user-realm-role-mapper\n 
claimName: foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the access token.\n" + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the id token.\n" + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the attribute should appear in the userinfo response body.\n" + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. 
Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n" + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n" + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "multivalued": { "type": "boolean", - "description": "Indicates whether this attribute is a single value or an array of values.\n" + "description": "Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n" + "description": "The realm this protocol mapper exists within.\n" }, "realmRolePrefix": { "type": "string", - "description": "Prefix that will be added to each realm role.\n" + "description": "A prefix for each Realm Role.\n" } }, "required": [ 
@@ -11958,49 +12444,50 @@ "inputProperties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the access token.\n" + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the id token.\n" + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the attribute should appear in the userinfo response body.\n" + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. 
One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "multivalued": { "type": "boolean", - "description": "Indicates whether this attribute is a single value or an array of values.\n" + "description": "Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "realmRolePrefix": { "type": "string", - "description": "Prefix that will be added to each realm role.\n" + "description": "A prefix for each Realm Role.\n" } }, "requiredInputs": [ 
@@ -12012,49 +12499,50 @@ "properties": { "addToAccessToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the access token.\n" + "description": "Indicates if the property should be added as a claim to the access token. Defaults to `true`.\n" }, "addToIdToken": { "type": "boolean", - "description": "Indicates if the attribute should be a claim in the id token.\n" + "description": "Indicates if the property should be added as a claim to the id token. Defaults to `true`.\n" }, "addToUserinfo": { "type": "boolean", - "description": "Indicates if the attribute should appear in the userinfo response body.\n" + "description": "Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.\n" }, "claimName": { - "type": "string" + "type": "string", + "description": "The name of the claim to insert into a token.\n" }, "claimValueType": { "type": "string", - "description": "Claim type used when serializing tokens.\n" + "description": "The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.\n" }, "clientId": { "type": "string", - "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", - "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. 
One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "multivalued": { "type": "boolean", - "description": "Indicates whether this attribute is a single value or an array of values.\n" + "description": "Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`.\n" }, "name": { "type": "string", - "description": "A human-friendly name that will appear in the Keycloak console.\n" + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", - "description": "The realm id where the associated client or client scope exists.\n", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "realmRolePrefix": { "type": "string", - "description": "Prefix that will be added to each realm role.\n" + "description": "A prefix for each Realm Role.\n" } }, "type": "object" 
@@ -12197,43 +12685,55 @@ } }, "keycloak:saml/client:Client": { - "description": "## # keycloak.saml.Client\n\nAllows for creating and managing Keycloak clients that use the SAML protocol.\n\nClients are entities that can use Keycloak for user authentication. Typically,\nclients are applications that redirect users to Keycloak for authentication\nin order to take advantage of Keycloak's user sessions for SSO.\n\n### Import\n\nClients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak\nassigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.\n\nExample:\n\n```bash\n$ terraform import keycloak_saml_client.saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352\n```\n", + "description": "Allows for creating and managing Keycloak clients that use the SAML protocol.\n\nClients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users\nto Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.\n\n## Import\n\nClients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak\n\nassigns to the client upon creation. 
This value can be found in the URI when editing this client in the GUI, and is typically a GUID.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352\n```\n\n", "properties": { "assertionConsumerPostUrl": { - "type": "string" + "type": "string", + "description": "SAML POST Binding URL for the client's assertion consumer service (login responses).\n" }, "assertionConsumerRedirectUrl": { - "type": "string" + "type": "string", + "description": "SAML Redirect Binding URL for the client's assertion consumer service (login responses).\n" }, "authenticationFlowBindingOverrides": { - "$ref": "#/types/keycloak:saml/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides" + "$ref": "#/types/keycloak:saml/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides", + "description": "Override realm authentication flow bindings\n" }, "baseUrl": { - "type": "string" + "type": "string", + "description": "When specified, this URL will be used whenever Keycloak needs to link to this client.\n" }, "canonicalizationMethod": { - "type": "string" + "type": "string", + "description": "The Canonicalization Method for XML signatures. Should be one of \"EXCLUSIVE\", \"EXCLUSIVE_WITH_COMMENTS\", \"INCLUSIVE\", or \"INCLUSIVE_WITH_COMMENTS\". Defaults to \"EXCLUSIVE\".\n" }, "clientId": { - "type": "string" + "type": "string", + "description": "The unique ID of this client, referenced in the URI during authentication and in issued tokens.\n" }, "clientSignatureRequired": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. 
Defaults to `true`.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of this client in the GUI.\n" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.\n" }, "encryptAssertions": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`.\n" }, "encryptionCertificate": { - "type": "string" + "type": "string", + "description": "If assertions for the client are encrypted, this certificate will be used for encryption.\n" }, "encryptionCertificateSha1": { - "type": "string" + "type": "string", + "description": "(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.\n" }, "extraConfig": { "type": "object", 
@@ -12242,79 +12742,103 @@ } }, "forceNameIdFormat": { - "type": "boolean" + "type": "boolean", + "description": "Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`.\n" }, "forcePostBinding": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`.\n" }, "frontChannelLogout": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`.\n" }, "fullScopeAllowed": { - "type": "boolean" + "type": "boolean", + "description": "Allow to include all roles mappings in the access token\n" }, "idpInitiatedSsoRelayState": { - "type": "string" + "type": "string", + "description": "Relay state you want to send with SAML request when you want to do IDP Initiated SSO.\n" }, "idpInitiatedSsoUrlName": { - "type": "string" + "type": "string", + "description": "URL fragment name to reference client when you want to do IDP Initiated SSO.\n" }, "includeAuthnStatement": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, an `AuthnStatement` will be included in the SAML response. 
Defaults to `true`.\n" }, "loginTheme": { - "type": "string" + "type": "string", + "description": "The login theme of this client.\n" }, "logoutServicePostBindingUrl": { - "type": "string" + "type": "string", + "description": "SAML POST Binding URL for the client's single logout service.\n" }, "logoutServiceRedirectBindingUrl": { - "type": "string" + "type": "string", + "description": "SAML Redirect Binding URL for the client's single logout service.\n" }, "masterSamlProcessingUrl": { - "type": "string" + "type": "string", + "description": "When specified, this URL will be used for all SAML requests.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this client in the GUI.\n" }, "nameIdFormat": { - "type": "string" + "type": "string", + "description": "Sets the Name ID format for the subject.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this client is attached to.\n" }, "rootUrl": { - "type": "string" + "type": "string", + "description": "When specified, this value is prepended to all relative URLs.\n" }, "signAssertions": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`.\n" }, "signDocuments": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`.\n" }, "signatureAlgorithm": { - "type": "string" + "type": "string", + "description": "The signature algorithm used to sign documents. Should be one of \"RSA_SHA1\", \"RSA_SHA256\", \"RSA_SHA256_MGF1, \"RSA_SHA512\", \"RSA_SHA512_MGF1\" or \"DSA_SHA1\".\n" }, "signatureKeyName": { - "type": "string" + "type": "string", + "description": "The value of the `KeyName` element within the signed SAML document. 
Should be one of \"NONE\", \"KEY_ID\", or \"CERT_SUBJECT\". Defaults to \"KEY_ID\".\n" }, "signingCertificate": { - "type": "string" + "type": "string", + "description": "If documents or assertions from the client are signed, this certificate will be used to verify the signature.\n" }, "signingCertificateSha1": { - "type": "string" + "type": "string", + "description": "(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.\n" }, "signingPrivateKey": { - "type": "string" + "type": "string", + "description": "If documents or assertions from the client are signed, this private key will be used to verify the signature.\n" }, "signingPrivateKeySha1": { - "type": "string" + "type": "string", + "description": "(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.\n" }, "validRedirectUris": { "type": "array", "items": { "type": "string" - } + }, + "description": "When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.\n" } }, "required": [ 
@@ -12331,37 +12855,48 @@ ], "inputProperties": { "assertionConsumerPostUrl": { - "type": "string" + "type": "string", + "description": "SAML POST Binding URL for the client's assertion consumer service (login responses).\n" }, "assertionConsumerRedirectUrl": { - "type": "string" + "type": "string", + "description": "SAML Redirect Binding URL for the client's assertion consumer service (login responses).\n" }, "authenticationFlowBindingOverrides": { - "$ref": "#/types/keycloak:saml/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides" + "$ref": "#/types/keycloak:saml/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides", + "description": "Override realm authentication flow bindings\n" }, "baseUrl": { - "type": "string" + "type": "string", + "description": "When specified, this URL will be used whenever Keycloak needs to link to this client.\n" }, "canonicalizationMethod": { - "type": "string" + "type": "string", + "description": "The Canonicalization Method for XML signatures. Should be one of \"EXCLUSIVE\", \"EXCLUSIVE_WITH_COMMENTS\", \"INCLUSIVE\", or \"INCLUSIVE_WITH_COMMENTS\". Defaults to \"EXCLUSIVE\".\n" }, "clientId": { - "type": "string" + "type": "string", + "description": "The unique ID of this client, referenced in the URI during authentication and in issued tokens.\n" }, "clientSignatureRequired": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of this client in the GUI.\n" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When false, this client will not be able to initiate a login or obtain access tokens. 
Defaults to `true`.\n" }, "encryptAssertions": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`.\n" }, "encryptionCertificate": { - "type": "string" + "type": "string", + "description": "If assertions for the client are encrypted, this certificate will be used for encryption.\n" }, "extraConfig": { "type": "object", 
@@ -12370,74 +12905,96 @@ } }, "forceNameIdFormat": { - "type": "boolean" + "type": "boolean", + "description": "Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`.\n" }, "forcePostBinding": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`.\n" }, "frontChannelLogout": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`.\n" }, "fullScopeAllowed": { - "type": "boolean" + "type": "boolean", + "description": "Allow to include all roles mappings in the access token\n" }, "idpInitiatedSsoRelayState": { - "type": "string" + "type": "string", + "description": "Relay state you want to send with SAML request when you want to do IDP Initiated SSO.\n" }, "idpInitiatedSsoUrlName": { - "type": "string" + "type": "string", + "description": "URL fragment name to reference client when you want to do IDP Initiated SSO.\n" }, "includeAuthnStatement": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, an `AuthnStatement` will be included in the SAML response. 
Defaults to `true`.\n" }, "loginTheme": { - "type": "string" + "type": "string", + "description": "The login theme of this client.\n" }, "logoutServicePostBindingUrl": { - "type": "string" + "type": "string", + "description": "SAML POST Binding URL for the client's single logout service.\n" }, "logoutServiceRedirectBindingUrl": { - "type": "string" + "type": "string", + "description": "SAML Redirect Binding URL for the client's single logout service.\n" }, "masterSamlProcessingUrl": { - "type": "string" + "type": "string", + "description": "When specified, this URL will be used for all SAML requests.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this client in the GUI.\n" }, "nameIdFormat": { - "type": "string" + "type": "string", + "description": "Sets the Name ID format for the subject.\n" }, "realmId": { "type": "string", + "description": "The realm this client is attached to.\n", "willReplaceOnChanges": true }, "rootUrl": { - "type": "string" + "type": "string", + "description": "When specified, this value is prepended to all relative URLs.\n" }, "signAssertions": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`.\n" }, "signDocuments": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`.\n" }, "signatureAlgorithm": { - "type": "string" + "type": "string", + "description": "The signature algorithm used to sign documents. Should be one of \"RSA_SHA1\", \"RSA_SHA256\", \"RSA_SHA256_MGF1, \"RSA_SHA512\", \"RSA_SHA512_MGF1\" or \"DSA_SHA1\".\n" }, "signatureKeyName": { - "type": "string" + "type": "string", + "description": "The value of the `KeyName` element within the signed SAML document. 
Should be one of \"NONE\", \"KEY_ID\", or \"CERT_SUBJECT\". Defaults to \"KEY_ID\".\n" }, "signingCertificate": { - "type": "string" + "type": "string", + "description": "If documents or assertions from the client are signed, this certificate will be used to verify the signature.\n" }, "signingPrivateKey": { - "type": "string" + "type": "string", + "description": "If documents or assertions from the client are signed, this private key will be used to verify the signature.\n" }, "validRedirectUris": { "type": "array", "items": { "type": "string" - } + }, + "description": "When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.\n" } }, "requiredInputs": [ 
@@ -12448,40 +13005,52 @@ "description": "Input properties used for looking up and filtering Client resources.\n", "properties": { "assertionConsumerPostUrl": { - "type": "string" + "type": "string", + "description": "SAML POST Binding URL for the client's assertion consumer service (login responses).\n" }, "assertionConsumerRedirectUrl": { - "type": "string" + "type": "string", + "description": "SAML Redirect Binding URL for the client's assertion consumer service (login responses).\n" }, "authenticationFlowBindingOverrides": { - "$ref": "#/types/keycloak:saml/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides" + "$ref": "#/types/keycloak:saml/ClientAuthenticationFlowBindingOverrides:ClientAuthenticationFlowBindingOverrides", + "description": "Override realm authentication flow bindings\n" }, "baseUrl": { - "type": "string" + "type": "string", + "description": "When specified, this URL will be used whenever Keycloak needs to link to this client.\n" }, "canonicalizationMethod": { - "type": "string" + "type": "string", + "description": "The Canonicalization Method for XML signatures. Should be one of \"EXCLUSIVE\", \"EXCLUSIVE_WITH_COMMENTS\", \"INCLUSIVE\", or \"INCLUSIVE_WITH_COMMENTS\". Defaults to \"EXCLUSIVE\".\n" }, "clientId": { - "type": "string" + "type": "string", + "description": "The unique ID of this client, referenced in the URI during authentication and in issued tokens.\n" }, "clientSignatureRequired": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. 
Defaults to `true`.\n" }, "description": { - "type": "string" + "type": "string", + "description": "The description of this client in the GUI.\n" }, "enabled": { - "type": "boolean" + "type": "boolean", + "description": "When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.\n" }, "encryptAssertions": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`.\n" }, "encryptionCertificate": { - "type": "string" + "type": "string", + "description": "If assertions for the client are encrypted, this certificate will be used for encryption.\n" }, "encryptionCertificateSha1": { - "type": "string" + "type": "string", + "description": "(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.\n" }, "extraConfig": { "type": "object", 
@@ -12490,80 +13059,104 @@ } }, "forceNameIdFormat": { - "type": "boolean" + "type": "boolean", + "description": "Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`.\n" }, "forcePostBinding": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`.\n" }, "frontChannelLogout": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`.\n" }, "fullScopeAllowed": { - "type": "boolean" + "type": "boolean", + "description": "Allow to include all roles mappings in the access token\n" }, "idpInitiatedSsoRelayState": { - "type": "string" + "type": "string", + "description": "Relay state you want to send with SAML request when you want to do IDP Initiated SSO.\n" }, "idpInitiatedSsoUrlName": { - "type": "string" + "type": "string", + "description": "URL fragment name to reference client when you want to do IDP Initiated SSO.\n" }, "includeAuthnStatement": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, an `AuthnStatement` will be included in the SAML response. 
Defaults to `true`.\n" }, "loginTheme": { - "type": "string" + "type": "string", + "description": "The login theme of this client.\n" }, "logoutServicePostBindingUrl": { - "type": "string" + "type": "string", + "description": "SAML POST Binding URL for the client's single logout service.\n" }, "logoutServiceRedirectBindingUrl": { - "type": "string" + "type": "string", + "description": "SAML Redirect Binding URL for the client's single logout service.\n" }, "masterSamlProcessingUrl": { - "type": "string" + "type": "string", + "description": "When specified, this URL will be used for all SAML requests.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this client in the GUI.\n" }, "nameIdFormat": { - "type": "string" + "type": "string", + "description": "Sets the Name ID format for the subject.\n" }, "realmId": { "type": "string", + "description": "The realm this client is attached to.\n", "willReplaceOnChanges": true }, "rootUrl": { - "type": "string" + "type": "string", + "description": "When specified, this value is prepended to all relative URLs.\n" }, "signAssertions": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`.\n" }, "signDocuments": { - "type": "boolean" + "type": "boolean", + "description": "When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`.\n" }, "signatureAlgorithm": { - "type": "string" + "type": "string", + "description": "The signature algorithm used to sign documents. Should be one of \"RSA_SHA1\", \"RSA_SHA256\", \"RSA_SHA256_MGF1, \"RSA_SHA512\", \"RSA_SHA512_MGF1\" or \"DSA_SHA1\".\n" }, "signatureKeyName": { - "type": "string" + "type": "string", + "description": "The value of the `KeyName` element within the signed SAML document. 
Should be one of \"NONE\", \"KEY_ID\", or \"CERT_SUBJECT\". Defaults to \"KEY_ID\".\n" }, "signingCertificate": { - "type": "string" + "type": "string", + "description": "If documents or assertions from the client are signed, this certificate will be used to verify the signature.\n" }, "signingCertificateSha1": { - "type": "string" + "type": "string", + "description": "(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.\n" }, "signingPrivateKey": { - "type": "string" + "type": "string", + "description": "If documents or assertions from the client are signed, this private key will be used to verify the signature.\n" }, "signingPrivateKeySha1": { - "type": "string" + "type": "string", + "description": "(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.\n" }, "validRedirectUris": { "type": "array", "items": { "type": "string" - } + }, + "description": "When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.\n" } }, "type": "object" 
@@ -12724,49 +13317,49 @@ } }, "keycloak:saml/identityProvider:IdentityProvider": { - "description": "## # keycloak.saml.IdentityProvider\n\nAllows to create and manage SAML Identity Providers within Keycloak.\n\nSAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realmIdentityProvider = new keycloak.saml.IdentityProvider(\"realm_identity_provider\", {\n realm: \"my-realm\",\n alias: \"my-idp\",\n singleSignOnServiceUrl: \"https://domain.com/adfs/ls/\",\n singleLogoutServiceUrl: \"https://domain.com/adfs/ls/?wa=wsignout1.0\",\n backchannelSupported: true,\n postBindingResponse: true,\n postBindingLogout: true,\n postBindingAuthnRequest: true,\n storeToken: false,\n trustEmail: true,\n forceAuthn: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm_identity_provider = keycloak.saml.IdentityProvider(\"realm_identity_provider\",\n realm=\"my-realm\",\n alias=\"my-idp\",\n single_sign_on_service_url=\"https://domain.com/adfs/ls/\",\n single_logout_service_url=\"https://domain.com/adfs/ls/?wa=wsignout1.0\",\n backchannel_supported=True,\n post_binding_response=True,\n post_binding_logout=True,\n post_binding_authn_request=True,\n store_token=False,\n trust_email=True,\n force_authn=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realmIdentityProvider = new Keycloak.Saml.IdentityProvider(\"realm_identity_provider\", new()\n {\n Realm = \"my-realm\",\n Alias = \"my-idp\",\n SingleSignOnServiceUrl = \"https://domain.com/adfs/ls/\",\n SingleLogoutServiceUrl = \"https://domain.com/adfs/ls/?wa=wsignout1.0\",\n BackchannelSupported = true,\n 
PostBindingResponse = true,\n PostBindingLogout = true,\n PostBindingAuthnRequest = true,\n StoreToken = false,\n TrustEmail = true,\n ForceAuthn = true,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := saml.NewIdentityProvider(ctx, \"realm_identity_provider\", \u0026saml.IdentityProviderArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tAlias: pulumi.String(\"my-idp\"),\n\t\t\tSingleSignOnServiceUrl: pulumi.String(\"https://domain.com/adfs/ls/\"),\n\t\t\tSingleLogoutServiceUrl: pulumi.String(\"https://domain.com/adfs/ls/?wa=wsignout1.0\"),\n\t\t\tBackchannelSupported: pulumi.Bool(true),\n\t\t\tPostBindingResponse: pulumi.Bool(true),\n\t\t\tPostBindingLogout: pulumi.Bool(true),\n\t\t\tPostBindingAuthnRequest: pulumi.Bool(true),\n\t\t\tStoreToken: pulumi.Bool(false),\n\t\t\tTrustEmail: pulumi.Bool(true),\n\t\t\tForceAuthn: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.saml.IdentityProvider;\nimport com.pulumi.keycloak.saml.IdentityProviderArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realmIdentityProvider = new IdentityProvider(\"realmIdentityProvider\", IdentityProviderArgs.builder()\n .realm(\"my-realm\")\n .alias(\"my-idp\")\n .singleSignOnServiceUrl(\"https://domain.com/adfs/ls/\")\n .singleLogoutServiceUrl(\"https://domain.com/adfs/ls/?wa=wsignout1.0\")\n .backchannelSupported(true)\n 
.postBindingResponse(true)\n .postBindingLogout(true)\n .postBindingAuthnRequest(true)\n .storeToken(false)\n .trustEmail(true)\n .forceAuthn(true)\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realmIdentityProvider:\n type: keycloak:saml:IdentityProvider\n name: realm_identity_provider\n properties:\n realm: my-realm\n alias: my-idp\n singleSignOnServiceUrl: https://domain.com/adfs/ls/\n singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0\n backchannelSupported: true\n postBindingResponse: true\n postBindingLogout: true\n postBindingAuthnRequest: true\n storeToken: false\n trustEmail: true\n forceAuthn: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm` - (Required) The name of the realm. This is unique across Keycloak.\n- `alias` - (Optional) The uniq name of identity provider.\n- `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`.\n- `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console.\n- `store_token` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`.\n- `add_read_token_role_on_create` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`.\n- `trust_email` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`.\n- `link_only` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`.\n- `hide_on_login_page` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. 
using the 'kc_idp_hint' parameter.\n- `first_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.\n- `post_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.\n- `authenticate_by_default` - (Optional) Authenticate users by default. Defaults to `false`.\n\n#### SAML Configuration\n\n- `single_sign_on_service_url` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest).\n- `single_logout_service_url` - (Optional) The Url that must be used to send logout requests.\n- `backchannel_supported` - (Optional) Does the external IDP support back-channel logout ?.\n- `name_id_policy_format` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.\n- `post_binding_response` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..\n- `post_binding_authn_request` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.\n- `post_binding_logout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. 
If false, HTTP-REDIRECT binding will be used.\n- `want_assertions_signed` - (Optional) Indicates whether this service provider expects a signed Assertion.\n- `want_assertions_encrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion.\n- `force_authn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.\n- `validate_signature` - (Optional) Enable/disable signature validation of SAML responses.\n- `signing_certificate` - (Optional) Signing Certificate.\n- `signature_algorithm` - (Optional) Signing Algorithm. Defaults to empty.\n- `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty.\n\n### Import\n\nIdentity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias.\n\nExample:\n\n```bash\n$ terraform import keycloak_saml_identity_provider.realm_identity_provider my-realm/my-idp\n```\n", + "description": "Allows for creating and managing SAML Identity Providers within Keycloak.\n\nSAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst realmSamlIdentityProvider = new keycloak.saml.IdentityProvider(\"realm_saml_identity_provider\", {\n realm: realm.id,\n alias: \"my-saml-idp\",\n entityId: \"https://domain.com/entity_id\",\n singleSignOnServiceUrl: \"https://domain.com/adfs/ls/\",\n singleLogoutServiceUrl: \"https://domain.com/adfs/ls/?wa=wsignout1.0\",\n backchannelSupported: true,\n postBindingResponse: true,\n postBindingLogout: true,\n postBindingAuthnRequest: true,\n storeToken: 
false,\n trustEmail: true,\n forceAuthn: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nrealm_saml_identity_provider = keycloak.saml.IdentityProvider(\"realm_saml_identity_provider\",\n realm=realm.id,\n alias=\"my-saml-idp\",\n entity_id=\"https://domain.com/entity_id\",\n single_sign_on_service_url=\"https://domain.com/adfs/ls/\",\n single_logout_service_url=\"https://domain.com/adfs/ls/?wa=wsignout1.0\",\n backchannel_supported=True,\n post_binding_response=True,\n post_binding_logout=True,\n post_binding_authn_request=True,\n store_token=False,\n trust_email=True,\n force_authn=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var realmSamlIdentityProvider = new Keycloak.Saml.IdentityProvider(\"realm_saml_identity_provider\", new()\n {\n Realm = realm.Id,\n Alias = \"my-saml-idp\",\n EntityId = \"https://domain.com/entity_id\",\n SingleSignOnServiceUrl = \"https://domain.com/adfs/ls/\",\n SingleLogoutServiceUrl = \"https://domain.com/adfs/ls/?wa=wsignout1.0\",\n BackchannelSupported = true,\n PostBindingResponse = true,\n PostBindingLogout = true,\n PostBindingAuthnRequest = true,\n StoreToken = false,\n TrustEmail = true,\n ForceAuthn = true,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil 
{\n\t\t\treturn err\n\t\t}\n\t\t_, err = saml.NewIdentityProvider(ctx, \"realm_saml_identity_provider\", \u0026saml.IdentityProviderArgs{\n\t\t\tRealm: realm.ID(),\n\t\t\tAlias: pulumi.String(\"my-saml-idp\"),\n\t\t\tEntityId: pulumi.String(\"https://domain.com/entity_id\"),\n\t\t\tSingleSignOnServiceUrl: pulumi.String(\"https://domain.com/adfs/ls/\"),\n\t\t\tSingleLogoutServiceUrl: pulumi.String(\"https://domain.com/adfs/ls/?wa=wsignout1.0\"),\n\t\t\tBackchannelSupported: pulumi.Bool(true),\n\t\t\tPostBindingResponse: pulumi.Bool(true),\n\t\t\tPostBindingLogout: pulumi.Bool(true),\n\t\t\tPostBindingAuthnRequest: pulumi.Bool(true),\n\t\t\tStoreToken: pulumi.Bool(false),\n\t\t\tTrustEmail: pulumi.Bool(true),\n\t\t\tForceAuthn: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.saml.IdentityProvider;\nimport com.pulumi.keycloak.saml.IdentityProviderArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var realmSamlIdentityProvider = new IdentityProvider(\"realmSamlIdentityProvider\", IdentityProviderArgs.builder()\n .realm(realm.id())\n .alias(\"my-saml-idp\")\n .entityId(\"https://domain.com/entity_id\")\n .singleSignOnServiceUrl(\"https://domain.com/adfs/ls/\")\n .singleLogoutServiceUrl(\"https://domain.com/adfs/ls/?wa=wsignout1.0\")\n .backchannelSupported(true)\n .postBindingResponse(true)\n .postBindingLogout(true)\n 
.postBindingAuthnRequest(true)\n .storeToken(false)\n .trustEmail(true)\n .forceAuthn(true)\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n realmSamlIdentityProvider:\n type: keycloak:saml:IdentityProvider\n name: realm_saml_identity_provider\n properties:\n realm: ${realm.id}\n alias: my-saml-idp\n entityId: https://domain.com/entity_id\n singleSignOnServiceUrl: https://domain.com/adfs/ls/\n singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0\n backchannelSupported: true\n postBindingResponse: true\n postBindingLogout: true\n postBindingAuthnRequest: true\n storeToken: false\n trustEmail: true\n forceAuthn: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nIdentity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp\n```\n\n", "properties": { "addReadTokenRoleOnCreate": { "type": "boolean", - "description": "Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.\n" + "description": "When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.\n" }, "alias": { "type": "string", - "description": "The alias uniquely identifies an identity provider and it is also used to build the redirect uri.\n" + "description": "The unique name of identity provider.\n" }, "authenticateByDefault": { "type": "boolean", - "description": "Enable/disable authenticate users by default.\n" + "description": "Authenticate users by default. 
Defaults to `false`.\n" }, "authnContextClassRefs": { "type": "array", "items": { "type": "string" }, - "description": "AuthnContext ClassRefs\n" + "description": "Ordered list of requested AuthnContext ClassRefs.\n" }, "authnContextComparisonType": { "type": "string", - "description": "AuthnContext Comparison\n" + "description": "Specifies the comparison method used to evaluate the requested context classes or statements.\n" }, "authnContextDeclRefs": { "type": "array", "items": { "type": "string" }, - "description": "AuthnContext DeclRefs\n" + "description": "Ordered list of requested AuthnContext DeclRefs.\n" }, "backchannelSupported": { "type": "boolean", - "description": "Does the external IDP support backchannel logout?\n" + "description": "Does the external IDP support backchannel logout?. Defaults to `false`.\n" }, "displayName": { "type": "string", - "description": "Friendly name for Identity Providers.\n" + "description": "The display name for the realm that is shown when logging in to the admin console.\n" }, "enabled": { "type": "boolean", - "description": "Enable/disable this identity provider.\n" + "description": "When `false`, users and clients will not be able to access this realm. Defaults to `true`.\n" }, "entityId": { "type": "string", 
@@ -12780,19 +13373,19 @@ }, "firstBrokerLoginFlowAlias": { "type": "string", - "description": "Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means\nthat there is not yet existing Keycloak account linked with the authenticated identity provider account.\n" + "description": "Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.\n" }, "forceAuthn": { "type": "boolean", - "description": "Require Force Authn.\n" + "description": "Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.\n" }, "guiOrder": { "type": "string", - "description": "GUI Order\n" + "description": "A number defining the order of this identity provider in the GUI.\n" }, "hideOnLoginPage": { "type": "boolean", - "description": "Hide On Login Page.\n" + "description": "If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.\n" }, "internalId": { "type": "string", @@ -12800,7 +13393,7 @@ }, "linkOnly": { "type": "boolean", - "description": "If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't\nwant to allow login from the provider, but want to integrate with a provider\n" + "description": "When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.\n" }, "loginHint": { "type": "string", 
@@ -12808,43 +13401,43 @@ }, "nameIdPolicyFormat": { "type": "string", - "description": "Name ID Policy Format.\n" + "description": "Specifies the URI reference corresponding to a name identifier format. Defaults to empty.\n" }, "postBindingAuthnRequest": { "type": "boolean", - "description": "Post Binding Authn Request.\n" + "description": "Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.\n" }, "postBindingLogout": { "type": "boolean", - "description": "Post Binding Logout.\n" + "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.\n" }, "postBindingResponse": { "type": "boolean", - "description": "Post Binding Response.\n" + "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..\n" }, "postBrokerLoginFlowAlias": { "type": "string", - "description": "Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want\nadditional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if\nyou don't want any additional authenticators to be triggered after login with this identity provider. Also note, that\nauthenticator implementations must assume that user is already set in ClientSession as identity provider already set it.\n" + "description": "Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. 
Defaults to empty.\n" }, "principalAttribute": { "type": "string", - "description": "Principal Attribute\n" + "description": "The principal attribute.\n" }, "principalType": { "type": "string", - "description": "Principal Type\n" + "description": "The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`.\n" }, "providerId": { "type": "string", - "description": "provider id, is always saml, unless you have a custom implementation\n" + "description": "The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation.\n" }, "realm": { "type": "string", - "description": "Realm Name\n" + "description": "The name of the realm. This is unique across Keycloak.\n" }, "signatureAlgorithm": { "type": "string", - "description": "Signing Algorithm.\n" + "description": "Signing Algorithm. Defaults to empty.\n" }, "signingCertificate": { "type": "string", 
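Review bot: The new `postBindingLogout` and `postBindingResponse` descriptions in this hunk are word-for-word identical (`Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.`), so a reader cannot tell which message each flag governs, and the `postBindingResponse` variant ends with a doubled full stop (`will be used..`). The logout one presumably controls the binding of the logout exchange with the external IdP, so wording such as `Indicates whether logout requests/responses use HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.` would distinguish them; drop the extra period on the other. The same two strings recur in the `@@ -12975,44 +13568,44 @@` and `@@ -13148,44 +13741,44 @@` hunks.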
@@ -12852,23 +13445,23 @@ }, "singleLogoutServiceUrl": { "type": "string", - "description": "Logout URL.\n" + "description": "The Url that must be used to send logout requests.\n" }, "singleSignOnServiceUrl": { "type": "string", - "description": "SSO Logout URL.\n" + "description": "The Url that must be used to send authentication requests (SAML AuthnRequest).\n" }, "storeToken": { "type": "boolean", - "description": "Enable/disable if tokens must be stored after authenticating users.\n" + "description": "When `true`, tokens will be stored after authenticating users. Defaults to `true`.\n" }, "syncMode": { "type": "string", - "description": "Sync Mode\n" + "description": "The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.\n" }, "trustEmail": { "type": "boolean", - "description": "If enabled then email provided by this provider is not verified even if verification is enabled for the realm.\n" + "description": "When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.\n" }, "validateSignature": { "type": "boolean", @@ -12876,15 +13469,15 @@ }, "wantAssertionsEncrypted": { "type": "boolean", - "description": "Want Assertions Encrypted.\n" + "description": "Indicates whether this service provider expects an encrypted Assertion.\n" }, "wantAssertionsSigned": { "type": "boolean", - "description": "Want Assertions Signed.\n" + "description": "Indicates whether this service provider expects a signed Assertion.\n" }, "xmlSignKeyInfoKeyNameTransformer": { "type": "string", - "description": "Sign Key Transformer.\n" + "description": "The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.\n" } }, "required": [ 
@@ -12897,47 +13490,47 @@ "inputProperties": { "addReadTokenRoleOnCreate": { "type": "boolean", - "description": "Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.\n", + "description": "When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.\n", "willReplaceOnChanges": true }, "alias": { "type": "string", - "description": "The alias uniquely identifies an identity provider and it is also used to build the redirect uri.\n", + "description": "The unique name of identity provider.\n", "willReplaceOnChanges": true }, "authenticateByDefault": { "type": "boolean", - "description": "Enable/disable authenticate users by default.\n" + "description": "Authenticate users by default. Defaults to `false`.\n" }, "authnContextClassRefs": { "type": "array", "items": { "type": "string" }, - "description": "AuthnContext ClassRefs\n" + "description": "Ordered list of requested AuthnContext ClassRefs.\n" }, "authnContextComparisonType": { "type": "string", - "description": "AuthnContext Comparison\n" + "description": "Specifies the comparison method used to evaluate the requested context classes or statements.\n" }, "authnContextDeclRefs": { "type": "array", "items": { "type": "string" }, - "description": "AuthnContext DeclRefs\n" + "description": "Ordered list of requested AuthnContext DeclRefs.\n" }, "backchannelSupported": { "type": "boolean", - "description": "Does the external IDP support backchannel logout?\n" + "description": "Does the external IDP support backchannel logout?. 
Defaults to `false`.\n" }, "displayName": { "type": "string", - "description": "Friendly name for Identity Providers.\n" + "description": "The display name for the realm that is shown when logging in to the admin console.\n" }, "enabled": { "type": "boolean", - "description": "Enable/disable this identity provider.\n" + "description": "When `false`, users and clients will not be able to access this realm. Defaults to `true`.\n" }, "entityId": { "type": "string", 
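Review bot: The new `enabled` and `displayName` descriptions in this hunk are the realm resource's text, not the identity provider's: `When false, users and clients will not be able to access this realm` and `The display name for the realm that is shown when logging in to the admin console` replace removed lines that were correct for this resource (`Enable/disable this identity provider.`, `Friendly name for Identity Providers.`). An operator reading the schema would conclude that disabling the IdP locks the whole realm; suggested wording is `When false, this identity provider is disabled and cannot be used to log in. Defaults to true.` and `The display name of this identity provider, as shown on the login page.`. The same text is repeated in the `@@ -13066,47 +13659,47 @@` hunk and in the `properties` block of the hunk that begins before this chunk. The rewritten `alias` description also drops the removed note that the alias is used to build the redirect URI, which is worth keeping because `willReplaceOnChanges` is set on it and the URI registered with the external IdP changes with the alias. If this schema is generated from the upstream provider docs, the fix belongs in that source rather than here.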
@@ -12951,23 +13544,23 @@ }, "firstBrokerLoginFlowAlias": { "type": "string", - "description": "Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means\nthat there is not yet existing Keycloak account linked with the authenticated identity provider account.\n" + "description": "Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.\n" }, "forceAuthn": { "type": "boolean", - "description": "Require Force Authn.\n" + "description": "Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.\n" }, "guiOrder": { "type": "string", - "description": "GUI Order\n" + "description": "A number defining the order of this identity provider in the GUI.\n" }, "hideOnLoginPage": { "type": "boolean", - "description": "Hide On Login Page.\n" + "description": "If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.\n" }, "linkOnly": { "type": "boolean", - "description": "If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't\nwant to allow login from the provider, but want to integrate with a provider\n" + "description": "When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.\n" }, "loginHint": { "type": "string", 
@@ -12975,44 +13568,44 @@ }, "nameIdPolicyFormat": { "type": "string", - "description": "Name ID Policy Format.\n" + "description": "Specifies the URI reference corresponding to a name identifier format. Defaults to empty.\n" }, "postBindingAuthnRequest": { "type": "boolean", - "description": "Post Binding Authn Request.\n" + "description": "Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.\n" }, "postBindingLogout": { "type": "boolean", - "description": "Post Binding Logout.\n" + "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.\n" }, "postBindingResponse": { "type": "boolean", - "description": "Post Binding Response.\n" + "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..\n" }, "postBrokerLoginFlowAlias": { "type": "string", - "description": "Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want\nadditional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if\nyou don't want any additional authenticators to be triggered after login with this identity provider. Also note, that\nauthenticator implementations must assume that user is already set in ClientSession as identity provider already set it.\n" + "description": "Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. 
Defaults to empty.\n" }, "principalAttribute": { "type": "string", - "description": "Principal Attribute\n" + "description": "The principal attribute.\n" }, "principalType": { "type": "string", - "description": "Principal Type\n" + "description": "The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`.\n" }, "providerId": { "type": "string", - "description": "provider id, is always saml, unless you have a custom implementation\n" + "description": "The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation.\n" }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The name of the realm. This is unique across Keycloak.\n", "willReplaceOnChanges": true }, "signatureAlgorithm": { "type": "string", - "description": "Signing Algorithm.\n" + "description": "Signing Algorithm. Defaults to empty.\n" }, "signingCertificate": { "type": "string", 
@@ -13020,23 +13613,23 @@ }, "singleLogoutServiceUrl": { "type": "string", - "description": "Logout URL.\n" + "description": "The Url that must be used to send logout requests.\n" }, "singleSignOnServiceUrl": { "type": "string", - "description": "SSO Logout URL.\n" + "description": "The Url that must be used to send authentication requests (SAML AuthnRequest).\n" }, "storeToken": { "type": "boolean", - "description": "Enable/disable if tokens must be stored after authenticating users.\n" + "description": "When `true`, tokens will be stored after authenticating users. Defaults to `true`.\n" }, "syncMode": { "type": "string", - "description": "Sync Mode\n" + "description": "The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.\n" }, "trustEmail": { "type": "boolean", - "description": "If enabled then email provided by this provider is not verified even if verification is enabled for the realm.\n" + "description": "When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.\n" }, "validateSignature": { "type": "boolean", @@ -13044,15 +13637,15 @@ }, "wantAssertionsEncrypted": { "type": "boolean", - "description": "Want Assertions Encrypted.\n" + "description": "Indicates whether this service provider expects an encrypted Assertion.\n" }, "wantAssertionsSigned": { "type": "boolean", - "description": "Want Assertions Signed.\n" + "description": "Indicates whether this service provider expects a signed Assertion.\n" }, "xmlSignKeyInfoKeyNameTransformer": { "type": "string", - "description": "Sign Key Transformer.\n" + "description": "The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.\n" } }, "requiredInputs": [ 
@@ -13066,47 +13659,47 @@ "properties": { "addReadTokenRoleOnCreate": { "type": "boolean", - "description": "Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.\n", + "description": "When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.\n", "willReplaceOnChanges": true }, "alias": { "type": "string", - "description": "The alias uniquely identifies an identity provider and it is also used to build the redirect uri.\n", + "description": "The unique name of identity provider.\n", "willReplaceOnChanges": true }, "authenticateByDefault": { "type": "boolean", - "description": "Enable/disable authenticate users by default.\n" + "description": "Authenticate users by default. Defaults to `false`.\n" }, "authnContextClassRefs": { "type": "array", "items": { "type": "string" }, - "description": "AuthnContext ClassRefs\n" + "description": "Ordered list of requested AuthnContext ClassRefs.\n" }, "authnContextComparisonType": { "type": "string", - "description": "AuthnContext Comparison\n" + "description": "Specifies the comparison method used to evaluate the requested context classes or statements.\n" }, "authnContextDeclRefs": { "type": "array", "items": { "type": "string" }, - "description": "AuthnContext DeclRefs\n" + "description": "Ordered list of requested AuthnContext DeclRefs.\n" }, "backchannelSupported": { "type": "boolean", - "description": "Does the external IDP support backchannel logout?\n" + "description": "Does the external IDP support backchannel logout?. 
Defaults to `false`.\n" }, "displayName": { "type": "string", - "description": "Friendly name for Identity Providers.\n" + "description": "The display name for the realm that is shown when logging in to the admin console.\n" }, "enabled": { "type": "boolean", - "description": "Enable/disable this identity provider.\n" + "description": "When `false`, users and clients will not be able to access this realm. Defaults to `true`.\n" }, "entityId": { "type": "string", @@ -13120,19 +13713,19 @@ }, "firstBrokerLoginFlowAlias": { "type": "string", - "description": "Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means\nthat there is not yet existing Keycloak account linked with the authenticated identity provider account.\n" + "description": "Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.\n" }, "forceAuthn": { "type": "boolean", - "description": "Require Force Authn.\n" + "description": "Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.\n" }, "guiOrder": { "type": "string", - "description": "GUI Order\n" + "description": "A number defining the order of this identity provider in the GUI.\n" }, "hideOnLoginPage": { "type": "boolean", - "description": "Hide On Login Page.\n" + "description": "If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.\n" }, "internalId": { "type": "string", 
@@ -13140,7 +13733,7 @@ }, "linkOnly": { "type": "boolean", - "description": "If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't\nwant to allow login from the provider, but want to integrate with a provider\n" + "description": "When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.\n" }, "loginHint": { "type": "string", 
@@ -13148,44 +13741,44 @@ }, "nameIdPolicyFormat": { "type": "string", - "description": "Name ID Policy Format.\n" + "description": "Specifies the URI reference corresponding to a name identifier format. Defaults to empty.\n" }, "postBindingAuthnRequest": { "type": "boolean", - "description": "Post Binding Authn Request.\n" + "description": "Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.\n" }, "postBindingLogout": { "type": "boolean", - "description": "Post Binding Logout.\n" + "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.\n" }, "postBindingResponse": { "type": "boolean", - "description": "Post Binding Response.\n" + "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..\n" }, "postBrokerLoginFlowAlias": { "type": "string", - "description": "Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want\nadditional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if\nyou don't want any additional authenticators to be triggered after login with this identity provider. Also note, that\nauthenticator implementations must assume that user is already set in ClientSession as identity provider already set it.\n" + "description": "Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. 
Defaults to empty.\n" }, "principalAttribute": { "type": "string", - "description": "Principal Attribute\n" + "description": "The principal attribute.\n" }, "principalType": { "type": "string", - "description": "Principal Type\n" + "description": "The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`.\n" }, "providerId": { "type": "string", - "description": "provider id, is always saml, unless you have a custom implementation\n" + "description": "The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation.\n" }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The name of the realm. This is unique across Keycloak.\n", "willReplaceOnChanges": true }, "signatureAlgorithm": { "type": "string", - "description": "Signing Algorithm.\n" + "description": "Signing Algorithm. Defaults to empty.\n" }, "signingCertificate": { "type": "string", 
@@ -13193,23 +13786,23 @@
 },
 "singleLogoutServiceUrl": {
 "type": "string",
- "description": "Logout URL.\n"
+ "description": "The Url that must be used to send logout requests.\n"
 },
 "singleSignOnServiceUrl": {
 "type": "string",
- "description": "SSO Logout URL.\n"
+ "description": "The Url that must be used to send authentication requests (SAML AuthnRequest).\n"
 },
 "storeToken": {
 "type": "boolean",
- "description": "Enable/disable if tokens must be stored after authenticating users.\n"
+ "description": "When `true`, tokens will be stored after authenticating users. Defaults to `true`.\n"
 },
 "syncMode": {
 "type": "string",
- "description": "Sync Mode\n"
+ "description": "The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.\n"
 },
 "trustEmail": {
 "type": "boolean",
- "description": "If enabled then email provided by this provider is not verified even if verification is enabled for the realm.\n"
+ "description": "When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.\n"
 },
 "validateSignature": {
 "type": "boolean",
@@ -13217,15 +13810,15 @@
 },
 "wantAssertionsEncrypted": {
 "type": "boolean",
- "description": "Want Assertions Encrypted.\n"
+ "description": "Indicates whether this service provider expects an encrypted Assertion.\n"
 },
 "wantAssertionsSigned": {
 "type": "boolean",
- "description": "Want Assertions Signed.\n"
+ "description": "Indicates whether this service provider expects a signed Assertion.\n"
 },
 "xmlSignKeyInfoKeyNameTransformer": {
 "type": "string",
- "description": "Sign Key Transformer.\n"
+ "description": "The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.\n"
 }
 },
 "type": "object"
@@ -13372,31 +13965,39 @@ } }, "keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper": { - "description": "## # keycloak.saml.UserAttributeProtocolMapper\n\nAllows for creating and managing user attribute protocol mappers for\nSAML clients within Keycloak.\n\nSAML user attribute protocol mappers allow you to map custom attributes defined\nfor a user within Keycloak to an attribute in a SAML assertion. Protocol mappers\ncan be defined for a single client, or they can be defined for a client scope which\ncan be shared between multiple different clients.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst samlClient = new keycloak.saml.Client(\"saml_client\", {\n realmId: test.id,\n clientId: \"test-saml-client\",\n name: \"test-saml-client\",\n});\nconst samlUserAttributeMapper = new keycloak.saml.UserAttributeProtocolMapper(\"saml_user_attribute_mapper\", {\n realmId: test.id,\n clientId: samlClient.id,\n name: \"displayname-user-attribute-mapper\",\n userAttribute: \"displayName\",\n samlAttributeName: \"displayName\",\n samlAttributeNameFormat: \"Unspecified\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nsaml_client = keycloak.saml.Client(\"saml_client\",\n realm_id=test[\"id\"],\n client_id=\"test-saml-client\",\n name=\"test-saml-client\")\nsaml_user_attribute_mapper = keycloak.saml.UserAttributeProtocolMapper(\"saml_user_attribute_mapper\",\n realm_id=test[\"id\"],\n client_id=saml_client.id,\n name=\"displayname-user-attribute-mapper\",\n user_attribute=\"displayName\",\n saml_attribute_name=\"displayName\",\n saml_attribute_name_format=\"Unspecified\")\n```\n```csharp\nusing System.Collections.Generic;\nusing 
System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var samlClient = new Keycloak.Saml.Client(\"saml_client\", new()\n {\n RealmId = test.Id,\n ClientId = \"test-saml-client\",\n Name = \"test-saml-client\",\n });\n\n var samlUserAttributeMapper = new Keycloak.Saml.UserAttributeProtocolMapper(\"saml_user_attribute_mapper\", new()\n {\n RealmId = test.Id,\n ClientId = samlClient.Id,\n Name = \"displayname-user-attribute-mapper\",\n UserAttribute = \"displayName\",\n SamlAttributeName = \"displayName\",\n SamlAttributeNameFormat = \"Unspecified\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsamlClient, err := saml.NewClient(ctx, \"saml_client\", \u0026saml.ClientArgs{\n\t\t\tRealmId: pulumi.Any(test.Id),\n\t\t\tClientId: pulumi.String(\"test-saml-client\"),\n\t\t\tName: pulumi.String(\"test-saml-client\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = saml.NewUserAttributeProtocolMapper(ctx, \"saml_user_attribute_mapper\", \u0026saml.UserAttributeProtocolMapperArgs{\n\t\t\tRealmId: pulumi.Any(test.Id),\n\t\t\tClientId: samlClient.ID(),\n\t\t\tName: pulumi.String(\"displayname-user-attribute-mapper\"),\n\t\t\tUserAttribute: pulumi.String(\"displayName\"),\n\t\t\tSamlAttributeName: pulumi.String(\"displayName\"),\n\t\t\tSamlAttributeNameFormat: pulumi.String(\"Unspecified\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn 
err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.saml.Client;\nimport com.pulumi.keycloak.saml.ClientArgs;\nimport com.pulumi.keycloak.saml.UserAttributeProtocolMapper;\nimport com.pulumi.keycloak.saml.UserAttributeProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var samlClient = new Client(\"samlClient\", ClientArgs.builder()\n .realmId(test.id())\n .clientId(\"test-saml-client\")\n .name(\"test-saml-client\")\n .build());\n\n var samlUserAttributeMapper = new UserAttributeProtocolMapper(\"samlUserAttributeMapper\", UserAttributeProtocolMapperArgs.builder()\n .realmId(test.id())\n .clientId(samlClient.id())\n .name(\"displayname-user-attribute-mapper\")\n .userAttribute(\"displayName\")\n .samlAttributeName(\"displayName\")\n .samlAttributeNameFormat(\"Unspecified\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n samlClient:\n type: keycloak:saml:Client\n name: saml_client\n properties:\n realmId: ${test.id}\n clientId: test-saml-client\n name: test-saml-client\n samlUserAttributeMapper:\n type: keycloak:saml:UserAttributeProtocolMapper\n name: saml_user_attribute_mapper\n properties:\n realmId: ${test.id}\n clientId: ${samlClient.id}\n name: displayname-user-attribute-mapper\n userAttribute: displayName\n samlAttributeName: displayName\n samlAttributeNameFormat: Unspecified\n```\n\u003c!--End 
PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `user_attribute` - (Required) The custom user attribute to map.\n- `friendly_name` - (Optional) An optional human-friendly name for this attribute.\n- `saml_attribute_name` - (Required) The name of the SAML attribute.\n- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak.\n\nSAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute\nin a SAML assertion.\n\nProtocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between\nmultiple different clients.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser 
--\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst samlClient = new keycloak.saml.Client(\"saml_client\", {\n realmId: realm.id,\n clientId: \"saml-client\",\n name: \"saml-client\",\n});\nconst samlUserAttributeMapper = new keycloak.saml.UserAttributeProtocolMapper(\"saml_user_attribute_mapper\", {\n realmId: realm.id,\n clientId: samlClient.id,\n name: \"displayname-user-attribute-mapper\",\n userAttribute: \"displayName\",\n samlAttributeName: \"displayName\",\n samlAttributeNameFormat: \"Unspecified\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nsaml_client = keycloak.saml.Client(\"saml_client\",\n realm_id=realm.id,\n client_id=\"saml-client\",\n name=\"saml-client\")\nsaml_user_attribute_mapper = keycloak.saml.UserAttributeProtocolMapper(\"saml_user_attribute_mapper\",\n realm_id=realm.id,\n client_id=saml_client.id,\n name=\"displayname-user-attribute-mapper\",\n user_attribute=\"displayName\",\n saml_attribute_name=\"displayName\",\n saml_attribute_name_format=\"Unspecified\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var samlClient = new Keycloak.Saml.Client(\"saml_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"saml-client\",\n Name = \"saml-client\",\n });\n\n var samlUserAttributeMapper = new Keycloak.Saml.UserAttributeProtocolMapper(\"saml_user_attribute_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = samlClient.Id,\n Name = \"displayname-user-attribute-mapper\",\n UserAttribute = \"displayName\",\n SamlAttributeName = 
\"displayName\",\n SamlAttributeNameFormat = \"Unspecified\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsamlClient, err := saml.NewClient(ctx, \"saml_client\", \u0026saml.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"saml-client\"),\n\t\t\tName: pulumi.String(\"saml-client\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = saml.NewUserAttributeProtocolMapper(ctx, \"saml_user_attribute_mapper\", \u0026saml.UserAttributeProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: samlClient.ID(),\n\t\t\tName: pulumi.String(\"displayname-user-attribute-mapper\"),\n\t\t\tUserAttribute: pulumi.String(\"displayName\"),\n\t\t\tSamlAttributeName: pulumi.String(\"displayName\"),\n\t\t\tSamlAttributeNameFormat: pulumi.String(\"Unspecified\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.saml.Client;\nimport com.pulumi.keycloak.saml.ClientArgs;\nimport com.pulumi.keycloak.saml.UserAttributeProtocolMapper;\nimport com.pulumi.keycloak.saml.UserAttributeProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n 
Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var samlClient = new Client(\"samlClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"saml-client\")\n .name(\"saml-client\")\n .build());\n\n var samlUserAttributeMapper = new UserAttributeProtocolMapper(\"samlUserAttributeMapper\", UserAttributeProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(samlClient.id())\n .name(\"displayname-user-attribute-mapper\")\n .userAttribute(\"displayName\")\n .samlAttributeName(\"displayName\")\n .samlAttributeNameFormat(\"Unspecified\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n samlClient:\n type: keycloak:saml:Client\n name: saml_client\n properties:\n realmId: ${realm.id}\n clientId: saml-client\n name: saml-client\n samlUserAttributeMapper:\n type: keycloak:saml:UserAttributeProtocolMapper\n name: saml_user_attribute_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${samlClient.id}\n name: displayname-user-attribute-mapper\n userAttribute: displayName\n samlAttributeName: displayName\n samlAttributeNameFormat: Unspecified\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper 
my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", "properties": { "clientId": { - "type": "string" + "type": "string", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { - "type": "string" + "type": "string", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "friendlyName": { - "type": "string" + "type": "string", + "description": "An optional human-friendly name for this attribute.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this protocol mapper exists within.\n" }, "samlAttributeName": { - "type": "string" + "type": "string", + "description": "The name of the SAML attribute.\n" }, "samlAttributeNameFormat": { - "type": "string" + "type": "string", + "description": "The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.\n" }, "userAttribute": { - "type": "string" + "type": "string", + "description": "The custom user attribute to map.\n" } }, "required": [ 
@@ -13409,30 +14010,38 @@
 "inputProperties": {
 "clientId": {
 "type": "string",
+ "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n",
 "willReplaceOnChanges": true
 },
 "clientScopeId": {
 "type": "string",
+ "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n",
 "willReplaceOnChanges": true
 },
 "friendlyName": {
- "type": "string"
+ "type": "string",
+ "description": "An optional human-friendly name for this attribute.\n"
 },
 "name": {
- "type": "string"
+ "type": "string",
+ "description": "The display name of this protocol mapper in the GUI.\n"
 },
 "realmId": {
 "type": "string",
+ "description": "The realm this protocol mapper exists within.\n",
 "willReplaceOnChanges": true
 },
 "samlAttributeName": {
- "type": "string"
+ "type": "string",
+ "description": "The name of the SAML attribute.\n"
 },
 "samlAttributeNameFormat": {
- "type": "string"
+ "type": "string",
+ "description": "The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.\n"
 },
 "userAttribute": {
- "type": "string"
+ "type": "string",
+ "description": "The custom user attribute to map.\n"
 }
 },
 "requiredInputs": [
@@ -13446,61 +14055,77 @@ "properties": { "clientId": { "type": "string", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "friendlyName": { - "type": "string" + "type": "string", + "description": "An optional human-friendly name for this attribute.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "samlAttributeName": { - "type": "string" + "type": "string", + "description": "The name of the SAML attribute.\n" }, "samlAttributeNameFormat": { - "type": "string" + "type": "string", + "description": "The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.\n" }, "userAttribute": { - "type": "string" + "type": "string", + "description": "The custom user attribute to map.\n" } }, "type": "object" } }, "keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper": { - "description": "## # keycloak.saml.UserPropertyProtocolMapper\n\nAllows for creating and managing user property protocol mappers for\nSAML clients within Keycloak.\n\nSAML user property protocol mappers allow you to map properties of the Keycloak\nuser model to an attribute in a SAML assertion. 
Protocol mappers\ncan be defined for a single client, or they can be defined for a client scope which\ncan be shared between multiple different clients.\n\n### Example Usage (Client)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst samlClient = new keycloak.saml.Client(\"saml_client\", {\n realmId: test.id,\n clientId: \"test-saml-client\",\n name: \"test-saml-client\",\n});\nconst samlUserPropertyMapper = new keycloak.saml.UserPropertyProtocolMapper(\"saml_user_property_mapper\", {\n realmId: test.id,\n clientId: samlClient.id,\n name: \"email-user-property-mapper\",\n userProperty: \"email\",\n samlAttributeName: \"email\",\n samlAttributeNameFormat: \"Unspecified\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nsaml_client = keycloak.saml.Client(\"saml_client\",\n realm_id=test[\"id\"],\n client_id=\"test-saml-client\",\n name=\"test-saml-client\")\nsaml_user_property_mapper = keycloak.saml.UserPropertyProtocolMapper(\"saml_user_property_mapper\",\n realm_id=test[\"id\"],\n client_id=saml_client.id,\n name=\"email-user-property-mapper\",\n user_property=\"email\",\n saml_attribute_name=\"email\",\n saml_attribute_name_format=\"Unspecified\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var samlClient = new Keycloak.Saml.Client(\"saml_client\", new()\n {\n RealmId = test.Id,\n ClientId = \"test-saml-client\",\n Name = \"test-saml-client\",\n });\n\n var samlUserPropertyMapper = new 
Keycloak.Saml.UserPropertyProtocolMapper(\"saml_user_property_mapper\", new()\n {\n RealmId = test.Id,\n ClientId = samlClient.Id,\n Name = \"email-user-property-mapper\",\n UserProperty = \"email\",\n SamlAttributeName = \"email\",\n SamlAttributeNameFormat = \"Unspecified\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsamlClient, err := saml.NewClient(ctx, \"saml_client\", \u0026saml.ClientArgs{\n\t\t\tRealmId: pulumi.Any(test.Id),\n\t\t\tClientId: pulumi.String(\"test-saml-client\"),\n\t\t\tName: pulumi.String(\"test-saml-client\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = saml.NewUserPropertyProtocolMapper(ctx, \"saml_user_property_mapper\", \u0026saml.UserPropertyProtocolMapperArgs{\n\t\t\tRealmId: pulumi.Any(test.Id),\n\t\t\tClientId: samlClient.ID(),\n\t\t\tName: pulumi.String(\"email-user-property-mapper\"),\n\t\t\tUserProperty: pulumi.String(\"email\"),\n\t\t\tSamlAttributeName: pulumi.String(\"email\"),\n\t\t\tSamlAttributeNameFormat: pulumi.String(\"Unspecified\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.saml.Client;\nimport com.pulumi.keycloak.saml.ClientArgs;\nimport com.pulumi.keycloak.saml.UserPropertyProtocolMapper;\nimport com.pulumi.keycloak.saml.UserPropertyProtocolMapperArgs;\nimport 
java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var samlClient = new Client(\"samlClient\", ClientArgs.builder()\n .realmId(test.id())\n .clientId(\"test-saml-client\")\n .name(\"test-saml-client\")\n .build());\n\n var samlUserPropertyMapper = new UserPropertyProtocolMapper(\"samlUserPropertyMapper\", UserPropertyProtocolMapperArgs.builder()\n .realmId(test.id())\n .clientId(samlClient.id())\n .name(\"email-user-property-mapper\")\n .userProperty(\"email\")\n .samlAttributeName(\"email\")\n .samlAttributeNameFormat(\"Unspecified\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n samlClient:\n type: keycloak:saml:Client\n name: saml_client\n properties:\n realmId: ${test.id}\n clientId: test-saml-client\n name: test-saml-client\n samlUserPropertyMapper:\n type: keycloak:saml:UserPropertyProtocolMapper\n name: saml_user_property_mapper\n properties:\n realmId: ${test.id}\n clientId: ${samlClient.id}\n name: email-user-property-mapper\n userProperty: email\n samlAttributeName: email\n samlAttributeNameFormat: Unspecified\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this protocol mapper exists within.\n- `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to.\n- `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to.\n- `name` - (Required) The display name of this protocol mapper in the GUI.\n- `user_property` - 
(Required) The property of the Keycloak user model to map.\n- `friendly_name` - (Optional) An optional human-friendly name for this attribute.\n- `saml_attribute_name` - (Required) The name of the SAML attribute.\n- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.\n\n### Import\n\nProtocol mappers can be imported using one of the following formats:\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\n```bash\n$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n", + "description": "Allows for creating and managing user property protocol mappers for SAML clients within Keycloak.\n\nSAML user property protocol mappers allow you to map properties of the Keycloak\nuser model to an attribute in a SAML assertion.\n\nProtocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between\nmultiple different clients.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst samlClient = new keycloak.saml.Client(\"saml_client\", {\n realmId: realm.id,\n clientId: \"saml-client\",\n name: \"saml-client\",\n});\nconst samlUserPropertyMapper = new keycloak.saml.UserPropertyProtocolMapper(\"saml_user_property_mapper\", {\n realmId: realm.id,\n clientId: samlClient.id,\n name: 
\"email-user-property-mapper\",\n userProperty: \"email\",\n samlAttributeName: \"email\",\n samlAttributeNameFormat: \"Unspecified\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nsaml_client = keycloak.saml.Client(\"saml_client\",\n realm_id=realm.id,\n client_id=\"saml-client\",\n name=\"saml-client\")\nsaml_user_property_mapper = keycloak.saml.UserPropertyProtocolMapper(\"saml_user_property_mapper\",\n realm_id=realm.id,\n client_id=saml_client.id,\n name=\"email-user-property-mapper\",\n user_property=\"email\",\n saml_attribute_name=\"email\",\n saml_attribute_name_format=\"Unspecified\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var samlClient = new Keycloak.Saml.Client(\"saml_client\", new()\n {\n RealmId = realm.Id,\n ClientId = \"saml-client\",\n Name = \"saml-client\",\n });\n\n var samlUserPropertyMapper = new Keycloak.Saml.UserPropertyProtocolMapper(\"saml_user_property_mapper\", new()\n {\n RealmId = realm.Id,\n ClientId = samlClient.Id,\n Name = \"email-user-property-mapper\",\n UserProperty = \"email\",\n SamlAttributeName = \"email\",\n SamlAttributeNameFormat = \"Unspecified\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsamlClient, err := 
saml.NewClient(ctx, \"saml_client\", \u0026saml.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"saml-client\"),\n\t\t\tName: pulumi.String(\"saml-client\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = saml.NewUserPropertyProtocolMapper(ctx, \"saml_user_property_mapper\", \u0026saml.UserPropertyProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: samlClient.ID(),\n\t\t\tName: pulumi.String(\"email-user-property-mapper\"),\n\t\t\tUserProperty: pulumi.String(\"email\"),\n\t\t\tSamlAttributeName: pulumi.String(\"email\"),\n\t\t\tSamlAttributeNameFormat: pulumi.String(\"Unspecified\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.saml.Client;\nimport com.pulumi.keycloak.saml.ClientArgs;\nimport com.pulumi.keycloak.saml.UserPropertyProtocolMapper;\nimport com.pulumi.keycloak.saml.UserPropertyProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var samlClient = new Client(\"samlClient\", ClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"saml-client\")\n .name(\"saml-client\")\n .build());\n\n var samlUserPropertyMapper = new UserPropertyProtocolMapper(\"samlUserPropertyMapper\", UserPropertyProtocolMapperArgs.builder()\n .realmId(realm.id())\n .clientId(samlClient.id())\n .name(\"email-user-property-mapper\")\n .userProperty(\"email\")\n .samlAttributeName(\"email\")\n 
.samlAttributeNameFormat(\"Unspecified\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n samlClient:\n type: keycloak:saml:Client\n name: saml_client\n properties:\n realmId: ${realm.id}\n clientId: saml-client\n name: saml-client\n samlUserPropertyMapper:\n type: keycloak:saml:UserPropertyProtocolMapper\n name: saml_user_property_mapper\n properties:\n realmId: ${realm.id}\n clientId: ${samlClient.id}\n name: email-user-property-mapper\n userProperty: email\n samlAttributeName: email\n samlAttributeNameFormat: Unspecified\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nProtocol mappers can be imported using one of the following formats:\n\n- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`\n\n- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n```sh\n$ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n", "properties": { "clientId": { - "type": "string" + "type": "string", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n" }, "clientScopeId": { - "type": "string" + "type": "string", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. 
One of `client_id` or `client_scope_id` must be specified.\n" }, "friendlyName": { - "type": "string" + "type": "string", + "description": "An optional human-friendly name for this attribute.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this protocol mapper exists within.\n" }, "samlAttributeName": { - "type": "string" + "type": "string", + "description": "The name of the SAML attribute.\n" }, "samlAttributeNameFormat": { - "type": "string" + "type": "string", + "description": "The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.\n" }, "userProperty": { - "type": "string" + "type": "string", + "description": "The property of the Keycloak user model to map.\n" } }, "required": [ 
@@ -13513,30 +14138,38 @@ "inputProperties": { "clientId": { "type": "string", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "friendlyName": { - "type": "string" + "type": "string", + "description": "An optional human-friendly name for this attribute.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "samlAttributeName": { - "type": "string" + "type": "string", + "description": "The name of the SAML attribute.\n" }, "samlAttributeNameFormat": { - "type": "string" + "type": "string", + "description": "The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.\n" }, "userProperty": { - "type": "string" + "type": "string", + "description": "The property of the Keycloak user model to map.\n" } }, "requiredInputs": [ 
@@ -13550,30 +14183,38 @@ "properties": { "clientId": { "type": "string", + "description": "The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "clientScopeId": { "type": "string", + "description": "The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.\n", "willReplaceOnChanges": true }, "friendlyName": { - "type": "string" + "type": "string", + "description": "An optional human-friendly name for this attribute.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The display name of this protocol mapper in the GUI.\n" }, "realmId": { "type": "string", + "description": "The realm this protocol mapper exists within.\n", "willReplaceOnChanges": true }, "samlAttributeName": { - "type": "string" + "type": "string", + "description": "The name of the SAML attribute.\n" }, "samlAttributeNameFormat": { - "type": "string" + "type": "string", + "description": "The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.\n" }, "userProperty": { - "type": "string" + "type": "string", + "description": "The property of the Keycloak user model to map.\n" } }, "type": "object" 
@@ -13890,15 +14531,17 @@ } }, "keycloak:index/getGroup:getGroup": { - "description": "## # keycloak.Group data source\n\nThis data source can be used to fetch properties of a Keycloak group for\nusage with other resources, such as `keycloak.GroupRoles`.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n groupRoles:\n type: keycloak:GroupRoles\n name: group_roles\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n roles:\n - ${offlineAccess.id}\nvariables:\n offlineAccess:\n fn::invoke:\n Function: keycloak:getRole\n Arguments:\n realmId: ${realm.id}\n name: offline_access\n group:\n fn::invoke:\n Function: keycloak:getGroup\n Arguments:\n realmId: ${realm.id}\n name: group\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this group exists within.\n- `name` - (Required) The name of the group\n\n### Attributes Reference\n\nIn addition to the arguments listed above, the following computed attributes are exported:\n\n- `id` - The unique ID of the group, which can be used as an argument to\n other resources supported by this provider.\n", + "description": "This data source can be used to fetch properties of a Keycloak group for\nusage with other resources, such as `keycloak.GroupRoles`.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst offlineAccess = keycloak.getRoleOutput({\n realmId: realm.id,\n name: \"offline_access\",\n});\nconst group = keycloak.getGroupOutput({\n realmId: realm.id,\n name: \"group\",\n});\nconst groupRoles = new keycloak.GroupRoles(\"group_roles\", {\n realmId: realm.id,\n groupId: 
group.apply(group =\u003e group.id),\n roleIds: [offlineAccess.apply(offlineAccess =\u003e offlineAccess.id)],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\noffline_access = keycloak.get_role_output(realm_id=realm.id,\n name=\"offline_access\")\ngroup = keycloak.get_group_output(realm_id=realm.id,\n name=\"group\")\ngroup_roles = keycloak.GroupRoles(\"group_roles\",\n realm_id=realm.id,\n group_id=group.id,\n role_ids=[offline_access.id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var offlineAccess = Keycloak.GetRole.Invoke(new()\n {\n RealmId = realm.Id,\n Name = \"offline_access\",\n });\n\n var @group = Keycloak.GetGroup.Invoke(new()\n {\n RealmId = realm.Id,\n Name = \"group\",\n });\n\n var groupRoles = new Keycloak.GroupRoles(\"group_roles\", new()\n {\n RealmId = realm.Id,\n GroupId = @group.Apply(@group =\u003e @group.Apply(getGroupResult =\u003e getGroupResult.Id)),\n RoleIds = new[]\n {\n offlineAccess.Apply(getRoleResult =\u003e getRoleResult.Id),\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tofflineAccess := keycloak.LookupRoleOutput(ctx, keycloak.GetRoleOutputArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"offline_access\"),\n\t\t}, nil)\n\t\tgroup := keycloak.LookupGroupOutput(ctx, 
keycloak.GetGroupOutputArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"group\"),\n\t\t}, nil)\n\t\t_, err = keycloak.NewGroupRoles(ctx, \"group_roles\", \u0026keycloak.GroupRolesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupId: pulumi.String(group.ApplyT(func(group keycloak.GetGroupResult) (*string, error) {\n\t\t\t\treturn \u0026group.Id, nil\n\t\t\t}).(pulumi.StringPtrOutput)),\n\t\t\tRoleIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(offlineAccess.ApplyT(func(offlineAccess keycloak.GetRoleResult) (*string, error) {\n\t\t\t\t\treturn \u0026offlineAccess.Id, nil\n\t\t\t\t}).(pulumi.StringPtrOutput)),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.KeycloakFunctions;\nimport com.pulumi.keycloak.inputs.GetRoleArgs;\nimport com.pulumi.keycloak.inputs.GetGroupArgs;\nimport com.pulumi.keycloak.GroupRoles;\nimport com.pulumi.keycloak.GroupRolesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()\n .realmId(realm.id())\n .name(\"offline_access\")\n .build());\n\n final var group = KeycloakFunctions.getGroup(GetGroupArgs.builder()\n .realmId(realm.id())\n .name(\"group\")\n .build());\n\n var groupRoles = new GroupRoles(\"groupRoles\", GroupRolesArgs.builder()\n .realmId(realm.id())\n .groupId(group.applyValue(getGroupResult -\u003e 
getGroupResult).applyValue(group -\u003e group.applyValue(getGroupResult -\u003e getGroupResult.id())))\n .roleIds(offlineAccess.applyValue(getRoleResult -\u003e getRoleResult).applyValue(offlineAccess -\u003e offlineAccess.applyValue(getRoleResult -\u003e getRoleResult.id())))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n groupRoles:\n type: keycloak:GroupRoles\n name: group_roles\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n roleIds:\n - ${offlineAccess.id}\nvariables:\n offlineAccess:\n fn::invoke:\n Function: keycloak:getRole\n Arguments:\n realmId: ${realm.id}\n name: offline_access\n group:\n fn::invoke:\n Function: keycloak:getGroup\n Arguments:\n realmId: ${realm.id}\n name: group\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "inputs": { "description": "A collection of arguments for invoking getGroup.\n", "properties": { "name": { - "type": "string" + "type": "string", + "description": "The name of the group. If there are multiple groups match `name`, the first result will be returned.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this group exists within.\n" } }, "type": "object", 
@@ -13945,7 +14588,7 @@ } }, "keycloak:index/getRealm:getRealm": { - "description": "## # keycloak.Realm data source\n\nThis data source can be used to fetch properties of a Keycloak realm for\nusage with other resources.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = keycloak.getRealm({\n realm: \"my-realm\",\n});\n// use the data source\nconst group = new keycloak.Role(\"group\", {\n realmId: id,\n name: \"group\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.get_realm(realm=\"my-realm\")\n# use the data source\ngroup = keycloak.Role(\"group\",\n realm_id=id,\n name=\"group\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = Keycloak.GetRealm.Invoke(new()\n {\n Realm = \"my-realm\",\n });\n\n // use the data source\n var @group = new Keycloak.Role(\"group\", new()\n {\n RealmId = id,\n Name = \"group\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := keycloak.LookupRealm(ctx, \u0026keycloak.LookupRealmArgs{\n\t\t\tRealm: \"my-realm\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// use the data source\n\t\t_, err = keycloak.NewRole(ctx, \"group\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: pulumi.Any(id),\n\t\t\tName: pulumi.String(\"group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.KeycloakFunctions;\nimport 
com.pulumi.keycloak.inputs.GetRealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var realm = KeycloakFunctions.getRealm(GetRealmArgs.builder()\n .realm(\"my-realm\")\n .build());\n\n // use the data source\n var group = new Role(\"group\", RoleArgs.builder()\n .realmId(id)\n .name(\"group\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n # use the data source\n group:\n type: keycloak:Role\n properties:\n realmId: ${id}\n name: group\nvariables:\n realm:\n fn::invoke:\n Function: keycloak:getRealm\n Arguments:\n realm: my-realm\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm` - (Required) The realm name.\n\n### Attributes Reference\n\nSee the docs for the `keycloak.Realm` resource for details on the exported attributes.\n", + "description": "This data source can be used to fetch properties of a Keycloak realm for\nusage with other resources.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = keycloak.getRealm({\n realm: \"my-realm\",\n});\n// use the data source\nconst group = new keycloak.Role(\"group\", {\n realmId: realm.then(realm =\u003e realm.id),\n name: \"group\",\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.get_realm(realm=\"my-realm\")\n# use the data source\ngroup = keycloak.Role(\"group\",\n realm_id=realm.id,\n name=\"group\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await 
Deployment.RunAsync(() =\u003e \n{\n var realm = Keycloak.GetRealm.Invoke(new()\n {\n Realm = \"my-realm\",\n });\n\n // use the data source\n var @group = new Keycloak.Role(\"group\", new()\n {\n RealmId = realm.Apply(getRealmResult =\u003e getRealmResult.Id),\n Name = \"group\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.LookupRealm(ctx, \u0026keycloak.LookupRealmArgs{\n\t\t\tRealm: \"my-realm\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// use the data source\n\t\t_, err = keycloak.NewRole(ctx, \"group\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: pulumi.String(realm.Id),\n\t\t\tName: pulumi.String(\"group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.KeycloakFunctions;\nimport com.pulumi.keycloak.inputs.GetRealmArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var realm = KeycloakFunctions.getRealm(GetRealmArgs.builder()\n .realm(\"my-realm\")\n .build());\n\n // use the data source\n var group = new Role(\"group\", RoleArgs.builder()\n .realmId(realm.applyValue(getRealmResult -\u003e getRealmResult.id()))\n .name(\"group\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n # use the data source\n group:\n type: keycloak:Role\n properties:\n realmId: ${realm.id}\n name: group\nvariables:\n realm:\n fn::invoke:\n 
Function: keycloak:getRealm\n Arguments:\n realm: my-realm\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "inputs": { "description": "A collection of arguments for invoking getRealm.\n", "properties": { @@ -13980,7 +14623,8 @@ "$ref": "#/types/keycloak:index/getRealmOtpPolicy:getRealmOtpPolicy" }, "realm": { - "type": "string" + "type": "string", + "description": "The realm name.\n" }, "securityDefenses": { "type": "array", @@ -14262,7 +14906,7 @@ } }, "keycloak:index/getRealmKeys:getRealmKeys": { - "description": "## # keycloak.getRealmKeys data source\n\nUse this data source to get the keys of a realm. Keys can be filtered by algorithm and status.\n\nRemarks:\n\n- A key must meet all filter criteria\n- This datasource may return more than one value.\n- If no key matches the filter criteria, then an error is returned.\n\n", + "description": "Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status.\n\nRemarks:\n\n- A key must meet all filter criteria\n- This data source may return more than one value.\n- If no key matches the filter criteria, then an error will be returned.\n\n", "inputs": { "description": "A collection of arguments for invoking getRealmKeys.\n", "properties": { @@ -14270,16 +14914,19 @@ "type": "array", "items": { "type": "string" - } + }, + "description": "When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm from which the keys will be retrieved.\n" }, "statuses": { "type": "array", "items": { "type": "string" - } + }, + "description": "When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`.\n" } }, "type": "object", 
@@ -14301,6 +14948,7 @@ "type": "string" }, "keys": { + "description": "(Computed) A list of keys that match the filter criteria. Each key has the following attributes:\n", "items": { "$ref": "#/types/keycloak:index/getRealmKeysKey:getRealmKeysKey" }, @@ -14310,6 +14958,7 @@ "type": "string" }, "statuses": { + "description": "Key status (string)\n", "items": { "type": "string" }, 
@@ -14325,18 +14974,21 @@ } }, "keycloak:index/getRole:getRole": { - "description": "## # keycloak.Role data source\n\nThis data source can be used to fetch properties of a Keycloak role for\nusage with other resources, such as `keycloak.GroupRoles`.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n # use the data source\n group:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n name: group\n groupRoles:\n type: keycloak:GroupRoles\n name: group_roles\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n roles:\n - ${offlineAccess.id}\nvariables:\n offlineAccess:\n fn::invoke:\n Function: keycloak:getRole\n Arguments:\n realmId: ${realm.id}\n name: offline_access\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this role exists within.\n- `client_id` - (Optional) When specified, this role is assumed to be a\n client role belonging to the client with the provided ID\n- `name` - (Required) The name of the role\n \n### Attributes Reference\n\nIn addition to the arguments listed above, the following computed attributes are exported:\n\n- `id` - The unique ID of the role, which can be used as an argument to\n other resources supported by this provider.\n- `description` - The description of the role.\n", + "description": "This data source can be used to fetch properties of a Keycloak role for\nusage with other resources, such as `keycloak.GroupRoles`.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst offlineAccess = keycloak.getRoleOutput({\n realmId: realm.id,\n name: \"offline_access\",\n});\n// use the data 
source\nconst group = new keycloak.Group(\"group\", {\n realmId: realm.id,\n name: \"group\",\n});\nconst groupRoles = new keycloak.GroupRoles(\"group_roles\", {\n realmId: realm.id,\n groupId: group.id,\n roleIds: [offlineAccess.apply(offlineAccess =\u003e offlineAccess.id)],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\noffline_access = keycloak.get_role_output(realm_id=realm.id,\n name=\"offline_access\")\n# use the data source\ngroup = keycloak.Group(\"group\",\n realm_id=realm.id,\n name=\"group\")\ngroup_roles = keycloak.GroupRoles(\"group_roles\",\n realm_id=realm.id,\n group_id=group.id,\n role_ids=[offline_access.id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var offlineAccess = Keycloak.GetRole.Invoke(new()\n {\n RealmId = realm.Id,\n Name = \"offline_access\",\n });\n\n // use the data source\n var @group = new Keycloak.Group(\"group\", new()\n {\n RealmId = realm.Id,\n Name = \"group\",\n });\n\n var groupRoles = new Keycloak.GroupRoles(\"group_roles\", new()\n {\n RealmId = realm.Id,\n GroupId = @group.Id,\n RoleIds = new[]\n {\n offlineAccess.Apply(getRoleResult =\u003e getRoleResult.Id),\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tofflineAccess := keycloak.LookupRoleOutput(ctx, 
keycloak.GetRoleOutputArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"offline_access\"),\n\t\t}, nil)\n\t\t// use the data source\n\t\tgroup, err := keycloak.NewGroup(ctx, \"group\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tName: pulumi.String(\"group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewGroupRoles(ctx, \"group_roles\", \u0026keycloak.GroupRolesArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tGroupId: group.ID(),\n\t\t\tRoleIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(offlineAccess.ApplyT(func(offlineAccess keycloak.GetRoleResult) (*string, error) {\n\t\t\t\t\treturn \u0026offlineAccess.Id, nil\n\t\t\t\t}).(pulumi.StringPtrOutput)),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.KeycloakFunctions;\nimport com.pulumi.keycloak.inputs.GetRoleArgs;\nimport com.pulumi.keycloak.Group;\nimport com.pulumi.keycloak.GroupArgs;\nimport com.pulumi.keycloak.GroupRoles;\nimport com.pulumi.keycloak.GroupRolesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder()\n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()\n .realmId(realm.id())\n .name(\"offline_access\")\n .build());\n\n // use the data source\n var group = new Group(\"group\", GroupArgs.builder()\n .realmId(realm.id())\n .name(\"group\")\n .build());\n\n var groupRoles = new GroupRoles(\"groupRoles\", 
GroupRolesArgs.builder()\n .realmId(realm.id())\n .groupId(group.id())\n .roleIds(offlineAccess.applyValue(getRoleResult -\u003e getRoleResult).applyValue(offlineAccess -\u003e offlineAccess.applyValue(getRoleResult -\u003e getRoleResult.id())))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n # use the data source\n group:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n name: group\n groupRoles:\n type: keycloak:GroupRoles\n name: group_roles\n properties:\n realmId: ${realm.id}\n groupId: ${group.id}\n roleIds:\n - ${offlineAccess.id}\nvariables:\n offlineAccess:\n fn::invoke:\n Function: keycloak:getRole\n Arguments:\n realmId: ${realm.id}\n name: offline_access\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "inputs": { "description": "A collection of arguments for invoking getRole.\n", "properties": { "clientId": { - "type": "string" + "type": "string", + "description": "When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here.\n" }, "name": { - "type": "string" + "type": "string", + "description": "The name of the role.\n" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm this role exists within.\n" } }, "type": "object", @@ -14364,6 +15016,7 @@ "type": "array" }, "description": { + "description": "(Computed) The description of the role.\n", "type": "string" }, "id": { 
@@ -14529,12 +15182,13 @@ } }, "keycloak:openid/getClient:getClient": { - "description": "## # keycloak.openid.Client data source\n\nThis data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources.\n\n### Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realmManagement = keycloak.openid.getClient({\n realmId: \"my-realm\",\n clientId: \"realm-management\",\n});\n// use the data source\nconst admin = realmManagement.then(realmManagement =\u003e keycloak.getRole({\n realmId: \"my-realm\",\n clientId: realmManagement.id,\n name: \"realm-admin\",\n}));\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm_management = keycloak.openid.get_client(realm_id=\"my-realm\",\n client_id=\"realm-management\")\n# use the data source\nadmin = keycloak.get_role(realm_id=\"my-realm\",\n client_id=realm_management.id,\n name=\"realm-admin\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realmManagement = Keycloak.OpenId.GetClient.Invoke(new()\n {\n RealmId = \"my-realm\",\n ClientId = \"realm-management\",\n });\n\n // use the data source\n var admin = Keycloak.GetRole.Invoke(new()\n {\n RealmId = \"my-realm\",\n ClientId = realmManagement.Apply(getClientResult =\u003e getClientResult.Id),\n Name = \"realm-admin\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealmManagement, err := openid.LookupClient(ctx, \u0026openid.LookupClientArgs{\n\t\t\tRealmId: \"my-realm\",\n\t\t\tClientId: \"realm-management\",\n\t\t}, 
nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// use the data source\n\t\t_, err = keycloak.LookupRole(ctx, \u0026keycloak.LookupRoleArgs{\n\t\t\tRealmId: \"my-realm\",\n\t\t\tClientId: pulumi.StringRef(realmManagement.Id),\n\t\t\tName: \"realm-admin\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.openid.OpenidFunctions;\nimport com.pulumi.keycloak.openid.inputs.GetClientArgs;\nimport com.pulumi.keycloak.KeycloakFunctions;\nimport com.pulumi.keycloak.inputs.GetRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()\n .realmId(\"my-realm\")\n .clientId(\"realm-management\")\n .build());\n\n // use the data source\n final var admin = KeycloakFunctions.getRole(GetRoleArgs.builder()\n .realmId(\"my-realm\")\n .clientId(realmManagement.applyValue(getClientResult -\u003e getClientResult.id()))\n .name(\"realm-admin\")\n .build());\n\n }\n}\n```\n```yaml\nvariables:\n realmManagement:\n fn::invoke:\n Function: keycloak:openid:getClient\n Arguments:\n realmId: my-realm\n clientId: realm-management\n # use the data source\n admin:\n fn::invoke:\n Function: keycloak:getRole\n Arguments:\n realmId: my-realm\n clientId: ${realmManagement.id}\n name: realm-admin\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm id.\n- `client_id` - (Required) The client id.\n\n### Attributes Reference\n\nSee the docs for the `keycloak.openid.Client` resource for 
details on the exported attributes.\n", + "description": "This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realmManagement = keycloak.openid.getClient({\n realmId: \"my-realm\",\n clientId: \"realm-management\",\n});\n// use the data source\nconst admin = realmManagement.then(realmManagement =\u003e keycloak.getRole({\n realmId: \"my-realm\",\n clientId: realmManagement.id,\n name: \"realm-admin\",\n}));\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm_management = keycloak.openid.get_client(realm_id=\"my-realm\",\n client_id=\"realm-management\")\n# use the data source\nadmin = keycloak.get_role(realm_id=\"my-realm\",\n client_id=realm_management.id,\n name=\"realm-admin\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realmManagement = Keycloak.OpenId.GetClient.Invoke(new()\n {\n RealmId = \"my-realm\",\n ClientId = \"realm-management\",\n });\n\n // use the data source\n var admin = Keycloak.GetRole.Invoke(new()\n {\n RealmId = \"my-realm\",\n ClientId = realmManagement.Apply(getClientResult =\u003e getClientResult.Id),\n Name = \"realm-admin\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealmManagement, err := openid.LookupClient(ctx, \u0026openid.LookupClientArgs{\n\t\t\tRealmId: \"my-realm\",\n\t\t\tClientId: \"realm-management\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// use the data 
source\n\t\t_, err = keycloak.LookupRole(ctx, \u0026keycloak.LookupRoleArgs{\n\t\t\tRealmId: \"my-realm\",\n\t\t\tClientId: pulumi.StringRef(realmManagement.Id),\n\t\t\tName: \"realm-admin\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.openid.OpenidFunctions;\nimport com.pulumi.keycloak.openid.inputs.GetClientArgs;\nimport com.pulumi.keycloak.KeycloakFunctions;\nimport com.pulumi.keycloak.inputs.GetRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()\n .realmId(\"my-realm\")\n .clientId(\"realm-management\")\n .build());\n\n // use the data source\n final var admin = KeycloakFunctions.getRole(GetRoleArgs.builder()\n .realmId(\"my-realm\")\n .clientId(realmManagement.applyValue(getClientResult -\u003e getClientResult.id()))\n .name(\"realm-admin\")\n .build());\n\n }\n}\n```\n```yaml\nvariables:\n realmManagement:\n fn::invoke:\n Function: keycloak:openid:getClient\n Arguments:\n realmId: my-realm\n clientId: realm-management\n # use the data source\n admin:\n fn::invoke:\n Function: keycloak:getRole\n Arguments:\n realmId: my-realm\n clientId: ${realmManagement.id}\n name: realm-admin\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "inputs": { "description": "A collection of arguments for invoking getClient.\n", "properties": { "clientId": { - "type": "string" + "type": "string", + "description": "The client id (not its unique ID).\n" }, "consentScreenText": { "type": "string" 
@@ -14558,7 +15212,8 @@ "type": "string" }, "realmId": { - "type": "string" + "type": "string", + "description": "The realm id.\n" } }, "type": "object", diff --git a/sdk/dotnet/AttributeImporterIdentityProviderMapper.cs b/sdk/dotnet/AttributeImporterIdentityProviderMapper.cs index c08ee9f9..a22da753 100644 --- a/sdk/dotnet/AttributeImporterIdentityProviderMapper.cs +++ b/sdk/dotnet/AttributeImporterIdentityProviderMapper.cs @@ -10,11 +10,16 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.AttributeImporterIdentityProviderMapper + /// Allows for creating and managing an attribute importer identity provider mapper within Keycloak. /// - /// Allows to create and manage identity provider mappers within Keycloak. + /// The attribute importer mapper can be used to map attributes from externally defined users to attributes or properties of the imported Keycloak user: + /// - For the OIDC identity provider, this will map a claim on the ID or access token to an attribute for the imported Keycloak user. + /// - For the SAML identity provider, this will map a SAML attribute found within the assertion to an attribute for the imported Keycloak user. + /// - For social identity providers, this will map a JSON field from the user profile to an attribute for the imported Keycloak user. /// - /// ### Example Usage + /// > If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper. + /// + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; 
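Review bot: The added note that Keycloak 10+ requires a `syncMode` in `extra_config` never says which values are accepted or what they change, so readers will copy `INHERIT` from the example without knowing whether the imported attribute is refreshed on later logins or frozen at first login; for an attribute such as `email` that downstream systems trust, that determines how long a stale or revoked upstream value survives. I would extend the note with a sentence along the lines of "syncMode controls whether the attribute is imported once or re-synced on every login; see the identity provider's sync mode setting for the accepted values" (presumably INHERIT/IMPORT/FORCE as in Keycloak — confirm against the provider before naming them). The namespace this comment sits in continues outside the hunk. This file looks generated from the upstream provider docs, so the wording most likely belongs in the patch that produces it.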
@@ -24,81 +29,100 @@ namespace Pulumi.Keycloak /// /// return await Deployment.RunAsync(() => /// { - /// var testMapper = new Keycloak.AttributeImporterIdentityProviderMapper("test_mapper", new() + /// var realm = new Keycloak.Realm("realm", new() /// { - /// Realm = "my-realm", - /// Name = "my-mapper", - /// IdentityProviderAlias = "idp_alias", - /// AttributeName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", - /// UserAttribute = "lastName", + /// RealmName = "my-realm", + /// Enabled = true, /// }); /// - /// }); - /// ``` + /// var oidc = new Keycloak.Oidc.IdentityProvider("oidc", new() + /// { + /// Realm = realm.Id, + /// Alias = "oidc", + /// AuthorizationUrl = "https://example.com/auth", + /// TokenUrl = "https://example.com/token", + /// ClientId = "example_id", + /// ClientSecret = "example_token", + /// DefaultScopes = "openid random profile", + /// }); /// - /// ### Argument Reference + /// var oidcAttributeImporterIdentityProviderMapper = new Keycloak.AttributeImporterIdentityProviderMapper("oidc", new() + /// { + /// Realm = realm.Id, + /// Name = "email-attribute-importer", + /// ClaimName = "my-email-claim", + /// IdentityProviderAlias = oidc.Alias, + /// UserAttribute = "email", + /// ExtraConfig = + /// { + /// { "syncMode", "INHERIT" }, + /// }, + /// }); /// - /// The following arguments are supported: + /// }); + /// ``` /// - /// - `realm` - (Required) The name of the realm. - /// - `name` - (Required) The name of the mapper. - /// - `identity_provider_alias` - (Required) The alias of the associated identity provider. - /// - `user_attribute` - (Required) The user attribute name to store SAML attribute. - /// - `attribute_name` - (Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. - /// - `attribute_friendly_name` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead. 
- /// - `claim_name` - (Optional) The claim name. + /// ## Import /// - /// ### Import + /// Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak /// - /// Identity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak /// assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + /// ``` /// [KeycloakResourceType("keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper")] public partial class AttributeImporterIdentityProviderMapper : global::Pulumi.CustomResource { /// - /// Attribute Friendly Name + /// For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. /// [Output("attributeFriendlyName")] public Output AttributeFriendlyName { get; private set; } = null!; /// - /// Attribute Name + /// For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. /// [Output("attributeName")] public Output AttributeName { get; private set; } = null!; /// - /// Claim Name + /// For OIDC based providers, this is the name of the claim to use. /// [Output("claimName")] public Output ClaimName { get; private set; } = null!; + /// + /// Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. 
This can be used to extend the base model with new Keycloak features. + /// [Output("extraConfig")] public Output?> ExtraConfig { get; private set; } = null!; /// - /// IDP Alias + /// The alias of the associated identity provider. /// [Output("identityProviderAlias")] public Output IdentityProviderAlias { get; private set; } = null!; /// - /// IDP Mapper Name + /// The name of the mapper. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// Realm Name + /// The name of the realm. /// [Output("realm")] public Output Realm { get; private set; } = null!; /// - /// User Attribute + /// The user attribute or property name to store the mapped result. /// [Output("userAttribute")] public Output UserAttribute { get; private set; } = null!; @@ -150,25 +174,29 @@ public static AttributeImporterIdentityProviderMapper Get(string name, Input - /// Attribute Friendly Name + /// For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. /// [Input("attributeFriendlyName")] public Input? AttributeFriendlyName { get; set; } /// - /// Attribute Name + /// For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. /// [Input("attributeName")] public Input? AttributeName { get; set; } /// - /// Claim Name + /// For OIDC based providers, this is the name of the claim to use. /// [Input("claimName")] public Input? ClaimName { get; set; } [Input("extraConfig")] private InputMap? _extraConfig; + + /// + /// Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + /// public InputMap ExtraConfig { get => _extraConfig ?? (_extraConfig = new InputMap()); 
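Review bot: The new example hard-codes the identity provider's client secret as `ClientSecret = "example_token"`, which is exactly what readers will copy; a literal here ends up in source control and, unless wrapped as a Pulumi secret, presumably in the stack state in plain text. I would add `var config = new Config();` before the resource and replace the literal with `ClientSecret = config.RequireSecret("oidcClientSecret"),`, plus a one-line comment that the secret must come from encrypted configuration rather than a literal. The generated examples for the other SDK languages are not in this hunk but will need the same treatment. The `AttributeImporterIdentityProviderMapper` class declared in this hunk continues outside it, and the file appears to be generated, so the fix likely belongs in the upstream docs patch.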
@@ -176,25 +204,25 @@ public InputMap ExtraConfig } /// - /// IDP Alias + /// The alias of the associated identity provider. /// [Input("identityProviderAlias", required: true)] public Input IdentityProviderAlias { get; set; } = null!; /// - /// IDP Mapper Name + /// The name of the mapper. /// [Input("name")] public Input? Name { get; set; } /// - /// Realm Name + /// The name of the realm. /// [Input("realm", required: true)] public Input Realm { get; set; } = null!; /// - /// User Attribute + /// The user attribute or property name to store the mapped result. /// [Input("userAttribute", required: true)] public Input UserAttribute { get; set; } = null!; @@ -208,25 +236,29 @@ public AttributeImporterIdentityProviderMapperArgs() public sealed class AttributeImporterIdentityProviderMapperState : global::Pulumi.ResourceArgs { /// - /// Attribute Friendly Name + /// For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. /// [Input("attributeFriendlyName")] public Input? AttributeFriendlyName { get; set; } /// - /// Attribute Name + /// For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. /// [Input("attributeName")] public Input? AttributeName { get; set; } /// - /// Claim Name + /// For OIDC based providers, this is the name of the claim to use. /// [Input("claimName")] public Input? ClaimName { get; set; } [Input("extraConfig")] private InputMap? _extraConfig; + + /// + /// Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + /// public InputMap ExtraConfig { get => _extraConfig ?? (_extraConfig = new InputMap()); 
@@ -234,25 +266,25 @@ public InputMap ExtraConfig } /// - /// IDP Alias + /// The alias of the associated identity provider. /// [Input("identityProviderAlias")] public Input? IdentityProviderAlias { get; set; } /// - /// IDP Mapper Name + /// The name of the mapper. /// [Input("name")] public Input? Name { get; set; } /// - /// Realm Name + /// The name of the realm. /// [Input("realm")] public Input? Realm { get; set; } /// - /// User Attribute + /// The user attribute or property name to store the mapped result. /// [Input("userAttribute")] public Input? UserAttribute { get; set; } diff --git a/sdk/dotnet/CustomUserFederation.cs b/sdk/dotnet/CustomUserFederation.cs index b45e0765..b76235e4 100644 --- a/sdk/dotnet/CustomUserFederation.cs +++ b/sdk/dotnet/CustomUserFederation.cs @@ -10,15 +10,12 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.CustomUserFederation - /// /// Allows for creating and managing custom user federation providers within Keycloak. /// - /// A custom user federation provider is an implementation of Keycloak's - /// [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). + /// A custom user federation provider is an implementation of Keycloak's [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). /// An example of this implementation can be found here. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; 
@@ -40,45 +37,52 @@ namespace Pulumi.Keycloak /// RealmId = realm.Id, /// ProviderId = "custom", /// Enabled = true, + /// Config = + /// { + /// { "dummyString", "foobar" }, + /// { "dummyBool", "true" }, + /// { "multivalue", "value1##value2" }, + /// }, /// }); /// /// }); /// ``` /// - /// ### Argument Reference + /// ## Import /// - /// The following arguments are supported: + /// Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. /// - /// - `realm_id` - (Required) The realm that this provider will provide user federation for. - /// - `name` - (Required) Display name of the provider when displayed in the console. - /// - `provider_id` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. - /// - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. - /// - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. - /// - `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + /// The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: /// - /// ### Import + /// bash /// - /// Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. 
- /// The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: + /// ```sh + /// $ pulumi import keycloak:index/customUserFederation:CustomUserFederation custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 + /// ``` /// [KeycloakResourceType("keycloak:index/customUserFederation:CustomUserFederation")] public partial class CustomUserFederation : global::Pulumi.CustomResource { + /// + /// Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + /// [Output("cachePolicy")] public Output CachePolicy { get; private set; } = null!; /// - /// How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - /// sync. + /// How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. /// [Output("changedSyncPeriod")] public Output ChangedSyncPeriod { get; private set; } = null!; + /// + /// The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + /// [Output("config")] public Output?> Config { get; private set; } = null!; /// - /// When false, this provider will not be used when performing queries for users. + /// When `false`, this provider will not be used when performing queries for users. Defaults to `true`. /// [Output("enabled")] public Output Enabled { get; private set; } = null!; 
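Review bot: The new `Config` documentation says the map is handed verbatim to the custom provider and that `##` separates multi-value settings, but it does not warn that a single value containing `##` will presumably be split, nor that credentials placed in this map (bind passwords, API keys) are persisted with the resource in Pulumi state unless passed as secrets. I would extend the sentence to say that values are joined with the `##` separator, so no individual value may contain it, and that any credential in this map should be supplied as a Pulumi secret. The same sentence also misspells "separate" as "seperate" here and in the two copies in the following hunks. The `CustomUserFederation` class declared in this hunk continues outside it, and the file looks generated, so the wording belongs in the upstream docs patch.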
@@ -96,26 +100,25 @@ public partial class CustomUserFederation : global::Pulumi.CustomResource public Output Name { get; private set; } = null!; /// - /// The parent_id of the generated component. will use realm_id if not specified. + /// Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. /// [Output("parentId")] public Output ParentId { get; private set; } = null!; /// - /// Priority of this provider when looking up users. Lower values are first. + /// Priority of this provider when looking up users. Lower values are first. Defaults to `0`. /// [Output("priority")] public Output Priority { get; private set; } = null!; /// - /// The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - /// interface + /// The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. /// [Output("providerId")] public Output ProviderId { get; private set; } = null!; /// - /// The realm (name) this provider will provide user federation for. + /// The realm that this provider will provide user federation for. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; 
@@ -166,18 +169,24 @@ public static CustomUserFederation Get(string name, Input id, CustomUser public sealed class CustomUserFederationArgs : global::Pulumi.ResourceArgs { + /// + /// Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + /// [Input("cachePolicy")] public Input? CachePolicy { get; set; } /// - /// How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - /// sync. + /// How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. /// [Input("changedSyncPeriod")] public Input? ChangedSyncPeriod { get; set; } [Input("config")] private InputMap? _config; + + /// + /// The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + /// public InputMap Config { get => _config ?? (_config = new InputMap()); @@ -185,7 +194,7 @@ public InputMap Config } /// - /// When false, this provider will not be used when performing queries for users. + /// When `false`, this provider will not be used when performing queries for users. Defaults to `true`. /// [Input("enabled")] public Input? Enabled { get; set; } 
@@ -203,26 +212,25 @@ public InputMap Config public Input? Name { get; set; } /// - /// The parent_id of the generated component. will use realm_id if not specified. + /// Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. /// [Input("parentId")] public Input? ParentId { get; set; } /// - /// Priority of this provider when looking up users. Lower values are first. + /// Priority of this provider when looking up users. Lower values are first. Defaults to `0`. /// [Input("priority")] public Input? Priority { get; set; } /// - /// The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - /// interface + /// The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. /// [Input("providerId", required: true)] public Input ProviderId { get; set; } = null!; /// - /// The realm (name) this provider will provide user federation for. + /// The realm that this provider will provide user federation for. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -235,18 +243,24 @@ public CustomUserFederationArgs() public sealed class CustomUserFederationState : global::Pulumi.ResourceArgs { + /// + /// Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + /// [Input("cachePolicy")] public Input? CachePolicy { get; set; } /// - /// How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - /// sync. + /// How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. /// [Input("changedSyncPeriod")] public Input? ChangedSyncPeriod { get; set; } [Input("config")] private InputMap? _config; + + /// + /// The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + /// public InputMap Config { get => _config ?? (_config = new InputMap()); @@ -254,7 +268,7 @@ public InputMap Config } /// - /// When false, this provider will not be used when performing queries for users. + /// When `false`, this provider will not be used when performing queries for users. Defaults to `true`. /// [Input("enabled")] public Input? Enabled { get; set; } 
@@ -272,26 +286,25 @@ public InputMap Config public Input? Name { get; set; } /// - /// The parent_id of the generated component. will use realm_id if not specified. + /// Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. /// [Input("parentId")] public Input? ParentId { get; set; } /// - /// Priority of this provider when looking up users. Lower values are first. + /// Priority of this provider when looking up users. Lower values are first. Defaults to `0`. /// [Input("priority")] public Input? Priority { get; set; } /// - /// The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - /// interface + /// The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. /// [Input("providerId")] public Input? ProviderId { get; set; } /// - /// The realm (name) this provider will provide user federation for. + /// The realm that this provider will provide user federation for. /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/DefaultGroups.cs b/sdk/dotnet/DefaultGroups.cs index ad4ba44c..59902f62 100644 --- a/sdk/dotnet/DefaultGroups.cs +++ b/sdk/dotnet/DefaultGroups.cs @@ -10,14 +10,11 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.DefaultGroups - /// /// Allows for managing a realm's default groups. /// - /// Note that you should not use `keycloak.DefaultGroups` with a group with memberships managed - /// by `keycloak.GroupMemberships`. + /// > You should not use `keycloak.DefaultGroups` with a group whose members are managed by `keycloak.GroupMemberships`. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; 
@@ -51,25 +48,30 @@ namespace Pulumi.Keycloak /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: + /// ## Import /// - /// - `realm_id` - (Required) The realm this group exists in. - /// - `group_ids` - (Required) A set of group ids that should be default groups on the realm referenced by `realm_id`. + /// Default groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in. /// - /// ### Import + /// Example: /// - /// Groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in. + /// bash /// - /// Example: + /// ```sh + /// $ pulumi import keycloak:index/defaultGroups:DefaultGroups default my-realm + /// ``` /// [KeycloakResourceType("keycloak:index/defaultGroups:DefaultGroups")] public partial class DefaultGroups : global::Pulumi.CustomResource { + /// + /// A set of group ids that should be default groups on the realm referenced by `realm_id`. + /// [Output("groupIds")] public Output> GroupIds { get; private set; } = null!; + /// + /// The realm this group exists in. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; @@ -121,12 +123,19 @@ public sealed class DefaultGroupsArgs : global::Pulumi.ResourceArgs { [Input("groupIds", required: true)] private InputList? _groupIds; + + /// + /// A set of group ids that should be default groups on the realm referenced by `realm_id`. + /// public InputList GroupIds { get => _groupIds ?? (_groupIds = new InputList()); set => _groupIds = value; } + /// + /// The realm this group exists in. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -140,12 +149,19 @@ public sealed class DefaultGroupsState : global::Pulumi.ResourceArgs { [Input("groupIds")] private InputList? _groupIds; + + /// + /// A set of group ids that should be default groups on the realm referenced by `realm_id`. + /// public InputList GroupIds { get => _groupIds ?? (_groupIds = new InputList()); set => _groupIds = value; } + /// + /// The realm this group exists in. + /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/GenericClientProtocolMapper.cs b/sdk/dotnet/GenericClientProtocolMapper.cs index 36296c84..1586953b 100644 --- a/sdk/dotnet/GenericClientProtocolMapper.cs +++ b/sdk/dotnet/GenericClientProtocolMapper.cs @@ -10,9 +10,9 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.GenericClientProtocolMapper + /// !> **WARNING:** This resource is deprecated and will be removed in the next major version. Please use `keycloak.GenericProtocolMapper` instead. /// - /// Allows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak. + /// Allows for creating and managing protocol mappers for both types of clients (openid-connect and saml) within Keycloak. /// /// There are two uses cases for using this resource: /// * If you implemented a custom protocol mapper, this resource can be used to configure it @@ -21,7 +21,7 @@ namespace Pulumi.Keycloak /// Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors. /// Therefore, if possible, a specific mapper should be used. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -47,7 +47,7 @@ namespace Pulumi.Keycloak /// { /// RealmId = realm.Id, /// ClientId = samlClient.Id, - /// Name = "tes-mapper", + /// Name = "test-mapper", /// Protocol = "saml", /// ProtocolMapper = "saml-hardcode-attribute-mapper", /// Config = 
@@ -62,29 +62,23 @@ namespace Pulumi.Keycloak /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required) The client this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the GUI. - /// - `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client. - /// - `protocol_mapper` - (Required) The name of the protocol mapper. The protocol mapper must be - /// compatible with the specified client. - /// - `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. - /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper")] public partial class GenericClientProtocolMapper : global::Pulumi.CustomResource { /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper is attached to. /// [Output("clientId")] public Output ClientId { get; private set; } = null!; 
@@ -95,29 +89,32 @@ public partial class GenericClientProtocolMapper : global::Pulumi.CustomResource [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; + /// + /// A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + /// [Output("config")] public Output> Config { get; private set; } = null!; /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The protocol of the client (openid-connect / saml). + /// The type of client (either `openid-connect` or `saml`). The type must match the type of the client. /// [Output("protocol")] public Output Protocol { get; private set; } = null!; /// - /// The type of the protocol mapper. + /// The name of the protocol mapper. The protocol mapper must be compatible with the specified client. /// [Output("protocolMapper")] public Output ProtocolMapper { get; private set; } = null!; /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; @@ -169,7 +166,7 @@ public static GenericClientProtocolMapper Get(string name, Input id, Gen public sealed class GenericClientProtocolMapperArgs : global::Pulumi.ResourceArgs { /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper is attached to. /// [Input("clientId")] public Input? ClientId { get; set; } 
@@ -182,6 +179,10 @@ public sealed class GenericClientProtocolMapperArgs : global::Pulumi.ResourceArg [Input("config", required: true)] private InputMap? _config; + + /// + /// A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + /// public InputMap Config { get => _config ?? (_config = new InputMap()); @@ -189,25 +190,25 @@ public InputMap Config } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The protocol of the client (openid-connect / saml). + /// The type of client (either `openid-connect` or `saml`). The type must match the type of the client. /// [Input("protocol", required: true)] public Input Protocol { get; set; } = null!; /// - /// The type of the protocol mapper. + /// The name of the protocol mapper. The protocol mapper must be compatible with the specified client. /// [Input("protocolMapper", required: true)] public Input ProtocolMapper { get; set; } = null!; /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; @@ -221,7 +222,7 @@ public GenericClientProtocolMapperArgs() public sealed class GenericClientProtocolMapperState : global::Pulumi.ResourceArgs { /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper is attached to. /// [Input("clientId")] public Input? ClientId { get; set; } 
@@ -234,6 +235,10 @@ public sealed class GenericClientProtocolMapperState : global::Pulumi.ResourceAr [Input("config")] private InputMap? _config; + + /// + /// A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + /// public InputMap Config { get => _config ?? (_config = new InputMap()); @@ -241,25 +246,25 @@ public InputMap Config } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The protocol of the client (openid-connect / saml). + /// The type of client (either `openid-connect` or `saml`). The type must match the type of the client. /// [Input("protocol")] public Input? Protocol { get; set; } /// - /// The type of the protocol mapper. + /// The name of the protocol mapper. The protocol mapper must be compatible with the specified client. /// [Input("protocolMapper")] public Input? ProtocolMapper { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/GetGroup.cs b/sdk/dotnet/GetGroup.cs index befdc837..6bd04ee4 100644 --- a/sdk/dotnet/GetGroup.cs +++ b/sdk/dotnet/GetGroup.cs 
@@ -12,19 +12,97 @@ namespace Pulumi.Keycloak public static class GetGroup { /// - /// ## # keycloak.Group data source - /// /// This data source can be used to fetch properties of a Keycloak group for /// usage with other resources, such as `keycloak.GroupRoles`. + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var offlineAccess = Keycloak.GetRole.Invoke(new() + /// { + /// RealmId = realm.Id, + /// Name = "offline_access", + /// }); + /// + /// var @group = Keycloak.GetGroup.Invoke(new() + /// { + /// RealmId = realm.Id, + /// Name = "group", + /// }); + /// + /// var groupRoles = new Keycloak.GroupRoles("group_roles", new() + /// { + /// RealmId = realm.Id, + /// GroupId = @group.Apply(@group => @group.Apply(getGroupResult => getGroupResult.Id)), + /// RoleIds = new[] + /// { + /// offlineAccess.Apply(getRoleResult => getRoleResult.Id), + /// }, + /// }); + /// + /// }); + /// ``` /// public static Task InvokeAsync(GetGroupArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.InvokeAsync("keycloak:index/getGroup:getGroup", args ?? new GetGroupArgs(), options.WithDefaults()); /// - /// ## # keycloak.Group data source - /// /// This data source can be used to fetch properties of a Keycloak group for /// usage with other resources, such as `keycloak.GroupRoles`. 
+ /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var offlineAccess = Keycloak.GetRole.Invoke(new() + /// { + /// RealmId = realm.Id, + /// Name = "offline_access", + /// }); + /// + /// var @group = Keycloak.GetGroup.Invoke(new() + /// { + /// RealmId = realm.Id, + /// Name = "group", + /// }); + /// + /// var groupRoles = new Keycloak.GroupRoles("group_roles", new() + /// { + /// RealmId = realm.Id, + /// GroupId = @group.Apply(@group => @group.Apply(getGroupResult => getGroupResult.Id)), + /// RoleIds = new[] + /// { + /// offlineAccess.Apply(getRoleResult => getRoleResult.Id), + /// }, + /// }); + /// + /// }); + /// ``` /// public static Output Invoke(GetGroupInvokeArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.Invoke("keycloak:index/getGroup:getGroup", args ?? new GetGroupInvokeArgs(), options.WithDefaults()); @@ -33,9 +111,15 @@ public static Output Invoke(GetGroupInvokeArgs args, InvokeOptio public sealed class GetGroupArgs : global::Pulumi.InvokeArgs { + /// + /// The name of the group. If there are multiple groups match `name`, the first result will be returned. + /// [Input("name", required: true)] public string Name { get; set; } = null!; + /// + /// The realm this group exists within. + /// [Input("realmId", required: true)] public string RealmId { get; set; } = null!; 
@@ -47,9 +131,15 @@ public GetGroupArgs() public sealed class GetGroupInvokeArgs : global::Pulumi.InvokeArgs { + /// + /// The name of the group. If there are multiple groups match `name`, the first result will be returned. + /// [Input("name", required: true)] public Input Name { get; set; } = null!; + /// + /// The realm this group exists within. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; diff --git a/sdk/dotnet/GetRealm.cs b/sdk/dotnet/GetRealm.cs index 74cfc853..efc7d18a 100644 --- a/sdk/dotnet/GetRealm.cs +++ b/sdk/dotnet/GetRealm.cs @@ -12,12 +12,10 @@ namespace Pulumi.Keycloak public static class GetRealm { /// - /// ## # keycloak.Realm data source - /// /// This data source can be used to fetch properties of a Keycloak realm for /// usage with other resources. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -35,33 +33,21 @@ public static class GetRealm /// // use the data source /// var @group = new Keycloak.Role("group", new() /// { - /// RealmId = id, + /// RealmId = realm.Apply(getRealmResult => getRealmResult.Id), /// Name = "group", /// }); /// /// }); /// ``` - /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm` - (Required) The realm name. - /// - /// ### Attributes Reference - /// - /// See the docs for the `keycloak.Realm` resource for details on the exported attributes. /// public static Task InvokeAsync(GetRealmArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.InvokeAsync("keycloak:index/getRealm:getRealm", args ?? new GetRealmArgs(), options.WithDefaults()); /// - /// ## # keycloak.Realm data source - /// /// This data source can be used to fetch properties of a Keycloak realm for /// usage with other resources. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; 
@@ -79,22 +65,12 @@ public static Task InvokeAsync(GetRealmArgs args, InvokeOptions? /// // use the data source /// var @group = new Keycloak.Role("group", new() /// { - /// RealmId = id, + /// RealmId = realm.Apply(getRealmResult => getRealmResult.Id), /// Name = "group", /// }); /// /// }); /// ``` - /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm` - (Required) The realm name. - /// - /// ### Attributes Reference - /// - /// See the docs for the `keycloak.Realm` resource for details on the exported attributes. /// public static Output Invoke(GetRealmInvokeArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.Invoke("keycloak:index/getRealm:getRealm", args ?? new GetRealmInvokeArgs(), options.WithDefaults()); @@ -141,6 +117,9 @@ public List Internationalizations [Input("otpPolicy")] public Inputs.GetRealmOtpPolicyArgs? OtpPolicy { get; set; } + /// + /// The realm name. + /// [Input("realm", required: true)] public string Realm { get; set; } = null!; @@ -212,6 +191,9 @@ public InputList Internationalizat [Input("otpPolicy")] public Input? OtpPolicy { get; set; } + /// + /// The realm name. + /// [Input("realm", required: true)] public Input Realm { get; set; } = null!; diff --git a/sdk/dotnet/GetRealmKeys.cs b/sdk/dotnet/GetRealmKeys.cs index af89f1f5..909cd03e 100644 --- a/sdk/dotnet/GetRealmKeys.cs +++ b/sdk/dotnet/GetRealmKeys.cs 
@@ -12,29 +12,25 @@ namespace Pulumi.Keycloak public static class GetRealmKeys { /// - /// ## # keycloak.getRealmKeys data source - /// /// Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. /// /// Remarks: /// /// - A key must meet all filter criteria - /// - This datasource may return more than one value. - /// - If no key matches the filter criteria, then an error is returned. + /// - This data source may return more than one value. + /// - If no key matches the filter criteria, then an error will be returned. /// public static Task InvokeAsync(GetRealmKeysArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.InvokeAsync("keycloak:index/getRealmKeys:getRealmKeys", args ?? new GetRealmKeysArgs(), options.WithDefaults()); /// - /// ## # keycloak.getRealmKeys data source - /// /// Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. /// /// Remarks: /// /// - A key must meet all filter criteria - /// - This datasource may return more than one value. - /// - If no key matches the filter criteria, then an error is returned. + /// - This data source may return more than one value. + /// - If no key matches the filter criteria, then an error will be returned. /// public static Output Invoke(GetRealmKeysInvokeArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.Invoke("keycloak:index/getRealmKeys:getRealmKeys", args ?? new GetRealmKeysInvokeArgs(), options.WithDefaults()); 
@@ -45,17 +41,28 @@ public sealed class GetRealmKeysArgs : global::Pulumi.InvokeArgs { [Input("algorithms")] private List? _algorithms; + + /// + /// When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + /// public List Algorithms { get => _algorithms ?? (_algorithms = new List()); set => _algorithms = value; } + /// + /// The realm from which the keys will be retrieved. + /// [Input("realmId", required: true)] public string RealmId { get; set; } = null!; [Input("statuses")] private List? _statuses; + + /// + /// When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + /// public List Statuses { get => _statuses ?? (_statuses = new List()); @@ -72,17 +79,28 @@ public sealed class GetRealmKeysInvokeArgs : global::Pulumi.InvokeArgs { [Input("algorithms")] private InputList? _algorithms; + + /// + /// When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + /// public InputList Algorithms { get => _algorithms ?? (_algorithms = new InputList()); set => _algorithms = value; } + /// + /// The realm from which the keys will be retrieved. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; [Input("statuses")] private InputList? _statuses; + + /// + /// When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + /// public InputList Statuses { get => _statuses ?? (_statuses = new InputList()); @@ -104,8 +122,14 @@ public sealed class GetRealmKeysResult /// The provider-assigned unique ID for this managed resource. /// public readonly string Id; + /// + /// (Computed) A list of keys that match the filter criteria. Each key has the following attributes: + /// public readonly ImmutableArray Keys; public readonly string RealmId; + /// + /// Key status (string) + /// public readonly ImmutableArray Statuses; [OutputConstructor] 
diff --git a/sdk/dotnet/GetRole.cs b/sdk/dotnet/GetRole.cs index f561619a..12825517 100644 --- a/sdk/dotnet/GetRole.cs +++ b/sdk/dotnet/GetRole.cs 
@@ -12,19 +12,99 @@ namespace Pulumi.Keycloak public static class GetRole { /// - /// ## # keycloak.Role data source - /// /// This data source can be used to fetch properties of a Keycloak role for /// usage with other resources, such as `keycloak.GroupRoles`. + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var offlineAccess = Keycloak.GetRole.Invoke(new() + /// { + /// RealmId = realm.Id, + /// Name = "offline_access", + /// }); + /// + /// // use the data source + /// var @group = new Keycloak.Group("group", new() + /// { + /// RealmId = realm.Id, + /// Name = "group", + /// }); + /// + /// var groupRoles = new Keycloak.GroupRoles("group_roles", new() + /// { + /// RealmId = realm.Id, + /// GroupId = @group.Id, + /// RoleIds = new[] + /// { + /// offlineAccess.Apply(getRoleResult => getRoleResult.Id), + /// }, + /// }); + /// + /// }); + /// ``` /// public static Task InvokeAsync(GetRoleArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.InvokeAsync("keycloak:index/getRole:getRole", args ?? new GetRoleArgs(), options.WithDefaults()); /// - /// ## # keycloak.Role data source - /// /// This data source can be used to fetch properties of a Keycloak role for /// usage with other resources, such as `keycloak.GroupRoles`. 
+ /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var offlineAccess = Keycloak.GetRole.Invoke(new() + /// { + /// RealmId = realm.Id, + /// Name = "offline_access", + /// }); + /// + /// // use the data source + /// var @group = new Keycloak.Group("group", new() + /// { + /// RealmId = realm.Id, + /// Name = "group", + /// }); + /// + /// var groupRoles = new Keycloak.GroupRoles("group_roles", new() + /// { + /// RealmId = realm.Id, + /// GroupId = @group.Id, + /// RoleIds = new[] + /// { + /// offlineAccess.Apply(getRoleResult => getRoleResult.Id), + /// }, + /// }); + /// + /// }); + /// ``` /// public static Output Invoke(GetRoleInvokeArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.Invoke("keycloak:index/getRole:getRole", args ?? new GetRoleInvokeArgs(), options.WithDefaults()); @@ -33,12 +113,21 @@ public static Output Invoke(GetRoleInvokeArgs args, InvokeOptions public sealed class GetRoleArgs : global::Pulumi.InvokeArgs { + /// + /// When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here. + /// [Input("clientId")] public string? ClientId { get; set; } + /// + /// The name of the role. + /// [Input("name", required: true)] public string Name { get; set; } = null!; + /// + /// The realm this role exists within. + /// [Input("realmId", required: true)] public string RealmId { get; set; } = null!; 
@@ -50,12 +139,21 @@ public GetRoleArgs() public sealed class GetRoleInvokeArgs : global::Pulumi.InvokeArgs { + /// + /// When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here. + /// [Input("clientId")] public Input? ClientId { get; set; } + /// + /// The name of the role. + /// [Input("name", required: true)] public Input Name { get; set; } = null!; + /// + /// The realm this role exists within. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; @@ -72,6 +170,9 @@ public sealed class GetRoleResult public readonly ImmutableDictionary Attributes; public readonly string? ClientId; public readonly ImmutableArray CompositeRoles; + /// + /// (Computed) The description of the role. + /// public readonly string Description; /// /// The provider-assigned unique ID for this managed resource. diff --git a/sdk/dotnet/Group.cs b/sdk/dotnet/Group.cs index e4ce0b24..26b2b658 100644 --- a/sdk/dotnet/Group.cs +++ b/sdk/dotnet/Group.cs 
@@ -10,20 +10,17 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.Group - /// /// Allows for creating and managing Groups within Keycloak. /// - /// Groups provide a logical wrapping for users within Keycloak. Users within a - /// group can share attributes and roles, and group membership can be mapped - /// to a claim. + /// Groups provide a logical wrapping for users within Keycloak. Users within a group can share attributes and roles, and + /// group membership can be mapped to a claim. /// /// Attributes can also be defined on Groups. /// - /// Groups can also be federated from external data sources, such as LDAP or Active Directory. - /// This resource **should not** be used to manage groups that were created this way. + /// Groups can also be federated from external data sources, such as LDAP or Active Directory. This resource **should not** + /// be used to manage groups that were created this way. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; 
@@ -59,51 +56,58 @@ namespace Pulumi.Keycloak /// Name = "child-group-with-optional-attributes", /// Attributes = /// { - /// { "key1", "value1" }, - /// { "key2", "value2" }, + /// { "foo", "bar" }, + /// { "multivalue", "value1##value2" }, /// }, /// }); /// /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this group exists in. - /// - `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level. - /// - `name` - (Required) The name of the group. - /// - `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group. - /// - /// ### Attributes Reference - /// - /// In addition to the arguments listed above, the following computed attributes are exported: - /// - /// - `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. - /// - /// ### Import + /// ## Import /// /// Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak + /// /// assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID. /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:index/group:Group child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd + /// ``` /// [KeycloakResourceType("keycloak:index/group:Group")] public partial class Group : global::Pulumi.CustomResource { + /// + /// A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + /// [Output("attributes")] public Output?> Attributes { get; private set; } = null!; + /// + /// The name of the group. 
+ /// [Output("name")] public Output Name { get; private set; } = null!; + /// + /// The ID of this group's parent. If omitted, this group will be defined at the root level. + /// [Output("parentId")] public Output ParentId { get; private set; } = null!; + /// + /// (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + /// [Output("path")] public Output Path { get; private set; } = null!; + /// + /// The realm this group exists in. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; @@ -155,18 +159,31 @@ public sealed class GroupArgs : global::Pulumi.ResourceArgs { [Input("attributes")] private InputMap? _attributes; + + /// + /// A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + /// public InputMap Attributes { get => _attributes ?? (_attributes = new InputMap()); set => _attributes = value; } + /// + /// The name of the group. + /// [Input("name")] public Input? Name { get; set; } + /// + /// The ID of this group's parent. If omitted, this group will be defined at the root level. + /// [Input("parentId")] public Input? ParentId { get; set; } + /// + /// The realm this group exists in. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -180,21 +197,37 @@ public sealed class GroupState : global::Pulumi.ResourceArgs { [Input("attributes")] private InputMap? _attributes; + + /// + /// A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + /// public InputMap Attributes { get => _attributes ?? (_attributes = new InputMap()); set => _attributes = value; } + /// + /// The name of the group. + /// [Input("name")] public Input? Name { get; set; } + /// + /// The ID of this group's parent. If omitted, this group will be defined at the root level. + /// [Input("parentId")] public Input? ParentId { get; set; } + /// + /// (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + /// [Input("path")] public Input? Path { get; set; } + /// + /// The realm this group exists in. + /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/GroupMemberships.cs b/sdk/dotnet/GroupMemberships.cs index ff027df4..cb6758ad 100644 --- a/sdk/dotnet/GroupMemberships.cs +++ b/sdk/dotnet/GroupMemberships.cs 
@@ -10,23 +10,23 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.GroupMemberships - /// /// Allows for managing a Keycloak group's members. /// - /// Note that this resource attempts to be an **authoritative** source over group members. - /// When this resource takes control over a group's members, users that are manually added - /// to the group will be removed, and users that are manually removed from the group will - /// be added upon the next run of `pulumi up`. Eventually, a non-authoritative resource - /// for group membership will be added to this provider. + /// Note that this resource attempts to be an **authoritative** source over group members. When this resource takes control + /// over a group's members, users that are manually added to the group will be removed, and users that are manually removed + /// from the group will be added upon the next run of `pulumi up`. + /// + /// Also note that you should not use `keycloak.GroupMemberships` with a group has been assigned as a default group via + /// `keycloak.DefaultGroups`. /// - /// Also note that you should not use `keycloak.GroupMemberships` with a group has been assigned - /// as a default group via `keycloak.DefaultGroups`. + /// This resource **should not** be used to control membership of a group that has its members federated from an external + /// source via group mapping. /// - /// This resource **should not** be used to control membership of a group that has its members - /// federated from an external source via group mapping. + /// To non-exclusively manage the group's of a user, see the [`keycloak.UserGroups` resource][1] /// - /// ### Example Usage + /// This resource paginates its data loading on refresh by 50 items. + /// + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; 
@@ -67,28 +67,32 @@ namespace Pulumi.Keycloak /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this group exists in. - /// - `group_id` - (Required) The ID of the group this resource should manage memberships for. - /// - `members` - (Required) An array of usernames that belong to this group. - /// - /// ### Import + /// ## Import /// /// This resource does not support import. Instead of importing, feel free to create this resource + /// /// as if it did not already exist on the server. + /// + /// [1]: providers/mrparkers/keycloak/latest/docs/resources/group_memberships /// [KeycloakResourceType("keycloak:index/groupMemberships:GroupMemberships")] public partial class GroupMemberships : global::Pulumi.CustomResource { + /// + /// The ID of the group this resource should manage memberships for. + /// [Output("groupId")] public Output GroupId { get; private set; } = null!; + /// + /// A list of usernames that belong to this group. + /// [Output("members")] public Output> Members { get; private set; } = null!; + /// + /// The realm this group exists in. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; @@ -138,17 +142,27 @@ public static GroupMemberships Get(string name, Input id, GroupMembershi public sealed class GroupMembershipsArgs : global::Pulumi.ResourceArgs { + /// + /// The ID of the group this resource should manage memberships for. + /// [Input("groupId")] public Input? GroupId { get; set; } [Input("members", required: true)] private InputList? _members; + + /// + /// A list of usernames that belong to this group. + /// public InputList Members { get => _members ?? (_members = new InputList()); set => _members = value; } + /// + /// The realm this group exists in. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -160,17 +174,27 @@ public GroupMembershipsArgs() public sealed class GroupMembershipsState : global::Pulumi.ResourceArgs { + /// + /// The ID of the group this resource should manage memberships for. + /// [Input("groupId")] public Input? GroupId { get; set; } [Input("members")] private InputList? _members; + + /// + /// A list of usernames that belong to this group. + /// public InputList Members { get => _members ?? (_members = new InputList()); set => _members = value; } + /// + /// The realm this group exists in. + /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/GroupRoles.cs b/sdk/dotnet/GroupRoles.cs index c4da6659..3ddb3d8e 100644 --- a/sdk/dotnet/GroupRoles.cs +++ b/sdk/dotnet/GroupRoles.cs 
@@ -10,21 +10,18 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.GroupRoles - /// /// Allows you to manage roles assigned to a Keycloak group. /// - /// Note that this resource attempts to be an **authoritative** source over - /// group roles. When this resource takes control over a group's roles, - /// roles that are manually added to the group will be removed, and roles - /// that are manually removed from the group will be added upon the next run - /// of `pulumi up`. + /// If `exhaustive` is true, this resource attempts to be an **authoritative** source over group roles: roles that are manually added to the group will be removed, and roles that are manually removed from the + /// group will be added upon the next run of `pulumi up`. + /// If `exhaustive` is false, this resource is a partial assignation of roles to a group. As a result, you can get multiple `keycloak.GroupRoles` for the same `group_id`. + /// + /// Note that when assigning composite roles to a group, you may see a non-empty plan following a `pulumi up` if you + /// assign a role and a composite that includes that role to the same group. /// - /// Note that when assigning composite roles to a group, you may see a - /// non-empty plan following a `pulumi up` if you assign a role and a - /// composite that includes that role to the same group. + /// ## Example Usage /// - /// ### Example Usage + /// ### Exhaustive Roles) /// /// ```csharp /// using System.Collections.Generic; 
@@ -84,36 +81,117 @@ namespace Pulumi.Keycloak /// }); /// ``` /// - /// ### Argument Reference + /// ### Non Exhaustive Roles) + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var realmRole = new Keycloak.Role("realm_role", new() + /// { + /// RealmId = realm.Id, + /// Name = "my-realm-role", + /// Description = "My Realm Role", + /// }); + /// + /// var client = new Keycloak.OpenId.Client("client", new() + /// { + /// RealmId = realm.Id, + /// ClientId = "client", + /// Name = "client", + /// Enabled = true, + /// AccessType = "BEARER-ONLY", + /// }); + /// + /// var clientRole = new Keycloak.Role("client_role", new() + /// { + /// RealmId = realm.Id, + /// ClientId = clientKeycloakClient.Id, + /// Name = "my-client-role", + /// Description = "My Client Role", + /// }); + /// + /// var @group = new Keycloak.Group("group", new() + /// { + /// RealmId = realm.Id, + /// Name = "my-group", + /// }); + /// + /// var groupRoleAssociation1 = new Keycloak.GroupRoles("group_role_association1", new() + /// { + /// RealmId = realm.Id, + /// GroupId = @group.Id, + /// Exhaustive = false, + /// RoleIds = new[] + /// { + /// realmRole.Id, + /// }, + /// }); + /// + /// var groupRoleAssociation2 = new Keycloak.GroupRoles("group_role_association2", new() + /// { + /// RealmId = realm.Id, + /// GroupId = @group.Id, + /// Exhaustive = false, + /// RoleIds = new[] + /// { + /// clientRole.Id, + /// }, + /// }); + /// + /// }); + /// ``` /// - /// The following arguments are supported: + /// ## Import /// - /// - `realm_id` - (Required) The realm this group exists in. - /// - `group_id` - (Required) The ID of the group this resource should - /// manage roles for. 
- /// - `role_ids` - (Required) A list of role IDs to map to the group + /// This resource can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak /// - /// ### Import + /// assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically /// - /// This resource can be imported using the format - /// `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that - /// Keycloak assigns to the group upon creation. This value can be found in - /// the URI when editing this group in the GUI, and is typically a GUID. + /// a GUID. /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:index/groupRoles:GroupRoles group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94 + /// ``` /// [KeycloakResourceType("keycloak:index/groupRoles:GroupRoles")] public partial class GroupRoles : global::Pulumi.CustomResource { + /// + /// Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + /// [Output("exhaustive")] public Output Exhaustive { get; private set; } = null!; + /// + /// The ID of the group this resource should manage roles for. + /// [Output("groupId")] public Output GroupId { get; private set; } = null!; + /// + /// The realm this group exists in. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// A list of role IDs to map to the group. + /// [Output("roleIds")] public Output> RoleIds { get; private set; } = null!; 
@@ -163,17 +241,30 @@ public static GroupRoles Get(string name, Input id, GroupRolesState? sta public sealed class GroupRolesArgs : global::Pulumi.ResourceArgs { + /// + /// Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + /// [Input("exhaustive")] public Input? Exhaustive { get; set; } + /// + /// The ID of the group this resource should manage roles for. + /// [Input("groupId", required: true)] public Input GroupId { get; set; } = null!; + /// + /// The realm this group exists in. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; [Input("roleIds", required: true)] private InputList? _roleIds; + + /// + /// A list of role IDs to map to the group. + /// public InputList RoleIds { get => _roleIds ?? (_roleIds = new InputList()); @@ -188,17 +279,30 @@ public GroupRolesArgs() public sealed class GroupRolesState : global::Pulumi.ResourceArgs { + /// + /// Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + /// [Input("exhaustive")] public Input? Exhaustive { get; set; } + /// + /// The ID of the group this resource should manage roles for. + /// [Input("groupId")] public Input? GroupId { get; set; } + /// + /// The realm this group exists in. + /// [Input("realmId")] public Input? RealmId { get; set; } [Input("roleIds")] private InputList? _roleIds; + + /// + /// A list of role IDs to map to the group. + /// public InputList RoleIds { get => _roleIds ?? (_roleIds = new InputList()); diff --git a/sdk/dotnet/Inputs/RealmInternationalizationArgs.cs b/sdk/dotnet/Inputs/RealmInternationalizationArgs.cs index 67846725..71aa11fc 100644 --- a/sdk/dotnet/Inputs/RealmInternationalizationArgs.cs +++ b/sdk/dotnet/Inputs/RealmInternationalizationArgs.cs 
@@ -12,11 +12,18 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmInternationalizationArgs : global::Pulumi.ResourceArgs { + /// + /// The locale to use by default. This locale code must be present within the `supported_locales` list. + /// [Input("defaultLocale", required: true)] public Input DefaultLocale { get; set; } = null!; [Input("supportedLocales", required: true)] private InputList? _supportedLocales; + + /// + /// A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + /// public InputList SupportedLocales { get => _supportedLocales ?? (_supportedLocales = new InputList()); diff --git a/sdk/dotnet/Inputs/RealmInternationalizationGetArgs.cs b/sdk/dotnet/Inputs/RealmInternationalizationGetArgs.cs index b82eabaa..f83787ae 100644 --- a/sdk/dotnet/Inputs/RealmInternationalizationGetArgs.cs +++ b/sdk/dotnet/Inputs/RealmInternationalizationGetArgs.cs @@ -12,11 +12,18 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmInternationalizationGetArgs : global::Pulumi.ResourceArgs { + /// + /// The locale to use by default. This locale code must be present within the `supported_locales` list. + /// [Input("defaultLocale", required: true)] public Input DefaultLocale { get; set; } = null!; [Input("supportedLocales", required: true)] private InputList? _supportedLocales; + + /// + /// A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + /// public InputList SupportedLocales { get => _supportedLocales ?? (_supportedLocales = new InputList()); diff --git a/sdk/dotnet/Inputs/RealmOtpPolicyArgs.cs b/sdk/dotnet/Inputs/RealmOtpPolicyArgs.cs index 58b28767..a327de3f 100644 --- a/sdk/dotnet/Inputs/RealmOtpPolicyArgs.cs +++ b/sdk/dotnet/Inputs/RealmOtpPolicyArgs.cs 
@@ -13,25 +13,37 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmOtpPolicyArgs : global::Pulumi.ResourceArgs { /// - /// What hashing algorithm should be used to generate the OTP. + /// What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. /// [Input("algorithm")] public Input? Algorithm { get; set; } + /// + /// How many digits the OTP have. Defaults to `6`. + /// [Input("digits")] public Input? Digits { get; set; } + /// + /// What should the initial counter value be. Defaults to `2`. + /// [Input("initialCounter")] public Input? InitialCounter { get; set; } + /// + /// How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + /// [Input("lookAheadWindow")] public Input? LookAheadWindow { get; set; } + /// + /// How many seconds should an OTP token be valid. Defaults to `30`. + /// [Input("period")] public Input? Period { get; set; } /// - /// OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + /// One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. /// [Input("type")] public Input? Type { get; set; } diff --git a/sdk/dotnet/Inputs/RealmOtpPolicyGetArgs.cs b/sdk/dotnet/Inputs/RealmOtpPolicyGetArgs.cs index ca981b59..c190e0ae 100644 --- a/sdk/dotnet/Inputs/RealmOtpPolicyGetArgs.cs +++ b/sdk/dotnet/Inputs/RealmOtpPolicyGetArgs.cs 
@@ -13,25 +13,37 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmOtpPolicyGetArgs : global::Pulumi.ResourceArgs { /// - /// What hashing algorithm should be used to generate the OTP. + /// What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. /// [Input("algorithm")] public Input? Algorithm { get; set; } + /// + /// How many digits the OTP have. Defaults to `6`. + /// [Input("digits")] public Input? Digits { get; set; } + /// + /// What should the initial counter value be. Defaults to `2`. + /// [Input("initialCounter")] public Input? InitialCounter { get; set; } + /// + /// How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + /// [Input("lookAheadWindow")] public Input? LookAheadWindow { get; set; } + /// + /// How many seconds should an OTP token be valid. Defaults to `30`. + /// [Input("period")] public Input? Period { get; set; } /// - /// OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + /// One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. /// [Input("type")] public Input? Type { get; set; } diff --git a/sdk/dotnet/Inputs/RealmSecurityDefensesBruteForceDetectionArgs.cs b/sdk/dotnet/Inputs/RealmSecurityDefensesBruteForceDetectionArgs.cs index 3128fe67..d7bb4a19 100644 --- a/sdk/dotnet/Inputs/RealmSecurityDefensesBruteForceDetectionArgs.cs +++ b/sdk/dotnet/Inputs/RealmSecurityDefensesBruteForceDetectionArgs.cs 
@@ -12,24 +12,43 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmSecurityDefensesBruteForceDetectionArgs : global::Pulumi.ResourceArgs { + /// + /// When will failure count be reset? + /// [Input("failureResetTimeSeconds")] public Input? FailureResetTimeSeconds { get; set; } [Input("maxFailureWaitSeconds")] public Input? MaxFailureWaitSeconds { get; set; } + /// + /// How many failures before wait is triggered. + /// [Input("maxLoginFailures")] public Input? MaxLoginFailures { get; set; } + /// + /// How long to wait after a quick login failure. + /// - `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + /// [Input("minimumQuickLoginWaitSeconds")] public Input? MinimumQuickLoginWaitSeconds { get; set; } + /// + /// When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + /// [Input("permanentLockout")] public Input? PermanentLockout { get; set; } + /// + /// Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + /// [Input("quickLoginCheckMilliSeconds")] public Input? QuickLoginCheckMilliSeconds { get; set; } + /// + /// This represents the amount of time a user should be locked out when the login failure threshold has been met. + /// [Input("waitIncrementSeconds")] public Input? WaitIncrementSeconds { get; set; } diff --git a/sdk/dotnet/Inputs/RealmSecurityDefensesBruteForceDetectionGetArgs.cs b/sdk/dotnet/Inputs/RealmSecurityDefensesBruteForceDetectionGetArgs.cs index f1b06b66..1db5ac31 100644 --- a/sdk/dotnet/Inputs/RealmSecurityDefensesBruteForceDetectionGetArgs.cs +++ b/sdk/dotnet/Inputs/RealmSecurityDefensesBruteForceDetectionGetArgs.cs 
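Review bot: The summary added for `MinimumQuickLoginWaitSeconds` carries a stray second line, `- `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out.`, which describes `MaxFailureWaitSeconds` — the one property in this class that is still left without any summary, so the lockout ceiling is documented on the wrong input. This looks like a bullet-splitting artifact in the docs the SDK is generated from, so the fix belongs there rather than in this file: give `MaxFailureWaitSeconds` its own `/// Max. time a user will be locked out.` and leave `/// How long to wait after a quick login failure.` alone on `MinimumQuickLoginWaitSeconds`. The identical text appears in the next hunk for `RealmSecurityDefensesBruteForceDetectionGetArgs`.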
@@ -12,24 +12,43 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmSecurityDefensesBruteForceDetectionGetArgs : global::Pulumi.ResourceArgs { + /// + /// When will failure count be reset? + /// [Input("failureResetTimeSeconds")] public Input? FailureResetTimeSeconds { get; set; } [Input("maxFailureWaitSeconds")] public Input? MaxFailureWaitSeconds { get; set; } + /// + /// How many failures before wait is triggered. + /// [Input("maxLoginFailures")] public Input? MaxLoginFailures { get; set; } + /// + /// How long to wait after a quick login failure. + /// - `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + /// [Input("minimumQuickLoginWaitSeconds")] public Input? MinimumQuickLoginWaitSeconds { get; set; } + /// + /// When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + /// [Input("permanentLockout")] public Input? PermanentLockout { get; set; } + /// + /// Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + /// [Input("quickLoginCheckMilliSeconds")] public Input? QuickLoginCheckMilliSeconds { get; set; } + /// + /// This represents the amount of time a user should be locked out when the login failure threshold has been met. + /// [Input("waitIncrementSeconds")] public Input? WaitIncrementSeconds { get; set; } diff --git a/sdk/dotnet/Inputs/RealmSecurityDefensesHeadersArgs.cs b/sdk/dotnet/Inputs/RealmSecurityDefensesHeadersArgs.cs index a9911e0f..6e3646f2 100644 --- a/sdk/dotnet/Inputs/RealmSecurityDefensesHeadersArgs.cs +++ b/sdk/dotnet/Inputs/RealmSecurityDefensesHeadersArgs.cs 
@@ -12,27 +12,51 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmSecurityDefensesHeadersArgs : global::Pulumi.ResourceArgs { + /// + /// Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + /// [Input("contentSecurityPolicy")] public Input? ContentSecurityPolicy { get; set; } + /// + /// Used for testing Content Security Policies. + /// [Input("contentSecurityPolicyReportOnly")] public Input? ContentSecurityPolicyReportOnly { get; set; } + /// + /// The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + /// [Input("referrerPolicy")] public Input? ReferrerPolicy { get; set; } + /// + /// The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + /// [Input("strictTransportSecurity")] public Input? StrictTransportSecurity { get; set; } + /// + /// Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + /// [Input("xContentTypeOptions")] public Input? XContentTypeOptions { get; set; } + /// + /// Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + /// [Input("xFrameOptions")] public Input? XFrameOptions { get; set; } + /// + /// Prevent pages from appearing in search engines. + /// [Input("xRobotsTag")] public Input? XRobotsTag { get; set; } + /// + /// This header configures the Cross-site scripting (XSS) filter in your browser. + /// [Input("xXssProtection")] public Input? XXssProtection { get; set; } diff --git a/sdk/dotnet/Inputs/RealmSecurityDefensesHeadersGetArgs.cs b/sdk/dotnet/Inputs/RealmSecurityDefensesHeadersGetArgs.cs index ada410ba..3411184c 100644 
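Review bot: The summary on `StrictTransportSecurity` names the header `Script-Transport-Security`; the header is `Strict-Transport-Security` (HSTS), and since this summary is what IDE tooltips show SDK users, the wrong name should be corrected before it is carried into the other language SDKs. Suggest `/// The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.`, applied in the upstream docs source if this file is generated. The `ContentSecurityPolicy` summary also reduces CSP to blocking non-origin iframes, which is only its `frame-ancestors` directive; a wording such as `/// Sets the Content-Security-Policy header, which restricts the sources a page may load or be framed by.` would be less misleading. The same text is repeated in the following `RealmSecurityDefensesHeadersGetArgs` hunk.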
--- a/sdk/dotnet/Inputs/RealmSecurityDefensesHeadersGetArgs.cs +++ b/sdk/dotnet/Inputs/RealmSecurityDefensesHeadersGetArgs.cs @@ -12,27 +12,51 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmSecurityDefensesHeadersGetArgs : global::Pulumi.ResourceArgs { + /// + /// Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + /// [Input("contentSecurityPolicy")] public Input? ContentSecurityPolicy { get; set; } + /// + /// Used for testing Content Security Policies. + /// [Input("contentSecurityPolicyReportOnly")] public Input? ContentSecurityPolicyReportOnly { get; set; } + /// + /// The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + /// [Input("referrerPolicy")] public Input? ReferrerPolicy { get; set; } + /// + /// The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + /// [Input("strictTransportSecurity")] public Input? StrictTransportSecurity { get; set; } + /// + /// Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + /// [Input("xContentTypeOptions")] public Input? XContentTypeOptions { get; set; } + /// + /// Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + /// [Input("xFrameOptions")] public Input? XFrameOptions { get; set; } + /// + /// Prevent pages from appearing in search engines. + /// [Input("xRobotsTag")] public Input? XRobotsTag { get; set; } + /// + /// This header configures the Cross-site scripting (XSS) filter in your browser. + /// [Input("xXssProtection")] public Input? XXssProtection { get; set; } 
diff --git a/sdk/dotnet/Inputs/RealmSmtpServerArgs.cs b/sdk/dotnet/Inputs/RealmSmtpServerArgs.cs index da22fdaf..b82e0082 100644 --- a/sdk/dotnet/Inputs/RealmSmtpServerArgs.cs +++ b/sdk/dotnet/Inputs/RealmSmtpServerArgs.cs @@ -12,33 +12,63 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmSmtpServerArgs : global::Pulumi.ResourceArgs { + /// + /// Enables authentication to the SMTP server. This block supports the following arguments: + /// [Input("auth")] public Input? Auth { get; set; } + /// + /// The email address uses for bounces. + /// [Input("envelopeFrom")] public Input? EnvelopeFrom { get; set; } + /// + /// The email address for the sender. + /// [Input("from", required: true)] public Input From { get; set; } = null!; + /// + /// The display name of the sender email address. + /// [Input("fromDisplayName")] public Input? FromDisplayName { get; set; } + /// + /// The host of the SMTP server. + /// [Input("host", required: true)] public Input Host { get; set; } = null!; + /// + /// The port of the SMTP server (defaults to 25). + /// [Input("port")] public Input? Port { get; set; } + /// + /// The "reply to" email address. + /// [Input("replyTo")] public Input? ReplyTo { get; set; } + /// + /// The display name of the "reply to" email address. + /// [Input("replyToDisplayName")] public Input? ReplyToDisplayName { get; set; } + /// + /// When `true`, enables SSL. Defaults to `false`. + /// [Input("ssl")] public Input? Ssl { get; set; } + /// + /// When `true`, enables StartTLS. Defaults to `false`. + /// [Input("starttls")] public Input? Starttls { get; set; } diff --git a/sdk/dotnet/Inputs/RealmSmtpServerAuthArgs.cs b/sdk/dotnet/Inputs/RealmSmtpServerAuthArgs.cs index 1aea2c9b..40eb6e0b 100644 --- a/sdk/dotnet/Inputs/RealmSmtpServerAuthArgs.cs +++ b/sdk/dotnet/Inputs/RealmSmtpServerAuthArgs.cs 
@@ -14,6 +14,10 @@ public sealed class RealmSmtpServerAuthArgs : global::Pulumi.ResourceArgs { [Input("password", required: true)] private Input? _password; + + /// + /// The SMTP server password. + /// public Input? Password { get => _password; @@ -24,6 +28,9 @@ public Input? Password } } + /// + /// The SMTP server username. + /// [Input("username", required: true)] public Input Username { get; set; } = null!; diff --git a/sdk/dotnet/Inputs/RealmSmtpServerAuthGetArgs.cs b/sdk/dotnet/Inputs/RealmSmtpServerAuthGetArgs.cs index 443bb57f..2b6eced4 100644 --- a/sdk/dotnet/Inputs/RealmSmtpServerAuthGetArgs.cs +++ b/sdk/dotnet/Inputs/RealmSmtpServerAuthGetArgs.cs @@ -14,6 +14,10 @@ public sealed class RealmSmtpServerAuthGetArgs : global::Pulumi.ResourceArgs { [Input("password", required: true)] private Input? _password; + + /// + /// The SMTP server password. + /// public Input? Password { get => _password; @@ -24,6 +28,9 @@ public Input? Password } } + /// + /// The SMTP server username. + /// [Input("username", required: true)] public Input Username { get; set; } = null!; diff --git a/sdk/dotnet/Inputs/RealmSmtpServerGetArgs.cs b/sdk/dotnet/Inputs/RealmSmtpServerGetArgs.cs index 57c54c35..8b3fd44a 100644 --- a/sdk/dotnet/Inputs/RealmSmtpServerGetArgs.cs +++ b/sdk/dotnet/Inputs/RealmSmtpServerGetArgs.cs 
@@ -12,33 +12,63 @@ namespace Pulumi.Keycloak.Inputs public sealed class RealmSmtpServerGetArgs : global::Pulumi.ResourceArgs { + /// + /// Enables authentication to the SMTP server. This block supports the following arguments: + /// [Input("auth")] public Input? Auth { get; set; } + /// + /// The email address uses for bounces. + /// [Input("envelopeFrom")] public Input? EnvelopeFrom { get; set; } + /// + /// The email address for the sender. + /// [Input("from", required: true)] public Input From { get; set; } = null!; + /// + /// The display name of the sender email address. + /// [Input("fromDisplayName")] public Input? FromDisplayName { get; set; } + /// + /// The host of the SMTP server. + /// [Input("host", required: true)] public Input Host { get; set; } = null!; + /// + /// The port of the SMTP server (defaults to 25). + /// [Input("port")] public Input? Port { get; set; } + /// + /// The "reply to" email address. + /// [Input("replyTo")] public Input? ReplyTo { get; set; } + /// + /// The display name of the "reply to" email address. + /// [Input("replyToDisplayName")] public Input? ReplyToDisplayName { get; set; } + /// + /// When `true`, enables SSL. Defaults to `false`. + /// [Input("ssl")] public Input? Ssl { get; set; } + /// + /// When `true`, enables StartTLS. Defaults to `false`. + /// [Input("starttls")] public Input? Starttls { get; set; } diff --git a/sdk/dotnet/Inputs/RealmWebAuthnPasswordlessPolicyArgs.cs b/sdk/dotnet/Inputs/RealmWebAuthnPasswordlessPolicyArgs.cs index 3ca97ed4..722f3db4 100644 --- a/sdk/dotnet/Inputs/RealmWebAuthnPasswordlessPolicyArgs.cs +++ b/sdk/dotnet/Inputs/RealmWebAuthnPasswordlessPolicyArgs.cs 
@@ -14,6 +14,10 @@ public sealed class RealmWebAuthnPasswordlessPolicyArgs : global::Pulumi.Resourc { [Input("acceptableAaguids")] private InputList? _acceptableAaguids; + + /// + /// A set of AAGUIDs for which an authenticator can be registered. + /// public InputList AcceptableAaguids { get => _acceptableAaguids ?? (_acceptableAaguids = new InputList()); @@ -32,15 +36,27 @@ public InputList AcceptableAaguids [Input("authenticatorAttachment")] public Input? AuthenticatorAttachment { get; set; } + /// + /// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + /// [Input("avoidSameAuthenticatorRegister")] public Input? AvoidSameAuthenticatorRegister { get; set; } + /// + /// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + /// [Input("createTimeout")] public Input? CreateTimeout { get; set; } + /// + /// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + /// [Input("relyingPartyEntityName")] public Input? RelyingPartyEntityName { get; set; } + /// + /// The WebAuthn relying party ID. + /// [Input("relyingPartyId")] public Input? RelyingPartyId { get; set; } diff --git a/sdk/dotnet/Inputs/RealmWebAuthnPasswordlessPolicyGetArgs.cs b/sdk/dotnet/Inputs/RealmWebAuthnPasswordlessPolicyGetArgs.cs index 4df7ea21..743ccafd 100644 --- a/sdk/dotnet/Inputs/RealmWebAuthnPasswordlessPolicyGetArgs.cs +++ b/sdk/dotnet/Inputs/RealmWebAuthnPasswordlessPolicyGetArgs.cs @@ -14,6 +14,10 @@ public sealed class RealmWebAuthnPasswordlessPolicyGetArgs : global::Pulumi.Reso { [Input("acceptableAaguids")] private InputList? _acceptableAaguids; + + /// + /// A set of AAGUIDs for which an authenticator can be registered. + /// public InputList AcceptableAaguids { get => _acceptableAaguids ?? (_acceptableAaguids = new InputList()); 
@@ -32,15 +36,27 @@ public InputList AcceptableAaguids [Input("authenticatorAttachment")] public Input? AuthenticatorAttachment { get; set; } + /// + /// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + /// [Input("avoidSameAuthenticatorRegister")] public Input? AvoidSameAuthenticatorRegister { get; set; } + /// + /// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + /// [Input("createTimeout")] public Input? CreateTimeout { get; set; } + /// + /// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + /// [Input("relyingPartyEntityName")] public Input? RelyingPartyEntityName { get; set; } + /// + /// The WebAuthn relying party ID. + /// [Input("relyingPartyId")] public Input? RelyingPartyId { get; set; } diff --git a/sdk/dotnet/Inputs/RealmWebAuthnPolicyArgs.cs b/sdk/dotnet/Inputs/RealmWebAuthnPolicyArgs.cs index 66a3e02c..c721c7b5 100644 --- a/sdk/dotnet/Inputs/RealmWebAuthnPolicyArgs.cs +++ b/sdk/dotnet/Inputs/RealmWebAuthnPolicyArgs.cs @@ -14,6 +14,10 @@ public sealed class RealmWebAuthnPolicyArgs : global::Pulumi.ResourceArgs { [Input("acceptableAaguids")] private InputList? _acceptableAaguids; + + /// + /// A set of AAGUIDs for which an authenticator can be registered. + /// public InputList AcceptableAaguids { get => _acceptableAaguids ?? (_acceptableAaguids = new InputList()); 
@@ -32,15 +36,27 @@ public InputList AcceptableAaguids [Input("authenticatorAttachment")] public Input? AuthenticatorAttachment { get; set; } + /// + /// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + /// [Input("avoidSameAuthenticatorRegister")] public Input? AvoidSameAuthenticatorRegister { get; set; } + /// + /// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + /// [Input("createTimeout")] public Input? CreateTimeout { get; set; } + /// + /// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + /// [Input("relyingPartyEntityName")] public Input? RelyingPartyEntityName { get; set; } + /// + /// The WebAuthn relying party ID. + /// [Input("relyingPartyId")] public Input? RelyingPartyId { get; set; } diff --git a/sdk/dotnet/Inputs/RealmWebAuthnPolicyGetArgs.cs b/sdk/dotnet/Inputs/RealmWebAuthnPolicyGetArgs.cs index b69f6ed7..922dcc17 100644 --- a/sdk/dotnet/Inputs/RealmWebAuthnPolicyGetArgs.cs +++ b/sdk/dotnet/Inputs/RealmWebAuthnPolicyGetArgs.cs @@ -14,6 +14,10 @@ public sealed class RealmWebAuthnPolicyGetArgs : global::Pulumi.ResourceArgs { [Input("acceptableAaguids")] private InputList? _acceptableAaguids; + + /// + /// A set of AAGUIDs for which an authenticator can be registered. + /// public InputList AcceptableAaguids { get => _acceptableAaguids ?? (_acceptableAaguids = new InputList()); 
@@ -32,15 +36,27 @@ public InputList AcceptableAaguids [Input("authenticatorAttachment")] public Input? AuthenticatorAttachment { get; set; } + /// + /// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + /// [Input("avoidSameAuthenticatorRegister")] public Input? AvoidSameAuthenticatorRegister { get; set; } + /// + /// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + /// [Input("createTimeout")] public Input? CreateTimeout { get; set; } + /// + /// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + /// [Input("relyingPartyEntityName")] public Input? RelyingPartyEntityName { get; set; } + /// + /// The WebAuthn relying party ID. + /// [Input("relyingPartyId")] public Input? RelyingPartyId { get; set; } diff --git a/sdk/dotnet/Inputs/UserFederatedIdentityArgs.cs b/sdk/dotnet/Inputs/UserFederatedIdentityArgs.cs index 803e1725..20dbd459 100644 --- a/sdk/dotnet/Inputs/UserFederatedIdentityArgs.cs +++ b/sdk/dotnet/Inputs/UserFederatedIdentityArgs.cs @@ -12,12 +12,21 @@ namespace Pulumi.Keycloak.Inputs public sealed class UserFederatedIdentityArgs : global::Pulumi.ResourceArgs { + /// + /// The name of the identity provider + /// [Input("identityProvider", required: true)] public Input IdentityProvider { get; set; } = null!; + /// + /// The ID of the user defined in the identity provider + /// [Input("userId", required: true)] public Input UserId { get; set; } = null!; + /// + /// The user name of the user defined in the identity provider + /// [Input("userName", required: true)] public Input UserName { get; set; } = null!; diff --git a/sdk/dotnet/Inputs/UserFederatedIdentityGetArgs.cs b/sdk/dotnet/Inputs/UserFederatedIdentityGetArgs.cs index a52f28a6..797a438a 100644 --- a/sdk/dotnet/Inputs/UserFederatedIdentityGetArgs.cs 
+++ b/sdk/dotnet/Inputs/UserFederatedIdentityGetArgs.cs @@ -12,12 +12,21 @@ namespace Pulumi.Keycloak.Inputs public sealed class UserFederatedIdentityGetArgs : global::Pulumi.ResourceArgs { + /// + /// The name of the identity provider + /// [Input("identityProvider", required: true)] public Input IdentityProvider { get; set; } = null!; + /// + /// The ID of the user defined in the identity provider + /// [Input("userId", required: true)] public Input UserId { get; set; } = null!; + /// + /// The user name of the user defined in the identity provider + /// [Input("userName", required: true)] public Input UserName { get; set; } = null!; diff --git a/sdk/dotnet/Inputs/UserInitialPasswordArgs.cs b/sdk/dotnet/Inputs/UserInitialPasswordArgs.cs index 27e4c2ae..4a2bda3e 100644 --- a/sdk/dotnet/Inputs/UserInitialPasswordArgs.cs +++ b/sdk/dotnet/Inputs/UserInitialPasswordArgs.cs @@ -12,11 +12,18 @@ namespace Pulumi.Keycloak.Inputs public sealed class UserInitialPasswordArgs : global::Pulumi.ResourceArgs { + /// + /// If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + /// [Input("temporary")] public Input? Temporary { get; set; } [Input("value", required: true)] private Input? _value; + + /// + /// The initial password. + /// public Input? Value { get => _value; diff --git a/sdk/dotnet/Inputs/UserInitialPasswordGetArgs.cs b/sdk/dotnet/Inputs/UserInitialPasswordGetArgs.cs index 96cef579..51a096a7 100644 --- a/sdk/dotnet/Inputs/UserInitialPasswordGetArgs.cs +++ b/sdk/dotnet/Inputs/UserInitialPasswordGetArgs.cs 
@@ -12,11 +12,18 @@ namespace Pulumi.Keycloak.Inputs public sealed class UserInitialPasswordGetArgs : global::Pulumi.ResourceArgs { + /// + /// If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + /// [Input("temporary")] public Input? Temporary { get; set; } [Input("value", required: true)] private Input? _value; + + /// + /// The initial password. + /// public Input? Value { get => _value; diff --git a/sdk/dotnet/Ldap/FullNameMapper.cs b/sdk/dotnet/Ldap/FullNameMapper.cs index 1bba0ad2..b0dc4a06 100644 --- a/sdk/dotnet/Ldap/FullNameMapper.cs +++ b/sdk/dotnet/Ldap/FullNameMapper.cs @@ -10,15 +10,12 @@ namespace Pulumi.Keycloak.Ldap { /// - /// ## # keycloak.ldap.FullNameMapper + /// Allows for creating and managing full name mappers for Keycloak users federated via LDAP. /// - /// Allows for creating and managing full name mappers for Keycloak users federated - /// via LDAP. + /// The LDAP full name mapper can map a user's full name from an LDAP attribute to the first and last name attributes of a + /// Keycloak user. /// - /// The LDAP full name mapper can map a user's full name from an LDAP attribute - /// to the first and last name attributes of a Keycloak user. - /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -30,7 +27,7 @@ namespace Pulumi.Keycloak.Ldap /// { /// var realm = new Keycloak.Realm("realm", new() /// { - /// RealmName = "test", + /// RealmName = "my-realm", /// Enabled = true, /// }); /// 
@@ -63,50 +60,56 @@ namespace Pulumi.Keycloak.Ldap /// }); /// ``` /// - /// ### Argument Reference + /// ## Import /// - /// The following arguments are supported: + /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. /// - /// - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - /// - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - /// - `name` - (Required) Display name of this mapper when displayed in the console. - /// - `ldap_full_name_attribute` - (Required) The name of the LDAP attribute containing the user's full name. - /// - `read_only` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. - /// - `write_only` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + /// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. /// - /// ### Import + /// Example: /// - /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - /// The ID of the LDAP user federation provider and the mapper can be found within - /// the Keycloak GUI, and they are typically GUIDs: + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:ldap/fullNameMapper:FullNameMapper ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + /// ``` /// [KeycloakResourceType("keycloak:ldap/fullNameMapper:FullNameMapper")] public partial class FullNameMapper : global::Pulumi.CustomResource { + /// + /// The name of the LDAP attribute containing the user's full name. + /// [Output("ldapFullNameAttribute")] public Output LdapFullNameAttribute { get; private set; } = null!; /// - /// The ldap user federation provider to attach this mapper to. 
+ /// The ID of the LDAP user federation provider to attach this mapper to. /// [Output("ldapUserFederationId")] public Output LdapUserFederationId { get; private set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Output("name")] public Output Name { get; private set; } = null!; + /// + /// When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + /// [Output("readOnly")] public Output ReadOnly { get; private set; } = null!; /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + /// [Output("writeOnly")] public Output WriteOnly { get; private set; } = null!; 
@@ -156,30 +159,39 @@ public static FullNameMapper Get(string name, Input id, FullNameMapperSt public sealed class FullNameMapperArgs : global::Pulumi.ResourceArgs { + /// + /// The name of the LDAP attribute containing the user's full name. + /// [Input("ldapFullNameAttribute", required: true)] public Input LdapFullNameAttribute { get; set; } = null!; /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId", required: true)] public Input LdapUserFederationId { get; set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } + /// + /// When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + /// [Input("readOnly")] public Input? ReadOnly { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; + /// + /// When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + /// [Input("writeOnly")] public Input? WriteOnly { get; set; } 
@@ -191,30 +203,39 @@ public FullNameMapperArgs() public sealed class FullNameMapperState : global::Pulumi.ResourceArgs { + /// + /// The name of the LDAP attribute containing the user's full name. + /// [Input("ldapFullNameAttribute")] public Input? LdapFullNameAttribute { get; set; } /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId")] public Input? LdapUserFederationId { get; set; } /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } + /// + /// When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + /// [Input("readOnly")] public Input? ReadOnly { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId")] public Input? RealmId { get; set; } + /// + /// When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + /// [Input("writeOnly")] public Input? WriteOnly { get; set; } diff --git a/sdk/dotnet/Ldap/GroupMapper.cs b/sdk/dotnet/Ldap/GroupMapper.cs index 9d1829e5..f9dc9296 100644 --- a/sdk/dotnet/Ldap/GroupMapper.cs +++ b/sdk/dotnet/Ldap/GroupMapper.cs 
@@ -10,16 +10,12 @@ namespace Pulumi.Keycloak.Ldap { /// - /// ## # keycloak.ldap.GroupMapper + /// Allows for creating and managing group mappers for Keycloak users federated via LDAP. /// - /// Allows for creating and managing group mappers for Keycloak users federated - /// via LDAP. + /// The LDAP group mapper can be used to map an LDAP user's groups from some DN to Keycloak groups. This group mapper will also + /// create the groups within Keycloak if they do not already exist. /// - /// The LDAP group mapper can be used to map an LDAP user's groups from some DN - /// to Keycloak groups. This group mapper will also create the groups within Keycloak - /// if they do not already exist. - /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -31,7 +27,7 @@ namespace Pulumi.Keycloak.Ldap /// { /// var realm = new Keycloak.Realm("realm", new() /// { - /// RealmName = "test", + /// RealmName = "my-realm", /// Enabled = true, /// }); /// 
@@ -73,97 +69,128 @@ namespace Pulumi.Keycloak.Ldap /// }); /// ``` /// - /// ### Argument Reference + /// ## Import + /// + /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. /// - /// The following arguments are supported: + /// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. /// - /// - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - /// - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - /// - `name` - (Required) Display name of this mapper when displayed in the console. - /// - `ldap_groups_dn` - (Required) The LDAP DN where groups can be found. - /// - `group_name_ldap_attribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. - /// - `group_object_classes` - (Required) Array of strings representing the object classes for the group. Must contain at least one. - /// - `preserve_group_inheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. - /// - `ignore_missing_groups` - (Optional) When `true`, missing groups in the hierarchy will be ignored. - /// - `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings. - /// - `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`. - /// - `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings. - /// - `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. - /// - `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. 
Defaults to `READ_ONLY`. - /// - `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. - /// - `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. - /// - `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. - /// - `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + /// Example: /// - /// ### Import + /// bash /// - /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - /// The ID of the LDAP user federation provider and the mapper can be found within - /// the Keycloak GUI, and they are typically GUIDs: + /// ```sh + /// $ pulumi import keycloak:ldap/groupMapper:GroupMapper ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + /// ``` /// [KeycloakResourceType("keycloak:ldap/groupMapper:GroupMapper")] public partial class GroupMapper : global::Pulumi.CustomResource { + /// + /// When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + /// [Output("dropNonExistingGroupsDuringSync")] public Output DropNonExistingGroupsDuringSync { get; private set; } = null!; + /// + /// The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + /// [Output("groupNameLdapAttribute")] public Output GroupNameLdapAttribute { get; private set; } = null!; + /// + /// List of strings representing the object classes for the group. Must contain at least one. 
+ /// [Output("groupObjectClasses")] public Output> GroupObjectClasses { get; private set; } = null!; + /// + /// When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + /// [Output("groupsLdapFilter")] public Output GroupsLdapFilter { get; private set; } = null!; + /// + /// Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + /// [Output("groupsPath")] public Output GroupsPath { get; private set; } = null!; + /// + /// When `true`, missing groups in the hierarchy will be ignored. + /// [Output("ignoreMissingGroups")] public Output IgnoreMissingGroups { get; private set; } = null!; + /// + /// The LDAP DN where groups can be found. + /// [Output("ldapGroupsDn")] public Output LdapGroupsDn { get; private set; } = null!; /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Output("ldapUserFederationId")] public Output LdapUserFederationId { get; private set; } = null!; + /// + /// Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + /// [Output("mappedGroupAttributes")] public Output> MappedGroupAttributes { get; private set; } = null!; + /// + /// Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + /// [Output("memberofLdapAttribute")] public Output MemberofLdapAttribute { get; private set; } = null!; + /// + /// Can be one of `DN` or `UID`. Defaults to `DN`. 
+ /// [Output("membershipAttributeType")] public Output MembershipAttributeType { get; private set; } = null!; + /// + /// The name of the LDAP attribute that is used for membership mappings. + /// [Output("membershipLdapAttribute")] public Output MembershipLdapAttribute { get; private set; } = null!; + /// + /// The name of the LDAP attribute on a user that is used for membership mappings. + /// [Output("membershipUserLdapAttribute")] public Output MembershipUserLdapAttribute { get; private set; } = null!; + /// + /// Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + /// [Output("mode")] public Output Mode { get; private set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Output("name")] public Output Name { get; private set; } = null!; + /// + /// When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + /// [Output("preserveGroupInheritance")] public Output PreserveGroupInheritance { get; private set; } = null!; /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + /// [Output("userRolesRetrieveStrategy")] public Output UserRolesRetrieveStrategy { get; private set; } = null!; 
@@ -213,76 +240,123 @@ public static GroupMapper Get(string name, Input id, GroupMapperState? s public sealed class GroupMapperArgs : global::Pulumi.ResourceArgs { + /// + /// When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + /// [Input("dropNonExistingGroupsDuringSync")] public Input? DropNonExistingGroupsDuringSync { get; set; } + /// + /// The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + /// [Input("groupNameLdapAttribute", required: true)] public Input GroupNameLdapAttribute { get; set; } = null!; [Input("groupObjectClasses", required: true)] private InputList? _groupObjectClasses; + + /// + /// List of strings representing the object classes for the group. Must contain at least one. + /// public InputList GroupObjectClasses { get => _groupObjectClasses ?? (_groupObjectClasses = new InputList()); set => _groupObjectClasses = value; } + /// + /// When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + /// [Input("groupsLdapFilter")] public Input? GroupsLdapFilter { get; set; } + /// + /// Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + /// [Input("groupsPath")] public Input? GroupsPath { get; set; } + /// + /// When `true`, missing groups in the hierarchy will be ignored. + /// [Input("ignoreMissingGroups")] public Input? IgnoreMissingGroups { get; set; } + /// + /// The LDAP DN where groups can be found. + /// [Input("ldapGroupsDn", required: true)] public Input LdapGroupsDn { get; set; } = null!; /// - /// The ldap user federation provider to attach this mapper to. 
+ /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId", required: true)] public Input LdapUserFederationId { get; set; } = null!; [Input("mappedGroupAttributes")] private InputList? _mappedGroupAttributes; + + /// + /// Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + /// public InputList MappedGroupAttributes { get => _mappedGroupAttributes ?? (_mappedGroupAttributes = new InputList()); set => _mappedGroupAttributes = value; } + /// + /// Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + /// [Input("memberofLdapAttribute")] public Input? MemberofLdapAttribute { get; set; } + /// + /// Can be one of `DN` or `UID`. Defaults to `DN`. + /// [Input("membershipAttributeType")] public Input? MembershipAttributeType { get; set; } + /// + /// The name of the LDAP attribute that is used for membership mappings. + /// [Input("membershipLdapAttribute", required: true)] public Input MembershipLdapAttribute { get; set; } = null!; + /// + /// The name of the LDAP attribute on a user that is used for membership mappings. + /// [Input("membershipUserLdapAttribute", required: true)] public Input MembershipUserLdapAttribute { get; set; } = null!; + /// + /// Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + /// [Input("mode")] public Input? Mode { get; set; } /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } + /// + /// When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + /// [Input("preserveGroupInheritance")] public Input? 
PreserveGroupInheritance { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; + /// + /// Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + /// [Input("userRolesRetrieveStrategy")] public Input? UserRolesRetrieveStrategy { get; set; } 
@@ -294,76 +368,123 @@ public GroupMapperArgs() public sealed class GroupMapperState : global::Pulumi.ResourceArgs { + /// + /// When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + /// [Input("dropNonExistingGroupsDuringSync")] public Input? DropNonExistingGroupsDuringSync { get; set; } + /// + /// The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + /// [Input("groupNameLdapAttribute")] public Input? GroupNameLdapAttribute { get; set; } [Input("groupObjectClasses")] private InputList? _groupObjectClasses; + + /// + /// List of strings representing the object classes for the group. Must contain at least one. + /// public InputList GroupObjectClasses { get => _groupObjectClasses ?? (_groupObjectClasses = new InputList()); set => _groupObjectClasses = value; } + /// + /// When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + /// [Input("groupsLdapFilter")] public Input? GroupsLdapFilter { get; set; } + /// + /// Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + /// [Input("groupsPath")] public Input? GroupsPath { get; set; } + /// + /// When `true`, missing groups in the hierarchy will be ignored. + /// [Input("ignoreMissingGroups")] public Input? IgnoreMissingGroups { get; set; } + /// + /// The LDAP DN where groups can be found. + /// [Input("ldapGroupsDn")] public Input? LdapGroupsDn { get; set; } /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId")] public Input? 
LdapUserFederationId { get; set; } [Input("mappedGroupAttributes")] private InputList? _mappedGroupAttributes; + + /// + /// Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + /// public InputList MappedGroupAttributes { get => _mappedGroupAttributes ?? (_mappedGroupAttributes = new InputList()); set => _mappedGroupAttributes = value; } + /// + /// Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + /// [Input("memberofLdapAttribute")] public Input? MemberofLdapAttribute { get; set; } + /// + /// Can be one of `DN` or `UID`. Defaults to `DN`. + /// [Input("membershipAttributeType")] public Input? MembershipAttributeType { get; set; } + /// + /// The name of the LDAP attribute that is used for membership mappings. + /// [Input("membershipLdapAttribute")] public Input? MembershipLdapAttribute { get; set; } + /// + /// The name of the LDAP attribute on a user that is used for membership mappings. + /// [Input("membershipUserLdapAttribute")] public Input? MembershipUserLdapAttribute { get; set; } + /// + /// Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + /// [Input("mode")] public Input? Mode { get; set; } /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } + /// + /// When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + /// [Input("preserveGroupInheritance")] public Input? PreserveGroupInheritance { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId")] public Input? 
RealmId { get; set; } + /// + /// Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + /// [Input("userRolesRetrieveStrategy")] public Input? UserRolesRetrieveStrategy { get; set; } diff --git a/sdk/dotnet/Ldap/HardcodedRoleMapper.cs b/sdk/dotnet/Ldap/HardcodedRoleMapper.cs index 67900037..175e2a98 100644 --- a/sdk/dotnet/Ldap/HardcodedRoleMapper.cs +++ b/sdk/dotnet/Ldap/HardcodedRoleMapper.cs @@ -10,11 +10,13 @@ namespace Pulumi.Keycloak.Ldap { /// - /// ## # keycloak.ldap.HardcodedRoleMapper + /// Allows for creating and managing hardcoded role mappers for Keycloak users federated via LDAP. /// - /// This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. + /// The LDAP hardcoded role mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. /// - /// ### Example Usage + /// ## Example Usage + /// + /// ### Realm Role) /// /// ```csharp /// using System.Collections.Generic; @@ -26,7 +28,7 @@ namespace Pulumi.Keycloak.Ldap /// { /// var realm = new Keycloak.Realm("realm", new() /// { - /// RealmName = "test", + /// RealmName = "my-realm", /// Enabled = true, /// }); /// 
@@ -48,55 +50,125 @@ namespace Pulumi.Keycloak.Ldap /// BindCredential = "admin", /// }); /// + /// var realmAdminRole = new Keycloak.Role("realm_admin_role", new() + /// { + /// RealmId = realm.Id, + /// Name = "my-admin-role", + /// Description = "My Realm Role", + /// }); + /// /// var assignAdminRoleToAllUsers = new Keycloak.Ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", new() /// { /// RealmId = realm.Id, /// LdapUserFederationId = ldapUserFederation.Id, /// Name = "assign-admin-role-to-all-users", - /// Role = "admin", + /// Role = realmAdminRole.Name, /// }); /// /// }); /// ``` /// - /// ### Argument Reference + /// ### Client Role) + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new() + /// { + /// Name = "openldap", + /// RealmId = realm.Id, + /// UsernameLdapAttribute = "cn", + /// RdnLdapAttribute = "cn", + /// UuidLdapAttribute = "entryDN", + /// UserObjectClasses = new[] + /// { + /// "simpleSecurityObject", + /// "organizationalRole", + /// }, + /// ConnectionUrl = "ldap://openldap", + /// UsersDn = "dc=example,dc=org", + /// BindDn = "cn=admin,dc=example,dc=org", + /// BindCredential = "admin", + /// }); + /// + /// // data sources aren't technically necessary here, but they are helpful for demonstration purposes + /// var realmManagement = Keycloak.OpenId.GetClient.Invoke(new() + /// { + /// RealmId = realm.Id, + /// ClientId = "realm-management", + /// }); /// - /// The following arguments are supported: + /// var createClient = Keycloak.GetRole.Invoke(new() + /// { + /// RealmId = realm.Id, + /// ClientId = realmManagement.Apply(getClientResult => getClientResult.Id), 
+ /// Name = "create-client", + /// }); /// - /// - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - /// - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - /// - `name` - (Required) Display name of this mapper when displayed in the console. - /// - `role` - (Required) The role which should be assigned to the users. + /// var assignAdminRoleToAllUsers = new Keycloak.Ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", new() + /// { + /// RealmId = realm.Id, + /// LdapUserFederationId = ldapUserFederation.Id, + /// Name = "assign-admin-role-to-all-users", + /// Role = Output.Tuple(realmManagement, createClient).Apply(values => + /// { + /// var realmManagement = values.Item1; + /// var createClient = values.Item2; + /// return $"{realmManagement.Apply(getClientResult => getClientResult.ClientId)}.{createClient.Apply(getRoleResult => getRoleResult.Name)}"; + /// }), + /// }); + /// + /// }); + /// ``` /// - /// ### Import + /// ## Import /// /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - /// The ID of the LDAP user federation provider and the mapper can be found within - /// the Keycloak GUI, and they are typically GUIDs: + /// + /// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. + /// + /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper assign_admin_role_to_all_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + /// ``` /// [KeycloakResourceType("keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper")] public partial class HardcodedRoleMapper : global::Pulumi.CustomResource { /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. 
/// [Output("ldapUserFederationId")] public Output LdapUserFederationId { get; private set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; /// - /// Role to grant to user. + /// The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. /// [Output("role")] public Output Role { get; private set; } = null!; @@ -148,25 +220,25 @@ public static HardcodedRoleMapper Get(string name, Input id, HardcodedRo public sealed class HardcodedRoleMapperArgs : global::Pulumi.ResourceArgs { /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId", required: true)] public Input LdapUserFederationId { get; set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; /// - /// Role to grant to user. + /// The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. /// [Input("role", required: true)] public Input Role { get; set; } = null!; 
@@ -180,25 +252,25 @@ public HardcodedRoleMapperArgs() public sealed class HardcodedRoleMapperState : global::Pulumi.ResourceArgs { /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId")] public Input? LdapUserFederationId { get; set; } /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId")] public Input? RealmId { get; set; } /// - /// Role to grant to user. + /// The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. /// [Input("role")] public Input? Role { get; set; } diff --git a/sdk/dotnet/Ldap/Inputs/UserFederationCacheArgs.cs b/sdk/dotnet/Ldap/Inputs/UserFederationCacheArgs.cs index 0caca897..d46c8aa2 100644 --- a/sdk/dotnet/Ldap/Inputs/UserFederationCacheArgs.cs +++ b/sdk/dotnet/Ldap/Inputs/UserFederationCacheArgs.cs @@ -13,7 +13,7 @@ namespace Pulumi.Keycloak.Ldap.Inputs public sealed class UserFederationCacheArgs : global::Pulumi.ResourceArgs { /// - /// Day of the week the entry will become invalid on. + /// Day of the week the entry will become invalid on /// [Input("evictionDay")] public Input? EvictionDay { get; set; } @@ -36,6 +36,9 @@ public sealed class UserFederationCacheArgs : global::Pulumi.ResourceArgs [Input("maxLifespan")] public Input? MaxLifespan { get; set; } + /// + /// Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + /// [Input("policy")] public Input? Policy { get; set; } 
diff --git a/sdk/dotnet/Ldap/Inputs/UserFederationCacheGetArgs.cs b/sdk/dotnet/Ldap/Inputs/UserFederationCacheGetArgs.cs index 12f4b364..012e27b9 100644 --- a/sdk/dotnet/Ldap/Inputs/UserFederationCacheGetArgs.cs +++ b/sdk/dotnet/Ldap/Inputs/UserFederationCacheGetArgs.cs @@ -13,7 +13,7 @@ namespace Pulumi.Keycloak.Ldap.Inputs public sealed class UserFederationCacheGetArgs : global::Pulumi.ResourceArgs { /// - /// Day of the week the entry will become invalid on. + /// Day of the week the entry will become invalid on /// [Input("evictionDay")] public Input? EvictionDay { get; set; } @@ -36,6 +36,9 @@ public sealed class UserFederationCacheGetArgs : global::Pulumi.ResourceArgs [Input("maxLifespan")] public Input? MaxLifespan { get; set; } + /// + /// Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + /// [Input("policy")] public Input? Policy { get; set; } diff --git a/sdk/dotnet/Ldap/Inputs/UserFederationKerberosArgs.cs b/sdk/dotnet/Ldap/Inputs/UserFederationKerberosArgs.cs index 9e718b98..3b7ca931 100644 --- a/sdk/dotnet/Ldap/Inputs/UserFederationKerberosArgs.cs +++ b/sdk/dotnet/Ldap/Inputs/UserFederationKerberosArgs.cs @@ -13,7 +13,7 @@ namespace Pulumi.Keycloak.Ldap.Inputs public sealed class UserFederationKerberosArgs : global::Pulumi.ResourceArgs { /// - /// The name of the kerberos realm, e.g. FOO.LOCAL + /// The name of the kerberos realm, e.g. FOO.LOCAL. /// [Input("kerberosRealm", required: true)] public Input KerberosRealm { get; set; } = null!; diff --git a/sdk/dotnet/Ldap/Inputs/UserFederationKerberosGetArgs.cs b/sdk/dotnet/Ldap/Inputs/UserFederationKerberosGetArgs.cs index 65c7f9c4..296828c4 100644 --- a/sdk/dotnet/Ldap/Inputs/UserFederationKerberosGetArgs.cs +++ b/sdk/dotnet/Ldap/Inputs/UserFederationKerberosGetArgs.cs 
@@ -13,7 +13,7 @@ namespace Pulumi.Keycloak.Ldap.Inputs public sealed class UserFederationKerberosGetArgs : global::Pulumi.ResourceArgs { /// - /// The name of the kerberos realm, e.g. FOO.LOCAL + /// The name of the kerberos realm, e.g. FOO.LOCAL. /// [Input("kerberosRealm", required: true)] public Input KerberosRealm { get; set; } = null!; diff --git a/sdk/dotnet/Ldap/MsadUserAccountControlMapper.cs b/sdk/dotnet/Ldap/MsadUserAccountControlMapper.cs index 9d54cdaa..679f729d 100644 --- a/sdk/dotnet/Ldap/MsadUserAccountControlMapper.cs +++ b/sdk/dotnet/Ldap/MsadUserAccountControlMapper.cs @@ -10,8 +10,6 @@ namespace Pulumi.Keycloak.Ldap { /// - /// ## # keycloak.ldap.MsadUserAccountControlMapper - /// /// Allows for creating and managing MSAD user account control mappers for Keycloak /// users federated via LDAP. /// @@ -20,7 +18,7 @@ namespace Pulumi.Keycloak.Ldap /// AD user state to Keycloak in order to enforce settings like expired passwords /// or disabled accounts. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -32,7 +30,7 @@ namespace Pulumi.Keycloak.Ldap /// { /// var realm = new Keycloak.Realm("realm", new() /// { - /// RealmName = "test", + /// RealmName = "my-realm", /// Enabled = true, /// }); /// 
@@ -65,41 +63,43 @@ namespace Pulumi.Keycloak.Ldap /// }); /// ``` /// - /// ### Argument Reference + /// ## Import /// - /// The following arguments are supported: + /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. /// - /// - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - /// - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - /// - `name` - (Required) Display name of this mapper when displayed in the console. - /// - `ldap_password_policy_hints_enabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + /// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. /// - /// ### Import + /// Example: /// - /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - /// The ID of the LDAP user federation provider and the mapper can be found within - /// the Keycloak GUI, and they are typically GUIDs: + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + /// ``` /// [KeycloakResourceType("keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper")] public partial class MsadUserAccountControlMapper : global::Pulumi.CustomResource { + /// + /// When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. 
+ /// [Output("ldapPasswordPolicyHintsEnabled")] public Output LdapPasswordPolicyHintsEnabled { get; private set; } = null!; /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Output("ldapUserFederationId")] public Output LdapUserFederationId { get; private set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; @@ -150,23 +150,26 @@ public static MsadUserAccountControlMapper Get(string name, Input id, Ms public sealed class MsadUserAccountControlMapperArgs : global::Pulumi.ResourceArgs { + /// + /// When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + /// [Input("ldapPasswordPolicyHintsEnabled")] public Input? LdapPasswordPolicyHintsEnabled { get; set; } /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId", required: true)] public Input LdapUserFederationId { get; set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -179,23 +182,26 @@ public MsadUserAccountControlMapperArgs() public sealed class MsadUserAccountControlMapperState : global::Pulumi.ResourceArgs { + /// + /// When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + /// [Input("ldapPasswordPolicyHintsEnabled")] public Input? LdapPasswordPolicyHintsEnabled { get; set; } /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId")] public Input? LdapUserFederationId { get; set; } /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/Ldap/Outputs/UserFederationCache.cs b/sdk/dotnet/Ldap/Outputs/UserFederationCache.cs index 469a3663..1ac84829 100644 --- a/sdk/dotnet/Ldap/Outputs/UserFederationCache.cs +++ b/sdk/dotnet/Ldap/Outputs/UserFederationCache.cs @@ -14,7 +14,7 @@ namespace Pulumi.Keycloak.Ldap.Outputs public sealed class UserFederationCache { /// - /// Day of the week the entry will become invalid on. + /// Day of the week the entry will become invalid on /// public readonly int? EvictionDay; /// @@ -29,6 +29,9 @@ public sealed class UserFederationCache /// Max lifespan of cache entry (duration string). /// public readonly string? MaxLifespan; + /// + /// Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + /// public readonly string? Policy; [OutputConstructor] 
diff --git a/sdk/dotnet/Ldap/Outputs/UserFederationKerberos.cs b/sdk/dotnet/Ldap/Outputs/UserFederationKerberos.cs index f1f760ad..62058956 100644 --- a/sdk/dotnet/Ldap/Outputs/UserFederationKerberos.cs +++ b/sdk/dotnet/Ldap/Outputs/UserFederationKerberos.cs @@ -14,7 +14,7 @@ namespace Pulumi.Keycloak.Ldap.Outputs public sealed class UserFederationKerberos { /// - /// The name of the kerberos realm, e.g. FOO.LOCAL + /// The name of the kerberos realm, e.g. FOO.LOCAL. /// public readonly string KerberosRealm; /// diff --git a/sdk/dotnet/Ldap/UserAttributeMapper.cs b/sdk/dotnet/Ldap/UserAttributeMapper.cs index cec91cc3..5cf9ccbb 100644 --- a/sdk/dotnet/Ldap/UserAttributeMapper.cs +++ b/sdk/dotnet/Ldap/UserAttributeMapper.cs @@ -10,15 +10,13 @@ namespace Pulumi.Keycloak.Ldap { /// - /// ## # keycloak.ldap.UserAttributeMapper - /// /// Allows for creating and managing user attribute mappers for Keycloak users /// federated via LDAP. /// /// The LDAP user attribute mapper can be used to map a single LDAP attribute /// to an attribute on the Keycloak user model. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -30,7 +28,7 @@ namespace Pulumi.Keycloak.Ldap /// { /// var realm = new Keycloak.Realm("realm", new() /// { - /// RealmName = "test", + /// RealmName = "my-realm", /// Enabled = true, /// }); /// 
@@ -64,84 +62,79 @@ namespace Pulumi.Keycloak.Ldap /// }); /// ``` /// - /// ### Argument Reference + /// ## Import /// - /// The following arguments are supported: + /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. /// - /// - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - /// - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - /// - `name` - (Required) Display name of this mapper when displayed in the console. - /// - `user_model_attribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into. - /// - `ldap_attribute` - (Required) Name of the mapped attribute on the LDAP object. - /// - `read_only` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. - /// - `always_read_value_from_ldap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. - /// - `is_mandatory_in_ldap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`. + /// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. /// - /// ### Import + /// Example: /// - /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. 
- /// The ID of the LDAP user federation provider and the mapper can be found within - /// the Keycloak GUI, and they are typically GUIDs: + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:ldap/userAttributeMapper:UserAttributeMapper ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + /// ``` /// [KeycloakResourceType("keycloak:ldap/userAttributeMapper:UserAttributeMapper")] public partial class UserAttributeMapper : global::Pulumi.CustomResource { /// - /// When true, the value fetched from LDAP will override the value stored in Keycloak. + /// When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. /// [Output("alwaysReadValueFromLdap")] public Output AlwaysReadValueFromLdap { get; private set; } = null!; /// - /// Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + /// Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. /// [Output("attributeDefaultValue")] public Output AttributeDefaultValue { get; private set; } = null!; /// - /// Should be true for binary LDAP attributes + /// Should be true for binary LDAP attributes. /// [Output("isBinaryAttribute")] public Output IsBinaryAttribute { get; private set; } = null!; /// - /// When true, this attribute must exist in LDAP. + /// When `true`, this attribute must exist in LDAP. Defaults to `false`. /// [Output("isMandatoryInLdap")] public Output IsMandatoryInLdap { get; private set; } = null!; /// - /// Name of the mapped attribute on LDAP object. + /// Name of the mapped attribute on the LDAP object. /// [Output("ldapAttribute")] public Output LdapAttribute { get; private set; } = null!; /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. 
/// [Output("ldapUserFederationId")] public Output LdapUserFederationId { get; private set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + /// When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. /// [Output("readOnly")] public Output ReadOnly { get; private set; } = null!; /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; /// - /// Name of the UserModel property or attribute you want to map the LDAP attribute into. + /// Name of the user property or attribute you want to map the LDAP attribute into. /// [Output("userModelAttribute")] public Output UserModelAttribute { get; private set; } = null!; 
@@ -193,61 +186,61 @@ public static UserAttributeMapper Get(string name, Input id, UserAttribu public sealed class UserAttributeMapperArgs : global::Pulumi.ResourceArgs { /// - /// When true, the value fetched from LDAP will override the value stored in Keycloak. + /// When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. /// [Input("alwaysReadValueFromLdap")] public Input? AlwaysReadValueFromLdap { get; set; } /// - /// Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + /// Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. /// [Input("attributeDefaultValue")] public Input? AttributeDefaultValue { get; set; } /// - /// Should be true for binary LDAP attributes + /// Should be true for binary LDAP attributes. /// [Input("isBinaryAttribute")] public Input? IsBinaryAttribute { get; set; } /// - /// When true, this attribute must exist in LDAP. + /// When `true`, this attribute must exist in LDAP. Defaults to `false`. /// [Input("isMandatoryInLdap")] public Input? IsMandatoryInLdap { get; set; } /// - /// Name of the mapped attribute on LDAP object. + /// Name of the mapped attribute on the LDAP object. /// [Input("ldapAttribute", required: true)] public Input LdapAttribute { get; set; } = null!; /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId", required: true)] public Input LdapUserFederationId { get; set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + /// When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. 
Defaults to `false`. /// [Input("readOnly")] public Input? ReadOnly { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; /// - /// Name of the UserModel property or attribute you want to map the LDAP attribute into. + /// Name of the user property or attribute you want to map the LDAP attribute into. /// [Input("userModelAttribute", required: true)] public Input UserModelAttribute { get; set; } = null!; 
@@ -261,61 +254,61 @@ public UserAttributeMapperArgs() public sealed class UserAttributeMapperState : global::Pulumi.ResourceArgs { /// - /// When true, the value fetched from LDAP will override the value stored in Keycloak. + /// When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. /// [Input("alwaysReadValueFromLdap")] public Input? AlwaysReadValueFromLdap { get; set; } /// - /// Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + /// Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. /// [Input("attributeDefaultValue")] public Input? AttributeDefaultValue { get; set; } /// - /// Should be true for binary LDAP attributes + /// Should be true for binary LDAP attributes. /// [Input("isBinaryAttribute")] public Input? IsBinaryAttribute { get; set; } /// - /// When true, this attribute must exist in LDAP. + /// When `true`, this attribute must exist in LDAP. Defaults to `false`. /// [Input("isMandatoryInLdap")] public Input? IsMandatoryInLdap { get; set; } /// - /// Name of the mapped attribute on LDAP object. + /// Name of the mapped attribute on the LDAP object. /// [Input("ldapAttribute")] public Input? LdapAttribute { get; set; } /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId")] public Input? LdapUserFederationId { get; set; } /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + /// When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. /// [Input("readOnly")] public Input? 
ReadOnly { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId")] public Input? RealmId { get; set; } /// - /// Name of the UserModel property or attribute you want to map the LDAP attribute into. + /// Name of the user property or attribute you want to map the LDAP attribute into. /// [Input("userModelAttribute")] public Input? UserModelAttribute { get; set; } diff --git a/sdk/dotnet/Ldap/UserFederation.cs b/sdk/dotnet/Ldap/UserFederation.cs index 8050b805..85c2ac56 100644 --- a/sdk/dotnet/Ldap/UserFederation.cs +++ b/sdk/dotnet/Ldap/UserFederation.cs @@ -10,8 +10,6 @@ namespace Pulumi.Keycloak.Ldap { /// - /// ## # keycloak.ldap.UserFederation - /// /// Allows for creating and managing LDAP user federation providers within Keycloak. /// /// Keycloak can use an LDAP user federation provider to federate users to Keycloak @@ -19,7 +17,7 @@ namespace Pulumi.Keycloak.Ldap /// will exist within the realm and will be able to log in to clients. Federated /// users can have their attributes defined using mappers. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -31,7 +29,7 @@ namespace Pulumi.Keycloak.Ldap /// { /// var realm = new Keycloak.Realm("realm", new() /// { - /// RealmName = "test", + /// RealmName = "my-realm", /// Enabled = true, /// }); /// 
@@ -54,89 +52,64 @@ namespace Pulumi.Keycloak.Ldap /// BindCredential = "admin", /// ConnectionTimeout = "5s", /// ReadTimeout = "10s", + /// Kerberos = new Keycloak.Ldap.Inputs.UserFederationKerberosArgs + /// { + /// KerberosRealm = "FOO.LOCAL", + /// ServerPrincipal = "HTTP/host.foo.com@FOO.LOCAL", + /// KeyTab = "/etc/host.keytab", + /// }, /// }); /// /// }); /// ``` /// - /// ### Argument Reference + /// ## Import /// - /// The following arguments are supported: + /// LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. /// - /// - `realm_id` - (Required) The realm that this provider will provide user federation for. - /// - `name` - (Required) Display name of the provider when displayed in the console. - /// - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. - /// - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. - /// - `import_enabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. - /// - `edit_mode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. - /// - `sync_registrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`. - /// - `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OPTIONAL`. - /// - `username_ldap_attribute` - (Required) Name of the LDAP attribute to use as the Keycloak username. - /// - `rdn_ldap_attribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name. 
- /// - `uuid_ldap_attribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. - /// - `user_object_classes` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. - /// - `connection_url` - (Required) Connection URL to the LDAP server. - /// - `users_dn` - (Required) Full DN of LDAP tree where your users are. - /// - `bind_dn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. - /// - `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set. - /// - `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. - /// - `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`: - /// - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. - /// - `SUBTREE`: Search entire LDAP subtree. - /// - `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it. - /// - `use_truststore_spi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: - /// - `ALWAYS` - Always use the truststore SPI for LDAP connections. - /// - `NEVER` - Never use the truststore SPI for LDAP connections. - /// - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. - /// - `connection_timeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). - /// - `read_timeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). - /// - `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. 
- /// - `batch_size_for_sync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`. - /// - `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. - /// - `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. - /// - `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + /// The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: /// - /// ### Import + /// bash /// - /// LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. - /// The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: + /// ```sh + /// $ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 + /// ``` /// [KeycloakResourceType("keycloak:ldap/userFederation:UserFederation")] public partial class UserFederation : global::Pulumi.CustomResource { /// - /// The number of users to sync within a single transaction. + /// The number of users to sync within a single transaction. Defaults to `1000`. /// [Output("batchSizeForSync")] public Output BatchSizeForSync { get; private set; } = null!; /// - /// Password of LDAP admin. + /// Password of LDAP admin. This attribute must be set if `bind_dn` is set. /// [Output("bindCredential")] public Output BindCredential { get; private set; } = null!; /// - /// DN of LDAP admin, which will be used by Keycloak to access LDAP server. + /// DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. 
/// [Output("bindDn")] public Output BindDn { get; private set; } = null!; /// - /// Settings regarding cache policy for this realm. + /// A block containing the cache settings. /// [Output("cache")] public Output Cache { get; private set; } = null!; /// - /// How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - /// sync. + /// How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. /// [Output("changedSyncPeriod")] public Output ChangedSyncPeriod { get; private set; } = null!; /// - /// LDAP connection timeout (duration string) + /// LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). /// [Output("connectionTimeout")] public Output ConnectionTimeout { get; private set; } = null!; 
@@ -148,26 +121,25 @@ public partial class UserFederation : global::Pulumi.CustomResource public Output ConnectionUrl { get; private set; } = null!; /// - /// Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + /// Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. /// [Output("customUserSearchFilter")] public Output CustomUserSearchFilter { get; private set; } = null!; /// - /// When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - /// user federation provider. + /// When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. /// [Output("deleteDefaultMappers")] public Output DeleteDefaultMappers { get; private set; } = null!; /// - /// READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + /// Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. /// [Output("editMode")] public Output EditMode { get; private set; } = null!; /// - /// When false, this provider will not be used when performing queries for users. + /// When `false`, this provider will not be used when performing queries for users. Defaults to `true`. /// [Output("enabled")] public Output Enabled { get; private set; } = null!; 
@@ -179,13 +151,13 @@ public partial class UserFederation : global::Pulumi.CustomResource public Output FullSyncPeriod { get; private set; } = null!; /// - /// When true, LDAP users will be imported into the Keycloak database. + /// When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. /// [Output("importEnabled")] public Output ImportEnabled { get; private set; } = null!; /// - /// Settings regarding kerberos authentication for this realm. + /// A block containing the kerberos settings. /// [Output("kerberos")] public Output Kerberos { get; private set; } = null!; @@ -197,13 +169,13 @@ public partial class UserFederation : global::Pulumi.CustomResource public Output Name { get; private set; } = null!; /// - /// When true, Keycloak assumes the LDAP server supports pagination. + /// When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. /// [Output("pagination")] public Output Pagination { get; private set; } = null!; /// - /// Priority of this provider when looking up users. Lower values are first. + /// Priority of this provider when looking up users. Lower values are first. Defaults to `0`. /// [Output("priority")] public Output Priority { get; private set; } = null!; 
@@ -215,31 +187,33 @@ public partial class UserFederation : global::Pulumi.CustomResource public Output RdnLdapAttribute { get; private set; } = null!; /// - /// LDAP read timeout (duration string) + /// LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). /// [Output("readTimeout")] public Output ReadTimeout { get; private set; } = null!; /// - /// The realm this provider will provide user federation for. + /// The realm that this provider will provide user federation for. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; /// - /// ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + /// Can be one of `ONE_LEVEL` or `SUBTREE`: + /// - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + /// - `SUBTREE`: Search entire LDAP subtree. /// [Output("searchScope")] public Output SearchScope { get; private set; } = null!; /// - /// When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + /// When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. /// [Output("startTls")] public Output StartTls { get; private set; } = null!; /// - /// When true, newly created users will be synced back to LDAP. + /// When `true`, newly created users will be synced back to LDAP. Defaults to `false`. /// [Output("syncRegistrations")] public Output SyncRegistrations { get; private set; } = null!; 
@@ -256,11 +230,17 @@ public partial class UserFederation : global::Pulumi.CustomResource [Output("usePasswordModifyExtendedOp")] public Output UsePasswordModifyExtendedOp { get; private set; } = null!; + /// + /// Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + /// - `ALWAYS` - Always use the truststore SPI for LDAP connections. + /// - `NEVER` - Never use the truststore SPI for LDAP connections. + /// - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + /// [Output("useTruststoreSpi")] public Output UseTruststoreSpi { get; private set; } = null!; /// - /// All values of LDAP objectClass attribute for users in LDAP. + /// Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. /// [Output("userObjectClasses")] public Output> UserObjectClasses { get; private set; } = null!; @@ -284,13 +264,13 @@ public partial class UserFederation : global::Pulumi.CustomResource public Output UuidLdapAttribute { get; private set; } = null!; /// - /// When true, Keycloak will validate passwords using the realm policy before updating it. + /// When `true`, Keycloak will validate passwords using the realm policy before updating it. /// [Output("validatePasswordPolicy")] public Output ValidatePasswordPolicy { get; private set; } = null!; /// - /// LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + /// Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. /// [Output("vendor")] public Output Vendor { get; private set; } = null!; 
@@ -346,7 +326,7 @@ public static UserFederation Get(string name, Input id, UserFederationSt public sealed class UserFederationArgs : global::Pulumi.ResourceArgs { /// - /// The number of users to sync within a single transaction. + /// The number of users to sync within a single transaction. Defaults to `1000`. /// [Input("batchSizeForSync")] public Input? BatchSizeForSync { get; set; } @@ -355,7 +335,7 @@ public sealed class UserFederationArgs : global::Pulumi.ResourceArgs private Input? _bindCredential; /// - /// Password of LDAP admin. + /// Password of LDAP admin. This attribute must be set if `bind_dn` is set. /// public Input? BindCredential { @@ -368,26 +348,25 @@ public Input? BindCredential } /// - /// DN of LDAP admin, which will be used by Keycloak to access LDAP server. + /// DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. /// [Input("bindDn")] public Input? BindDn { get; set; } /// - /// Settings regarding cache policy for this realm. + /// A block containing the cache settings. /// [Input("cache")] public Input? Cache { get; set; } /// - /// How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - /// sync. + /// How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. /// [Input("changedSyncPeriod")] public Input? ChangedSyncPeriod { get; set; } /// - /// LDAP connection timeout (duration string) + /// LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). /// [Input("connectionTimeout")] public Input? ConnectionTimeout { get; set; } 
@@ -399,26 +378,25 @@ public Input? BindCredential public Input ConnectionUrl { get; set; } = null!; /// - /// Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + /// Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. /// [Input("customUserSearchFilter")] public Input? CustomUserSearchFilter { get; set; } /// - /// When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - /// user federation provider. + /// When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. /// [Input("deleteDefaultMappers")] public Input? DeleteDefaultMappers { get; set; } /// - /// READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + /// Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. /// [Input("editMode")] public Input? EditMode { get; set; } /// - /// When false, this provider will not be used when performing queries for users. + /// When `false`, this provider will not be used when performing queries for users. Defaults to `true`. /// [Input("enabled")] public Input? Enabled { get; set; } @@ -430,13 +408,13 @@ public Input? BindCredential public Input? FullSyncPeriod { get; set; } /// - /// When true, LDAP users will be imported into the Keycloak database. + /// When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. /// [Input("importEnabled")] public Input? ImportEnabled { get; set; } /// - /// Settings regarding kerberos authentication for this realm. + /// A block containing the kerberos settings. /// [Input("kerberos")] public Input? Kerberos { get; set; } 
@@ -448,13 +426,13 @@ public Input? BindCredential public Input? Name { get; set; } /// - /// When true, Keycloak assumes the LDAP server supports pagination. + /// When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. /// [Input("pagination")] public Input? Pagination { get; set; } /// - /// Priority of this provider when looking up users. Lower values are first. + /// Priority of this provider when looking up users. Lower values are first. Defaults to `0`. /// [Input("priority")] public Input? Priority { get; set; } @@ -466,31 +444,33 @@ public Input? BindCredential public Input RdnLdapAttribute { get; set; } = null!; /// - /// LDAP read timeout (duration string) + /// LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). /// [Input("readTimeout")] public Input? ReadTimeout { get; set; } /// - /// The realm this provider will provide user federation for. + /// The realm that this provider will provide user federation for. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; /// - /// ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + /// Can be one of `ONE_LEVEL` or `SUBTREE`: + /// - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + /// - `SUBTREE`: Search entire LDAP subtree. /// [Input("searchScope")] public Input? SearchScope { get; set; } /// - /// When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + /// When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. /// [Input("startTls")] public Input? StartTls { get; set; } /// - /// When true, newly created users will be synced back to LDAP. + /// When `true`, newly created users will be synced back to LDAP. Defaults to `false`. /// [Input("syncRegistrations")] public Input? SyncRegistrations { get; set; } 
@@ -507,6 +487,12 @@ public Input? BindCredential
 [Input("usePasswordModifyExtendedOp")]
 public Input? UsePasswordModifyExtendedOp { get; set; }
+///
+/// Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
+/// - `ALWAYS` - Always use the truststore SPI for LDAP connections.
+/// - `NEVER` - Never use the truststore SPI for LDAP connections.
+/// - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
+///
 [Input("useTruststoreSpi")]
 public Input? UseTruststoreSpi { get; set; }
@@ -514,7 +500,7 @@ public Input? BindCredential
 private InputList? _userObjectClasses;
 ///
-/// All values of LDAP objectClass attribute for users in LDAP.
+/// Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
 ///
 public InputList UserObjectClasses
 {
@@ -541,13 +527,13 @@ public InputList UserObjectClasses
 public Input UuidLdapAttribute { get; set; } = null!;
 ///
-/// When true, Keycloak will validate passwords using the realm policy before updating it.
+/// When `true`, Keycloak will validate passwords using the realm policy before updating it.
 ///
 [Input("validatePasswordPolicy")]
 public Input? ValidatePasswordPolicy { get; set; }
 ///
-/// LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
+/// Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
 ///
 [Input("vendor")]
 public Input? Vendor { get; set; }
@@ -561,7 +547,7 @@ public UserFederationArgs()
 public sealed class UserFederationState : global::Pulumi.ResourceArgs
 {
 ///
-/// The number of users to sync within a single transaction.
+/// The number of users to sync within a single transaction. Defaults to `1000`.
 ///
 [Input("batchSizeForSync")]
 public Input? BatchSizeForSync { get; set; }
@@ -570,7 +556,7 @@ public sealed class UserFederationState : global::Pulumi.ResourceArgs
 private Input? _bindCredential;
 ///
-/// Password of LDAP admin.
+/// Password of LDAP admin. This attribute must be set if `bind_dn` is set.
 ///
 public Input? BindCredential
 {
@@ -583,26 +569,25 @@ public Input? BindCredential
 }
 ///
-/// DN of LDAP admin, which will be used by Keycloak to access LDAP server.
+/// DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.
 ///
 [Input("bindDn")]
 public Input? BindDn { get; set; }
 ///
-/// Settings regarding cache policy for this realm.
+/// A block containing the cache settings.
 ///
 [Input("cache")]
 public Input? Cache { get; set; }
 ///
-/// How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users
-/// sync.
+/// How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
 ///
 [Input("changedSyncPeriod")]
 public Input? ChangedSyncPeriod { get; set; }
 ///
-/// LDAP connection timeout (duration string)
+/// LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
 ///
 [Input("connectionTimeout")]
 public Input? ConnectionTimeout { get; set; }
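Review bot: The new `BindCredential` summary in the `@@ -570,7 +556,7 @@` hunk only says the value must be set together with `bind_dn`; it does not say that it is a credential, while the `ClientSecret` text added by this same commit in Client.cs does ("This value is sensitive and should be treated with the same care as a password"). The private `_bindCredential` backing field looks like the secret-wrapping property pattern, but the accessor bodies sit outside the hunk, so I cannot confirm that from here. I would write `/// Password of LDAP admin. This attribute must be set if `bind_dn` is set. This value is sensitive and should be treated with the same care as a password.` here and in the `UserFederationArgs` counterpart earlier in the file. This appears to be a generated SDK file (its header is outside this chunk), so the wording belongs in the provider's schema/docs source, or it will be overwritten on the next regeneration.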
@@ -614,26 +599,25 @@ public Input? BindCredential
 public Input? ConnectionUrl { get; set; }
 ///
-/// Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
+/// Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
 ///
 [Input("customUserSearchFilter")]
 public Input? CustomUserSearchFilter { get; set; }
 ///
-/// When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP
-/// user federation provider.
+/// When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.
 ///
 [Input("deleteDefaultMappers")]
 public Input? DeleteDefaultMappers { get; set; }
 ///
-/// READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
+/// Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
 ///
 [Input("editMode")]
 public Input? EditMode { get; set; }
 ///
-/// When false, this provider will not be used when performing queries for users.
+/// When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
 ///
 [Input("enabled")]
 public Input? Enabled { get; set; }
@@ -645,13 +629,13 @@ public Input? BindCredential
 public Input? FullSyncPeriod { get; set; }
 ///
-/// When true, LDAP users will be imported into the Keycloak database.
+/// When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
 ///
 [Input("importEnabled")]
 public Input? ImportEnabled { get; set; }
 ///
-/// Settings regarding kerberos authentication for this realm.
+/// A block containing the kerberos settings.
 ///
 [Input("kerberos")]
 public Input? Kerberos { get; set; }
@@ -663,13 +647,13 @@ public Input? BindCredential
 public Input? Name { get; set; }
 ///
-/// When true, Keycloak assumes the LDAP server supports pagination.
+/// When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
 ///
 [Input("pagination")]
 public Input? Pagination { get; set; }
 ///
-/// Priority of this provider when looking up users. Lower values are first.
+/// Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
 ///
 [Input("priority")]
 public Input? Priority { get; set; }
@@ -681,31 +665,33 @@ public Input? BindCredential
 public Input? RdnLdapAttribute { get; set; }
 ///
-/// LDAP read timeout (duration string)
+/// LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
 ///
 [Input("readTimeout")]
 public Input? ReadTimeout { get; set; }
 ///
-/// The realm this provider will provide user federation for.
+/// The realm that this provider will provide user federation for.
 ///
 [Input("realmId")]
 public Input? RealmId { get; set; }
 ///
-/// ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
+/// Can be one of `ONE_LEVEL` or `SUBTREE`:
+/// - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
+/// - `SUBTREE`: Search entire LDAP subtree.
 ///
 [Input("searchScope")]
 public Input? SearchScope { get; set; }
 ///
-/// When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
+/// When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
 ///
 [Input("startTls")]
 public Input? StartTls { get; set; }
 ///
-/// When true, newly created users will be synced back to LDAP.
+/// When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
 ///
 [Input("syncRegistrations")]
 public Input? SyncRegistrations { get; set; }
@@ -722,6 +708,12 @@ public Input? BindCredential
 [Input("usePasswordModifyExtendedOp")]
 public Input? UsePasswordModifyExtendedOp { get; set; }
+///
+/// Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
+/// - `ALWAYS` - Always use the truststore SPI for LDAP connections.
+/// - `NEVER` - Never use the truststore SPI for LDAP connections.
+/// - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
+///
 [Input("useTruststoreSpi")]
 public Input? UseTruststoreSpi { get; set; }
@@ -729,7 +721,7 @@ public Input? BindCredential
 private InputList? _userObjectClasses;
 ///
-/// All values of LDAP objectClass attribute for users in LDAP.
+/// Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
 ///
 public InputList UserObjectClasses
 {
@@ -756,13 +748,13 @@ public InputList UserObjectClasses
 public Input? UuidLdapAttribute { get; set; }
 ///
-/// When true, Keycloak will validate passwords using the realm policy before updating it.
+/// When `true`, Keycloak will validate passwords using the realm policy before updating it.
 ///
 [Input("validatePasswordPolicy")]
 public Input? ValidatePasswordPolicy { get; set; }
 ///
-/// LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
+/// Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
 ///
 [Input("vendor")]
 public Input? Vendor { get; set; }
diff --git a/sdk/dotnet/OpenId/AudienceProtocolMapper.cs b/sdk/dotnet/OpenId/AudienceProtocolMapper.cs
index 96525acb..ab61fb31 100644
--- a/sdk/dotnet/OpenId/AudienceProtocolMapper.cs
+++ b/sdk/dotnet/OpenId/AudienceProtocolMapper.cs
@@ -10,16 +10,14 @@ namespace Pulumi.Keycloak.OpenId
 {
 ///
-/// ## # keycloak.openid.AudienceProtocolMapper
+/// Allows for creating and managing audience protocol mappers within Keycloak.
 ///
-/// Allows for creating and managing audience protocol mappers within
-/// Keycloak. This mapper was added in Keycloak v4.6.0.Final.
+/// Audience protocol mappers allow you add audiences to the `aud` claim within issued tokens. The audience can be a custom
+/// string, or it can be mapped to the ID of a pre-existing client.
 ///
-/// Audience protocol mappers allow you add audiences to the `aud` claim
-/// within issued tokens. The audience can be a custom string, or it can be
-/// mapped to the ID of a pre-existing client.
+/// ## Example Usage
 ///
-/// ### Example Usage (Client)
+/// ### Client)
 ///
 /// ```csharp
 /// using System.Collections.Generic;
@@ -38,8 +36,8 @@ namespace Pulumi.Keycloak.OpenId
 /// var openidClient = new Keycloak.OpenId.Client("openid_client", new()
 /// {
 /// RealmId = realm.Id,
-/// ClientId = "test-client",
-/// Name = "test client",
+/// ClientId = "client",
+/// Name = "client",
 /// Enabled = true,
 /// AccessType = "CONFIDENTIAL",
 /// ValidRedirectUris = new[]
@@ -59,7 +57,7 @@ namespace Pulumi.Keycloak.OpenId
 /// });
 /// ```
 ///
-/// ### Example Usage (Client Scope)
+/// ### Client Scope)
 ///
 /// ```csharp
 /// using System.Collections.Generic;
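Review bot: The two example sub-headings introduced in this file's first and third hunks are malformed: `/// ### Client)` and `/// ### Client Scope)` keep a dangling `)` from the old `### Example Usage (Client)` / `### Example Usage (Client Scope)` text. Because the commit already adds a `## Example Usage` heading above them, they should read `/// ### Client` and `/// ### Client Scope`. This summary text is most likely produced from the upstream resource docs by the SDK generator, so the stray parenthesis should be corrected in the docs source rather than in this file, or it will return on the next regeneration.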
@@ -92,74 +90,73 @@ namespace Pulumi.Keycloak.OpenId
 /// });
 /// ```
 ///
-/// ### Argument Reference
-///
-/// The following arguments are supported:
-///
-/// - `realm_id` - (Required) The realm this protocol mapper exists within.
-/// - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.
-/// - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.
-/// - `name` - (Required) The display name of this protocol mapper in the GUI.
-/// - `included_client_audience` - (Required if `included_custom_audience` is not specified) A client ID to include within the token's `aud` claim.
-/// - `included_custom_audience` - (Required if `included_client_audience` is not specified) A custom audience to include within the token's `aud` claim.
-/// - `add_to_id_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
-/// - `add_to_access_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
-///
-/// ### Import
+/// ## Import
 ///
 /// Protocol mappers can be imported using one of the following formats:
+///
 /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+///
 /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
 ///
 /// Example:
+///
+/// bash
+///
+/// ```sh
+/// $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+/// ```
+///
+/// ```sh
+/// $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+/// ```
 ///
 [KeycloakResourceType("keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper")]
 public partial class AudienceProtocolMapper : global::Pulumi.CustomResource
 {
 ///
-/// Indicates if this claim should be added to the access token.
+/// Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
 ///
 [Output("addToAccessToken")]
 public Output AddToAccessToken { get; private set; } = null!;
 ///
-/// Indicates if this claim should be added to the id token.
+/// Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
 ///
 [Output("addToIdToken")]
 public Output AddToIdToken { get; private set; } = null!;
 ///
-/// The mapper's associated client. Cannot be used at the same time as client_scope_id.
+/// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
 ///
 [Output("clientId")]
 public Output ClientId { get; private set; } = null!;
 ///
-/// The mapper's associated client scope. Cannot be used at the same time as client_id.
+/// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
 ///
 [Output("clientScopeId")]
 public Output ClientScopeId { get; private set; } = null!;
 ///
-/// A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience
+/// A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.
 ///
 [Output("includedClientAudience")]
 public Output IncludedClientAudience { get; private set; } = null!;
 ///
-/// A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience
+/// A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.
 ///
 [Output("includedCustomAudience")]
 public Output IncludedCustomAudience { get; private set; } = null!;
 ///
-/// A human-friendly name that will appear in the Keycloak console.
+/// The display name of this protocol mapper in the GUI.
 ///
 [Output("name")]
 public Output Name { get; private set; } = null!;
 ///
-/// The realm id where the associated client or client scope exists.
+/// The realm this protocol mapper exists within.
 ///
 [Output("realmId")]
 public Output RealmId { get; private set; } = null!;
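Review bot: The new `AddToAccessToken` summary in this hunk, `Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.`, describes the ID token and is word-for-word the text given to `AddToIdToken` just below it, whereas the removed line correctly said "access token"; the same copy recurs in the `AudienceProtocolMapperArgs` (`@@ -211,49 +208,49 @@`) and `AudienceProtocolMapperState` (`@@ -267,49 +264,49 @@`) hunks. It should read `/// Indicates if the audience should be included in the `aud` claim for the access token. Defaults to `true`.`, since the access-token `aud` is what resource servers validate and readers need to tell the two switches apart. The removed `add_to_access_token` bullet carried the same mistake, so the source is likely the upstream docs the generator reads, and the fix belongs there. Separately, the bare `/// bash` line added before the ```sh fences will render as a stray word in the generated docs.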
@@ -211,49 +208,49 @@ public static AudienceProtocolMapper Get(string name, Input id, Audience
 public sealed class AudienceProtocolMapperArgs : global::Pulumi.ResourceArgs
 {
 ///
-/// Indicates if this claim should be added to the access token.
+/// Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
 ///
 [Input("addToAccessToken")]
 public Input? AddToAccessToken { get; set; }
 ///
-/// Indicates if this claim should be added to the id token.
+/// Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
 ///
 [Input("addToIdToken")]
 public Input? AddToIdToken { get; set; }
 ///
-/// The mapper's associated client. Cannot be used at the same time as client_scope_id.
+/// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
 ///
 [Input("clientId")]
 public Input? ClientId { get; set; }
 ///
-/// The mapper's associated client scope. Cannot be used at the same time as client_id.
+/// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
 ///
 [Input("clientScopeId")]
 public Input? ClientScopeId { get; set; }
 ///
-/// A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience
+/// A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.
 ///
 [Input("includedClientAudience")]
 public Input? IncludedClientAudience { get; set; }
 ///
-/// A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience
+/// A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.
 ///
 [Input("includedCustomAudience")]
 public Input? IncludedCustomAudience { get; set; }
 ///
-/// A human-friendly name that will appear in the Keycloak console.
+/// The display name of this protocol mapper in the GUI.
 ///
 [Input("name")]
 public Input? Name { get; set; }
 ///
-/// The realm id where the associated client or client scope exists.
+/// The realm this protocol mapper exists within.
 ///
 [Input("realmId", required: true)]
 public Input RealmId { get; set; } = null!;
@@ -267,49 +264,49 @@ public AudienceProtocolMapperArgs()
 public sealed class AudienceProtocolMapperState : global::Pulumi.ResourceArgs
 {
 ///
-/// Indicates if this claim should be added to the access token.
+/// Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
 ///
 [Input("addToAccessToken")]
 public Input? AddToAccessToken { get; set; }
 ///
-/// Indicates if this claim should be added to the id token.
+/// Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
 ///
 [Input("addToIdToken")]
 public Input? AddToIdToken { get; set; }
 ///
-/// The mapper's associated client. Cannot be used at the same time as client_scope_id.
+/// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
 ///
 [Input("clientId")]
 public Input? ClientId { get; set; }
 ///
-/// The mapper's associated client scope. Cannot be used at the same time as client_id.
+/// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
 ///
 [Input("clientScopeId")]
 public Input? ClientScopeId { get; set; }
 ///
-/// A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience
+/// A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.
 ///
 [Input("includedClientAudience")]
 public Input? IncludedClientAudience { get; set; }
 ///
-/// A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience
+/// A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.
 ///
 [Input("includedCustomAudience")]
 public Input? IncludedCustomAudience { get; set; }
 ///
-/// A human-friendly name that will appear in the Keycloak console.
+/// The display name of this protocol mapper in the GUI.
 ///
 [Input("name")]
 public Input? Name { get; set; }
 ///
-/// The realm id where the associated client or client scope exists.
+/// The realm this protocol mapper exists within.
 ///
 [Input("realmId")]
 public Input? RealmId { get; set; }
diff --git a/sdk/dotnet/OpenId/Client.cs b/sdk/dotnet/OpenId/Client.cs
index fe67c1b1..616cb91a 100644
--- a/sdk/dotnet/OpenId/Client.cs
+++ b/sdk/dotnet/OpenId/Client.cs
@@ -10,15 +10,13 @@ namespace Pulumi.Keycloak.OpenId
 {
 ///
-/// ## # keycloak.openid.Client
-///
 /// Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.
 ///
 /// Clients are entities that can use Keycloak for user authentication. Typically,
 /// clients are applications that redirect users to Keycloak for authentication
 /// in order to take advantage of Keycloak's user sessions for SSO.
 ///
-/// ### Example Usage
+/// ## Example Usage
 ///
 /// ```csharp
 /// using System.Collections.Generic;
@@ -45,192 +43,315 @@ namespace Pulumi.Keycloak.OpenId
 /// {
 /// "http://localhost:8080/openid-callback",
 /// },
+/// LoginTheme = "keycloak",
+/// ExtraConfig =
+/// {
+/// { "key1", "value1" },
+/// { "key2", "value2" },
+/// },
 /// });
 ///
 /// });
 /// ```
 ///
-/// ### Argument Reference
-///
-/// The following arguments are supported:
-///
-/// - `realm_id` - (Required) The realm this client is attached to.
-/// - `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.
-/// - `name` - (Optional) The display name of this client in the GUI.
-/// - `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
-/// - `description` - (Optional) The description of this client in the GUI.
-/// - `access_type` - (Required) Specifies the type of client, which can be one of the following:
-/// - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.
-/// This client should be used for applications using the Authorization Code or Client Credentials grant flows.
-/// - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect
-/// URIs for security. This client should be used for applications using the Implicit grant flow.
-/// - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
-/// - `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and
-/// should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute.
-/// - `standard_flow_enabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
-/// - `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
-/// - `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
-/// - `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
-/// - `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
-/// wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`
-/// is set to `true`.
-/// - `web_origins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins.
-/// - `admin_url` - (Optional) URL to the admin interface of the client.
-/// - `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client.
-/// - `pkce_code_challenge_method` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
-/// - `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token.
-///
-/// ### Attributes Reference
-///
-/// In addition to the arguments listed above, the following computed attributes are exported:
-///
-/// - `service_account_user_id` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
-///
-/// ### Import
+/// ## Import
 ///
 /// Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak
+///
 /// assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.
 ///
 /// Example:
+///
+/// bash
+///
+/// ```sh
+/// $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352
+/// ```
 ///
 [KeycloakResourceType("keycloak:openid/client:Client")]
 public partial class Client : global::Pulumi.CustomResource
 {
+///
+/// The amount of time in seconds before an access token expires. This will override the default for the realm.
+///
 [Output("accessTokenLifespan")]
 public Output AccessTokenLifespan { get; private set; } = null!;
+///
+/// Specifies the type of client, which can be one of the following:
+/// - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.
+/// This client should be used for applications using the Authorization Code or Client Credentials grant flows.
+/// - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect
+/// URIs for security. This client should be used for applications using the Implicit grant flow.
+/// - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
+///
 [Output("accessType")]
 public Output AccessType { get; private set; } = null!;
+///
+/// URL to the admin interface of the client.
+///
 [Output("adminUrl")]
 public Output AdminUrl { get; private set; } = null!;
+///
+/// Override realm authentication flow bindings
+///
 [Output("authenticationFlowBindingOverrides")]
 public Output AuthenticationFlowBindingOverrides { get; private set; } = null!;
+///
+/// When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments:
+///
 [Output("authorization")]
 public Output Authorization { get; private set; } = null!;
+///
+/// Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
+///
 [Output("backchannelLogoutRevokeOfflineSessions")]
 public Output BackchannelLogoutRevokeOfflineSessions { get; private set; } = null!;
+///
+/// When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
+///
 [Output("backchannelLogoutSessionRequired")]
 public Output BackchannelLogoutSessionRequired { get; private set; } = null!;
+///
+/// The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
+///
 [Output("backchannelLogoutUrl")]
 public Output BackchannelLogoutUrl { get; private set; } = null!;
+///
+/// Default URL to use when the auth server needs to redirect or link back to the client.
+///
 [Output("baseUrl")]
 public Output BaseUrl { get; private set; } = null!;
+///
+/// Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
+/// - `client-secret` (Default) Use client id and client secret to authenticate client.
+/// - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
+/// - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`
+/// - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
+///
 [Output("clientAuthenticatorType")]
 public Output ClientAuthenticatorType { get; private set; } = null!;
+///
+/// The Client ID for this client, referenced in the URI during authentication and in issued tokens.
+///
 [Output("clientId")]
 public Output ClientId { get; private set; } = null!;
+///
+/// Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
+///
 [Output("clientOfflineSessionIdleTimeout")]
 public Output ClientOfflineSessionIdleTimeout { get; private set; } = null!;
+///
+/// Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
+///
 [Output("clientOfflineSessionMaxLifespan")]
 public Output ClientOfflineSessionMaxLifespan { get; private set; } = null!;
+///
+/// The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
+///
 [Output("clientSecret")]
 public Output ClientSecret { get; private set; } = null!;
+///
+/// Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
+///
 [Output("clientSessionIdleTimeout")]
 public Output ClientSessionIdleTimeout { get; private set; } = null!;
+///
+/// Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
+///
 [Output("clientSessionMaxLifespan")]
 public Output ClientSessionMaxLifespan { get; private set; } = null!;
+///
+/// When `true`, users have to consent to client access. Defaults to `false`.
+///
 [Output("consentRequired")]
 public Output ConsentRequired { get; private set; } = null!;
+///
+/// The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`.
+///
 [Output("consentScreenText")]
 public Output ConsentScreenText { get; private set; } = null!;
+///
+/// The description of this client in the GUI.
+///
 [Output("description")]
 public Output Description { get; private set; } = null!;
+///
+/// When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
+///
 [Output("directAccessGrantsEnabled")]
 public Output DirectAccessGrantsEnabled { get; private set; } = null!;
+///
+/// When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`.
+///
 [Output("displayOnConsentScreen")]
 public Output DisplayOnConsentScreen { get; private set; } = null!;
+///
+/// When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
+///
 [Output("enabled")]
 public Output Enabled { get; private set; } = null!;
+///
+/// When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response.
+///
 [Output("excludeSessionStateFromAuthResponse")]
 public Output ExcludeSessionStateFromAuthResponse { get; private set; } = null!;
 [Output("extraConfig")]
 public Output?> ExtraConfig { get; private set; } = null!;
+///
+/// When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`.
+///
 [Output("frontchannelLogoutEnabled")]
 public Output FrontchannelLogoutEnabled { get; private set; } = null!;
+///
+/// The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`.
+///
 [Output("frontchannelLogoutUrl")]
 public Output FrontchannelLogoutUrl { get; private set; } = null!;
+///
+/// Allow to include all roles mappings in the access token.
+///
 [Output("fullScopeAllowed")]
 public Output FullScopeAllowed { get; private set; } = null!;
+///
+/// When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
+///
 [Output("implicitFlowEnabled")]
 public Output ImplicitFlowEnabled { get; private set; } = null!;
+///
+/// When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.
+///
 [Output("import")]
 public Output Import { get; private set; } = null!;
+///
+/// The client login theme. This will override the default theme for the realm.
+///
 [Output("loginTheme")]
 public Output LoginTheme { get; private set; } = null!;
+///
+/// The display name of this client in the GUI.
+///
 [Output("name")]
 public Output Name { get; private set; } = null!;
+///
+/// Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
+///
 [Output("oauth2DeviceAuthorizationGrantEnabled")]
 public Output Oauth2DeviceAuthorizationGrantEnabled { get; private set; } = null!;
+///
+/// The maximum amount of time a client has to finish the device code flow before it expires.
+///
 [Output("oauth2DeviceCodeLifespan")]
 public Output Oauth2DeviceCodeLifespan { get; private set; } = null!;
+///
+/// The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
+///
 [Output("oauth2DevicePollingInterval")]
 public Output Oauth2DevicePollingInterval { get; private set; } = null!;
+///
+/// The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
+///
 [Output("pkceCodeChallengeMethod")]
 public Output PkceCodeChallengeMethod { get; private set; } = null!;
+///
+/// The realm this client is attached to.
+///
 [Output("realmId")]
 public Output RealmId { get; private set; } = null!;
+///
+/// (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute).
+///
 [Output("resourceServerId")]
 public Output ResourceServerId { get; private set; } = null!;
+///
+/// When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.
+///
 [Output("rootUrl")]
 public Output RootUrl { get; private set; } = null!;
+///
+/// (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
+///
 [Output("serviceAccountUserId")]
 public Output ServiceAccountUserId { get; private set; } = null!;
+///
+/// When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
+///
 [Output("serviceAccountsEnabled")]
 public Output ServiceAccountsEnabled { get; private set; } = null!;
+///
+/// When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
+ /// [Output("standardFlowEnabled")] public Output StandardFlowEnabled { get; private set; } = null!; + /// + /// If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + /// [Output("useRefreshTokens")] public Output UseRefreshTokens { get; private set; } = null!; + /// + /// If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + /// [Output("useRefreshTokensClientCredentials")] public Output UseRefreshTokensClientCredentials { get; private set; } = null!; + /// + /// A list of valid URIs a browser is permitted to redirect to after a successful logout. + /// [Output("validPostLogoutRedirectUris")] public Output> ValidPostLogoutRedirectUris { get; private set; } = null!; + /// + /// A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + /// wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + /// is set to `true`. + /// [Output("validRedirectUris")] public Output> ValidRedirectUris { get; private set; } = null!; + /// + /// A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + /// [Output("webOrigins")] public Output> WebOrigins { get; private set; } = null!; 
@@ -284,47 +405,99 @@ public static Client Get(string name, Input id, ClientState? state = nul public sealed class ClientArgs : global::Pulumi.ResourceArgs { + /// + /// The amount of time in seconds before an access token expires. This will override the default for the realm. + /// [Input("accessTokenLifespan")] public Input? AccessTokenLifespan { get; set; } + /// + /// Specifies the type of client, which can be one of the following: + /// - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + /// This client should be used for applications using the Authorization Code or Client Credentials grant flows. + /// - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + /// URIs for security. This client should be used for applications using the Implicit grant flow. + /// - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + /// [Input("accessType", required: true)] public Input AccessType { get; set; } = null!; + /// + /// URL to the admin interface of the client. + /// [Input("adminUrl")] public Input? AdminUrl { get; set; } + /// + /// Override realm authentication flow bindings + /// [Input("authenticationFlowBindingOverrides")] public Input? AuthenticationFlowBindingOverrides { get; set; } + /// + /// When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + /// [Input("authorization")] public Input? Authorization { get; set; } + /// + /// Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. 
+ /// [Input("backchannelLogoutRevokeOfflineSessions")] public Input? BackchannelLogoutRevokeOfflineSessions { get; set; } + /// + /// When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + /// [Input("backchannelLogoutSessionRequired")] public Input? BackchannelLogoutSessionRequired { get; set; } + /// + /// The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + /// [Input("backchannelLogoutUrl")] public Input? BackchannelLogoutUrl { get; set; } + /// + /// Default URL to use when the auth server needs to redirect or link back to the client. + /// [Input("baseUrl")] public Input? BaseUrl { get; set; } + /// + /// Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + /// - `client-secret` (Default) Use client id and client secret to authenticate client. + /// - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + /// - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + /// - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + /// [Input("clientAuthenticatorType")] public Input? ClientAuthenticatorType { get; set; } + /// + /// The Client ID for this client, referenced in the URI during authentication and in issued tokens. + /// [Input("clientId", required: true)] public Input ClientId { get; set; } = null!; + /// + /// Time a client session is allowed to be idle before it expires. 
Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + /// [Input("clientOfflineSessionIdleTimeout")] public Input? ClientOfflineSessionIdleTimeout { get; set; } + /// + /// Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + /// [Input("clientOfflineSessionMaxLifespan")] public Input? ClientOfflineSessionMaxLifespan { get; set; } [Input("clientSecret")] private Input? _clientSecret; + + /// + /// The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + /// public Input? ClientSecret { get => _clientSecret; 
@@ -335,30 +508,57 @@ public Input? ClientSecret } } + /// + /// Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + /// [Input("clientSessionIdleTimeout")] public Input? ClientSessionIdleTimeout { get; set; } + /// + /// Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + /// [Input("clientSessionMaxLifespan")] public Input? ClientSessionMaxLifespan { get; set; } + /// + /// When `true`, users have to consent to client access. Defaults to `false`. + /// [Input("consentRequired")] public Input? ConsentRequired { get; set; } + /// + /// The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + /// [Input("consentScreenText")] public Input? ConsentScreenText { get; set; } + /// + /// The description of this client in the GUI. + /// [Input("description")] public Input? Description { get; set; } + /// + /// When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + /// [Input("directAccessGrantsEnabled")] public Input? DirectAccessGrantsEnabled { get; set; } + /// + /// When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + /// [Input("displayOnConsentScreen")] public Input? DisplayOnConsentScreen { get; set; } + /// + /// When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + /// [Input("enabled")] public Input? Enabled { get; set; } + /// + /// When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. 
+ /// [Input("excludeSessionStateFromAuthResponse")] public Input? ExcludeSessionStateFromAuthResponse { get; set; } 
@@ -370,59 +570,114 @@ public InputMap ExtraConfig set => _extraConfig = value; } + /// + /// When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + /// [Input("frontchannelLogoutEnabled")] public Input? FrontchannelLogoutEnabled { get; set; } + /// + /// The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + /// [Input("frontchannelLogoutUrl")] public Input? FrontchannelLogoutUrl { get; set; } + /// + /// Allow to include all roles mappings in the access token. + /// [Input("fullScopeAllowed")] public Input? FullScopeAllowed { get; set; } + /// + /// When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + /// [Input("implicitFlowEnabled")] public Input? ImplicitFlowEnabled { get; set; } + /// + /// When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + /// [Input("import")] public Input? Import { get; set; } + /// + /// The client login theme. This will override the default theme for the realm. + /// [Input("loginTheme")] public Input? LoginTheme { get; set; } + /// + /// The display name of this client in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + /// [Input("oauth2DeviceAuthorizationGrantEnabled")] public Input? Oauth2DeviceAuthorizationGrantEnabled { get; set; } + /// + /// The maximum amount of time a client has to finish the device code flow before it expires. 
+ /// [Input("oauth2DeviceCodeLifespan")] public Input? Oauth2DeviceCodeLifespan { get; set; } + /// + /// The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + /// [Input("oauth2DevicePollingInterval")] public Input? Oauth2DevicePollingInterval { get; set; } + /// + /// The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + /// [Input("pkceCodeChallengeMethod")] public Input? PkceCodeChallengeMethod { get; set; } + /// + /// The realm this client is attached to. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; + /// + /// When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + /// [Input("rootUrl")] public Input? RootUrl { get; set; } + /// + /// When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + /// [Input("serviceAccountsEnabled")] public Input? ServiceAccountsEnabled { get; set; } + /// + /// When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + /// [Input("standardFlowEnabled")] public Input? StandardFlowEnabled { get; set; } + /// + /// If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + /// [Input("useRefreshTokens")] public Input? UseRefreshTokens { get; set; } + /// + /// If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. 
If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + /// [Input("useRefreshTokensClientCredentials")] public Input? UseRefreshTokensClientCredentials { get; set; } [Input("validPostLogoutRedirectUris")] private InputList? _validPostLogoutRedirectUris; + + /// + /// A list of valid URIs a browser is permitted to redirect to after a successful logout. + /// public InputList ValidPostLogoutRedirectUris { get => _validPostLogoutRedirectUris ?? (_validPostLogoutRedirectUris = new InputList()); @@ -431,6 +686,12 @@ public InputList ValidPostLogoutRedirectUris [Input("validRedirectUris")] private InputList? _validRedirectUris; + + /// + /// A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + /// wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + /// is set to `true`. + /// public InputList ValidRedirectUris { get => _validRedirectUris ?? (_validRedirectUris = new InputList()); @@ -439,6 +700,10 @@ public InputList ValidRedirectUris [Input("webOrigins")] private InputList? _webOrigins; + + /// + /// A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + /// public InputList WebOrigins { get => _webOrigins ?? (_webOrigins = new InputList()); 
@@ -453,47 +718,99 @@ public ClientArgs() public sealed class ClientState : global::Pulumi.ResourceArgs { + /// + /// The amount of time in seconds before an access token expires. This will override the default for the realm. + /// [Input("accessTokenLifespan")] public Input? AccessTokenLifespan { get; set; } + /// + /// Specifies the type of client, which can be one of the following: + /// - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + /// This client should be used for applications using the Authorization Code or Client Credentials grant flows. + /// - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + /// URIs for security. This client should be used for applications using the Implicit grant flow. + /// - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + /// [Input("accessType")] public Input? AccessType { get; set; } + /// + /// URL to the admin interface of the client. + /// [Input("adminUrl")] public Input? AdminUrl { get; set; } + /// + /// Override realm authentication flow bindings + /// [Input("authenticationFlowBindingOverrides")] public Input? AuthenticationFlowBindingOverrides { get; set; } + /// + /// When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + /// [Input("authorization")] public Input? Authorization { get; set; } + /// + /// Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + /// [Input("backchannelLogoutRevokeOfflineSessions")] public Input? 
BackchannelLogoutRevokeOfflineSessions { get; set; } + /// + /// When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + /// [Input("backchannelLogoutSessionRequired")] public Input? BackchannelLogoutSessionRequired { get; set; } + /// + /// The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + /// [Input("backchannelLogoutUrl")] public Input? BackchannelLogoutUrl { get; set; } + /// + /// Default URL to use when the auth server needs to redirect or link back to the client. + /// [Input("baseUrl")] public Input? BaseUrl { get; set; } + /// + /// Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + /// - `client-secret` (Default) Use client id and client secret to authenticate client. + /// - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + /// - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + /// - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + /// [Input("clientAuthenticatorType")] public Input? ClientAuthenticatorType { get; set; } + /// + /// The Client ID for this client, referenced in the URI during authentication and in issued tokens. + /// [Input("clientId")] public Input? ClientId { get; set; } + /// + /// Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. 
+ /// [Input("clientOfflineSessionIdleTimeout")] public Input? ClientOfflineSessionIdleTimeout { get; set; } + /// + /// Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + /// [Input("clientOfflineSessionMaxLifespan")] public Input? ClientOfflineSessionMaxLifespan { get; set; } [Input("clientSecret")] private Input? _clientSecret; + + /// + /// The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + /// public Input? ClientSecret { get => _clientSecret; 
@@ -504,30 +821,57 @@ public Input? ClientSecret } } + /// + /// Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + /// [Input("clientSessionIdleTimeout")] public Input? ClientSessionIdleTimeout { get; set; } + /// + /// Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + /// [Input("clientSessionMaxLifespan")] public Input? ClientSessionMaxLifespan { get; set; } + /// + /// When `true`, users have to consent to client access. Defaults to `false`. + /// [Input("consentRequired")] public Input? ConsentRequired { get; set; } + /// + /// The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + /// [Input("consentScreenText")] public Input? ConsentScreenText { get; set; } + /// + /// The description of this client in the GUI. + /// [Input("description")] public Input? Description { get; set; } + /// + /// When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + /// [Input("directAccessGrantsEnabled")] public Input? DirectAccessGrantsEnabled { get; set; } + /// + /// When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + /// [Input("displayOnConsentScreen")] public Input? DisplayOnConsentScreen { get; set; } + /// + /// When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + /// [Input("enabled")] public Input? Enabled { get; set; } + /// + /// When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. 
+ /// [Input("excludeSessionStateFromAuthResponse")] public Input? ExcludeSessionStateFromAuthResponse { get; set; } 
@@ -539,65 +883,126 @@ public InputMap ExtraConfig set => _extraConfig = value; } + /// + /// When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + /// [Input("frontchannelLogoutEnabled")] public Input? FrontchannelLogoutEnabled { get; set; } + /// + /// The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + /// [Input("frontchannelLogoutUrl")] public Input? FrontchannelLogoutUrl { get; set; } + /// + /// Allow to include all roles mappings in the access token. + /// [Input("fullScopeAllowed")] public Input? FullScopeAllowed { get; set; } + /// + /// When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + /// [Input("implicitFlowEnabled")] public Input? ImplicitFlowEnabled { get; set; } + /// + /// When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + /// [Input("import")] public Input? Import { get; set; } + /// + /// The client login theme. This will override the default theme for the realm. + /// [Input("loginTheme")] public Input? LoginTheme { get; set; } + /// + /// The display name of this client in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + /// [Input("oauth2DeviceAuthorizationGrantEnabled")] public Input? Oauth2DeviceAuthorizationGrantEnabled { get; set; } + /// + /// The maximum amount of time a client has to finish the device code flow before it expires. 
+ /// [Input("oauth2DeviceCodeLifespan")] public Input? Oauth2DeviceCodeLifespan { get; set; } + /// + /// The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + /// [Input("oauth2DevicePollingInterval")] public Input? Oauth2DevicePollingInterval { get; set; } + /// + /// The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + /// [Input("pkceCodeChallengeMethod")] public Input? PkceCodeChallengeMethod { get; set; } + /// + /// The realm this client is attached to. + /// [Input("realmId")] public Input? RealmId { get; set; } + /// + /// (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + /// [Input("resourceServerId")] public Input? ResourceServerId { get; set; } + /// + /// When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + /// [Input("rootUrl")] public Input? RootUrl { get; set; } + /// + /// (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + /// [Input("serviceAccountUserId")] public Input? ServiceAccountUserId { get; set; } + /// + /// When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + /// [Input("serviceAccountsEnabled")] public Input? ServiceAccountsEnabled { get; set; } + /// + /// When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + /// [Input("standardFlowEnabled")] public Input? 
StandardFlowEnabled { get; set; } + /// + /// If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + /// [Input("useRefreshTokens")] public Input? UseRefreshTokens { get; set; } + /// + /// If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + /// [Input("useRefreshTokensClientCredentials")] public Input? UseRefreshTokensClientCredentials { get; set; } [Input("validPostLogoutRedirectUris")] private InputList? _validPostLogoutRedirectUris; + + /// + /// A list of valid URIs a browser is permitted to redirect to after a successful logout. + /// public InputList ValidPostLogoutRedirectUris { get => _validPostLogoutRedirectUris ?? (_validPostLogoutRedirectUris = new InputList()); @@ -606,6 +1011,12 @@ public InputList ValidPostLogoutRedirectUris [Input("validRedirectUris")] private InputList? _validRedirectUris; + + /// + /// A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + /// wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + /// is set to `true`. + /// public InputList ValidRedirectUris { get => _validRedirectUris ?? (_validRedirectUris = new InputList()); 
@@ -614,6 +1025,10 @@ public InputList ValidRedirectUris [Input("webOrigins")] private InputList? _webOrigins; + + /// + /// A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + /// public InputList WebOrigins { get => _webOrigins ?? (_webOrigins = new InputList()); diff --git a/sdk/dotnet/OpenId/ClientDefaultScopes.cs b/sdk/dotnet/OpenId/ClientDefaultScopes.cs index da36b977..b88baf31 100644 --- a/sdk/dotnet/OpenId/ClientDefaultScopes.cs +++ b/sdk/dotnet/OpenId/ClientDefaultScopes.cs @@ -56,28 +56,30 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this client and scopes exists in. - /// - `client_id` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. - /// - `default_scopes` - (Required) An array of client scope names to attach to this client. - /// - /// ### Import + /// ## Import /// /// This resource does not support import. Instead of importing, feel free to create this resource + /// /// as if it did not already exist on the server. /// [KeycloakResourceType("keycloak:openid/clientDefaultScopes:ClientDefaultScopes")] public partial class ClientDefaultScopes : global::Pulumi.CustomResource { + /// + /// The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + /// [Output("clientId")] public Output ClientId { get; private set; } = null!; + /// + /// An array of client scope names to attach to this client. + /// [Output("defaultScopes")] public Output> DefaultScopes { get; private set; } = null!; + /// + /// The realm this client and scopes exists in. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; 
@@ -127,17 +129,27 @@ public static ClientDefaultScopes Get(string name, Input id, ClientDefau public sealed class ClientDefaultScopesArgs : global::Pulumi.ResourceArgs { + /// + /// The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + /// [Input("clientId", required: true)] public Input ClientId { get; set; } = null!; [Input("defaultScopes", required: true)] private InputList? _defaultScopes; + + /// + /// An array of client scope names to attach to this client. + /// public InputList DefaultScopes { get => _defaultScopes ?? (_defaultScopes = new InputList()); set => _defaultScopes = value; } + /// + /// The realm this client and scopes exists in. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; @@ -149,17 +161,27 @@ public ClientDefaultScopesArgs() public sealed class ClientDefaultScopesState : global::Pulumi.ResourceArgs { + /// + /// The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + /// [Input("clientId")] public Input? ClientId { get; set; } [Input("defaultScopes")] private InputList? _defaultScopes; + + /// + /// An array of client scope names to attach to this client. + /// public InputList DefaultScopes { get => _defaultScopes ?? (_defaultScopes = new InputList()); set => _defaultScopes = value; } + /// + /// The realm this client and scopes exists in. + /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/OpenId/ClientOptionalScopes.cs b/sdk/dotnet/OpenId/ClientOptionalScopes.cs index 034c8245..8d682829 100644 --- a/sdk/dotnet/OpenId/ClientOptionalScopes.cs +++ b/sdk/dotnet/OpenId/ClientOptionalScopes.cs @@ -48,6 +48,7 @@ namespace Pulumi.Keycloak.OpenId /// "address", /// "phone", /// "offline_access", + /// "microprofile-jwt", /// clientScope.Name, /// }, /// }); 
@@ -55,28 +56,30 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this client and scopes exists in. - /// - `client_id` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. - /// - `optional_scopes` - (Required) An array of client scope names to attach to this client as optional scopes. - /// - /// ### Import + /// ## Import /// /// This resource does not support import. Instead of importing, feel free to create this resource + /// /// as if it did not already exist on the server. /// [KeycloakResourceType("keycloak:openid/clientOptionalScopes:ClientOptionalScopes")] public partial class ClientOptionalScopes : global::Pulumi.CustomResource { + /// + /// The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + /// [Output("clientId")] public Output ClientId { get; private set; } = null!; + /// + /// An array of client scope names to attach to this client as optional scopes. + /// [Output("optionalScopes")] public Output> OptionalScopes { get; private set; } = null!; + /// + /// The realm this client and scopes exists in. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; 
@@ -126,17 +129,27 @@ public static ClientOptionalScopes Get(string name, Input id, ClientOpti public sealed class ClientOptionalScopesArgs : global::Pulumi.ResourceArgs { + /// + /// The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + /// [Input("clientId", required: true)] public Input ClientId { get; set; } = null!; [Input("optionalScopes", required: true)] private InputList? _optionalScopes; + + /// + /// An array of client scope names to attach to this client as optional scopes. + /// public InputList OptionalScopes { get => _optionalScopes ?? (_optionalScopes = new InputList()); set => _optionalScopes = value; } + /// + /// The realm this client and scopes exists in. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; @@ -148,17 +161,27 @@ public ClientOptionalScopesArgs() public sealed class ClientOptionalScopesState : global::Pulumi.ResourceArgs { + /// + /// The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + /// [Input("clientId")] public Input? ClientId { get; set; } [Input("optionalScopes")] private InputList? _optionalScopes; + + /// + /// An array of client scope names to attach to this client as optional scopes. + /// public InputList OptionalScopes { get => _optionalScopes ?? (_optionalScopes = new InputList()); set => _optionalScopes = value; } + /// + /// The realm this client and scopes exists in. + /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/OpenId/ClientScope.cs b/sdk/dotnet/OpenId/ClientScope.cs index 598eb8a7..533ca3ef 100644 --- a/sdk/dotnet/OpenId/ClientScope.cs +++ b/sdk/dotnet/OpenId/ClientScope.cs 
@@ -10,16 +10,12 @@ namespace Pulumi.Keycloak.OpenId { /// - /// ## # keycloak.openid.ClientScope + /// Allows for creating and managing Keycloak client scopes that can be attached to clients that use the OpenID Connect protocol. /// - /// Allows for creating and managing Keycloak client scopes that can be attached to - /// clients that use the OpenID Connect protocol. + /// Client Scopes can be used to share common protocol and role mappings between multiple clients within a realm. They can also + /// be used by clients to conditionally request claims or roles for a user based on the OAuth 2.0 `scope` parameter. /// - /// Client Scopes can be used to share common protocol and role mappings between multiple - /// clients within a realm. They can also be used by clients to conditionally request - /// claims or roles for a user based on the OAuth 2.0 `scope` parameter. - /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; 
@@ -40,47 +36,63 @@ namespace Pulumi.Keycloak.OpenId /// RealmId = realm.Id, /// Name = "groups", /// Description = "When requested, this scope will map a user's group memberships to a claim", + /// IncludeInTokenScope = true, + /// GuiOrder = 1, /// }); /// /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this client scope belongs to. - /// - `name` - (Required) The display name of this client scope in the GUI. - /// - `description` - (Optional) The description of this client scope in the GUI. - /// - `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users - /// authenticating to clients with this scope attached. The consent screen will display the string - /// value of this attribute. - /// - /// ### Import + /// ## Import /// /// Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak + /// /// assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:openid/clientScope:ClientScope openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52 + /// ``` /// [KeycloakResourceType("keycloak:openid/clientScope:ClientScope")] public partial class ClientScope : global::Pulumi.CustomResource { + /// + /// When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + /// [Output("consentScreenText")] public Output ConsentScreenText { get; private set; } = null!; + /// + /// The description of this client scope in the GUI. 
+ /// [Output("description")] public Output Description { get; private set; } = null!; + /// + /// Specify order of the client scope in GUI (such as in Consent page) as integer. + /// [Output("guiOrder")] public Output GuiOrder { get; private set; } = null!; + /// + /// When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + /// [Output("includeInTokenScope")] public Output IncludeInTokenScope { get; private set; } = null!; + /// + /// The display name of this client scope in the GUI. + /// [Output("name")] public Output Name { get; private set; } = null!; + /// + /// The realm this client scope belongs to. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; 
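Review bot: The Import example in ClientScope.cs now contains `/// bash` on a line of its own immediately before the ```sh fence, which renders as a stray word rather than as a code-fence language tag; the line should be dropped, since the fence already carries `sh`. The same `bash` line appears in the FullNameProtocolMapper.cs and GroupMembershipProtocolMapper.cs Import sections. If these .cs files are generated, the fix belongs in the docs conversion step rather than in the generated output.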
@@ -130,21 +142,39 @@ public static ClientScope Get(string name, Input id, ClientScopeState? s public sealed class ClientScopeArgs : global::Pulumi.ResourceArgs { + /// + /// When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + /// [Input("consentScreenText")] public Input? ConsentScreenText { get; set; } + /// + /// The description of this client scope in the GUI. + /// [Input("description")] public Input? Description { get; set; } + /// + /// Specify order of the client scope in GUI (such as in Consent page) as integer. + /// [Input("guiOrder")] public Input? GuiOrder { get; set; } + /// + /// When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + /// [Input("includeInTokenScope")] public Input? IncludeInTokenScope { get; set; } + /// + /// The display name of this client scope in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// The realm this client scope belongs to. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -156,21 +186,39 @@ public ClientScopeArgs() public sealed class ClientScopeState : global::Pulumi.ResourceArgs { + /// + /// When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + /// [Input("consentScreenText")] public Input? ConsentScreenText { get; set; } + /// + /// The description of this client scope in the GUI. + /// [Input("description")] public Input? Description { get; set; } + /// + /// Specify order of the client scope in GUI (such as in Consent page) as integer. + /// [Input("guiOrder")] public Input? GuiOrder { get; set; } + /// + /// When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + /// [Input("includeInTokenScope")] public Input? IncludeInTokenScope { get; set; } + /// + /// The display name of this client scope in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// The realm this client scope belongs to. + /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/OpenId/FullNameProtocolMapper.cs b/sdk/dotnet/OpenId/FullNameProtocolMapper.cs index 0d6fd2aa..ba2b00cc 100644 --- a/sdk/dotnet/OpenId/FullNameProtocolMapper.cs +++ b/sdk/dotnet/OpenId/FullNameProtocolMapper.cs 
@@ -10,17 +10,16 @@ namespace Pulumi.Keycloak.OpenId { /// - /// ## # keycloak.openid.FullNameProtocolMapper + /// Allows for creating and managing full name protocol mappers within Keycloak. /// - /// Allows for creating and managing full name protocol mappers within - /// Keycloak. + /// Full name protocol mappers allow you to map a user's first and last name to the OpenID Connect `name` claim in a token. /// - /// Full name protocol mappers allow you to map a user's first and last name - /// to the OpenID Connect `name` claim in a token. Protocol mappers can be defined - /// for a single client, or they can be defined for a client scope which can - /// be shared between multiple different clients. + /// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + /// multiple different clients. /// - /// ### Example Usage (Client) + /// ## Example Usage + /// + /// ### Client) /// /// ```csharp /// using System.Collections.Generic; @@ -39,8 +38,8 @@ namespace Pulumi.Keycloak.OpenId /// var openidClient = new Keycloak.OpenId.Client("openid_client", new() /// { /// RealmId = realm.Id, - /// ClientId = "test-client", - /// Name = "test client", + /// ClientId = "client", + /// Name = "client", /// Enabled = true, /// AccessType = "CONFIDENTIAL", /// ValidRedirectUris = new[] @@ -59,7 +58,7 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Example Usage (Client Scope) + /// ### Client Scope) /// /// ```csharp /// using System.Collections.Generic; @@ -78,7 +77,7 @@ namespace Pulumi.Keycloak.OpenId /// var clientScope = new Keycloak.OpenId.ClientScope("client_scope", new() /// { /// RealmId = realm.Id, - /// Name = "test-client-scope", + /// Name = "client-scope", /// }); /// /// var fullNameMapper = new Keycloak.OpenId.FullNameProtocolMapper("full_name_mapper", new() 
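Review bot: The example headings were rewritten to `/// ### Client)` and `/// ### Client Scope)`, keeping the closing parenthesis from the old `### Example Usage (Client)` while losing the opening one; they should read `/// ### Client` and `/// ### Client Scope`. The same broken headings appear in the GroupMembershipProtocolMapper.cs and HardcodedClaimProtocolMapper.cs hunks below. The doc comment this hunk edits continues past the hunk into the example code.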
@@ -91,58 +90,67 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - /// - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the GUI. - /// - `add_to_id_token` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. - /// - `add_to_access_token` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. - /// - `add_to_userinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. - /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using one of the following formats: + /// /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + /// /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper")] public partial class FullNameProtocolMapper : global::Pulumi.CustomResource { + /// + /// Indicates if the user's full name 
should be added as a claim to the access token. Defaults to `true`. + /// [Output("addToAccessToken")] public Output AddToAccessToken { get; private set; } = null!; + /// + /// Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + /// [Output("addToIdToken")] public Output AddToIdToken { get; private set; } = null!; + /// + /// Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + /// [Output("addToUserinfo")] public Output AddToUserinfo { get; private set; } = null!; /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientId")] public Output ClientId { get; private set; } = null!; /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; 
@@ -193,35 +201,44 @@ public static FullNameProtocolMapper Get(string name, Input id, FullName public sealed class FullNameProtocolMapperArgs : global::Pulumi.ResourceArgs { + /// + /// Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } + /// + /// Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } + /// + /// Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -234,35 +251,44 @@ public FullNameProtocolMapperArgs() public sealed class FullNameProtocolMapperState : global::Pulumi.ResourceArgs { + /// + /// Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } + /// + /// Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } + /// + /// Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/OpenId/GetClient.cs b/sdk/dotnet/OpenId/GetClient.cs index 7f149882..36850c2f 100644 --- a/sdk/dotnet/OpenId/GetClient.cs +++ b/sdk/dotnet/OpenId/GetClient.cs 
@@ -12,11 +12,9 @@ namespace Pulumi.Keycloak.OpenId public static class GetClient { /// - /// ## # keycloak.openid.Client data source - /// /// This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -42,27 +40,14 @@ public static class GetClient /// /// }); /// ``` - /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm id. - /// - `client_id` - (Required) The client id. - /// - /// ### Attributes Reference - /// - /// See the docs for the `keycloak.openid.Client` resource for details on the exported attributes. /// public static Task InvokeAsync(GetClientArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.InvokeAsync("keycloak:openid/getClient:getClient", args ?? new GetClientArgs(), options.WithDefaults()); /// - /// ## # keycloak.openid.Client data source - /// /// This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -88,17 +73,6 @@ public static Task InvokeAsync(GetClientArgs args, InvokeOption /// /// }); /// ``` - /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm id. - /// - `client_id` - (Required) The client id. - /// - /// ### Attributes Reference - /// - /// See the docs for the `keycloak.openid.Client` resource for details on the exported attributes. /// public static Output Invoke(GetClientInvokeArgs args, InvokeOptions? options = null) => global::Pulumi.Deployment.Instance.Invoke("keycloak:openid/getClient:getClient", args ?? new GetClientInvokeArgs(), options.WithDefaults()); 
@@ -107,6 +81,9 @@ public static Output Invoke(GetClientInvokeArgs args, InvokeOpt public sealed class GetClientArgs : global::Pulumi.InvokeArgs { + /// + /// The client id (not its unique ID). + /// [Input("clientId", required: true)] public string ClientId { get; set; } = null!; @@ -133,6 +110,9 @@ public Dictionary ExtraConfig [Input("oauth2DevicePollingInterval")] public string? Oauth2DevicePollingInterval { get; set; } + /// + /// The realm id. + /// [Input("realmId", required: true)] public string RealmId { get; set; } = null!; @@ -144,6 +124,9 @@ public GetClientArgs() public sealed class GetClientInvokeArgs : global::Pulumi.InvokeArgs { + /// + /// The client id (not its unique ID). + /// [Input("clientId", required: true)] public Input ClientId { get; set; } = null!; @@ -170,6 +153,9 @@ public InputMap ExtraConfig [Input("oauth2DevicePollingInterval")] public Input? Oauth2DevicePollingInterval { get; set; } + /// + /// The realm id. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; diff --git a/sdk/dotnet/OpenId/GroupMembershipProtocolMapper.cs b/sdk/dotnet/OpenId/GroupMembershipProtocolMapper.cs index f24183b7..431db0de 100644 --- a/sdk/dotnet/OpenId/GroupMembershipProtocolMapper.cs +++ b/sdk/dotnet/OpenId/GroupMembershipProtocolMapper.cs 
@@ -10,17 +10,16 @@ namespace Pulumi.Keycloak.OpenId { /// - /// ## # keycloak.openid.GroupMembershipProtocolMapper + /// Allows for creating and managing group membership protocol mappers within Keycloak. /// - /// Allows for creating and managing group membership protocol mappers within - /// Keycloak. + /// Group membership protocol mappers allow you to map a user's group memberships to a claim in a token. /// - /// Group membership protocol mappers allow you to map a user's group memberships - /// to a claim in a token. Protocol mappers can be defined for a single client, - /// or they can be defined for a client scope which can be shared between multiple - /// different clients. + /// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + /// multiple different clients. /// - /// ### Example Usage (Client) + /// ## Example Usage + /// + /// ### Client) /// /// ```csharp /// using System.Collections.Generic; @@ -39,8 +38,8 @@ namespace Pulumi.Keycloak.OpenId /// var openidClient = new Keycloak.OpenId.Client("openid_client", new() /// { /// RealmId = realm.Id, - /// ClientId = "test-client", - /// Name = "test client", + /// ClientId = "client", + /// Name = "client", /// Enabled = true, /// AccessType = "CONFIDENTIAL", /// ValidRedirectUris = new[] @@ -60,7 +59,7 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Example Usage (Client Scope) + /// ### Client Scope) /// /// ```csharp /// using System.Collections.Generic; @@ -79,7 +78,7 @@ namespace Pulumi.Keycloak.OpenId /// var clientScope = new Keycloak.OpenId.ClientScope("client_scope", new() /// { /// RealmId = realm.Id, - /// Name = "test-client-scope", + /// Name = "client-scope", /// }); /// /// var groupMembershipMapper = new Keycloak.OpenId.GroupMembershipProtocolMapper("group_membership_mapper", new() 
@@ -93,66 +92,79 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - /// - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the GUI. - /// - `claim_name` - (Required) The name of the claim to insert into a token. - /// - `full_path` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`. - /// - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - /// - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - /// - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using one of the following formats: + /// /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + /// /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper")] public partial class GroupMembershipProtocolMapper : global::Pulumi.CustomResource { + /// + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. + /// [Output("addToAccessToken")] public Output AddToAccessToken { get; private set; } = null!; + /// + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. + /// [Output("addToIdToken")] public Output AddToIdToken { get; private set; } = null!; + /// + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + /// [Output("addToUserinfo")] public Output AddToUserinfo { get; private set; } = null!; + /// + /// The name of the claim to insert into a token. + /// [Output("claimName")] public Output ClaimName { get; private set; } = null!; /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. 
One of `client_id` or `client_scope_id` must be specified. /// [Output("clientId")] public Output ClientId { get; private set; } = null!; /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; + /// + /// Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + /// [Output("fullPath")] public Output FullPath { get; private set; } = null!; /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; 
@@ -203,41 +215,56 @@ public static GroupMembershipProtocolMapper Get(string name, Input id, G public sealed class GroupMembershipProtocolMapperArgs : global::Pulumi.ResourceArgs { + /// + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. + /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } + /// + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. + /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } + /// + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName", required: true)] public Input ClaimName { get; set; } = null!; /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } + /// + /// Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + /// [Input("fullPath")] public Input? FullPath { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. 
/// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -250,41 +277,56 @@ public GroupMembershipProtocolMapperArgs() public sealed class GroupMembershipProtocolMapperState : global::Pulumi.ResourceArgs { + /// + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. + /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } + /// + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. + /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } + /// + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName")] public Input? ClaimName { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } + /// + /// Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + /// [Input("fullPath")] public Input? FullPath { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId")] public Input? RealmId { get; set; } 
diff --git a/sdk/dotnet/OpenId/HardcodedClaimProtocolMapper.cs b/sdk/dotnet/OpenId/HardcodedClaimProtocolMapper.cs index ecc5f94a..3344614e 100644 --- a/sdk/dotnet/OpenId/HardcodedClaimProtocolMapper.cs +++ b/sdk/dotnet/OpenId/HardcodedClaimProtocolMapper.cs @@ -10,17 +10,16 @@ namespace Pulumi.Keycloak.OpenId { /// - /// ## # keycloak.openid.HardcodedClaimProtocolMapper + /// Allows for creating and managing hardcoded claim protocol mappers within Keycloak. /// - /// Allows for creating and managing hardcoded claim protocol mappers within - /// Keycloak. + /// Hardcoded claim protocol mappers allow you to define a claim with a hardcoded value. /// - /// Hardcoded claim protocol mappers allow you to define a claim with a hardcoded - /// value. Protocol mappers can be defined for a single client, or they can - /// be defined for a client scope which can be shared between multiple different - /// clients. + /// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + /// multiple different clients. /// - /// ### Example Usage (Client) + /// ## Example Usage + /// + /// ### Client) /// /// ```csharp /// using System.Collections.Generic; @@ -39,8 +38,8 @@ namespace Pulumi.Keycloak.OpenId /// var openidClient = new Keycloak.OpenId.Client("openid_client", new() /// { /// RealmId = realm.Id, - /// ClientId = "test-client", - /// Name = "test client", + /// ClientId = "client", + /// Name = "client", /// Enabled = true, /// AccessType = "CONFIDENTIAL", /// ValidRedirectUris = new[] @@ -61,7 +60,7 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Example Usage (Client Scope) + /// ### Client Scope) /// /// ```csharp /// using System.Collections.Generic; 
@@ -80,7 +79,7 @@ namespace Pulumi.Keycloak.OpenId /// var clientScope = new Keycloak.OpenId.ClientScope("client_scope", new() /// { /// RealmId = realm.Id, - /// Name = "test-client-scope", + /// Name = "client-scope", /// }); /// /// var hardcodedClaimMapper = new Keycloak.OpenId.HardcodedClaimProtocolMapper("hardcoded_claim_mapper", new() 
@@ -95,82 +94,85 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - /// - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the GUI. - /// - `claim_name` - (Required) The name of the claim to insert into a token. - /// - `claim_value` - (Required) The hardcoded value of the claim. - /// - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - /// - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - /// - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - /// - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using one of the following formats: + /// /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + /// /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper")] public partial class HardcodedClaimProtocolMapper : global::Pulumi.CustomResource { /// - /// Indicates if the attribute should be a claim in the access token. + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. /// [Output("addToAccessToken")] public Output AddToAccessToken { get; private set; } = null!; /// - /// Indicates if the attribute should be a claim in the id token. + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. /// [Output("addToIdToken")] public Output AddToIdToken { get; private set; } = null!; /// - /// Indicates if the attribute should appear in the userinfo response body. + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Output("addToUserinfo")] public Output AddToUserinfo { get; private set; } = null!; + /// + /// The name of the claim to insert into a token. 
+ /// [Output("claimName")] public Output ClaimName { get; private set; } = null!; + /// + /// The hardcoded value of the claim. + /// [Output("claimValue")] public Output ClaimValue { get; private set; } = null!; /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Output("claimValueType")] public Output ClaimValueType { get; private set; } = null!; /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientId")] public Output ClientId { get; private set; } = null!; /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; 
@@ -222,55 +224,61 @@ public static HardcodedClaimProtocolMapper Get(string name, Input id, Ha public sealed class HardcodedClaimProtocolMapperArgs : global::Pulumi.ResourceArgs { /// - /// Indicates if the attribute should be a claim in the access token. + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } /// - /// Indicates if the attribute should be a claim in the id token. + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } /// - /// Indicates if the attribute should appear in the userinfo response body. + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName", required: true)] public Input ClaimName { get; set; } = null!; + /// + /// The hardcoded value of the claim. + /// [Input("claimValue", required: true)] public Input ClaimValue { get; set; } = null!; /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Input("claimValueType")] public Input? ClaimValueType { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. 
One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -284,55 +292,61 @@ public HardcodedClaimProtocolMapperArgs() public sealed class HardcodedClaimProtocolMapperState : global::Pulumi.ResourceArgs { /// - /// Indicates if the attribute should be a claim in the access token. + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } /// - /// Indicates if the attribute should be a claim in the id token. + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } /// - /// Indicates if the attribute should appear in the userinfo response body. + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName")] public Input? ClaimName { get; set; } + /// + /// The hardcoded value of the claim. + /// [Input("claimValue")] public Input? ClaimValue { get; set; } /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Input("claimValueType")] public Input? ClaimValueType { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. 
/// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/OpenId/HardcodedRoleProtocolMapper.cs b/sdk/dotnet/OpenId/HardcodedRoleProtocolMapper.cs index 02f49f73..46d04e30 100644 --- a/sdk/dotnet/OpenId/HardcodedRoleProtocolMapper.cs +++ b/sdk/dotnet/OpenId/HardcodedRoleProtocolMapper.cs @@ -10,17 +10,16 @@ namespace Pulumi.Keycloak.OpenId { /// - /// ## # keycloak.openid.HardcodedRoleProtocolMapper + /// Allows for creating and managing hardcoded role protocol mappers within Keycloak. /// - /// Allows for creating and managing hardcoded role protocol mappers within - /// Keycloak. + /// Hardcoded role protocol mappers allow you to specify a single role to always map to an access token for a client. /// - /// Hardcoded role protocol mappers allow you to specify a single role to - /// always map to an access token for a client. Protocol mappers can be - /// defined for a single client, or they can be defined for a client scope - /// which can be shared between multiple different clients. + /// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + /// multiple different clients. /// - /// ### Example Usage (Client) + /// ## Example Usage + /// + /// ### Client) /// /// ```csharp /// using System.Collections.Generic; 
@@ -45,8 +44,8 @@ namespace Pulumi.Keycloak.OpenId /// var openidClient = new Keycloak.OpenId.Client("openid_client", new() /// { /// RealmId = realm.Id, - /// ClientId = "test-client", - /// Name = "test client", + /// ClientId = "client", + /// Name = "client", /// Enabled = true, /// AccessType = "CONFIDENTIAL", /// ValidRedirectUris = new[] @@ -66,7 +65,7 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Example Usage (Client Scope) + /// ### Client Scope) /// /// ```csharp /// using System.Collections.Generic; @@ -91,7 +90,7 @@ namespace Pulumi.Keycloak.OpenId /// var clientScope = new Keycloak.OpenId.ClientScope("client_scope", new() /// { /// RealmId = realm.Id, - /// Name = "test-client-scope", + /// Name = "client-scope", /// }); /// /// var hardcodedRoleMapper = new Keycloak.OpenId.HardcodedRoleProtocolMapper("hardcoded_role_mapper", new() 
@@ -105,52 +104,56 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - /// - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the - /// GUI. - /// - `role_id` - (Required) The ID of the role to map to an access token. - /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using one of the following formats: + /// /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + /// /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper")] public partial class HardcodedRoleProtocolMapper : global::Pulumi.CustomResource { /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. 
/// [Output("clientId")] public Output ClientId { get; private set; } = null!; /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// The ID of the role to map to an access token. + /// [Output("roleId")] public Output RoleId { get; private set; } = null!; 
@@ -201,29 +204,32 @@ public static HardcodedRoleProtocolMapper Get(string name, Input id, Har public sealed class HardcodedRoleProtocolMapperArgs : global::Pulumi.ResourceArgs { /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; + /// + /// The ID of the role to map to an access token. + /// [Input("roleId", required: true)] public Input RoleId { get; set; } = null!; 
@@ -236,29 +242,32 @@ public HardcodedRoleProtocolMapperArgs() public sealed class HardcodedRoleProtocolMapperState : global::Pulumi.ResourceArgs { /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId")] public Input? RealmId { get; set; } + /// + /// The ID of the role to map to an access token. + /// [Input("roleId")] public Input? RoleId { get; set; } diff --git a/sdk/dotnet/OpenId/Inputs/ClientAuthenticationFlowBindingOverridesArgs.cs b/sdk/dotnet/OpenId/Inputs/ClientAuthenticationFlowBindingOverridesArgs.cs index 17fa7e45..80ae3a66 100644 --- a/sdk/dotnet/OpenId/Inputs/ClientAuthenticationFlowBindingOverridesArgs.cs +++ b/sdk/dotnet/OpenId/Inputs/ClientAuthenticationFlowBindingOverridesArgs.cs 
@@ -12,9 +12,15 @@ namespace Pulumi.Keycloak.OpenId.Inputs public sealed class ClientAuthenticationFlowBindingOverridesArgs : global::Pulumi.ResourceArgs { + /// + /// Browser flow id, (flow needs to exist) + /// [Input("browserId")] public Input? BrowserId { get; set; } + /// + /// Direct grant flow id (flow needs to exist) + /// [Input("directGrantId")] public Input? DirectGrantId { get; set; } diff --git a/sdk/dotnet/OpenId/Inputs/ClientAuthenticationFlowBindingOverridesGetArgs.cs b/sdk/dotnet/OpenId/Inputs/ClientAuthenticationFlowBindingOverridesGetArgs.cs index f7695d6f..8e27eb3a 100644 --- a/sdk/dotnet/OpenId/Inputs/ClientAuthenticationFlowBindingOverridesGetArgs.cs +++ b/sdk/dotnet/OpenId/Inputs/ClientAuthenticationFlowBindingOverridesGetArgs.cs @@ -12,9 +12,15 @@ namespace Pulumi.Keycloak.OpenId.Inputs public sealed class ClientAuthenticationFlowBindingOverridesGetArgs : global::Pulumi.ResourceArgs { + /// + /// Browser flow id, (flow needs to exist) + /// [Input("browserId")] public Input? BrowserId { get; set; } + /// + /// Direct grant flow id (flow needs to exist) + /// [Input("directGrantId")] public Input? DirectGrantId { get; set; } diff --git a/sdk/dotnet/OpenId/Inputs/ClientAuthorizationArgs.cs b/sdk/dotnet/OpenId/Inputs/ClientAuthorizationArgs.cs index 551ecb02..a8114a6f 100644 --- a/sdk/dotnet/OpenId/Inputs/ClientAuthorizationArgs.cs +++ b/sdk/dotnet/OpenId/Inputs/ClientAuthorizationArgs.cs 
@@ -12,15 +12,27 @@ namespace Pulumi.Keycloak.OpenId.Inputs public sealed class ClientAuthorizationArgs : global::Pulumi.ResourceArgs { + /// + /// When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + /// [Input("allowRemoteResourceManagement")] public Input? AllowRemoteResourceManagement { get; set; } + /// + /// Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + /// [Input("decisionStrategy")] public Input? DecisionStrategy { get; set; } + /// + /// When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + /// [Input("keepDefaults")] public Input? KeepDefaults { get; set; } + /// + /// Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + /// [Input("policyEnforcementMode", required: true)] public Input PolicyEnforcementMode { get; set; } = null!; diff --git a/sdk/dotnet/OpenId/Inputs/ClientAuthorizationGetArgs.cs b/sdk/dotnet/OpenId/Inputs/ClientAuthorizationGetArgs.cs index 064b57f2..2d5774d1 100644 --- a/sdk/dotnet/OpenId/Inputs/ClientAuthorizationGetArgs.cs +++ b/sdk/dotnet/OpenId/Inputs/ClientAuthorizationGetArgs.cs 
@@ -12,15 +12,27 @@ namespace Pulumi.Keycloak.OpenId.Inputs public sealed class ClientAuthorizationGetArgs : global::Pulumi.ResourceArgs { + /// + /// When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + /// [Input("allowRemoteResourceManagement")] public Input? AllowRemoteResourceManagement { get; set; } + /// + /// Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + /// [Input("decisionStrategy")] public Input? DecisionStrategy { get; set; } + /// + /// When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + /// [Input("keepDefaults")] public Input? KeepDefaults { get; set; } + /// + /// Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + /// [Input("policyEnforcementMode", required: true)] public Input PolicyEnforcementMode { get; set; } = null!; diff --git a/sdk/dotnet/OpenId/Outputs/ClientAuthenticationFlowBindingOverrides.cs b/sdk/dotnet/OpenId/Outputs/ClientAuthenticationFlowBindingOverrides.cs index b5551a9c..664f1ca6 100644 --- a/sdk/dotnet/OpenId/Outputs/ClientAuthenticationFlowBindingOverrides.cs +++ b/sdk/dotnet/OpenId/Outputs/ClientAuthenticationFlowBindingOverrides.cs @@ -13,7 +13,13 @@ namespace Pulumi.Keycloak.OpenId.Outputs [OutputType] public sealed class ClientAuthenticationFlowBindingOverrides { + /// + /// Browser flow id, (flow needs to exist) + /// public readonly string? BrowserId; + /// + /// Direct grant flow id (flow needs to exist) + /// public readonly string? DirectGrantId; [OutputConstructor] diff --git a/sdk/dotnet/OpenId/Outputs/ClientAuthorization.cs b/sdk/dotnet/OpenId/Outputs/ClientAuthorization.cs index 79512de2..e61e811e 100644 --- a/sdk/dotnet/OpenId/Outputs/ClientAuthorization.cs +++ b/sdk/dotnet/OpenId/Outputs/ClientAuthorization.cs 
@@ -13,9 +13,21 @@ namespace Pulumi.Keycloak.OpenId.Outputs [OutputType] public sealed class ClientAuthorization { + /// + /// When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + /// public readonly bool? AllowRemoteResourceManagement; + /// + /// Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + /// public readonly string? DecisionStrategy; + /// + /// When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + /// public readonly bool? KeepDefaults; + /// + /// Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + /// public readonly string PolicyEnforcementMode; [OutputConstructor] diff --git a/sdk/dotnet/OpenId/UserAttributeProtocolMapper.cs b/sdk/dotnet/OpenId/UserAttributeProtocolMapper.cs index ad63e7fe..64b576f2 100644 --- a/sdk/dotnet/OpenId/UserAttributeProtocolMapper.cs +++ b/sdk/dotnet/OpenId/UserAttributeProtocolMapper.cs 
@@ -10,17 +10,16 @@ namespace Pulumi.Keycloak.OpenId { /// - /// ## # keycloak.openid.UserAttributeProtocolMapper + /// Allows for creating and managing user attribute protocol mappers within Keycloak. /// - /// Allows for creating and managing user attribute protocol mappers within - /// Keycloak. + /// User attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to a claim in a token. /// - /// User attribute protocol mappers allow you to map custom attributes defined - /// for a user within Keycloak to a claim in a token. Protocol mappers can be - /// defined for a single client, or they can be defined for a client scope which - /// can be shared between multiple different clients. + /// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + /// multiple different clients. /// - /// ### Example Usage (Client) + /// ## Example Usage + /// + /// ### Client) /// /// ```csharp /// using System.Collections.Generic; @@ -39,8 +38,8 @@ namespace Pulumi.Keycloak.OpenId /// var openidClient = new Keycloak.OpenId.Client("openid_client", new() /// { /// RealmId = realm.Id, - /// ClientId = "test-client", - /// Name = "test client", + /// ClientId = "client", + /// Name = "client", /// Enabled = true, /// AccessType = "CONFIDENTIAL", /// ValidRedirectUris = new[] @@ -53,7 +52,7 @@ namespace Pulumi.Keycloak.OpenId /// { /// RealmId = realm.Id, /// ClientId = openidClient.Id, - /// Name = "test-mapper", + /// Name = "user-attribute-mapper", /// UserAttribute = "foo", /// ClaimName = "bar", /// }); @@ -61,7 +60,7 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Example Usage (Client Scope) + /// ### Client Scope) /// /// ```csharp /// using System.Collections.Generic; 
@@ -80,14 +79,14 @@ namespace Pulumi.Keycloak.OpenId /// var clientScope = new Keycloak.OpenId.ClientScope("client_scope", new() /// { /// RealmId = realm.Id, - /// Name = "test-client-scope", + /// Name = "client-scope", /// }); /// /// var userAttributeMapper = new Keycloak.OpenId.UserAttributeProtocolMapper("user_attribute_mapper", new() /// { /// RealmId = realm.Id, /// ClientScopeId = clientScope.Id, - /// Name = "test-mapper", + /// Name = "user-attribute-mapper", /// UserAttribute = "foo", /// ClaimName = "bar", /// }); 
@@ -95,96 +94,98 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - /// - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the GUI. - /// - `user_attribute` - (Required) The custom user attribute to map a claim for. - /// - `claim_name` - (Required) The name of the claim to insert into a token. - /// - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - /// - `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. - /// - `add_to_id_token` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. - /// - `add_to_access_token` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. - /// - `add_to_userinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. 
- /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using one of the following formats: + /// /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + /// /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper")] public partial class UserAttributeProtocolMapper : global::Pulumi.CustomResource { /// - /// Indicates if the attribute should be a claim in the access token. + /// Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. /// [Output("addToAccessToken")] public Output AddToAccessToken { get; private set; } = null!; /// - /// Indicates if the attribute should be a claim in the id token. + /// Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. /// [Output("addToIdToken")] public Output AddToIdToken { get; private set; } = null!; /// - /// Indicates if the attribute should appear in the userinfo response body. + /// Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Output("addToUserinfo")] public Output AddToUserinfo { get; private set; } = null!; /// - /// Indicates if attribute values should be aggregated within the group attributes + /// Indicates whether this attribute is a single value or an array of values. 
Defaults to `false`. /// [Output("aggregateAttributes")] public Output AggregateAttributes { get; private set; } = null!; + /// + /// The name of the claim to insert into a token. + /// [Output("claimName")] public Output ClaimName { get; private set; } = null!; /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Output("claimValueType")] public Output ClaimValueType { get; private set; } = null!; /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientId")] public Output ClientId { get; private set; } = null!; /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; /// - /// Indicates whether this attribute is a single value or an array of values. + /// Indicates whether this attribute is a single value or an array of values. Defaults to `false`. /// [Output("multivalued")] public Output Multivalued { get; private set; } = null!; /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// The custom user attribute to map a claim for. 
+ /// [Output("userAttribute")] public Output UserAttribute { get; private set; } = null!; 
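Review bot: The new summary on `AggregateAttributes` (`Indicates whether this attribute is a single value or an array of values.`) is the `Multivalued` summary copied verbatim and no longer says anything about aggregation; the removed line, `Indicates if attribute values should be aggregated within the group attributes`, was the accurate description and should be restored. With the copied text a reader of the SDK docs cannot tell the two properties apart, which matters because both change what ends up in the issued token's claim. The same copied summary is emitted for the `AggregateAttributes` inputs in the UserAttributeProtocolMapperArgs and UserAttributeProtocolMapperState hunks below. Separately, the Import section gains a bare `/// bash` line before the ```sh fence (also in the UserProperty and UserRealmRole files), which looks like a leftover fence-language marker and should be dropped.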
@@ -235,68 +236,74 @@ public static UserAttributeProtocolMapper Get(string name, Input id, Use public sealed class UserAttributeProtocolMapperArgs : global::Pulumi.ResourceArgs { /// - /// Indicates if the attribute should be a claim in the access token. + /// Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } /// - /// Indicates if the attribute should be a claim in the id token. + /// Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } /// - /// Indicates if the attribute should appear in the userinfo response body. + /// Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } /// - /// Indicates if attribute values should be aggregated within the group attributes + /// Indicates whether this attribute is a single value or an array of values. Defaults to `false`. /// [Input("aggregateAttributes")] public Input? AggregateAttributes { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName", required: true)] public Input ClaimName { get; set; } = null!; /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Input("claimValueType")] public Input? ClaimValueType { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. 
Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// Indicates whether this attribute is a single value or an array of values. + /// Indicates whether this attribute is a single value or an array of values. Defaults to `false`. /// [Input("multivalued")] public Input? Multivalued { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; + /// + /// The custom user attribute to map a claim for. + /// [Input("userAttribute", required: true)] public Input UserAttribute { get; set; } = null!; 
@@ -309,68 +316,74 @@ public UserAttributeProtocolMapperArgs() public sealed class UserAttributeProtocolMapperState : global::Pulumi.ResourceArgs { /// - /// Indicates if the attribute should be a claim in the access token. + /// Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } /// - /// Indicates if the attribute should be a claim in the id token. + /// Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } /// - /// Indicates if the attribute should appear in the userinfo response body. + /// Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } /// - /// Indicates if attribute values should be aggregated within the group attributes + /// Indicates whether this attribute is a single value or an array of values. Defaults to `false`. /// [Input("aggregateAttributes")] public Input? AggregateAttributes { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName")] public Input? ClaimName { get; set; } /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Input("claimValueType")] public Input? ClaimValueType { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. 
+ /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// Indicates whether this attribute is a single value or an array of values. + /// Indicates whether this attribute is a single value or an array of values. Defaults to `false`. /// [Input("multivalued")] public Input? Multivalued { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId")] public Input? RealmId { get; set; } + /// + /// The custom user attribute to map a claim for. + /// [Input("userAttribute")] public Input? UserAttribute { get; set; } diff --git a/sdk/dotnet/OpenId/UserPropertyProtocolMapper.cs b/sdk/dotnet/OpenId/UserPropertyProtocolMapper.cs index 3c66151d..204c365f 100644 --- a/sdk/dotnet/OpenId/UserPropertyProtocolMapper.cs +++ b/sdk/dotnet/OpenId/UserPropertyProtocolMapper.cs 
@@ -10,17 +10,17 @@ namespace Pulumi.Keycloak.OpenId { /// - /// ## # keycloak.openid.UserPropertyProtocolMapper + /// Allows for creating and managing user property protocol mappers within Keycloak. /// - /// Allows for creating and managing user property protocol mappers within - /// Keycloak. + /// User property protocol mappers allow you to map built in properties defined on the Keycloak user interface to a claim in + /// a token. /// - /// User property protocol mappers allow you to map built in properties defined - /// on the Keycloak user interface to a claim in a token. Protocol mappers can be - /// defined for a single client, or they can be defined for a client scope which - /// can be shared between multiple different clients. + /// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + /// multiple different clients. /// - /// ### Example Usage (Client) + /// ## Example Usage + /// + /// ### Client) /// /// ```csharp /// using System.Collections.Generic; @@ -39,8 +39,8 @@ namespace Pulumi.Keycloak.OpenId /// var openidClient = new Keycloak.OpenId.Client("openid_client", new() /// { /// RealmId = realm.Id, - /// ClientId = "test-client", - /// Name = "test client", + /// ClientId = "client", + /// Name = "client", /// Enabled = true, /// AccessType = "CONFIDENTIAL", /// ValidRedirectUris = new[] @@ -53,7 +53,7 @@ namespace Pulumi.Keycloak.OpenId /// { /// RealmId = realm.Id, /// ClientId = openidClient.Id, - /// Name = "test-mapper", + /// Name = "user-property-mapper", /// UserProperty = "email", /// ClaimName = "email", /// }); @@ -61,7 +61,7 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Example Usage (Client Scope) + /// ### Client Scope) /// /// ```csharp /// using System.Collections.Generic; 
@@ -80,7 +80,7 @@ namespace Pulumi.Keycloak.OpenId /// var clientScope = new Keycloak.OpenId.ClientScope("client_scope", new() /// { /// RealmId = realm.Id, - /// Name = "test-client-scope", + /// Name = "client-scope", /// }); /// /// var userPropertyMapper = new Keycloak.OpenId.UserPropertyProtocolMapper("user_property_mapper", new() 
@@ -95,83 +95,86 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - /// - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the GUI. - /// - `user_property` - (Required) The built in user property (such as email) to map a claim for. - /// - `claim_name` - (Required) The name of the claim to insert into a token. - /// - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - /// - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - /// - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - /// - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using one of the following formats: + /// /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + /// /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper")] public partial class UserPropertyProtocolMapper : global::Pulumi.CustomResource { /// - /// Indicates if the property should be a claim in the access token. + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. /// [Output("addToAccessToken")] public Output AddToAccessToken { get; private set; } = null!; /// - /// Indicates if the property should be a claim in the id token. + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. /// [Output("addToIdToken")] public Output AddToIdToken { get; private set; } = null!; /// - /// Indicates if the property should appear in the userinfo response body. + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Output("addToUserinfo")] public Output AddToUserinfo { get; private set; } = null!; + /// + /// The name of the claim to insert into a token. + /// [Output("claimName")] public Output ClaimName { get; private set; } = null!; /// - /// Claim type used when serializing tokens. 
+ /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Output("claimValueType")] public Output ClaimValueType { get; private set; } = null!; /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientId")] public Output ClientId { get; private set; } = null!; /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// The built in user property (such as email) to map a claim for. + /// [Output("userProperty")] public Output UserProperty { get; private set; } = null!; 
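Review bot: The new summary on `ClientScopeId` in UserPropertyProtocolMapper ends with a second, half-merged sentence — "`client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to." — which is the old Argument Reference bullet carried over by the doc conversion; the UserAttribute and UserRealmRole files do not have this tail. The summary should stop after `One of `client_id` or `client_scope_id` must be specified.` so it matches the sibling `ClientId` summary. The same tail is repeated on the `ClientScopeId` inputs in the UserPropertyProtocolMapperArgs and UserPropertyProtocolMapperState hunks below.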
@@ -222,56 +225,62 @@ public static UserPropertyProtocolMapper Get(string name, Input id, User public sealed class UserPropertyProtocolMapperArgs : global::Pulumi.ResourceArgs { /// - /// Indicates if the property should be a claim in the access token. + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } /// - /// Indicates if the property should be a claim in the id token. + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } /// - /// Indicates if the property should appear in the userinfo response body. + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName", required: true)] public Input ClaimName { get; set; } = null!; /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Input("claimValueType")] public Input? ClaimValueType { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. 
`client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; + /// + /// The built in user property (such as email) to map a claim for. + /// [Input("userProperty", required: true)] public Input UserProperty { get; set; } = null!; 
@@ -284,56 +293,62 @@ public UserPropertyProtocolMapperArgs() public sealed class UserPropertyProtocolMapperState : global::Pulumi.ResourceArgs { /// - /// Indicates if the property should be a claim in the access token. + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } /// - /// Indicates if the property should be a claim in the id token. + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } /// - /// Indicates if the property should appear in the userinfo response body. + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName")] public Input? ClaimName { get; set; } /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Input("claimValueType")] public Input? ClaimValueType { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. /// [Input("clientScopeId")] public Input? 
ClientScopeId { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId")] public Input? RealmId { get; set; } + /// + /// The built in user property (such as email) to map a claim for. + /// [Input("userProperty")] public Input? UserProperty { get; set; } diff --git a/sdk/dotnet/OpenId/UserRealmRoleProtocolMapper.cs b/sdk/dotnet/OpenId/UserRealmRoleProtocolMapper.cs index d9775ed4..26b36182 100644 --- a/sdk/dotnet/OpenId/UserRealmRoleProtocolMapper.cs +++ b/sdk/dotnet/OpenId/UserRealmRoleProtocolMapper.cs @@ -10,17 +10,16 @@ namespace Pulumi.Keycloak.OpenId { /// - /// ## # keycloak.openid.UserRealmRoleProtocolMapper - /// - /// Allows for creating and managing user realm role protocol mappers within - /// Keycloak. + /// Allows for creating and managing user realm role protocol mappers within Keycloak. /// /// User realm role protocol mappers allow you to define a claim containing the list of the realm roles. - /// Protocol mappers can be defined for a single client, or they can - /// be defined for a client scope which can be shared between multiple different - /// clients. /// - /// ### Example Usage (Client) + /// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + /// multiple different clients. + /// + /// ## Example Usage + /// + /// ### Client) /// /// ```csharp /// using System.Collections.Generic; 
@@ -39,8 +38,8 @@ namespace Pulumi.Keycloak.OpenId /// var openidClient = new Keycloak.OpenId.Client("openid_client", new() /// { /// RealmId = realm.Id, - /// ClientId = "test-client", - /// Name = "test client", + /// ClientId = "client", + /// Name = "client", /// Enabled = true, /// AccessType = "CONFIDENTIAL", /// ValidRedirectUris = new[] @@ -60,7 +59,7 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Example Usage (Client Scope) + /// ### Client Scope) /// /// ```csharp /// using System.Collections.Generic; 
@@ -93,92 +92,91 @@ namespace Pulumi.Keycloak.OpenId /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - /// - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the GUI. - /// - `claim_name` - (Required) The name of the claim to insert into a token. - /// - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - /// - `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `true`. - /// - `realm_role_prefix` - (Optional) A prefix for each Realm Role. - /// - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - /// - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - /// - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using one of the following formats: + /// /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + /// /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper")] public partial class UserRealmRoleProtocolMapper : global::Pulumi.CustomResource { /// - /// Indicates if the attribute should be a claim in the access token. + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. /// [Output("addToAccessToken")] public Output AddToAccessToken { get; private set; } = null!; /// - /// Indicates if the attribute should be a claim in the id token. + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. /// [Output("addToIdToken")] public Output AddToIdToken { get; private set; } = null!; /// - /// Indicates if the attribute should appear in the userinfo response body. + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Output("addToUserinfo")] public Output AddToUserinfo { get; private set; } = null!; + /// + /// The name of the claim to insert into a token. 
+ /// [Output("claimName")] public Output ClaimName { get; private set; } = null!; /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Output("claimValueType")] public Output ClaimValueType { get; private set; } = null!; /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientId")] public Output ClientId { get; private set; } = null!; /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; /// - /// Indicates whether this attribute is a single value or an array of values. + /// Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. /// [Output("multivalued")] public Output Multivalued { get; private set; } = null!; /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; /// - /// Prefix that will be added to each realm role. + /// A prefix for each Realm Role. /// [Output("realmRolePrefix")] public Output RealmRolePrefix { get; private set; } = null!; 
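Review bot: The new `Multivalued` summary on UserRealmRoleProtocolMapper says "Defaults to `false`.", but the Argument Reference bullet this commit removes from the same file documented `multivalued` as "Defaults to `true`." — one of the two is wrong, and nothing in the diff indicates the provider default changed. For a realm-role mapper this default decides whether a relying party receives the full role list or only the first role in the claim, so an application that authorizes on that claim could be misled by the wrong documented default; the provider schema should be checked and the summary corrected to match it. The same summary is emitted for the `Multivalued` input in the UserRealmRoleProtocolMapperArgs hunk below.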
@@ -230,64 +228,67 @@ public static UserRealmRoleProtocolMapper Get(string name, Input id, Use public sealed class UserRealmRoleProtocolMapperArgs : global::Pulumi.ResourceArgs { /// - /// Indicates if the attribute should be a claim in the access token. + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } /// - /// Indicates if the attribute should be a claim in the id token. + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } /// - /// Indicates if the attribute should appear in the userinfo response body. + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName", required: true)] public Input ClaimName { get; set; } = null!; /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Input("claimValueType")] public Input? ClaimValueType { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? 
ClientScopeId { get; set; } /// - /// Indicates whether this attribute is a single value or an array of values. + /// Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. /// [Input("multivalued")] public Input? Multivalued { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; /// - /// Prefix that will be added to each realm role. + /// A prefix for each Realm Role. /// [Input("realmRolePrefix")] public Input? RealmRolePrefix { get; set; } 
@@ -301,64 +302,67 @@ public UserRealmRoleProtocolMapperArgs() public sealed class UserRealmRoleProtocolMapperState : global::Pulumi.ResourceArgs { /// - /// Indicates if the attribute should be a claim in the access token. + /// Indicates if the property should be added as a claim to the access token. Defaults to `true`. /// [Input("addToAccessToken")] public Input? AddToAccessToken { get; set; } /// - /// Indicates if the attribute should be a claim in the id token. + /// Indicates if the property should be added as a claim to the id token. Defaults to `true`. /// [Input("addToIdToken")] public Input? AddToIdToken { get; set; } /// - /// Indicates if the attribute should appear in the userinfo response body. + /// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. /// [Input("addToUserinfo")] public Input? AddToUserinfo { get; set; } + /// + /// The name of the claim to insert into a token. + /// [Input("claimName")] public Input? ClaimName { get; set; } /// - /// Claim type used when serializing tokens. + /// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. /// [Input("claimValueType")] public Input? ClaimValueType { get; set; } /// - /// The mapper's associated client. Cannot be used at the same time as client_scope_id. + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The mapper's associated client scope. Cannot be used at the same time as client_id. + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// Indicates whether this attribute is a single value or an array of values. 
+ /// Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. /// [Input("multivalued")] public Input? Multivalued { get; set; } /// - /// A human-friendly name that will appear in the Keycloak console. + /// The display name of this protocol mapper in the GUI. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm id where the associated client or client scope exists. + /// The realm this protocol mapper exists within. /// [Input("realmId")] public Input? RealmId { get; set; } /// - /// Prefix that will be added to each realm role. + /// A prefix for each Realm Role. /// [Input("realmRolePrefix")] public Input? RealmRolePrefix { get; set; } diff --git a/sdk/dotnet/Outputs/GetRealmKeysKeyResult.cs b/sdk/dotnet/Outputs/GetRealmKeysKeyResult.cs index bd880630..f99a6b09 100644 --- a/sdk/dotnet/Outputs/GetRealmKeysKeyResult.cs +++ b/sdk/dotnet/Outputs/GetRealmKeysKeyResult.cs @@ -13,13 +13,37 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class GetRealmKeysKeyResult { + /// + /// Key algorithm (string) + /// public readonly string Algorithm; + /// + /// Key certificate (string) + /// public readonly string Certificate; + /// + /// Key ID (string) + /// public readonly string Kid; + /// + /// Key provider ID (string) + /// public readonly string ProviderId; + /// + /// Key provider priority (int64) + /// public readonly int ProviderPriority; + /// + /// Key public key (string) + /// public readonly string PublicKey; + /// + /// When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + /// public readonly string Status; + /// + /// Key type (string) + /// public readonly string Type; [OutputConstructor] 
diff --git a/sdk/dotnet/Outputs/RealmInternationalization.cs b/sdk/dotnet/Outputs/RealmInternationalization.cs index 6ff534ef..e0e1ae85 100644 --- a/sdk/dotnet/Outputs/RealmInternationalization.cs +++ b/sdk/dotnet/Outputs/RealmInternationalization.cs @@ -13,7 +13,13 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class RealmInternationalization { + /// + /// The locale to use by default. This locale code must be present within the `supported_locales` list. + /// public readonly string DefaultLocale; + /// + /// A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + /// public readonly ImmutableArray SupportedLocales; [OutputConstructor] diff --git a/sdk/dotnet/Outputs/RealmOtpPolicy.cs b/sdk/dotnet/Outputs/RealmOtpPolicy.cs index 2333259a..aacb117c 100644 --- a/sdk/dotnet/Outputs/RealmOtpPolicy.cs +++ b/sdk/dotnet/Outputs/RealmOtpPolicy.cs 
@@ -14,15 +14,27 @@ namespace Pulumi.Keycloak.Outputs public sealed class RealmOtpPolicy { /// - /// What hashing algorithm should be used to generate the OTP. + /// What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. /// public readonly string? Algorithm; + /// + /// How many digits the OTP have. Defaults to `6`. + /// public readonly int? Digits; + /// + /// What should the initial counter value be. Defaults to `2`. + /// public readonly int? InitialCounter; + /// + /// How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + /// public readonly int? LookAheadWindow; + /// + /// How many seconds should an OTP token be valid. Defaults to `30`. + /// public readonly int? Period; /// - /// OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + /// One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. /// public readonly string? Type; diff --git a/sdk/dotnet/Outputs/RealmSecurityDefensesBruteForceDetection.cs b/sdk/dotnet/Outputs/RealmSecurityDefensesBruteForceDetection.cs index c0e28cfa..eddefa2f 100644 --- a/sdk/dotnet/Outputs/RealmSecurityDefensesBruteForceDetection.cs +++ b/sdk/dotnet/Outputs/RealmSecurityDefensesBruteForceDetection.cs 
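Review bot: The new `Algorithm` comment in `RealmOtpPolicy` has a comma splice, `...to generate the OTP, Valid options are...`; it reads cleanly as `/// What hashing algorithm should be used to generate the OTP. Valid options are `HmacSHA1`, `HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`.`. As this is generated SDK code, the wording presumably comes from the provider's schema docs, so the correction likely belongs upstream rather than in this file.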
@@ -13,12 +13,31 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class RealmSecurityDefensesBruteForceDetection { + /// + /// When will failure count be reset? + /// public readonly int? FailureResetTimeSeconds; public readonly int? MaxFailureWaitSeconds; + /// + /// How many failures before wait is triggered. + /// public readonly int? MaxLoginFailures; + /// + /// How long to wait after a quick login failure. + /// - `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + /// public readonly int? MinimumQuickLoginWaitSeconds; + /// + /// When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + /// public readonly bool? PermanentLockout; + /// + /// Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + /// public readonly int? QuickLoginCheckMilliSeconds; + /// + /// This represents the amount of time a user should be locked out when the login failure threshold has been met. + /// public readonly int? WaitIncrementSeconds; [OutputConstructor] diff --git a/sdk/dotnet/Outputs/RealmSecurityDefensesHeaders.cs b/sdk/dotnet/Outputs/RealmSecurityDefensesHeaders.cs index 398978aa..986e469d 100644 --- a/sdk/dotnet/Outputs/RealmSecurityDefensesHeaders.cs +++ b/sdk/dotnet/Outputs/RealmSecurityDefensesHeaders.cs 
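Review bot: In `RealmSecurityDefensesBruteForceDetection`, `MaxFailureWaitSeconds` is the only field that still has no doc comment, while its description survives as a stray markdown bullet inside the comment of `MinimumQuickLoginWaitSeconds` (`- `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out.`). The bullet should be dropped from that comment and moved above the field it describes, as `/// Max. time a user will be locked out.` on `public readonly int? MaxFailureWaitSeconds;`. This looks like a carried-over artifact of the upstream markdown, so the fix presumably belongs in the provider docs that this file is generated from.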
@@ -13,13 +13,37 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class RealmSecurityDefensesHeaders { + /// + /// Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + /// public readonly string? ContentSecurityPolicy; + /// + /// Used for testing Content Security Policies. + /// public readonly string? ContentSecurityPolicyReportOnly; + /// + /// The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + /// public readonly string? ReferrerPolicy; + /// + /// The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + /// public readonly string? StrictTransportSecurity; + /// + /// Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + /// public readonly string? XContentTypeOptions; + /// + /// Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + /// public readonly string? XFrameOptions; + /// + /// Prevent pages from appearing in search engines. + /// public readonly string? XRobotsTag; + /// + /// This header configures the Cross-site scripting (XSS) filter in your browser. + /// public readonly string? XXssProtection; [OutputConstructor] diff --git a/sdk/dotnet/Outputs/RealmSmtpServer.cs b/sdk/dotnet/Outputs/RealmSmtpServer.cs index 01e73870..797bd028 100644 --- a/sdk/dotnet/Outputs/RealmSmtpServer.cs +++ b/sdk/dotnet/Outputs/RealmSmtpServer.cs 
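Review bot: The comment added for `StrictTransportSecurity` names the header `Script-Transport-Security`; the header is `Strict-Transport-Security`, so the line should read `/// The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.`. The `XXssProtection` comment could also say that current mainstream browsers no longer honour this header, so it is not a substitute for the `ContentSecurityPolicy` setting documented above it; this is hedged because the upstream docs may deliberately keep the short form. Since this file is generated, the wording presumably originates in the provider schema and should be corrected there.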
@@ -13,15 +13,45 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class RealmSmtpServer { + /// + /// Enables authentication to the SMTP server. This block supports the following arguments: + /// public readonly Outputs.RealmSmtpServerAuth? Auth; + /// + /// The email address uses for bounces. + /// public readonly string? EnvelopeFrom; + /// + /// The email address for the sender. + /// public readonly string From; + /// + /// The display name of the sender email address. + /// public readonly string? FromDisplayName; + /// + /// The host of the SMTP server. + /// public readonly string Host; + /// + /// The port of the SMTP server (defaults to 25). + /// public readonly string? Port; + /// + /// The "reply to" email address. + /// public readonly string? ReplyTo; + /// + /// The display name of the "reply to" email address. + /// public readonly string? ReplyToDisplayName; + /// + /// When `true`, enables SSL. Defaults to `false`. + /// public readonly bool? Ssl; + /// + /// When `true`, enables StartTLS. Defaults to `false`. + /// public readonly bool? Starttls; [OutputConstructor] diff --git a/sdk/dotnet/Outputs/RealmSmtpServerAuth.cs b/sdk/dotnet/Outputs/RealmSmtpServerAuth.cs index 4733a250..bbe2763d 100644 --- a/sdk/dotnet/Outputs/RealmSmtpServerAuth.cs +++ b/sdk/dotnet/Outputs/RealmSmtpServerAuth.cs @@ -13,7 +13,13 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class RealmSmtpServerAuth { + /// + /// The SMTP server password. + /// public readonly string Password; + /// + /// The SMTP server username. + /// public readonly string Username; [OutputConstructor] diff --git a/sdk/dotnet/Outputs/RealmWebAuthnPasswordlessPolicy.cs b/sdk/dotnet/Outputs/RealmWebAuthnPasswordlessPolicy.cs index c7b134dc..586b9677 100644 --- a/sdk/dotnet/Outputs/RealmWebAuthnPasswordlessPolicy.cs +++ b/sdk/dotnet/Outputs/RealmWebAuthnPasswordlessPolicy.cs 
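Review bot: The `EnvelopeFrom` comment in `RealmSmtpServer` reads `The email address uses for bounces.`; it should be `/// The email address used for bounces.`. Separately, `Ssl` and `Starttls` both document a default of `false`, which means the SMTP connection is unencrypted unless one of them is set; a sentence saying so on either comment would help operators notice that credentials from the `Auth` block would otherwise travel in cleartext.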
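Review bot: The `Password` comment in `RealmSmtpServerAuth` only says `The SMTP server password.`; for a credential surfaced on an output type, a reader would want to know that it is persisted in stack state and should come from a secret rather than a literal, e.g. `/// The SMTP server password. Supply it from a secret configuration value rather than a literal; it is persisted in stack state.`. This is hedged because the hunk does not show whether the property is marked secret elsewhere.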
@@ -13,6 +13,9 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class RealmWebAuthnPasswordlessPolicy { + /// + /// A set of AAGUIDs for which an authenticator can be registered. + /// public readonly ImmutableArray AcceptableAaguids; /// /// Either none, indirect or direct @@ -22,9 +25,21 @@ public sealed class RealmWebAuthnPasswordlessPolicy /// Either platform or cross-platform /// public readonly string? AuthenticatorAttachment; + /// + /// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + /// public readonly bool? AvoidSameAuthenticatorRegister; + /// + /// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + /// public readonly int? CreateTimeout; + /// + /// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + /// public readonly string? RelyingPartyEntityName; + /// + /// The WebAuthn relying party ID. + /// public readonly string? RelyingPartyId; /// /// Either Yes or No diff --git a/sdk/dotnet/Outputs/RealmWebAuthnPolicy.cs b/sdk/dotnet/Outputs/RealmWebAuthnPolicy.cs index 83f2a42e..89263d8b 100644 --- a/sdk/dotnet/Outputs/RealmWebAuthnPolicy.cs +++ b/sdk/dotnet/Outputs/RealmWebAuthnPolicy.cs @@ -13,6 +13,9 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class RealmWebAuthnPolicy { + /// + /// A set of AAGUIDs for which an authenticator can be registered. + /// public readonly ImmutableArray AcceptableAaguids; /// /// Either none, indirect or direct 
@@ -22,9 +25,21 @@ public sealed class RealmWebAuthnPolicy /// Either platform or cross-platform /// public readonly string? AuthenticatorAttachment; + /// + /// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + /// public readonly bool? AvoidSameAuthenticatorRegister; + /// + /// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + /// public readonly int? CreateTimeout; + /// + /// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + /// public readonly string? RelyingPartyEntityName; + /// + /// The WebAuthn relying party ID. + /// public readonly string? RelyingPartyId; /// /// Either Yes or No diff --git a/sdk/dotnet/Outputs/UserFederatedIdentity.cs b/sdk/dotnet/Outputs/UserFederatedIdentity.cs index 7f925ef5..92163beb 100644 --- a/sdk/dotnet/Outputs/UserFederatedIdentity.cs +++ b/sdk/dotnet/Outputs/UserFederatedIdentity.cs @@ -13,8 +13,17 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class UserFederatedIdentity { + /// + /// The name of the identity provider + /// public readonly string IdentityProvider; + /// + /// The ID of the user defined in the identity provider + /// public readonly string UserId; + /// + /// The user name of the user defined in the identity provider + /// public readonly string UserName; [OutputConstructor] diff --git a/sdk/dotnet/Outputs/UserInitialPassword.cs b/sdk/dotnet/Outputs/UserInitialPassword.cs index 54fd1cd1..df9f5add 100644 --- a/sdk/dotnet/Outputs/UserInitialPassword.cs +++ b/sdk/dotnet/Outputs/UserInitialPassword.cs 
@@ -13,7 +13,13 @@ namespace Pulumi.Keycloak.Outputs [OutputType] public sealed class UserInitialPassword { + /// + /// If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + /// public readonly bool? Temporary; + /// + /// The initial password. + /// public readonly string Value; [OutputConstructor] diff --git a/sdk/dotnet/Realm.cs b/sdk/dotnet/Realm.cs index f2bb92f2..990a9424 100644 --- a/sdk/dotnet/Realm.cs +++ b/sdk/dotnet/Realm.cs 
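Review bot: The `Temporary` comment in `UserInitialPassword` says `Default to `false`.`; it should be `Defaults to `false`.` to match the phrasing used in the other generated comments. The `Value` comment, `The initial password.`, would also benefit from noting that the value is persisted in stack state and should be supplied from a secret rather than a literal, hedged because the hunk does not show whether the property is marked secret.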
@@ -9,6 +9,111 @@ namespace Pulumi.Keycloak { + /// + /// Allows for creating and managing Realms within Keycloak. + /// + /// A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated + /// from multiple sources. + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// DisplayName = "my realm", + /// DisplayNameHtml = "<b>my realm</b>", + /// LoginTheme = "base", + /// AccessCodeLifespan = "1h", + /// SslRequired = "external", + /// PasswordPolicy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername", + /// Attributes = + /// { + /// { "mycustomAttribute", "myCustomValue" }, + /// }, + /// SmtpServer = new Keycloak.Inputs.RealmSmtpServerArgs + /// { + /// Host = "smtp.example.com", + /// From = "example@example.com", + /// Auth = new Keycloak.Inputs.RealmSmtpServerAuthArgs + /// { + /// Username = "tom", + /// Password = "password", + /// }, + /// }, + /// Internationalization = new Keycloak.Inputs.RealmInternationalizationArgs + /// { + /// SupportedLocales = new[] + /// { + /// "en", + /// "de", + /// "es", + /// }, + /// DefaultLocale = "en", + /// }, + /// SecurityDefenses = new Keycloak.Inputs.RealmSecurityDefensesArgs + /// { + /// Headers = new Keycloak.Inputs.RealmSecurityDefensesHeadersArgs + /// { + /// XFrameOptions = "DENY", + /// ContentSecurityPolicy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + /// ContentSecurityPolicyReportOnly = "", + /// XContentTypeOptions = "nosniff", + /// XRobotsTag = "none", + /// XXssProtection = "1; mode=block", + /// StrictTransportSecurity = "max-age=31536000; includeSubDomains", + /// }, + /// BruteForceDetection = 
new Keycloak.Inputs.RealmSecurityDefensesBruteForceDetectionArgs + /// { + /// PermanentLockout = false, + /// MaxLoginFailures = 30, + /// WaitIncrementSeconds = 60, + /// QuickLoginCheckMilliSeconds = 1000, + /// MinimumQuickLoginWaitSeconds = 60, + /// MaxFailureWaitSeconds = 900, + /// FailureResetTimeSeconds = 43200, + /// }, + /// }, + /// WebAuthnPolicy = new Keycloak.Inputs.RealmWebAuthnPolicyArgs + /// { + /// RelyingPartyEntityName = "Example", + /// RelyingPartyId = "keycloak.example.com", + /// SignatureAlgorithms = new[] + /// { + /// "ES256", + /// "RS256", + /// }, + /// }, + /// }); + /// + /// }); + /// ``` + /// + /// ## Default Client Scopes + /// + /// - `default_default_client_scopes` - (Optional) A list of default default client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default default client-scopes. + /// - `default_optional_client_scopes` - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default optional client-scopes. + /// + /// ## Import + /// + /// Realms can be imported using their name. + /// + /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:index/realm:Realm realm my-realm + /// ``` + /// [KeycloakResourceType("keycloak:index/realm:Realm")] public partial class Realm : global::Pulumi.CustomResource { @@ -39,6 +144,9 @@ public partial class Realm : global::Pulumi.CustomResource [Output("adminTheme")] public Output AdminTheme { get; private set; } = null!; + /// + /// A map of custom attributes to add to the realm. + /// [Output("attributes")] public Output?> Attributes { get; private set; } = null!; 
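Review bot: The new `Realm` class example hard-codes `Password = "password"` in the `SmtpServer.Auth` block; generated examples like this get copied verbatim, so it would be safer to show the value read from a secret config entry, e.g. `Password = new Config().RequireSecret("smtpPassword"),` (the key is illustrative). The `## Default Client Scopes` section still lists arguments in upstream bullet form (`default_default_client_scopes`, `default_optional_client_scopes`) while the rest of the class documents each property in place; if those properties exist on this class, the text belongs on them, which this hunk does not show. Both points presumably need to be fixed in the provider docs this file is generated from.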
@@ -75,9 +183,15 @@ public partial class Realm : global::Pulumi.CustomResource [Output("directGrantFlow")] public Output DirectGrantFlow { get; private set; } = null!; + /// + /// The display name for the realm that is shown when logging in to the admin console. + /// [Output("displayName")] public Output DisplayName { get; private set; } = null!; + /// + /// The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + /// [Output("displayNameHtml")] public Output DisplayNameHtml { get; private set; } = null!; @@ -96,9 +210,15 @@ public partial class Realm : global::Pulumi.CustomResource [Output("emailTheme")] public Output EmailTheme { get; private set; } = null!; + /// + /// When `false`, users and clients will not be able to access this realm. Defaults to `true`. + /// [Output("enabled")] public Output Enabled { get; private set; } = null!; + /// + /// When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + /// [Output("internalId")] public Output InternalId { get; private set; } = null!; @@ -137,6 +257,9 @@ public partial class Realm : global::Pulumi.CustomResource [Output("passwordPolicy")] public Output PasswordPolicy { get; private set; } = null!; + /// + /// The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + /// [Output("realm")] public Output RealmName { get; private set; } = null!; @@ -194,6 +317,9 @@ public partial class Realm : global::Pulumi.CustomResource [Output("ssoSessionMaxLifespanRememberMe")] public Output SsoSessionMaxLifespanRememberMe { get; private set; } = null!; + /// + /// When `true`, users are allowed to manage their own resources. Defaults to `false`. + /// [Output("userManagedAccess")] public Output UserManagedAccess { get; private set; } = null!; 
@@ -281,6 +407,10 @@ public sealed class RealmArgs : global::Pulumi.ResourceArgs [Input("attributes")] private InputMap? _attributes; + + /// + /// A map of custom attributes to add to the realm. + /// public InputMap Attributes { get => _attributes ?? (_attributes = new InputMap()); @@ -330,9 +460,15 @@ public InputList DefaultOptionalClientScopes [Input("directGrantFlow")] public Input? DirectGrantFlow { get; set; } + /// + /// The display name for the realm that is shown when logging in to the admin console. + /// [Input("displayName")] public Input? DisplayName { get; set; } + /// + /// The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + /// [Input("displayNameHtml")] public Input? DisplayNameHtml { get; set; } @@ -351,9 +487,15 @@ public InputList DefaultOptionalClientScopes [Input("emailTheme")] public Input? EmailTheme { get; set; } + /// + /// When `false`, users and clients will not be able to access this realm. Defaults to `true`. + /// [Input("enabled")] public Input? Enabled { get; set; } + /// + /// When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + /// [Input("internalId")] public Input? InternalId { get; set; } @@ -392,6 +534,9 @@ public InputList DefaultOptionalClientScopes [Input("passwordPolicy")] public Input? PasswordPolicy { get; set; } + /// + /// The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + /// [Input("realm", required: true)] public Input RealmName { get; set; } = null!; 
@@ -449,6 +594,9 @@ public InputList DefaultOptionalClientScopes [Input("ssoSessionMaxLifespanRememberMe")] public Input? SsoSessionMaxLifespanRememberMe { get; set; } + /// + /// When `true`, users are allowed to manage their own resources. Defaults to `false`. + /// [Input("userManagedAccess")] public Input? UserManagedAccess { get; set; } @@ -498,6 +646,10 @@ public sealed class RealmState : global::Pulumi.ResourceArgs [Input("attributes")] private InputMap? _attributes; + + /// + /// A map of custom attributes to add to the realm. + /// public InputMap Attributes { get => _attributes ?? (_attributes = new InputMap()); @@ -547,9 +699,15 @@ public InputList DefaultOptionalClientScopes [Input("directGrantFlow")] public Input? DirectGrantFlow { get; set; } + /// + /// The display name for the realm that is shown when logging in to the admin console. + /// [Input("displayName")] public Input? DisplayName { get; set; } + /// + /// The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + /// [Input("displayNameHtml")] public Input? DisplayNameHtml { get; set; } @@ -568,9 +726,15 @@ public InputList DefaultOptionalClientScopes [Input("emailTheme")] public Input? EmailTheme { get; set; } + /// + /// When `false`, users and clients will not be able to access this realm. Defaults to `true`. + /// [Input("enabled")] public Input? Enabled { get; set; } + /// + /// When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + /// [Input("internalId")] public Input? InternalId { get; set; } @@ -609,6 +773,9 @@ public InputList DefaultOptionalClientScopes [Input("passwordPolicy")] public Input? PasswordPolicy { get; set; } + /// + /// The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + /// [Input("realm")] public Input? RealmName { get; set; } 
@@ -666,6 +833,9 @@ public InputList DefaultOptionalClientScopes [Input("ssoSessionMaxLifespanRememberMe")] public Input? SsoSessionMaxLifespanRememberMe { get; set; } + /// + /// When `true`, users are allowed to manage their own resources. Defaults to `false`. + /// [Input("userManagedAccess")] public Input? UserManagedAccess { get; set; } diff --git a/sdk/dotnet/RealmEvents.cs b/sdk/dotnet/RealmEvents.cs index f6c62131..acfd0b68 100644 --- a/sdk/dotnet/RealmEvents.cs +++ b/sdk/dotnet/RealmEvents.cs @@ -10,11 +10,9 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.RealmEvents - /// /// Allows for managing Realm Events settings within Keycloak. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -26,7 +24,8 @@ namespace Pulumi.Keycloak /// { /// var realm = new Keycloak.Realm("realm", new() /// { - /// RealmName = "test", + /// RealmName = "my-realm", + /// Enabled = true, /// }); /// /// var realmEvents = new Keycloak.RealmEvents("realm_events", new() 
@@ -50,39 +49,52 @@ namespace Pulumi.Keycloak /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: + /// ## Import /// - /// - `realm_id` - (Required) The name of the realm the event settings apply to. - /// - `admin_events_enabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`. - /// - `admin_events_details_enabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`. - /// - `events_enabled` - (Optional) When true, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. - /// - `events_expiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never. - /// - `enabled_event_types` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. - /// - `events_listeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + /// This resource currently does not support importing. /// [KeycloakResourceType("keycloak:index/realmEvents:RealmEvents")] public partial class RealmEvents : global::Pulumi.CustomResource { + /// + /// When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + /// [Output("adminEventsDetailsEnabled")] public Output AdminEventsDetailsEnabled { get; private set; } = null!; + /// + /// When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. 
+ /// [Output("adminEventsEnabled")] public Output AdminEventsEnabled { get; private set; } = null!; + /// + /// The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + /// [Output("enabledEventTypes")] public Output> EnabledEventTypes { get; private set; } = null!; + /// + /// When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + /// [Output("eventsEnabled")] public Output EventsEnabled { get; private set; } = null!; + /// + /// The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + /// [Output("eventsExpiration")] public Output EventsExpiration { get; private set; } = null!; + /// + /// The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + /// [Output("eventsListeners")] public Output> EventsListeners { get; private set; } = null!; + /// + /// The name of the realm the event settings apply to. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; 
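Review bot: The new `AdminEventsDetailsEnabled` comment says `saved admin events will included detailed information`; it should read `/// When `true`, saved admin events will include detailed information for create/update requests. Defaults to `false`.`. The same wording is repeated in the `RealmEventsArgs` and `RealmEventsState` hunks that follow. The `EventsListeners` comment warns that `jboss-logging` is removed unless listed; since that listener is presumably what writes login and admin events to the server log, a clause such as `omitting it disables log-based auditing for the realm` would make the operational consequence explicit.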
@@ -132,34 +144,57 @@ public static RealmEvents Get(string name, Input id, RealmEventsState? s public sealed class RealmEventsArgs : global::Pulumi.ResourceArgs { + /// + /// When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + /// [Input("adminEventsDetailsEnabled")] public Input? AdminEventsDetailsEnabled { get; set; } + /// + /// When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + /// [Input("adminEventsEnabled")] public Input? AdminEventsEnabled { get; set; } [Input("enabledEventTypes")] private InputList? _enabledEventTypes; + + /// + /// The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + /// public InputList EnabledEventTypes { get => _enabledEventTypes ?? (_enabledEventTypes = new InputList()); set => _enabledEventTypes = value; } + /// + /// When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + /// [Input("eventsEnabled")] public Input? EventsEnabled { get; set; } + /// + /// The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + /// [Input("eventsExpiration")] public Input? EventsExpiration { get; set; } [Input("eventsListeners")] private InputList? _eventsListeners; + + /// + /// The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + /// public InputList EventsListeners { get => _eventsListeners ?? (_eventsListeners = new InputList()); set => _eventsListeners = value; } + /// + /// The name of the realm the event settings apply to. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -171,34 +206,57 @@ public RealmEventsArgs() public sealed class RealmEventsState : global::Pulumi.ResourceArgs { + /// + /// When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + /// [Input("adminEventsDetailsEnabled")] public Input? AdminEventsDetailsEnabled { get; set; } + /// + /// When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + /// [Input("adminEventsEnabled")] public Input? AdminEventsEnabled { get; set; } [Input("enabledEventTypes")] private InputList? _enabledEventTypes; + + /// + /// The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + /// public InputList EnabledEventTypes { get => _enabledEventTypes ?? (_enabledEventTypes = new InputList()); set => _enabledEventTypes = value; } + /// + /// When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + /// [Input("eventsEnabled")] public Input? EventsEnabled { get; set; } + /// + /// The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + /// [Input("eventsExpiration")] public Input? EventsExpiration { get; set; } [Input("eventsListeners")] private InputList? _eventsListeners; + + /// + /// The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + /// public InputList EventsListeners { get => _eventsListeners ?? (_eventsListeners = new InputList()); set => _eventsListeners = value; } + /// + /// The name of the realm the event settings apply to. + /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/Role.cs b/sdk/dotnet/Role.cs index 50fae0e4..4c333a30 100644 --- a/sdk/dotnet/Role.cs 
+++ b/sdk/dotnet/Role.cs @@ -10,14 +10,13 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.Role - /// /// Allows for creating and managing roles within Keycloak. /// - /// Roles allow you define privileges within Keycloak and map them to users - /// and groups. + /// Roles allow you define privileges within Keycloak and map them to users and groups. + /// + /// ## Example Usage /// - /// ### Example Usage (Realm role) + /// ### Realm Role) /// /// ```csharp /// using System.Collections.Generic; @@ -38,12 +37,17 @@ namespace Pulumi.Keycloak /// RealmId = realm.Id, /// Name = "my-realm-role", /// Description = "My Realm Role", + /// Attributes = + /// { + /// { "key", "value" }, + /// { "multivalue", "value1##value2" }, + /// }, /// }); /// /// }); /// ``` /// - /// ### Example Usage (Client role) + /// ### Client Role) /// /// ```csharp /// using System.Collections.Generic; @@ -59,27 +63,35 @@ namespace Pulumi.Keycloak /// Enabled = true, /// }); /// - /// var client = new Keycloak.OpenId.Client("client", new() + /// var openidClient = new Keycloak.OpenId.Client("openid_client", new() /// { /// RealmId = realm.Id, /// ClientId = "client", /// Name = "client", /// Enabled = true, - /// AccessType = "BEARER-ONLY", + /// AccessType = "CONFIDENTIAL", + /// ValidRedirectUris = new[] + /// { + /// "http://localhost:8080/openid-callback", + /// }, /// }); /// /// var clientRole = new Keycloak.Role("client_role", new() /// { /// RealmId = realm.Id, - /// ClientId = clientKeycloakClient.Id, + /// ClientId = openidClientKeycloakClient.Id, /// Name = "my-client-role", /// Description = "My Client Role", + /// Attributes = + /// { + /// { "key", "value" }, + /// }, /// }); /// /// }); /// ``` /// - /// ### Example Usage (Composite role) + /// ### Composite Role) /// /// ```csharp /// using System.Collections.Generic; 
@@ -100,42 +112,66 @@ namespace Pulumi.Keycloak /// { /// RealmId = realm.Id, /// Name = "create", + /// Attributes = + /// { + /// { "key", "value" }, + /// }, /// }); /// /// var readRole = new Keycloak.Role("read_role", new() /// { /// RealmId = realm.Id, /// Name = "read", + /// Attributes = + /// { + /// { "key", "value" }, + /// }, /// }); /// /// var updateRole = new Keycloak.Role("update_role", new() /// { /// RealmId = realm.Id, /// Name = "update", + /// Attributes = + /// { + /// { "key", "value" }, + /// }, /// }); /// /// var deleteRole = new Keycloak.Role("delete_role", new() /// { /// RealmId = realm.Id, /// Name = "delete", + /// Attributes = + /// { + /// { "key", "value" }, + /// }, /// }); /// /// // client role - /// var client = new Keycloak.OpenId.Client("client", new() + /// var openidClient = new Keycloak.OpenId.Client("openid_client", new() /// { /// RealmId = realm.Id, /// ClientId = "client", /// Name = "client", /// Enabled = true, - /// AccessType = "BEARER-ONLY", + /// AccessType = "CONFIDENTIAL", + /// ValidRedirectUris = new[] + /// { + /// "http://localhost:8080/openid-callback", + /// }, /// }); /// /// var clientRole = new Keycloak.Role("client_role", new() /// { /// RealmId = realm.Id, - /// ClientId = clientKeycloakClient.Id, + /// ClientId = openidClientKeycloakClient.Id, /// Name = "my-client-role", /// Description = "My Client Role", + /// Attributes = + /// { + /// { "key", "value" }, + /// }, /// }); /// /// var adminRole = new Keycloak.Role("admin_role", new() 
@@ -144,57 +180,71 @@ namespace Pulumi.Keycloak /// Name = "admin", /// CompositeRoles = new[] /// { - /// "{keycloak_role.create_role.id}", - /// "{keycloak_role.read_role.id}", - /// "{keycloak_role.update_role.id}", - /// "{keycloak_role.delete_role.id}", - /// "{keycloak_role.client_role.id}", + /// createRole.Id, + /// readRole.Id, + /// updateRole.Id, + /// deleteRole.Id, + /// clientRole.Id, + /// }, + /// Attributes = + /// { + /// { "key", "value" }, /// }, /// }); /// /// }); /// ``` /// - /// ### Argument Reference + /// ## Import /// - /// The following arguments are supported: + /// Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where `role_id` is the unique ID that Keycloak assigns /// - /// - `realm_id` - (Required) The realm this role exists within. - /// - `client_id` - (Optional) When specified, this role will be created as - /// a client role attached to the client with the provided ID - /// - `name` - (Required) The name of the role - /// - `description` - (Optional) The description of the role - /// - `composite_roles` - (Optional) When specified, this role will be a - /// composite role, composed of all roles that have an ID present within - /// this list. + /// to the role. The ID is not easy to find in the GUI, but it appears in the URL when editing the role. /// - /// ### Import + /// Example: /// - /// Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where - /// `role_id` is the unique ID that Keycloak assigns to the role. The ID is - /// not easy to find in the GUI, but it appears in the URL when editing the - /// role. + /// bash /// - /// Example: + /// ```sh + /// $ pulumi import keycloak:index/role:Role role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad + /// ``` /// [KeycloakResourceType("keycloak:index/role:Role")] public partial class Role : global::Pulumi.CustomResource { + /// + /// A map representing attributes for the role. 
In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + /// [Output("attributes")] public Output?> Attributes { get; private set; } = null!; + /// + /// When specified, this role will be created as a client role attached to the client with the provided ID + /// [Output("clientId")] public Output ClientId { get; private set; } = null!; + /// + /// When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + /// [Output("compositeRoles")] public Output> CompositeRoles { get; private set; } = null!; + /// + /// The description of the role + /// [Output("description")] public Output Description { get; private set; } = null!; + /// + /// The name of the role + /// [Output("name")] public Output Name { get; private set; } = null!; + /// + /// The realm this role exists within. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; 
@@ -246,29 +296,49 @@ public sealed class RoleArgs : global::Pulumi.ResourceArgs { [Input("attributes")] private InputMap? _attributes; + + /// + /// A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + /// public InputMap Attributes { get => _attributes ?? (_attributes = new InputMap()); set => _attributes = value; } + /// + /// When specified, this role will be created as a client role attached to the client with the provided ID + /// [Input("clientId")] public Input? ClientId { get; set; } [Input("compositeRoles")] private InputList? _compositeRoles; + + /// + /// When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + /// public InputList CompositeRoles { get => _compositeRoles ?? (_compositeRoles = new InputList()); set => _compositeRoles = value; } + /// + /// The description of the role + /// [Input("description")] public Input? Description { get; set; } + /// + /// The name of the role + /// [Input("name")] public Input? Name { get; set; } + /// + /// The realm this role exists within. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; 
@@ -282,29 +352,49 @@ public sealed class RoleState : global::Pulumi.ResourceArgs { [Input("attributes")] private InputMap? _attributes; + + /// + /// A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + /// public InputMap Attributes { get => _attributes ?? (_attributes = new InputMap()); set => _attributes = value; } + /// + /// When specified, this role will be created as a client role attached to the client with the provided ID + /// [Input("clientId")] public Input? ClientId { get; set; } [Input("compositeRoles")] private InputList? _compositeRoles; + + /// + /// When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + /// public InputList CompositeRoles { get => _compositeRoles ?? (_compositeRoles = new InputList()); set => _compositeRoles = value; } + /// + /// The description of the role + /// [Input("description")] public Input? Description { get; set; } + /// + /// The name of the role + /// [Input("name")] public Input? Name { get; set; } + /// + /// The realm this role exists within. + /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/Saml/Client.cs b/sdk/dotnet/Saml/Client.cs index ba2d701f..26bf43cc 100644 --- a/sdk/dotnet/Saml/Client.cs +++ b/sdk/dotnet/Saml/Client.cs 
@@ -10,132 +10,244 @@ namespace Pulumi.Keycloak.Saml { /// - /// ## # keycloak.saml.Client - /// /// Allows for creating and managing Keycloak clients that use the SAML protocol. /// - /// Clients are entities that can use Keycloak for user authentication. Typically, - /// clients are applications that redirect users to Keycloak for authentication - /// in order to take advantage of Keycloak's user sessions for SSO. + /// Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users + /// to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO. /// - /// ### Import + /// ## Import /// /// Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak + /// /// assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 + /// ``` /// [KeycloakResourceType("keycloak:saml/client:Client")] public partial class Client : global::Pulumi.CustomResource { + /// + /// SAML POST Binding URL for the client's assertion consumer service (login responses). + /// [Output("assertionConsumerPostUrl")] public Output AssertionConsumerPostUrl { get; private set; } = null!; + /// + /// SAML Redirect Binding URL for the client's assertion consumer service (login responses). + /// [Output("assertionConsumerRedirectUrl")] public Output AssertionConsumerRedirectUrl { get; private set; } = null!; + /// + /// Override realm authentication flow bindings + /// [Output("authenticationFlowBindingOverrides")] public Output AuthenticationFlowBindingOverrides { get; private set; } = null!; + /// + /// When specified, this URL will be used whenever Keycloak needs to link to this client. 
+ /// [Output("baseUrl")] public Output BaseUrl { get; private set; } = null!; + /// + /// The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + /// [Output("canonicalizationMethod")] public Output CanonicalizationMethod { get; private set; } = null!; + /// + /// The unique ID of this client, referenced in the URI during authentication and in issued tokens. + /// [Output("clientId")] public Output ClientId { get; private set; } = null!; + /// + /// When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + /// [Output("clientSignatureRequired")] public Output ClientSignatureRequired { get; private set; } = null!; + /// + /// The description of this client in the GUI. + /// [Output("description")] public Output Description { get; private set; } = null!; + /// + /// When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + /// [Output("enabled")] public Output Enabled { get; private set; } = null!; + /// + /// When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + /// [Output("encryptAssertions")] public Output EncryptAssertions { get; private set; } = null!; + /// + /// If assertions for the client are encrypted, this certificate will be used for encryption. + /// [Output("encryptionCertificate")] public Output EncryptionCertificate { get; private set; } = null!; + /// + /// (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. 
+ /// [Output("encryptionCertificateSha1")] public Output EncryptionCertificateSha1 { get; private set; } = null!; [Output("extraConfig")] public Output?> ExtraConfig { get; private set; } = null!; + /// + /// Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + /// [Output("forceNameIdFormat")] public Output ForceNameIdFormat { get; private set; } = null!; + /// + /// When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + /// [Output("forcePostBinding")] public Output ForcePostBinding { get; private set; } = null!; + /// + /// When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + /// [Output("frontChannelLogout")] public Output FrontChannelLogout { get; private set; } = null!; + /// + /// Allow to include all roles mappings in the access token + /// [Output("fullScopeAllowed")] public Output FullScopeAllowed { get; private set; } = null!; + /// + /// Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + /// [Output("idpInitiatedSsoRelayState")] public Output IdpInitiatedSsoRelayState { get; private set; } = null!; + /// + /// URL fragment name to reference client when you want to do IDP Initiated SSO. + /// [Output("idpInitiatedSsoUrlName")] public Output IdpInitiatedSsoUrlName { get; private set; } = null!; + /// + /// When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + /// [Output("includeAuthnStatement")] public Output IncludeAuthnStatement { get; private set; } = null!; + /// + /// The login theme of this client. + /// [Output("loginTheme")] public Output LoginTheme { get; private set; } = null!; + /// + /// SAML POST Binding URL for the client's single logout service. 
+ /// [Output("logoutServicePostBindingUrl")] public Output LogoutServicePostBindingUrl { get; private set; } = null!; + /// + /// SAML Redirect Binding URL for the client's single logout service. + /// [Output("logoutServiceRedirectBindingUrl")] public Output LogoutServiceRedirectBindingUrl { get; private set; } = null!; + /// + /// When specified, this URL will be used for all SAML requests. + /// [Output("masterSamlProcessingUrl")] public Output MasterSamlProcessingUrl { get; private set; } = null!; + /// + /// The display name of this client in the GUI. + /// [Output("name")] public Output Name { get; private set; } = null!; + /// + /// Sets the Name ID format for the subject. + /// [Output("nameIdFormat")] public Output NameIdFormat { get; private set; } = null!; + /// + /// The realm this client is attached to. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// When specified, this value is prepended to all relative URLs. + /// [Output("rootUrl")] public Output RootUrl { get; private set; } = null!; + /// + /// When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + /// [Output("signAssertions")] public Output SignAssertions { get; private set; } = null!; + /// + /// When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + /// [Output("signDocuments")] public Output SignDocuments { get; private set; } = null!; + /// + /// The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + /// [Output("signatureAlgorithm")] public Output SignatureAlgorithm { get; private set; } = null!; + /// + /// The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". 
+ /// [Output("signatureKeyName")] public Output SignatureKeyName { get; private set; } = null!; + /// + /// If documents or assertions from the client are signed, this certificate will be used to verify the signature. + /// [Output("signingCertificate")] public Output SigningCertificate { get; private set; } = null!; + /// + /// (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + /// [Output("signingCertificateSha1")] public Output SigningCertificateSha1 { get; private set; } = null!; + /// + /// If documents or assertions from the client are signed, this private key will be used to verify the signature. + /// [Output("signingPrivateKey")] public Output SigningPrivateKey { get; private set; } = null!; + /// + /// (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + /// [Output("signingPrivateKeySha1")] public Output SigningPrivateKeySha1 { get; private set; } = null!; + /// + /// When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + /// [Output("validRedirectUris")] public Output> ValidRedirectUris { get; private set; } = null!; 
@@ -185,36 +297,69 @@ public static Client Get(string name, Input id, ClientState? state = nul public sealed class ClientArgs : global::Pulumi.ResourceArgs { + /// + /// SAML POST Binding URL for the client's assertion consumer service (login responses). + /// [Input("assertionConsumerPostUrl")] public Input? AssertionConsumerPostUrl { get; set; } + /// + /// SAML Redirect Binding URL for the client's assertion consumer service (login responses). + /// [Input("assertionConsumerRedirectUrl")] public Input? AssertionConsumerRedirectUrl { get; set; } + /// + /// Override realm authentication flow bindings + /// [Input("authenticationFlowBindingOverrides")] public Input? AuthenticationFlowBindingOverrides { get; set; } + /// + /// When specified, this URL will be used whenever Keycloak needs to link to this client. + /// [Input("baseUrl")] public Input? BaseUrl { get; set; } + /// + /// The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + /// [Input("canonicalizationMethod")] public Input? CanonicalizationMethod { get; set; } + /// + /// The unique ID of this client, referenced in the URI during authentication and in issued tokens. + /// [Input("clientId", required: true)] public Input ClientId { get; set; } = null!; + /// + /// When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + /// [Input("clientSignatureRequired")] public Input? ClientSignatureRequired { get; set; } + /// + /// The description of this client in the GUI. + /// [Input("description")] public Input? Description { get; set; } + /// + /// When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + /// [Input("enabled")] public Input? 
Enabled { get; set; } + /// + /// When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + /// [Input("encryptAssertions")] public Input? EncryptAssertions { get; set; } + /// + /// If assertions for the client are encrypted, this certificate will be used for encryption. + /// [Input("encryptionCertificate")] public Input? EncryptionCertificate { get; set; } 
@@ -226,71 +371,138 @@ public InputMap ExtraConfig set => _extraConfig = value; } + /// + /// Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + /// [Input("forceNameIdFormat")] public Input? ForceNameIdFormat { get; set; } + /// + /// When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + /// [Input("forcePostBinding")] public Input? ForcePostBinding { get; set; } + /// + /// When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + /// [Input("frontChannelLogout")] public Input? FrontChannelLogout { get; set; } + /// + /// Allow to include all roles mappings in the access token + /// [Input("fullScopeAllowed")] public Input? FullScopeAllowed { get; set; } + /// + /// Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + /// [Input("idpInitiatedSsoRelayState")] public Input? IdpInitiatedSsoRelayState { get; set; } + /// + /// URL fragment name to reference client when you want to do IDP Initiated SSO. + /// [Input("idpInitiatedSsoUrlName")] public Input? IdpInitiatedSsoUrlName { get; set; } + /// + /// When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + /// [Input("includeAuthnStatement")] public Input? IncludeAuthnStatement { get; set; } + /// + /// The login theme of this client. + /// [Input("loginTheme")] public Input? LoginTheme { get; set; } + /// + /// SAML POST Binding URL for the client's single logout service. + /// [Input("logoutServicePostBindingUrl")] public Input? LogoutServicePostBindingUrl { get; set; } + /// + /// SAML Redirect Binding URL for the client's single logout service. + /// [Input("logoutServiceRedirectBindingUrl")] public Input? LogoutServiceRedirectBindingUrl { get; set; } + /// + /// When specified, this URL will be used for all SAML requests. 
+ /// [Input("masterSamlProcessingUrl")] public Input? MasterSamlProcessingUrl { get; set; } + /// + /// The display name of this client in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// Sets the Name ID format for the subject. + /// [Input("nameIdFormat")] public Input? NameIdFormat { get; set; } + /// + /// The realm this client is attached to. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; + /// + /// When specified, this value is prepended to all relative URLs. + /// [Input("rootUrl")] public Input? RootUrl { get; set; } + /// + /// When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + /// [Input("signAssertions")] public Input? SignAssertions { get; set; } + /// + /// When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + /// [Input("signDocuments")] public Input? SignDocuments { get; set; } + /// + /// The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + /// [Input("signatureAlgorithm")] public Input? SignatureAlgorithm { get; set; } + /// + /// The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + /// [Input("signatureKeyName")] public Input? SignatureKeyName { get; set; } + /// + /// If documents or assertions from the client are signed, this certificate will be used to verify the signature. + /// [Input("signingCertificate")] public Input? SigningCertificate { get; set; } + /// + /// If documents or assertions from the client are signed, this private key will be used to verify the signature. + /// [Input("signingPrivateKey")] public Input? SigningPrivateKey { get; set; } [Input("validRedirectUris")] private InputList? 
_validRedirectUris; + + /// + /// When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + /// public InputList ValidRedirectUris { get => _validRedirectUris ?? (_validRedirectUris = new InputList()); 
@@ -305,39 +517,75 @@ public ClientArgs() public sealed class ClientState : global::Pulumi.ResourceArgs { + /// + /// SAML POST Binding URL for the client's assertion consumer service (login responses). + /// [Input("assertionConsumerPostUrl")] public Input? AssertionConsumerPostUrl { get; set; } + /// + /// SAML Redirect Binding URL for the client's assertion consumer service (login responses). + /// [Input("assertionConsumerRedirectUrl")] public Input? AssertionConsumerRedirectUrl { get; set; } + /// + /// Override realm authentication flow bindings + /// [Input("authenticationFlowBindingOverrides")] public Input? AuthenticationFlowBindingOverrides { get; set; } + /// + /// When specified, this URL will be used whenever Keycloak needs to link to this client. + /// [Input("baseUrl")] public Input? BaseUrl { get; set; } + /// + /// The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + /// [Input("canonicalizationMethod")] public Input? CanonicalizationMethod { get; set; } + /// + /// The unique ID of this client, referenced in the URI during authentication and in issued tokens. + /// [Input("clientId")] public Input? ClientId { get; set; } + /// + /// When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + /// [Input("clientSignatureRequired")] public Input? ClientSignatureRequired { get; set; } + /// + /// The description of this client in the GUI. + /// [Input("description")] public Input? Description { get; set; } + /// + /// When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + /// [Input("enabled")] public Input? Enabled { get; set; } + /// + /// When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. 
Defaults to `false`. + /// [Input("encryptAssertions")] public Input? EncryptAssertions { get; set; } + /// + /// If assertions for the client are encrypted, this certificate will be used for encryption. + /// [Input("encryptionCertificate")] public Input? EncryptionCertificate { get; set; } + /// + /// (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + /// [Input("encryptionCertificateSha1")] public Input? EncryptionCertificateSha1 { get; set; } 
@@ -349,77 +597,150 @@ public InputMap ExtraConfig set => _extraConfig = value; } + /// + /// Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + /// [Input("forceNameIdFormat")] public Input? ForceNameIdFormat { get; set; } + /// + /// When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + /// [Input("forcePostBinding")] public Input? ForcePostBinding { get; set; } + /// + /// When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + /// [Input("frontChannelLogout")] public Input? FrontChannelLogout { get; set; } + /// + /// Allow to include all roles mappings in the access token + /// [Input("fullScopeAllowed")] public Input? FullScopeAllowed { get; set; } + /// + /// Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + /// [Input("idpInitiatedSsoRelayState")] public Input? IdpInitiatedSsoRelayState { get; set; } + /// + /// URL fragment name to reference client when you want to do IDP Initiated SSO. + /// [Input("idpInitiatedSsoUrlName")] public Input? IdpInitiatedSsoUrlName { get; set; } + /// + /// When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + /// [Input("includeAuthnStatement")] public Input? IncludeAuthnStatement { get; set; } + /// + /// The login theme of this client. + /// [Input("loginTheme")] public Input? LoginTheme { get; set; } + /// + /// SAML POST Binding URL for the client's single logout service. + /// [Input("logoutServicePostBindingUrl")] public Input? LogoutServicePostBindingUrl { get; set; } + /// + /// SAML Redirect Binding URL for the client's single logout service. + /// [Input("logoutServiceRedirectBindingUrl")] public Input? LogoutServiceRedirectBindingUrl { get; set; } + /// + /// When specified, this URL will be used for all SAML requests. 
+ /// [Input("masterSamlProcessingUrl")] public Input? MasterSamlProcessingUrl { get; set; } + /// + /// The display name of this client in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// Sets the Name ID format for the subject. + /// [Input("nameIdFormat")] public Input? NameIdFormat { get; set; } + /// + /// The realm this client is attached to. + /// [Input("realmId")] public Input? RealmId { get; set; } + /// + /// When specified, this value is prepended to all relative URLs. + /// [Input("rootUrl")] public Input? RootUrl { get; set; } + /// + /// When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + /// [Input("signAssertions")] public Input? SignAssertions { get; set; } + /// + /// When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + /// [Input("signDocuments")] public Input? SignDocuments { get; set; } + /// + /// The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + /// [Input("signatureAlgorithm")] public Input? SignatureAlgorithm { get; set; } + /// + /// The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + /// [Input("signatureKeyName")] public Input? SignatureKeyName { get; set; } + /// + /// If documents or assertions from the client are signed, this certificate will be used to verify the signature. + /// [Input("signingCertificate")] public Input? SigningCertificate { get; set; } + /// + /// (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + /// [Input("signingCertificateSha1")] public Input? 
SigningCertificateSha1 { get; set; } + /// + /// If documents or assertions from the client are signed, this private key will be used to verify the signature. + /// [Input("signingPrivateKey")] public Input? SigningPrivateKey { get; set; } + /// + /// (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + /// [Input("signingPrivateKeySha1")] public Input? SigningPrivateKeySha1 { get; set; } [Input("validRedirectUris")] private InputList? _validRedirectUris; + + /// + /// When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + /// public InputList ValidRedirectUris { get => _validRedirectUris ?? (_validRedirectUris = new InputList()); diff --git a/sdk/dotnet/Saml/IdentityProvider.cs b/sdk/dotnet/Saml/IdentityProvider.cs index 1a2d3150..10ba9672 100644 --- a/sdk/dotnet/Saml/IdentityProvider.cs +++ b/sdk/dotnet/Saml/IdentityProvider.cs @@ -10,13 +10,11 @@ namespace Pulumi.Keycloak.Saml { /// - /// ## # keycloak.saml.IdentityProvider + /// Allows for creating and managing SAML Identity Providers within Keycloak. /// - /// Allows to create and manage SAML Identity Providers within Keycloak. + /// SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol. /// - /// SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard. - /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; 
@@ -26,10 +24,17 @@ namespace Pulumi.Keycloak.Saml /// /// return await Deployment.RunAsync(() => /// { - /// var realmIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_identity_provider", new() + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var realmSamlIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_saml_identity_provider", new() /// { - /// Realm = "my-realm", - /// Alias = "my-idp", + /// Realm = realm.Id, + /// Alias = "my-saml-idp", + /// EntityId = "https://domain.com/entity_id", /// SingleSignOnServiceUrl = "https://domain.com/adfs/ls/", /// SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0", /// BackchannelSupported = true, 
@@ -44,99 +49,71 @@ namespace Pulumi.Keycloak.Saml /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm` - (Required) The name of the realm. This is unique across Keycloak. - /// - `alias` - (Optional) The uniq name of identity provider. - /// - `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. - /// - `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. - /// - `store_token` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`. - /// - `add_read_token_role_on_create` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`. - /// - `trust_email` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`. - /// - `link_only` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`. - /// - `hide_on_login_page` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. - /// - `first_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. - /// - `post_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). 
Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. - /// - `authenticate_by_default` - (Optional) Authenticate users by default. Defaults to `false`. - /// - /// #### SAML Configuration - /// - /// - `single_sign_on_service_url` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest). - /// - `single_logout_service_url` - (Optional) The Url that must be used to send logout requests. - /// - `backchannel_supported` - (Optional) Does the external IDP support back-channel logout ?. - /// - `name_id_policy_format` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. - /// - `post_binding_response` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. - /// - `post_binding_authn_request` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - /// - `post_binding_logout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - /// - `want_assertions_signed` - (Optional) Indicates whether this service provider expects a signed Assertion. - /// - `want_assertions_encrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. - /// - `force_authn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. - /// - `validate_signature` - (Optional) Enable/disable signature validation of SAML responses. - /// - `signing_certificate` - (Optional) Signing Certificate. - /// - `signature_algorithm` - (Optional) Signing Algorithm. 
Defaults to empty. - /// - `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty. - /// - /// ### Import + /// ## Import /// /// Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp + /// ``` /// [KeycloakResourceType("keycloak:saml/identityProvider:IdentityProvider")] public partial class IdentityProvider : global::Pulumi.CustomResource { /// - /// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + /// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. /// [Output("addReadTokenRoleOnCreate")] public Output AddReadTokenRoleOnCreate { get; private set; } = null!; /// - /// The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + /// The unique name of identity provider. /// [Output("alias")] public Output Alias { get; private set; } = null!; /// - /// Enable/disable authenticate users by default. + /// Authenticate users by default. Defaults to `false`. /// [Output("authenticateByDefault")] public Output AuthenticateByDefault { get; private set; } = null!; /// - /// AuthnContext ClassRefs + /// Ordered list of requested AuthnContext ClassRefs. /// [Output("authnContextClassRefs")] public Output> AuthnContextClassRefs { get; private set; } = null!; /// - /// AuthnContext Comparison + /// Specifies the comparison method used to evaluate the requested context classes or statements. /// [Output("authnContextComparisonType")] public Output AuthnContextComparisonType { get; private set; } = null!; /// - /// AuthnContext DeclRefs + /// Ordered list of requested AuthnContext DeclRefs. 
/// [Output("authnContextDeclRefs")] public Output> AuthnContextDeclRefs { get; private set; } = null!; /// - /// Does the external IDP support backchannel logout? + /// Does the external IDP support backchannel logout?. Defaults to `false`. /// [Output("backchannelSupported")] public Output BackchannelSupported { get; private set; } = null!; /// - /// Friendly name for Identity Providers. + /// The display name for the realm that is shown when logging in to the admin console. /// [Output("displayName")] public Output DisplayName { get; private set; } = null!; /// - /// Enable/disable this identity provider. + /// When `false`, users and clients will not be able to access this realm. Defaults to `true`. /// [Output("enabled")] public Output Enabled { get; private set; } = null!; 
@@ -151,26 +128,25 @@ public partial class IdentityProvider : global::Pulumi.CustomResource public Output?> ExtraConfig { get; private set; } = null!; /// - /// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - /// that there is not yet existing Keycloak account linked with the authenticated identity provider account. + /// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. /// [Output("firstBrokerLoginFlowAlias")] public Output FirstBrokerLoginFlowAlias { get; private set; } = null!; /// - /// Require Force Authn. + /// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. /// [Output("forceAuthn")] public Output ForceAuthn { get; private set; } = null!; /// - /// GUI Order + /// A number defining the order of this identity provider in the GUI. /// [Output("guiOrder")] public Output GuiOrder { get; private set; } = null!; /// - /// Hide On Login Page. + /// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. /// [Output("hideOnLoginPage")] public Output HideOnLoginPage { get; private set; } = null!; 
@@ -182,8 +158,7 @@ public partial class IdentityProvider : global::Pulumi.CustomResource public Output InternalId { get; private set; } = null!; /// - /// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - /// want to allow login from the provider, but want to integrate with a provider + /// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. /// [Output("linkOnly")] public Output LinkOnly { get; private set; } = null!; 
@@ -195,64 +170,61 @@ public partial class IdentityProvider : global::Pulumi.CustomResource public Output LoginHint { get; private set; } = null!; /// - /// Name ID Policy Format. + /// Specifies the URI reference corresponding to a name identifier format. Defaults to empty. /// [Output("nameIdPolicyFormat")] public Output NameIdPolicyFormat { get; private set; } = null!; /// - /// Post Binding Authn Request. + /// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. /// [Output("postBindingAuthnRequest")] public Output PostBindingAuthnRequest { get; private set; } = null!; /// - /// Post Binding Logout. + /// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. /// [Output("postBindingLogout")] public Output PostBindingLogout { get; private set; } = null!; /// - /// Post Binding Response. + /// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. /// [Output("postBindingResponse")] public Output PostBindingResponse { get; private set; } = null!; /// - /// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - /// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - /// you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - /// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + /// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. 
Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. /// [Output("postBrokerLoginFlowAlias")] public Output PostBrokerLoginFlowAlias { get; private set; } = null!; /// - /// Principal Attribute + /// The principal attribute. /// [Output("principalAttribute")] public Output PrincipalAttribute { get; private set; } = null!; /// - /// Principal Type + /// The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. /// [Output("principalType")] public Output PrincipalType { get; private set; } = null!; /// - /// provider id, is always saml, unless you have a custom implementation + /// The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. /// [Output("providerId")] public Output ProviderId { get; private set; } = null!; /// - /// Realm Name + /// The name of the realm. This is unique across Keycloak. /// [Output("realm")] public Output Realm { get; private set; } = null!; /// - /// Signing Algorithm. + /// Signing Algorithm. Defaults to empty. /// [Output("signatureAlgorithm")] public Output SignatureAlgorithm { get; private set; } = null!; 
@@ -264,31 +236,31 @@ public partial class IdentityProvider : global::Pulumi.CustomResource public Output SigningCertificate { get; private set; } = null!; /// - /// Logout URL. + /// The Url that must be used to send logout requests. /// [Output("singleLogoutServiceUrl")] public Output SingleLogoutServiceUrl { get; private set; } = null!; /// - /// SSO Logout URL. + /// The Url that must be used to send authentication requests (SAML AuthnRequest). /// [Output("singleSignOnServiceUrl")] public Output SingleSignOnServiceUrl { get; private set; } = null!; /// - /// Enable/disable if tokens must be stored after authenticating users. + /// When `true`, tokens will be stored after authenticating users. Defaults to `true`. /// [Output("storeToken")] public Output StoreToken { get; private set; } = null!; /// - /// Sync Mode + /// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. /// [Output("syncMode")] public Output SyncMode { get; private set; } = null!; /// - /// If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + /// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. /// [Output("trustEmail")] public Output TrustEmail { get; private set; } = null!; 
@@ -300,19 +272,19 @@ public partial class IdentityProvider : global::Pulumi.CustomResource public Output ValidateSignature { get; private set; } = null!; /// - /// Want Assertions Encrypted. + /// Indicates whether this service provider expects an encrypted Assertion. /// [Output("wantAssertionsEncrypted")] public Output WantAssertionsEncrypted { get; private set; } = null!; /// - /// Want Assertions Signed. + /// Indicates whether this service provider expects a signed Assertion. /// [Output("wantAssertionsSigned")] public Output WantAssertionsSigned { get; private set; } = null!; /// - /// Sign Key Transformer. + /// The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. /// [Output("xmlSignKeyInfoKeyNameTransformer")] public Output XmlSignKeyInfoKeyNameTransformer { get; private set; } = null!; @@ -364,19 +336,19 @@ public static IdentityProvider Get(string name, Input id, IdentityProvid public sealed class IdentityProviderArgs : global::Pulumi.ResourceArgs { /// - /// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + /// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. /// [Input("addReadTokenRoleOnCreate")] public Input? AddReadTokenRoleOnCreate { get; set; } /// - /// The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + /// The unique name of identity provider. /// [Input("alias", required: true)] public Input Alias { get; set; } = null!; /// - /// Enable/disable authenticate users by default. + /// Authenticate users by default. Defaults to `false`. /// [Input("authenticateByDefault")] public Input? AuthenticateByDefault { get; set; } 
@@ -385,7 +357,7 @@ public sealed class IdentityProviderArgs : global::Pulumi.ResourceArgs private InputList? _authnContextClassRefs; /// - /// AuthnContext ClassRefs + /// Ordered list of requested AuthnContext ClassRefs. /// public InputList AuthnContextClassRefs { @@ -394,7 +366,7 @@ public InputList AuthnContextClassRefs } /// - /// AuthnContext Comparison + /// Specifies the comparison method used to evaluate the requested context classes or statements. /// [Input("authnContextComparisonType")] public Input? AuthnContextComparisonType { get; set; } @@ -403,7 +375,7 @@ public InputList AuthnContextClassRefs private InputList? _authnContextDeclRefs; /// - /// AuthnContext DeclRefs + /// Ordered list of requested AuthnContext DeclRefs. /// public InputList AuthnContextDeclRefs { @@ -412,19 +384,19 @@ public InputList AuthnContextDeclRefs } /// - /// Does the external IDP support backchannel logout? + /// Does the external IDP support backchannel logout?. Defaults to `false`. /// [Input("backchannelSupported")] public Input? BackchannelSupported { get; set; } /// - /// Friendly name for Identity Providers. + /// The display name for the realm that is shown when logging in to the admin console. /// [Input("displayName")] public Input? DisplayName { get; set; } /// - /// Enable/disable this identity provider. + /// When `false`, users and clients will not be able to access this realm. Defaults to `true`. /// [Input("enabled")] public Input? Enabled { get; set; } 
@@ -444,33 +416,31 @@ public InputMap ExtraConfig } /// - /// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - /// that there is not yet existing Keycloak account linked with the authenticated identity provider account. + /// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. /// [Input("firstBrokerLoginFlowAlias")] public Input? FirstBrokerLoginFlowAlias { get; set; } /// - /// Require Force Authn. + /// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. /// [Input("forceAuthn")] public Input? ForceAuthn { get; set; } /// - /// GUI Order + /// A number defining the order of this identity provider in the GUI. /// [Input("guiOrder")] public Input? GuiOrder { get; set; } /// - /// Hide On Login Page. + /// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. /// [Input("hideOnLoginPage")] public Input? HideOnLoginPage { get; set; } /// - /// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - /// want to allow login from the provider, but want to integrate with a provider + /// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. /// [Input("linkOnly")] public Input? LinkOnly { get; set; } 
@@ -482,64 +452,61 @@ public InputMap ExtraConfig public Input? LoginHint { get; set; } /// - /// Name ID Policy Format. + /// Specifies the URI reference corresponding to a name identifier format. Defaults to empty. /// [Input("nameIdPolicyFormat")] public Input? NameIdPolicyFormat { get; set; } /// - /// Post Binding Authn Request. + /// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. /// [Input("postBindingAuthnRequest")] public Input? PostBindingAuthnRequest { get; set; } /// - /// Post Binding Logout. + /// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. /// [Input("postBindingLogout")] public Input? PostBindingLogout { get; set; } /// - /// Post Binding Response. + /// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. /// [Input("postBindingResponse")] public Input? PostBindingResponse { get; set; } /// - /// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - /// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - /// you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - /// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + /// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. 
Defaults to empty. /// [Input("postBrokerLoginFlowAlias")] public Input? PostBrokerLoginFlowAlias { get; set; } /// - /// Principal Attribute + /// The principal attribute. /// [Input("principalAttribute")] public Input? PrincipalAttribute { get; set; } /// - /// Principal Type + /// The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. /// [Input("principalType")] public Input? PrincipalType { get; set; } /// - /// provider id, is always saml, unless you have a custom implementation + /// The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. /// [Input("providerId")] public Input? ProviderId { get; set; } /// - /// Realm Name + /// The name of the realm. This is unique across Keycloak. /// [Input("realm", required: true)] public Input Realm { get; set; } = null!; /// - /// Signing Algorithm. + /// Signing Algorithm. Defaults to empty. /// [Input("signatureAlgorithm")] public Input? SignatureAlgorithm { get; set; } 
@@ -551,31 +518,31 @@ public InputMap ExtraConfig public Input? SigningCertificate { get; set; } /// - /// Logout URL. + /// The Url that must be used to send logout requests. /// [Input("singleLogoutServiceUrl")] public Input? SingleLogoutServiceUrl { get; set; } /// - /// SSO Logout URL. + /// The Url that must be used to send authentication requests (SAML AuthnRequest). /// [Input("singleSignOnServiceUrl", required: true)] public Input SingleSignOnServiceUrl { get; set; } = null!; /// - /// Enable/disable if tokens must be stored after authenticating users. + /// When `true`, tokens will be stored after authenticating users. Defaults to `true`. /// [Input("storeToken")] public Input? StoreToken { get; set; } /// - /// Sync Mode + /// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. /// [Input("syncMode")] public Input? SyncMode { get; set; } /// - /// If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + /// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. /// [Input("trustEmail")] public Input? TrustEmail { get; set; } 
@@ -587,19 +554,19 @@ public InputMap ExtraConfig public Input? ValidateSignature { get; set; } /// - /// Want Assertions Encrypted. + /// Indicates whether this service provider expects an encrypted Assertion. /// [Input("wantAssertionsEncrypted")] public Input? WantAssertionsEncrypted { get; set; } /// - /// Want Assertions Signed. + /// Indicates whether this service provider expects a signed Assertion. /// [Input("wantAssertionsSigned")] public Input? WantAssertionsSigned { get; set; } /// - /// Sign Key Transformer. + /// The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. /// [Input("xmlSignKeyInfoKeyNameTransformer")] public Input? XmlSignKeyInfoKeyNameTransformer { get; set; } @@ -613,19 +580,19 @@ public IdentityProviderArgs() public sealed class IdentityProviderState : global::Pulumi.ResourceArgs { /// - /// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + /// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. /// [Input("addReadTokenRoleOnCreate")] public Input? AddReadTokenRoleOnCreate { get; set; } /// - /// The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + /// The unique name of identity provider. /// [Input("alias")] public Input? Alias { get; set; } /// - /// Enable/disable authenticate users by default. + /// Authenticate users by default. Defaults to `false`. /// [Input("authenticateByDefault")] public Input? AuthenticateByDefault { get; set; } @@ -634,7 +601,7 @@ public sealed class IdentityProviderState : global::Pulumi.ResourceArgs private InputList? _authnContextClassRefs; /// - /// AuthnContext ClassRefs + /// Ordered list of requested AuthnContext ClassRefs. /// public InputList AuthnContextClassRefs { 
@@ -643,7 +610,7 @@ public InputList AuthnContextClassRefs } /// - /// AuthnContext Comparison + /// Specifies the comparison method used to evaluate the requested context classes or statements. /// [Input("authnContextComparisonType")] public Input? AuthnContextComparisonType { get; set; } @@ -652,7 +619,7 @@ public InputList AuthnContextClassRefs private InputList? _authnContextDeclRefs; /// - /// AuthnContext DeclRefs + /// Ordered list of requested AuthnContext DeclRefs. /// public InputList AuthnContextDeclRefs { @@ -661,19 +628,19 @@ public InputList AuthnContextDeclRefs } /// - /// Does the external IDP support backchannel logout? + /// Does the external IDP support backchannel logout?. Defaults to `false`. /// [Input("backchannelSupported")] public Input? BackchannelSupported { get; set; } /// - /// Friendly name for Identity Providers. + /// The display name for the realm that is shown when logging in to the admin console. /// [Input("displayName")] public Input? DisplayName { get; set; } /// - /// Enable/disable this identity provider. + /// When `false`, users and clients will not be able to access this realm. Defaults to `true`. /// [Input("enabled")] public Input? Enabled { get; set; } 
@@ -693,26 +660,25 @@ public InputMap ExtraConfig } /// - /// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - /// that there is not yet existing Keycloak account linked with the authenticated identity provider account. + /// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. /// [Input("firstBrokerLoginFlowAlias")] public Input? FirstBrokerLoginFlowAlias { get; set; } /// - /// Require Force Authn. + /// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. /// [Input("forceAuthn")] public Input? ForceAuthn { get; set; } /// - /// GUI Order + /// A number defining the order of this identity provider in the GUI. /// [Input("guiOrder")] public Input? GuiOrder { get; set; } /// - /// Hide On Login Page. + /// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. /// [Input("hideOnLoginPage")] public Input? HideOnLoginPage { get; set; } @@ -724,8 +690,7 @@ public InputMap ExtraConfig public Input? InternalId { get; set; } /// - /// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - /// want to allow login from the provider, but want to integrate with a provider + /// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. /// [Input("linkOnly")] public Input? LinkOnly { get; set; } 
@@ -737,64 +702,61 @@ public InputMap ExtraConfig public Input? LoginHint { get; set; } /// - /// Name ID Policy Format. + /// Specifies the URI reference corresponding to a name identifier format. Defaults to empty. /// [Input("nameIdPolicyFormat")] public Input? NameIdPolicyFormat { get; set; } /// - /// Post Binding Authn Request. + /// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. /// [Input("postBindingAuthnRequest")] public Input? PostBindingAuthnRequest { get; set; } /// - /// Post Binding Logout. + /// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. /// [Input("postBindingLogout")] public Input? PostBindingLogout { get; set; } /// - /// Post Binding Response. + /// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. /// [Input("postBindingResponse")] public Input? PostBindingResponse { get; set; } /// - /// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - /// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - /// you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - /// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + /// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. 
Defaults to empty. /// [Input("postBrokerLoginFlowAlias")] public Input? PostBrokerLoginFlowAlias { get; set; } /// - /// Principal Attribute + /// The principal attribute. /// [Input("principalAttribute")] public Input? PrincipalAttribute { get; set; } /// - /// Principal Type + /// The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. /// [Input("principalType")] public Input? PrincipalType { get; set; } /// - /// provider id, is always saml, unless you have a custom implementation + /// The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. /// [Input("providerId")] public Input? ProviderId { get; set; } /// - /// Realm Name + /// The name of the realm. This is unique across Keycloak. /// [Input("realm")] public Input? Realm { get; set; } /// - /// Signing Algorithm. + /// Signing Algorithm. Defaults to empty. /// [Input("signatureAlgorithm")] public Input? SignatureAlgorithm { get; set; } 
@@ -806,31 +768,31 @@ public InputMap ExtraConfig public Input? SigningCertificate { get; set; } /// - /// Logout URL. + /// The Url that must be used to send logout requests. /// [Input("singleLogoutServiceUrl")] public Input? SingleLogoutServiceUrl { get; set; } /// - /// SSO Logout URL. + /// The Url that must be used to send authentication requests (SAML AuthnRequest). /// [Input("singleSignOnServiceUrl")] public Input? SingleSignOnServiceUrl { get; set; } /// - /// Enable/disable if tokens must be stored after authenticating users. + /// When `true`, tokens will be stored after authenticating users. Defaults to `true`. /// [Input("storeToken")] public Input? StoreToken { get; set; } /// - /// Sync Mode + /// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. /// [Input("syncMode")] public Input? SyncMode { get; set; } /// - /// If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + /// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. /// [Input("trustEmail")] public Input? TrustEmail { get; set; } @@ -842,19 +804,19 @@ public InputMap ExtraConfig public Input? ValidateSignature { get; set; } /// - /// Want Assertions Encrypted. + /// Indicates whether this service provider expects an encrypted Assertion. /// [Input("wantAssertionsEncrypted")] public Input? WantAssertionsEncrypted { get; set; } /// - /// Want Assertions Signed. + /// Indicates whether this service provider expects a signed Assertion. /// [Input("wantAssertionsSigned")] public Input? WantAssertionsSigned { get; set; } /// - /// Sign Key Transformer. + /// The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. /// [Input("xmlSignKeyInfoKeyNameTransformer")] public Input? XmlSignKeyInfoKeyNameTransformer { get; set; } 
diff --git a/sdk/dotnet/Saml/Inputs/ClientAuthenticationFlowBindingOverridesArgs.cs b/sdk/dotnet/Saml/Inputs/ClientAuthenticationFlowBindingOverridesArgs.cs index e5e416f9..493e05fa 100644 --- a/sdk/dotnet/Saml/Inputs/ClientAuthenticationFlowBindingOverridesArgs.cs +++ b/sdk/dotnet/Saml/Inputs/ClientAuthenticationFlowBindingOverridesArgs.cs @@ -12,9 +12,15 @@ namespace Pulumi.Keycloak.Saml.Inputs public sealed class ClientAuthenticationFlowBindingOverridesArgs : global::Pulumi.ResourceArgs { + /// + /// Browser flow id, (flow needs to exist) + /// [Input("browserId")] public Input? BrowserId { get; set; } + /// + /// Direct grant flow id (flow needs to exist) + /// [Input("directGrantId")] public Input? DirectGrantId { get; set; } diff --git a/sdk/dotnet/Saml/Inputs/ClientAuthenticationFlowBindingOverridesGetArgs.cs b/sdk/dotnet/Saml/Inputs/ClientAuthenticationFlowBindingOverridesGetArgs.cs index 72fe041b..400d9414 100644 --- a/sdk/dotnet/Saml/Inputs/ClientAuthenticationFlowBindingOverridesGetArgs.cs +++ b/sdk/dotnet/Saml/Inputs/ClientAuthenticationFlowBindingOverridesGetArgs.cs @@ -12,9 +12,15 @@ namespace Pulumi.Keycloak.Saml.Inputs public sealed class ClientAuthenticationFlowBindingOverridesGetArgs : global::Pulumi.ResourceArgs { + /// + /// Browser flow id, (flow needs to exist) + /// [Input("browserId")] public Input? BrowserId { get; set; } + /// + /// Direct grant flow id (flow needs to exist) + /// [Input("directGrantId")] public Input? DirectGrantId { get; set; } diff --git a/sdk/dotnet/Saml/Outputs/ClientAuthenticationFlowBindingOverrides.cs b/sdk/dotnet/Saml/Outputs/ClientAuthenticationFlowBindingOverrides.cs index b00a4eea..10e1e40f 100644 --- a/sdk/dotnet/Saml/Outputs/ClientAuthenticationFlowBindingOverrides.cs +++ b/sdk/dotnet/Saml/Outputs/ClientAuthenticationFlowBindingOverrides.cs 
@@ -13,7 +13,13 @@ namespace Pulumi.Keycloak.Saml.Outputs [OutputType] public sealed class ClientAuthenticationFlowBindingOverrides { + /// + /// Browser flow id, (flow needs to exist) + /// public readonly string? BrowserId; + /// + /// Direct grant flow id (flow needs to exist) + /// public readonly string? DirectGrantId; [OutputConstructor] diff --git a/sdk/dotnet/Saml/UserAttributeProtocolMapper.cs b/sdk/dotnet/Saml/UserAttributeProtocolMapper.cs index 9d770a30..89220cba 100644 --- a/sdk/dotnet/Saml/UserAttributeProtocolMapper.cs +++ b/sdk/dotnet/Saml/UserAttributeProtocolMapper.cs @@ -10,17 +10,15 @@ namespace Pulumi.Keycloak.Saml { /// - /// ## # keycloak.saml.UserAttributeProtocolMapper + /// Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak. /// - /// Allows for creating and managing user attribute protocol mappers for - /// SAML clients within Keycloak. + /// SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute + /// in a SAML assertion. /// - /// SAML user attribute protocol mappers allow you to map custom attributes defined - /// for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers - /// can be defined for a single client, or they can be defined for a client scope which - /// can be shared between multiple different clients. + /// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + /// multiple different clients. /// - /// ### Example Usage (Client) + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; 
@@ -38,14 +36,14 @@ namespace Pulumi.Keycloak.Saml /// /// var samlClient = new Keycloak.Saml.Client("saml_client", new() /// { - /// RealmId = test.Id, - /// ClientId = "test-saml-client", - /// Name = "test-saml-client", + /// RealmId = realm.Id, + /// ClientId = "saml-client", + /// Name = "saml-client", /// }); /// /// var samlUserAttributeMapper = new Keycloak.Saml.UserAttributeProtocolMapper("saml_user_attribute_mapper", new() /// { - /// RealmId = test.Id, + /// RealmId = realm.Id, /// ClientId = samlClient.Id, /// Name = "displayname-user-attribute-mapper", /// UserAttribute = "displayName", 
@@ -56,51 +54,74 @@ namespace Pulumi.Keycloak.Saml /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. - /// - `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the GUI. - /// - `user_attribute` - (Required) The custom user attribute to map. - /// - `friendly_name` - (Optional) An optional human-friendly name for this attribute. - /// - `saml_attribute_name` - (Required) The name of the SAML attribute. - /// - `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. - /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using one of the following formats: + /// /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + /// /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper")] public partial class UserAttributeProtocolMapper : global::Pulumi.CustomResource { + /// + /// The client this protocol mapper 
should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Output("clientId")] public Output ClientId { get; private set; } = null!; + /// + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; + /// + /// An optional human-friendly name for this attribute. + /// [Output("friendlyName")] public Output FriendlyName { get; private set; } = null!; + /// + /// The display name of this protocol mapper in the GUI. + /// [Output("name")] public Output Name { get; private set; } = null!; + /// + /// The realm this protocol mapper exists within. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// The name of the SAML attribute. + /// [Output("samlAttributeName")] public Output SamlAttributeName { get; private set; } = null!; + /// + /// The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + /// [Output("samlAttributeNameFormat")] public Output SamlAttributeNameFormat { get; private set; } = null!; + /// + /// The custom user attribute to map. + /// [Output("userAttribute")] public Output UserAttribute { get; private set; } = null!; 
@@ -150,27 +171,51 @@ public static UserAttributeProtocolMapper Get(string name, Input id, Use public sealed class UserAttributeProtocolMapperArgs : global::Pulumi.ResourceArgs { + /// + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Input("clientId")] public Input? ClientId { get; set; } + /// + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } + /// + /// An optional human-friendly name for this attribute. + /// [Input("friendlyName")] public Input? FriendlyName { get; set; } + /// + /// The display name of this protocol mapper in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// The realm this protocol mapper exists within. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; + /// + /// The name of the SAML attribute. + /// [Input("samlAttributeName", required: true)] public Input SamlAttributeName { get; set; } = null!; + /// + /// The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + /// [Input("samlAttributeNameFormat", required: true)] public Input SamlAttributeNameFormat { get; set; } = null!; + /// + /// The custom user attribute to map. + /// [Input("userAttribute", required: true)] public Input UserAttribute { get; set; } = null!; 
@@ -182,27 +227,51 @@ public UserAttributeProtocolMapperArgs() public sealed class UserAttributeProtocolMapperState : global::Pulumi.ResourceArgs { + /// + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Input("clientId")] public Input? ClientId { get; set; } + /// + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } + /// + /// An optional human-friendly name for this attribute. + /// [Input("friendlyName")] public Input? FriendlyName { get; set; } + /// + /// The display name of this protocol mapper in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// The realm this protocol mapper exists within. + /// [Input("realmId")] public Input? RealmId { get; set; } + /// + /// The name of the SAML attribute. + /// [Input("samlAttributeName")] public Input? SamlAttributeName { get; set; } + /// + /// The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + /// [Input("samlAttributeNameFormat")] public Input? SamlAttributeNameFormat { get; set; } + /// + /// The custom user attribute to map. + /// [Input("userAttribute")] public Input? UserAttribute { get; set; } diff --git a/sdk/dotnet/Saml/UserPropertyProtocolMapper.cs b/sdk/dotnet/Saml/UserPropertyProtocolMapper.cs index 339d70e1..89394912 100644 --- a/sdk/dotnet/Saml/UserPropertyProtocolMapper.cs +++ b/sdk/dotnet/Saml/UserPropertyProtocolMapper.cs 
@@ -10,17 +10,15 @@ namespace Pulumi.Keycloak.Saml { /// - /// ## # keycloak.saml.UserPropertyProtocolMapper - /// - /// Allows for creating and managing user property protocol mappers for - /// SAML clients within Keycloak. + /// Allows for creating and managing user property protocol mappers for SAML clients within Keycloak. /// /// SAML user property protocol mappers allow you to map properties of the Keycloak - /// user model to an attribute in a SAML assertion. Protocol mappers - /// can be defined for a single client, or they can be defined for a client scope which - /// can be shared between multiple different clients. + /// user model to an attribute in a SAML assertion. + /// + /// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + /// multiple different clients. /// - /// ### Example Usage (Client) + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -38,14 +36,14 @@ namespace Pulumi.Keycloak.Saml /// /// var samlClient = new Keycloak.Saml.Client("saml_client", new() /// { - /// RealmId = test.Id, - /// ClientId = "test-saml-client", - /// Name = "test-saml-client", + /// RealmId = realm.Id, + /// ClientId = "saml-client", + /// Name = "saml-client", /// }); /// /// var samlUserPropertyMapper = new Keycloak.Saml.UserPropertyProtocolMapper("saml_user_property_mapper", new() /// { - /// RealmId = test.Id, + /// RealmId = realm.Id, /// ClientId = samlClient.Id, /// Name = "email-user-property-mapper", /// UserProperty = "email", 
@@ -56,51 +54,74 @@ namespace Pulumi.Keycloak.Saml /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this protocol mapper exists within. - /// - `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. - /// - `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. - /// - `name` - (Required) The display name of this protocol mapper in the GUI. - /// - `user_property` - (Required) The property of the Keycloak user model to map. - /// - `friendly_name` - (Optional) An optional human-friendly name for this attribute. - /// - `saml_attribute_name` - (Required) The name of the SAML attribute. - /// - `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. - /// - /// ### Import + /// ## Import /// /// Protocol mappers can be imported using one of the following formats: + /// /// - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + /// /// - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` /// [KeycloakResourceType("keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper")] public partial class UserPropertyProtocolMapper : global::Pulumi.CustomResource { + /// + /// The client this protocol 
mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Output("clientId")] public Output ClientId { get; private set; } = null!; + /// + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; + /// + /// An optional human-friendly name for this attribute. + /// [Output("friendlyName")] public Output FriendlyName { get; private set; } = null!; + /// + /// The display name of this protocol mapper in the GUI. + /// [Output("name")] public Output Name { get; private set; } = null!; + /// + /// The realm this protocol mapper exists within. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// The name of the SAML attribute. + /// [Output("samlAttributeName")] public Output SamlAttributeName { get; private set; } = null!; + /// + /// The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + /// [Output("samlAttributeNameFormat")] public Output SamlAttributeNameFormat { get; private set; } = null!; + /// + /// The property of the Keycloak user model to map. + /// [Output("userProperty")] public Output UserProperty { get; private set; } = null!; 
@@ -150,27 +171,51 @@ public static UserPropertyProtocolMapper Get(string name, Input id, User public sealed class UserPropertyProtocolMapperArgs : global::Pulumi.ResourceArgs { + /// + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Input("clientId")] public Input? ClientId { get; set; } + /// + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } + /// + /// An optional human-friendly name for this attribute. + /// [Input("friendlyName")] public Input? FriendlyName { get; set; } + /// + /// The display name of this protocol mapper in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// The realm this protocol mapper exists within. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; + /// + /// The name of the SAML attribute. + /// [Input("samlAttributeName", required: true)] public Input SamlAttributeName { get; set; } = null!; + /// + /// The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + /// [Input("samlAttributeNameFormat", required: true)] public Input SamlAttributeNameFormat { get; set; } = null!; + /// + /// The property of the Keycloak user model to map. + /// [Input("userProperty", required: true)] public Input UserProperty { get; set; } = null!; 
@@ -182,27 +227,51 @@ public UserPropertyProtocolMapperArgs() public sealed class UserPropertyProtocolMapperState : global::Pulumi.ResourceArgs { + /// + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Input("clientId")] public Input? ClientId { get; set; } + /// + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } + /// + /// An optional human-friendly name for this attribute. + /// [Input("friendlyName")] public Input? FriendlyName { get; set; } + /// + /// The display name of this protocol mapper in the GUI. + /// [Input("name")] public Input? Name { get; set; } + /// + /// The realm this protocol mapper exists within. + /// [Input("realmId")] public Input? RealmId { get; set; } + /// + /// The name of the SAML attribute. + /// [Input("samlAttributeName")] public Input? SamlAttributeName { get; set; } + /// + /// The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + /// [Input("samlAttributeNameFormat")] public Input? SamlAttributeNameFormat { get; set; } + /// + /// The property of the Keycloak user model to map. + /// [Input("userProperty")] public Input? UserProperty { get; set; } diff --git a/sdk/dotnet/User.cs b/sdk/dotnet/User.cs index c65630da..3d3fc4a3 100644 --- a/sdk/dotnet/User.cs +++ b/sdk/dotnet/User.cs 
@@ -10,15 +10,13 @@ namespace Pulumi.Keycloak { /// - /// ## # keycloak.User - /// /// Allows for creating and managing Users within Keycloak. /// - /// This resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource. - /// Creating users within Keycloak is not recommended. Instead, users should be federated from external sources - /// by configuring user federation providers or identity providers. + /// This resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource. Creating users within + /// Keycloak is not recommended. Instead, users should be federated from external sources by configuring user federation providers + /// or identity providers. /// - /// ### Example Usage + /// ## Example Usage /// /// ```csharp /// using System.Collections.Generic; @@ -52,6 +50,11 @@ namespace Pulumi.Keycloak /// Email = "alice@domain.com", /// FirstName = "Alice", /// LastName = "Aliceberg", + /// Attributes = + /// { + /// { "foo", "bar" }, + /// { "multivalue", "value1##value2" }, + /// }, /// InitialPassword = new Keycloak.Inputs.UserInitialPasswordArgs /// { /// Value = "some password", 
@@ -62,61 +65,86 @@ namespace Pulumi.Keycloak /// }); /// ``` /// - /// ### Argument Reference - /// - /// The following arguments are supported: - /// - /// - `realm_id` - (Required) The realm this user belongs to. - /// - `username` - (Required) The unique username of this user. - /// - `initial_password` (Optional) When given, the user's initial password will be set. - /// This attribute is only respected during initial user creation. - /// - `value` (Required) The initial password. - /// - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. - /// - `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. - /// - `email` - (Optional) The user's email. - /// - `first_name` - (Optional) The user's first name. - /// - `last_name` - (Optional) The user's last name. - /// - /// ### Import + /// ## Import /// /// Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak + /// /// assigns to the user upon creation. This value can be found in the GUI when editing the user. /// /// Example: + /// + /// bash + /// + /// ```sh + /// $ pulumi import keycloak:index/user:User user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 + /// ``` /// [KeycloakResourceType("keycloak:index/user:User")] public partial class User : global::Pulumi.CustomResource { + /// + /// A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + /// [Output("attributes")] public Output?> Attributes { get; private set; } = null!; + /// + /// The user's email. + /// [Output("email")] public Output Email { get; private set; } = null!; + /// + /// Whether the email address was validated or not. Default to `false`. + /// [Output("emailVerified")] public Output EmailVerified { get; private set; } = null!; + /// + /// When false, this user cannot log in. 
Defaults to `true`. + /// [Output("enabled")] public Output Enabled { get; private set; } = null!; + /// + /// When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + /// [Output("federatedIdentities")] public Output> FederatedIdentities { get; private set; } = null!; + /// + /// The user's first name. + /// [Output("firstName")] public Output FirstName { get; private set; } = null!; + /// + /// When given, the user's initial password will be set. This attribute is only respected during initial user creation. + /// [Output("initialPassword")] public Output InitialPassword { get; private set; } = null!; + /// + /// The user's last name. + /// [Output("lastName")] public Output LastName { get; private set; } = null!; + /// + /// The realm this user belongs to. + /// [Output("realmId")] public Output RealmId { get; private set; } = null!; + /// + /// A list of required user actions. + /// [Output("requiredActions")] public Output> RequiredActions { get; private set; } = null!; + /// + /// The unique username of this user. + /// [Output("username")] public Output Username { get; private set; } = null!; 
@@ -168,49 +196,85 @@ public sealed class UserArgs : global::Pulumi.ResourceArgs { [Input("attributes")] private InputMap? _attributes; + + /// + /// A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + /// public InputMap Attributes { get => _attributes ?? (_attributes = new InputMap()); set => _attributes = value; } + /// + /// The user's email. + /// [Input("email")] public Input? Email { get; set; } + /// + /// Whether the email address was validated or not. Default to `false`. + /// [Input("emailVerified")] public Input? EmailVerified { get; set; } + /// + /// When false, this user cannot log in. Defaults to `true`. + /// [Input("enabled")] public Input? Enabled { get; set; } [Input("federatedIdentities")] private InputList? _federatedIdentities; + + /// + /// When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + /// public InputList FederatedIdentities { get => _federatedIdentities ?? (_federatedIdentities = new InputList()); set => _federatedIdentities = value; } + /// + /// The user's first name. + /// [Input("firstName")] public Input? FirstName { get; set; } + /// + /// When given, the user's initial password will be set. This attribute is only respected during initial user creation. + /// [Input("initialPassword")] public Input? InitialPassword { get; set; } + /// + /// The user's last name. + /// [Input("lastName")] public Input? LastName { get; set; } + /// + /// The realm this user belongs to. + /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; [Input("requiredActions")] private InputList? _requiredActions; + + /// + /// A list of required user actions. + /// public InputList RequiredActions { get => _requiredActions ?? (_requiredActions = new InputList()); set => _requiredActions = value; } + /// + /// The unique username of this user. 
+ /// [Input("username", required: true)] public Input Username { get; set; } = null!; 
@@ -224,49 +288,85 @@ public sealed class UserState : global::Pulumi.ResourceArgs { [Input("attributes")] private InputMap? _attributes; + + /// + /// A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + /// public InputMap Attributes { get => _attributes ?? (_attributes = new InputMap()); set => _attributes = value; } + /// + /// The user's email. + /// [Input("email")] public Input? Email { get; set; } + /// + /// Whether the email address was validated or not. Default to `false`. + /// [Input("emailVerified")] public Input? EmailVerified { get; set; } + /// + /// When false, this user cannot log in. Defaults to `true`. + /// [Input("enabled")] public Input? Enabled { get; set; } [Input("federatedIdentities")] private InputList? _federatedIdentities; + + /// + /// When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + /// public InputList FederatedIdentities { get => _federatedIdentities ?? (_federatedIdentities = new InputList()); set => _federatedIdentities = value; } + /// + /// The user's first name. + /// [Input("firstName")] public Input? FirstName { get; set; } + /// + /// When given, the user's initial password will be set. This attribute is only respected during initial user creation. + /// [Input("initialPassword")] public Input? InitialPassword { get; set; } + /// + /// The user's last name. + /// [Input("lastName")] public Input? LastName { get; set; } + /// + /// The realm this user belongs to. + /// [Input("realmId")] public Input? RealmId { get; set; } [Input("requiredActions")] private InputList? _requiredActions; + + /// + /// A list of required user actions. + /// public InputList RequiredActions { get => _requiredActions ?? (_requiredActions = new InputList()); set => _requiredActions = value; } + /// + /// The unique username of this user. 
+ /// [Input("username")] public Input? Username { get; set; } diff --git a/sdk/go/keycloak/attributeImporterIdentityProviderMapper.go b/sdk/go/keycloak/attributeImporterIdentityProviderMapper.go index 794d0fd5..94f9347e 100644 --- a/sdk/go/keycloak/attributeImporterIdentityProviderMapper.go +++ b/sdk/go/keycloak/attributeImporterIdentityProviderMapper.go @@ -12,11 +12,16 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # AttributeImporterIdentityProviderMapper +// Allows for creating and managing an attribute importer identity provider mapper within Keycloak. // -// Allows to create and manage identity provider mappers within Keycloak. +// The attribute importer mapper can be used to map attributes from externally defined users to attributes or properties of the imported Keycloak user: +// - For the OIDC identity provider, this will map a claim on the ID or access token to an attribute for the imported Keycloak user. +// - For the SAML identity provider, this will map a SAML attribute found within the assertion to an attribute for the imported Keycloak user. +// - For social identity providers, this will map a JSON field from the user profile to an attribute for the imported Keycloak user. // -// ### Example Usage +// > If you are using Keycloak 10 or higher, you will need to specify the `extraConfig` argument in order to define a `syncMode` for the mapper. +// +// ## Example Usage // // ```go // package main 
@@ -24,18 +29,41 @@ import ( // import ( // // "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc" // "github.com/pulumi/pulumi/sdk/v3/go/pulumi" // // ) // // func main() { // pulumi.Run(func(ctx *pulumi.Context) error { -// _, err := keycloak.NewAttributeImporterIdentityProviderMapper(ctx, "test_mapper", &keycloak.AttributeImporterIdentityProviderMapperArgs{ -// Realm: pulumi.String("my-realm"), -// Name: pulumi.String("my-mapper"), -// IdentityProviderAlias: pulumi.String("idp_alias"), -// AttributeName: pulumi.String("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), -// UserAttribute: pulumi.String("lastName"), +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// oidc, err := oidc.NewIdentityProvider(ctx, "oidc", &oidc.IdentityProviderArgs{ +// Realm: realm.ID(), +// Alias: pulumi.String("oidc"), +// AuthorizationUrl: pulumi.String("https://example.com/auth"), +// TokenUrl: pulumi.String("https://example.com/token"), +// ClientId: pulumi.String("example_id"), +// ClientSecret: pulumi.String("example_token"), +// DefaultScopes: pulumi.String("openid random profile"), +// }) +// if err != nil { +// return err +// } +// _, err = keycloak.NewAttributeImporterIdentityProviderMapper(ctx, "oidc", &keycloak.AttributeImporterIdentityProviderMapperArgs{ +// Realm: realm.ID(), +// Name: pulumi.String("email-attribute-importer"), +// ClaimName: pulumi.String("my-email-claim"), +// IdentityProviderAlias: oidc.Alias, +// UserAttribute: pulumi.String("email"), +// ExtraConfig: pulumi.StringMap{ +// "syncMode": pulumi.String("INHERIT"), +// }, // }) // if err != nil { // return err 
@@ -46,41 +74,37 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realm` - (Required) The name of the realm. -// - `name` - (Required) The name of the mapper. -// - `identityProviderAlias` - (Required) The alias of the associated identity provider. -// - `userAttribute` - (Required) The user attribute name to store SAML attribute. -// - `attributeName` - (Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. -// - `attributeFriendlyName` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead. -// - `claimName` - (Optional) The claim name. +// ## Import // -// ### Import +// Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak // -// Identity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idpAlias` is the identity provider alias, and `idpMapperId` is the unique ID that Keycloak // assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b +// ``` type AttributeImporterIdentityProviderMapper struct { pulumi.CustomResourceState - // Attribute Friendly Name + // For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attributeName`. 
AttributeFriendlyName pulumi.StringPtrOutput `pulumi:"attributeFriendlyName"` - // Attribute Name + // For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attributeFriendlyName`. AttributeName pulumi.StringPtrOutput `pulumi:"attributeName"` - // Claim Name - ClaimName pulumi.StringPtrOutput `pulumi:"claimName"` + // For OIDC based providers, this is the name of the claim to use. + ClaimName pulumi.StringPtrOutput `pulumi:"claimName"` + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. ExtraConfig pulumi.StringMapOutput `pulumi:"extraConfig"` - // IDP Alias + // The alias of the associated identity provider. IdentityProviderAlias pulumi.StringOutput `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // The name of the mapper. Name pulumi.StringOutput `pulumi:"name"` - // Realm Name + // The name of the realm. Realm pulumi.StringOutput `pulumi:"realm"` - // User Attribute + // The user attribute or property name to store the mapped result. UserAttribute pulumi.StringOutput `pulumi:"userAttribute"` } 
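Review bot: The new Import paragraph is split mid-sentence: the added line ends with `is the unique ID that Keycloak`, followed by the retained empty `//` line and the retained `// assigns to the mapper upon creation.`, so the rendered doc shows a dangling sentence. Either the added line should absorb the remainder or the empty comment line between them should go. The stray `bash` line before the ```sh fence also renders as a literal word; the same pattern appears in the CustomUserFederation, DefaultGroups and GenericClientProtocolMapper import sections below. As generated SDK code, the fix belongs in the source docs these comments are rendered from.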
@@ -123,38 +147,40 @@ func GetAttributeImporterIdentityProviderMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering AttributeImporterIdentityProviderMapper resources. type attributeImporterIdentityProviderMapperState struct { - // Attribute Friendly Name + // For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attributeName`. AttributeFriendlyName *string `pulumi:"attributeFriendlyName"` - // Attribute Name + // For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attributeFriendlyName`. AttributeName *string `pulumi:"attributeName"` - // Claim Name - ClaimName *string `pulumi:"claimName"` + // For OIDC based providers, this is the name of the claim to use. + ClaimName *string `pulumi:"claimName"` + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. ExtraConfig map[string]string `pulumi:"extraConfig"` - // IDP Alias + // The alias of the associated identity provider. IdentityProviderAlias *string `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // The name of the mapper. Name *string `pulumi:"name"` - // Realm Name + // The name of the realm. Realm *string `pulumi:"realm"` - // User Attribute + // The user attribute or property name to store the mapped result. UserAttribute *string `pulumi:"userAttribute"` } type AttributeImporterIdentityProviderMapperState struct { - // Attribute Friendly Name + // For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attributeName`. AttributeFriendlyName pulumi.StringPtrInput - // Attribute Name + // For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attributeFriendlyName`. 
AttributeName pulumi.StringPtrInput - // Claim Name - ClaimName pulumi.StringPtrInput + // For OIDC based providers, this is the name of the claim to use. + ClaimName pulumi.StringPtrInput + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. ExtraConfig pulumi.StringMapInput - // IDP Alias + // The alias of the associated identity provider. IdentityProviderAlias pulumi.StringPtrInput - // IDP Mapper Name + // The name of the mapper. Name pulumi.StringPtrInput - // Realm Name + // The name of the realm. Realm pulumi.StringPtrInput - // User Attribute + // The user attribute or property name to store the mapped result. UserAttribute pulumi.StringPtrInput } 
@@ -163,39 +189,41 @@ func (AttributeImporterIdentityProviderMapperState) ElementType() reflect.Type { } type attributeImporterIdentityProviderMapperArgs struct { - // Attribute Friendly Name + // For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attributeName`. AttributeFriendlyName *string `pulumi:"attributeFriendlyName"` - // Attribute Name + // For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attributeFriendlyName`. AttributeName *string `pulumi:"attributeName"` - // Claim Name - ClaimName *string `pulumi:"claimName"` + // For OIDC based providers, this is the name of the claim to use. + ClaimName *string `pulumi:"claimName"` + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. ExtraConfig map[string]string `pulumi:"extraConfig"` - // IDP Alias + // The alias of the associated identity provider. IdentityProviderAlias string `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // The name of the mapper. Name *string `pulumi:"name"` - // Realm Name + // The name of the realm. Realm string `pulumi:"realm"` - // User Attribute + // The user attribute or property name to store the mapped result. UserAttribute string `pulumi:"userAttribute"` } // The set of arguments for constructing a AttributeImporterIdentityProviderMapper resource. type AttributeImporterIdentityProviderMapperArgs struct { - // Attribute Friendly Name + // For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attributeName`. AttributeFriendlyName pulumi.StringPtrInput - // Attribute Name + // For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attributeFriendlyName`. 
AttributeName pulumi.StringPtrInput - // Claim Name - ClaimName pulumi.StringPtrInput + // For OIDC based providers, this is the name of the claim to use. + ClaimName pulumi.StringPtrInput + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. ExtraConfig pulumi.StringMapInput - // IDP Alias + // The alias of the associated identity provider. IdentityProviderAlias pulumi.StringInput - // IDP Mapper Name + // The name of the mapper. Name pulumi.StringPtrInput - // Realm Name + // The name of the realm. Realm pulumi.StringInput - // User Attribute + // The user attribute or property name to store the mapped result. UserAttribute pulumi.StringInput } 
@@ -286,43 +314,44 @@ func (o AttributeImporterIdentityProviderMapperOutput) ToAttributeImporterIdenti return o } -// Attribute Friendly Name +// For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attributeName`. func (o AttributeImporterIdentityProviderMapperOutput) AttributeFriendlyName() pulumi.StringPtrOutput { return o.ApplyT(func(v *AttributeImporterIdentityProviderMapper) pulumi.StringPtrOutput { return v.AttributeFriendlyName }).(pulumi.StringPtrOutput) } -// Attribute Name +// For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attributeFriendlyName`. func (o AttributeImporterIdentityProviderMapperOutput) AttributeName() pulumi.StringPtrOutput { return o.ApplyT(func(v *AttributeImporterIdentityProviderMapper) pulumi.StringPtrOutput { return v.AttributeName }).(pulumi.StringPtrOutput) } -// Claim Name +// For OIDC based providers, this is the name of the claim to use. func (o AttributeImporterIdentityProviderMapperOutput) ClaimName() pulumi.StringPtrOutput { return o.ApplyT(func(v *AttributeImporterIdentityProviderMapper) pulumi.StringPtrOutput { return v.ClaimName }).(pulumi.StringPtrOutput) } +// Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. func (o AttributeImporterIdentityProviderMapperOutput) ExtraConfig() pulumi.StringMapOutput { return o.ApplyT(func(v *AttributeImporterIdentityProviderMapper) pulumi.StringMapOutput { return v.ExtraConfig }).(pulumi.StringMapOutput) } -// IDP Alias +// The alias of the associated identity provider. 
func (o AttributeImporterIdentityProviderMapperOutput) IdentityProviderAlias() pulumi.StringOutput { return o.ApplyT(func(v *AttributeImporterIdentityProviderMapper) pulumi.StringOutput { return v.IdentityProviderAlias }).(pulumi.StringOutput) } -// IDP Mapper Name +// The name of the mapper. func (o AttributeImporterIdentityProviderMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *AttributeImporterIdentityProviderMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// Realm Name +// The name of the realm. func (o AttributeImporterIdentityProviderMapperOutput) Realm() pulumi.StringOutput { return o.ApplyT(func(v *AttributeImporterIdentityProviderMapper) pulumi.StringOutput { return v.Realm }).(pulumi.StringOutput) } -// User Attribute +// The user attribute or property name to store the mapped result. func (o AttributeImporterIdentityProviderMapperOutput) UserAttribute() pulumi.StringOutput { return o.ApplyT(func(v *AttributeImporterIdentityProviderMapper) pulumi.StringOutput { return v.UserAttribute }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/customUserFederation.go b/sdk/go/keycloak/customUserFederation.go index 31df602f..230dbef8 100644 --- a/sdk/go/keycloak/customUserFederation.go +++ b/sdk/go/keycloak/customUserFederation.go @@ -12,15 +12,12 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # CustomUserFederation -// // Allows for creating and managing custom user federation providers within Keycloak. // -// A custom user federation provider is an implementation of Keycloak's -// [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). +// A custom user federation provider is an implementation of Keycloak's [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). // An example of this implementation can be found here. // -// ### Example Usage +// ## Example Usage // // ```go // package main 
@@ -46,6 +43,11 @@ import (
// RealmId: realm.ID(),
// ProviderId: pulumi.String("custom"),
// Enabled: pulumi.Bool(true),
+// Config: pulumi.StringMap{
+// "dummyString": pulumi.String("foobar"),
+// "dummyBool": pulumi.String("true"),
+// "multivalue": pulumi.String("value1##value2"),
+// },
// })
// if err != nil {
// return err
@@ -56,43 +58,39 @@ import ( // // ``` // -// ### Argument Reference +// ## Import // -// The following arguments are supported: +// Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. // -// - `realmId` - (Required) The realm that this provider will provide user federation for. -// - `name` - (Required) Display name of the provider when displayed in the console. -// - `providerId` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. -// - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. -// - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. -// - `cachePolicy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. +// The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: // -// ### Import +// bash // -// Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. -// The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: +// ```sh +// $ pulumi import keycloak:index/customUserFederation:CustomUserFederation custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 +// ``` type CustomUserFederation struct { pulumi.CustomResourceState + // Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. CachePolicy pulumi.StringPtrOutput `pulumi:"cachePolicy"` - // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - // sync. 
- ChangedSyncPeriod pulumi.IntPtrOutput `pulumi:"changedSyncPeriod"` - Config pulumi.StringMapOutput `pulumi:"config"` - // When false, this provider will not be used when performing queries for users. + // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. + ChangedSyncPeriod pulumi.IntPtrOutput `pulumi:"changedSyncPeriod"` + // The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + Config pulumi.StringMapOutput `pulumi:"config"` + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` // How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod pulumi.IntPtrOutput `pulumi:"fullSyncPeriod"` // Display name of the provider when displayed in the console. Name pulumi.StringOutput `pulumi:"name"` - // The parentId of the generated component. will use realmId if not specified. + // Must be set to the realms' `internalId` when it differs from the realm. This can happen when existing resources are imported into the state. ParentId pulumi.StringOutput `pulumi:"parentId"` - // Priority of this provider when looking up users. Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. Priority pulumi.IntPtrOutput `pulumi:"priority"` - // The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - // interface + // The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. ProviderId pulumi.StringOutput `pulumi:"providerId"` - // The realm (name) this provider will provide user federation for. + // The realm that this provider will provide user federation for. 
RealmId pulumi.StringOutput `pulumi:"realmId"`
}
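Review bot: The added `Config` doc in this hunk spells `seperate` (should be `separate`), and the same sentence is repeated in the state, args and output hunks that follow, so fixing the schema description fixes all of them at once. The `ParentId` comment now reads `Must be set to the realms' internalId when it differs from the realm`, dropping the old statement that it falls back to `realmId` when unset; if that default still holds it should stay documented, e.g. `// Defaults to realmId; set this to the realm's internal ID only when the two differ, e.g. for imported resources.`. Because `Config` is handed verbatim to the custom provider and may plausibly carry credentials, the doc could also state that sensitive values should be wrapped with `pulumi.ToSecret` so they are encrypted in state — this is an inference, nothing in the hunk shows how the values are consumed.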
@@ -132,48 +130,48 @@ func GetCustomUserFederation(ctx *pulumi.Context, // Input properties used for looking up and filtering CustomUserFederation resources. type customUserFederationState struct { + // Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. CachePolicy *string `pulumi:"cachePolicy"` - // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - // sync. - ChangedSyncPeriod *int `pulumi:"changedSyncPeriod"` - Config map[string]string `pulumi:"config"` - // When false, this provider will not be used when performing queries for users. + // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. + ChangedSyncPeriod *int `pulumi:"changedSyncPeriod"` + // The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + Config map[string]string `pulumi:"config"` + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled *bool `pulumi:"enabled"` // How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod *int `pulumi:"fullSyncPeriod"` // Display name of the provider when displayed in the console. Name *string `pulumi:"name"` - // The parentId of the generated component. will use realmId if not specified. + // Must be set to the realms' `internalId` when it differs from the realm. This can happen when existing resources are imported into the state. ParentId *string `pulumi:"parentId"` - // Priority of this provider when looking up users. Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. 
Priority *int `pulumi:"priority"` - // The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - // interface + // The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. ProviderId *string `pulumi:"providerId"` - // The realm (name) this provider will provide user federation for. + // The realm that this provider will provide user federation for. RealmId *string `pulumi:"realmId"` } type CustomUserFederationState struct { + // Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. CachePolicy pulumi.StringPtrInput - // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - // sync. + // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. ChangedSyncPeriod pulumi.IntPtrInput - Config pulumi.StringMapInput - // When false, this provider will not be used when performing queries for users. + // The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + Config pulumi.StringMapInput + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled pulumi.BoolPtrInput // How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod pulumi.IntPtrInput // Display name of the provider when displayed in the console. Name pulumi.StringPtrInput - // The parentId of the generated component. will use realmId if not specified. + // Must be set to the realms' `internalId` when it differs from the realm. This can happen when existing resources are imported into the state. ParentId pulumi.StringPtrInput - // Priority of this provider when looking up users. 
Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. Priority pulumi.IntPtrInput - // The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - // interface + // The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. ProviderId pulumi.StringPtrInput - // The realm (name) this provider will provide user federation for. + // The realm that this provider will provide user federation for. RealmId pulumi.StringPtrInput } 
@@ -182,49 +180,49 @@ func (CustomUserFederationState) ElementType() reflect.Type { } type customUserFederationArgs struct { + // Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. CachePolicy *string `pulumi:"cachePolicy"` - // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - // sync. - ChangedSyncPeriod *int `pulumi:"changedSyncPeriod"` - Config map[string]string `pulumi:"config"` - // When false, this provider will not be used when performing queries for users. + // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. + ChangedSyncPeriod *int `pulumi:"changedSyncPeriod"` + // The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + Config map[string]string `pulumi:"config"` + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled *bool `pulumi:"enabled"` // How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod *int `pulumi:"fullSyncPeriod"` // Display name of the provider when displayed in the console. Name *string `pulumi:"name"` - // The parentId of the generated component. will use realmId if not specified. + // Must be set to the realms' `internalId` when it differs from the realm. This can happen when existing resources are imported into the state. ParentId *string `pulumi:"parentId"` - // Priority of this provider when looking up users. Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. 
Priority *int `pulumi:"priority"` - // The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - // interface + // The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. ProviderId string `pulumi:"providerId"` - // The realm (name) this provider will provide user federation for. + // The realm that this provider will provide user federation for. RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a CustomUserFederation resource. type CustomUserFederationArgs struct { + // Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. CachePolicy pulumi.StringPtrInput - // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - // sync. + // How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. ChangedSyncPeriod pulumi.IntPtrInput - Config pulumi.StringMapInput - // When false, this provider will not be used when performing queries for users. + // The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + Config pulumi.StringMapInput + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled pulumi.BoolPtrInput // How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod pulumi.IntPtrInput // Display name of the provider when displayed in the console. Name pulumi.StringPtrInput - // The parentId of the generated component. will use realmId if not specified. + // Must be set to the realms' `internalId` when it differs from the realm. This can happen when existing resources are imported into the state. 
ParentId pulumi.StringPtrInput - // Priority of this provider when looking up users. Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. Priority pulumi.IntPtrInput - // The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - // interface + // The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. ProviderId pulumi.StringInput - // The realm (name) this provider will provide user federation for. + // The realm that this provider will provide user federation for. RealmId pulumi.StringInput } 
@@ -315,21 +313,22 @@ func (o CustomUserFederationOutput) ToCustomUserFederationOutputWithContext(ctx return o } +// Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. func (o CustomUserFederationOutput) CachePolicy() pulumi.StringPtrOutput { return o.ApplyT(func(v *CustomUserFederation) pulumi.StringPtrOutput { return v.CachePolicy }).(pulumi.StringPtrOutput) } -// How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users -// sync. +// How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. func (o CustomUserFederationOutput) ChangedSyncPeriod() pulumi.IntPtrOutput { return o.ApplyT(func(v *CustomUserFederation) pulumi.IntPtrOutput { return v.ChangedSyncPeriod }).(pulumi.IntPtrOutput) } +// The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. func (o CustomUserFederationOutput) Config() pulumi.StringMapOutput { return o.ApplyT(func(v *CustomUserFederation) pulumi.StringMapOutput { return v.Config }).(pulumi.StringMapOutput) } -// When false, this provider will not be used when performing queries for users. +// When `false`, this provider will not be used when performing queries for users. Defaults to `true`. func (o CustomUserFederationOutput) Enabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *CustomUserFederation) pulumi.BoolPtrOutput { return v.Enabled }).(pulumi.BoolPtrOutput) } 
@@ -344,23 +343,22 @@ func (o CustomUserFederationOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *CustomUserFederation) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The parentId of the generated component. will use realmId if not specified. +// Must be set to the realms' `internalId` when it differs from the realm. This can happen when existing resources are imported into the state. func (o CustomUserFederationOutput) ParentId() pulumi.StringOutput { return o.ApplyT(func(v *CustomUserFederation) pulumi.StringOutput { return v.ParentId }).(pulumi.StringOutput) } -// Priority of this provider when looking up users. Lower values are first. +// Priority of this provider when looking up users. Lower values are first. Defaults to `0`. func (o CustomUserFederationOutput) Priority() pulumi.IntPtrOutput { return o.ApplyT(func(v *CustomUserFederation) pulumi.IntPtrOutput { return v.Priority }).(pulumi.IntPtrOutput) } -// The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory -// interface +// The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. func (o CustomUserFederationOutput) ProviderId() pulumi.StringOutput { return o.ApplyT(func(v *CustomUserFederation) pulumi.StringOutput { return v.ProviderId }).(pulumi.StringOutput) } -// The realm (name) this provider will provide user federation for. +// The realm that this provider will provide user federation for. func (o CustomUserFederationOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *CustomUserFederation) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/defaultGroups.go b/sdk/go/keycloak/defaultGroups.go index a805281c..01e2026f 100644 --- a/sdk/go/keycloak/defaultGroups.go +++ b/sdk/go/keycloak/defaultGroups.go 
@@ -12,14 +12,11 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # DefaultGroups -// // Allows for managing a realm's default groups. // -// Note that you should not use `DefaultGroups` with a group with memberships managed -// by `GroupMemberships`. +// > You should not use `DefaultGroups` with a group whose members are managed by `GroupMemberships`. // -// ### Example Usage +// ## Example Usage // // ```go // package main @@ -62,23 +59,24 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: +// ## Import // -// - `realmId` - (Required) The realm this group exists in. -// - `groupIds` - (Required) A set of group ids that should be default groups on the realm referenced by `realmId`. +// Default groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in. // -// ### Import +// Example: // -// Groups can be imported using the format `{{realm_id}}` where `realmId` is the realm the group exists in. +// bash // -// Example: +// ```sh +// $ pulumi import keycloak:index/defaultGroups:DefaultGroups default my-realm +// ``` type DefaultGroups struct { pulumi.CustomResourceState + // A set of group ids that should be default groups on the realm referenced by `realmId`. GroupIds pulumi.StringArrayOutput `pulumi:"groupIds"` - RealmId pulumi.StringOutput `pulumi:"realmId"` + // The realm this group exists in. + RealmId pulumi.StringOutput `pulumi:"realmId"` } // NewDefaultGroups registers a new resource with the given unique name, arguments, and options. 
@@ -117,13 +115,17 @@ func GetDefaultGroups(ctx *pulumi.Context, // Input properties used for looking up and filtering DefaultGroups resources. type defaultGroupsState struct { + // A set of group ids that should be default groups on the realm referenced by `realmId`. GroupIds []string `pulumi:"groupIds"` - RealmId *string `pulumi:"realmId"` + // The realm this group exists in. + RealmId *string `pulumi:"realmId"` } type DefaultGroupsState struct { + // A set of group ids that should be default groups on the realm referenced by `realmId`. GroupIds pulumi.StringArrayInput - RealmId pulumi.StringPtrInput + // The realm this group exists in. + RealmId pulumi.StringPtrInput } func (DefaultGroupsState) ElementType() reflect.Type { @@ -131,14 +133,18 @@ func (DefaultGroupsState) ElementType() reflect.Type { } type defaultGroupsArgs struct { + // A set of group ids that should be default groups on the realm referenced by `realmId`. GroupIds []string `pulumi:"groupIds"` - RealmId string `pulumi:"realmId"` + // The realm this group exists in. + RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a DefaultGroups resource. type DefaultGroupsArgs struct { + // A set of group ids that should be default groups on the realm referenced by `realmId`. GroupIds pulumi.StringArrayInput - RealmId pulumi.StringInput + // The realm this group exists in. + RealmId pulumi.StringInput } func (DefaultGroupsArgs) ElementType() reflect.Type { 
@@ -228,10 +234,12 @@ func (o DefaultGroupsOutput) ToDefaultGroupsOutputWithContext(ctx context.Contex return o } +// A set of group ids that should be default groups on the realm referenced by `realmId`. func (o DefaultGroupsOutput) GroupIds() pulumi.StringArrayOutput { return o.ApplyT(func(v *DefaultGroups) pulumi.StringArrayOutput { return v.GroupIds }).(pulumi.StringArrayOutput) } +// The realm this group exists in. func (o DefaultGroupsOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *DefaultGroups) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/genericClientProtocolMapper.go b/sdk/go/keycloak/genericClientProtocolMapper.go index 89a06f26..58af068a 100644 --- a/sdk/go/keycloak/genericClientProtocolMapper.go +++ b/sdk/go/keycloak/genericClientProtocolMapper.go @@ -12,9 +12,9 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # GenericClientProtocolMapper +// !> **WARNING:** This resource is deprecated and will be removed in the next major version. Please use `GenericProtocolMapper` instead. // -// Allows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak. +// Allows for creating and managing protocol mappers for both types of clients (openid-connect and saml) within Keycloak. // // There are two uses cases for using this resource: // * If you implemented a custom protocol mapper, this resource can be used to configure it @@ -23,7 +23,7 @@ import ( // Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors. // Therefore, if possible, a specific mapper should be used. // -// ### Example Usage +// ## Example Usage // // ```go // package main 
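Review bot: The deprecation added at the top of the GenericClientProtocolMapper doc comment is only a markdown admonition (`!> **WARNING:** ...`), which Go tooling does not recognise, so callers get no staticcheck or gopls deprecation diagnostic. Go's convention is a paragraph starting with the literal word, e.g. `// Deprecated: Use GenericProtocolMapper instead.`, placed in the type's doc comment. If the provider schema's deprecation field drives the generator, setting it there is presumably the right fix rather than editing this generated file.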
@@ -55,7 +55,7 @@ import ( // _, err = keycloak.NewGenericClientProtocolMapper(ctx, "saml_hardcode_attribute_mapper", &keycloak.GenericClientProtocolMapperArgs{ // RealmId: realm.ID(), // ClientId: samlClient.ID(), -// Name: pulumi.String("tes-mapper"), +// Name: pulumi.String("test-mapper"), // Protocol: pulumi.String("saml"), // ProtocolMapper: pulumi.String("saml-hardcode-attribute-mapper"), // Config: pulumi.StringMap{ 
@@ -74,38 +74,33 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required) The client this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client. -// - `protocolMapper` - (Required) The name of the protocol mapper. The protocol mapper must be -// compatible with the specified client. -// - `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. -// -// ### Import +// ## Import // // Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type GenericClientProtocolMapper struct { pulumi.CustomResourceState - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper is attached to. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` // The mapper's associated client scope. Cannot be used at the same time as client_id. ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - Config pulumi.StringMapOutput `pulumi:"config"` - // A human-friendly name that will appear in the Keycloak console. + // A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + Config pulumi.StringMapOutput `pulumi:"config"` + // The display name of this protocol mapper in the GUI. 
Name pulumi.StringOutput `pulumi:"name"` - // The protocol of the client (openid-connect / saml). + // The type of client (either `openid-connect` or `saml`). The type must match the type of the client. Protocol pulumi.StringOutput `pulumi:"protocol"` - // The type of the protocol mapper. + // The name of the protocol mapper. The protocol mapper must be compatible with the specified client. ProtocolMapper pulumi.StringOutput `pulumi:"protocolMapper"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringOutput `pulumi:"realmId"` } 
@@ -151,34 +146,36 @@ func GetGenericClientProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering GenericClientProtocolMapper resources. type genericClientProtocolMapperState struct { - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper is attached to. ClientId *string `pulumi:"clientId"` // The mapper's associated client scope. Cannot be used at the same time as client_id. - ClientScopeId *string `pulumi:"clientScopeId"` - Config map[string]string `pulumi:"config"` - // A human-friendly name that will appear in the Keycloak console. + ClientScopeId *string `pulumi:"clientScopeId"` + // A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + Config map[string]string `pulumi:"config"` + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The protocol of the client (openid-connect / saml). + // The type of client (either `openid-connect` or `saml`). The type must match the type of the client. Protocol *string `pulumi:"protocol"` - // The type of the protocol mapper. + // The name of the protocol mapper. The protocol mapper must be compatible with the specified client. ProtocolMapper *string `pulumi:"protocolMapper"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId *string `pulumi:"realmId"` } type GenericClientProtocolMapperState struct { - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper is attached to. ClientId pulumi.StringPtrInput // The mapper's associated client scope. Cannot be used at the same time as client_id. ClientScopeId pulumi.StringPtrInput - Config pulumi.StringMapInput - // A human-friendly name that will appear in the Keycloak console. 
+ // A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + Config pulumi.StringMapInput + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The protocol of the client (openid-connect / saml). + // The type of client (either `openid-connect` or `saml`). The type must match the type of the client. Protocol pulumi.StringPtrInput - // The type of the protocol mapper. + // The name of the protocol mapper. The protocol mapper must be compatible with the specified client. ProtocolMapper pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringPtrInput } 
@@ -187,35 +184,37 @@ func (GenericClientProtocolMapperState) ElementType() reflect.Type { } type genericClientProtocolMapperArgs struct { - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper is attached to. ClientId *string `pulumi:"clientId"` // The mapper's associated client scope. Cannot be used at the same time as client_id. - ClientScopeId *string `pulumi:"clientScopeId"` - Config map[string]string `pulumi:"config"` - // A human-friendly name that will appear in the Keycloak console. + ClientScopeId *string `pulumi:"clientScopeId"` + // A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + Config map[string]string `pulumi:"config"` + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The protocol of the client (openid-connect / saml). + // The type of client (either `openid-connect` or `saml`). The type must match the type of the client. Protocol string `pulumi:"protocol"` - // The type of the protocol mapper. + // The name of the protocol mapper. The protocol mapper must be compatible with the specified client. ProtocolMapper string `pulumi:"protocolMapper"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a GenericClientProtocolMapper resource. type GenericClientProtocolMapperArgs struct { - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper is attached to. ClientId pulumi.StringPtrInput // The mapper's associated client scope. Cannot be used at the same time as client_id. ClientScopeId pulumi.StringPtrInput - Config pulumi.StringMapInput - // A human-friendly name that will appear in the Keycloak console. 
+ // A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + Config pulumi.StringMapInput + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The protocol of the client (openid-connect / saml). + // The type of client (either `openid-connect` or `saml`). The type must match the type of the client. Protocol pulumi.StringInput - // The type of the protocol mapper. + // The name of the protocol mapper. The protocol mapper must be compatible with the specified client. ProtocolMapper pulumi.StringInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringInput } @@ -306,7 +305,7 @@ func (o GenericClientProtocolMapperOutput) ToGenericClientProtocolMapperOutputWi return o } -// The mapper's associated client. Cannot be used at the same time as client_scope_id. +// The client this protocol mapper is attached to. func (o GenericClientProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *GenericClientProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } 
@@ -316,26 +315,27 @@ func (o GenericClientProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutpu return o.ApplyT(func(v *GenericClientProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } +// A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. func (o GenericClientProtocolMapperOutput) Config() pulumi.StringMapOutput { return o.ApplyT(func(v *GenericClientProtocolMapper) pulumi.StringMapOutput { return v.Config }).(pulumi.StringMapOutput) } -// A human-friendly name that will appear in the Keycloak console. +// The display name of this protocol mapper in the GUI. func (o GenericClientProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *GenericClientProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The protocol of the client (openid-connect / saml). +// The type of client (either `openid-connect` or `saml`). The type must match the type of the client. func (o GenericClientProtocolMapperOutput) Protocol() pulumi.StringOutput { return o.ApplyT(func(v *GenericClientProtocolMapper) pulumi.StringOutput { return v.Protocol }).(pulumi.StringOutput) } -// The type of the protocol mapper. +// The name of the protocol mapper. The protocol mapper must be compatible with the specified client. func (o GenericClientProtocolMapperOutput) ProtocolMapper() pulumi.StringOutput { return o.ApplyT(func(v *GenericClientProtocolMapper) pulumi.StringOutput { return v.ProtocolMapper }).(pulumi.StringOutput) } -// The realm id where the associated client or client scope exists. +// The realm this protocol mapper exists within. func (o GenericClientProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *GenericClientProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/getGroup.go b/sdk/go/keycloak/getGroup.go index 74cbd6b8..80394b4c 100644 
--- a/sdk/go/keycloak/getGroup.go +++ b/sdk/go/keycloak/getGroup.go @@ -11,10 +11,57 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # Group data source -// // This data source can be used to fetch properties of a Keycloak group for // usage with other resources, such as `GroupRoles`. +// +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// offlineAccess := keycloak.LookupRoleOutput(ctx, keycloak.GetRoleOutputArgs{ +// RealmId: realm.ID(), +// Name: pulumi.String("offline_access"), +// }, nil) +// group := keycloak.LookupGroupOutput(ctx, keycloak.GetGroupOutputArgs{ +// RealmId: realm.ID(), +// Name: pulumi.String("group"), +// }, nil) +// _, err = keycloak.NewGroupRoles(ctx, "group_roles", &keycloak.GroupRolesArgs{ +// RealmId: realm.ID(), +// GroupId: pulumi.String(group.ApplyT(func(group keycloak.GetGroupResult) (*string, error) { +// return &group.Id, nil +// }).(pulumi.StringPtrOutput)), +// RoleIds: pulumi.StringArray{ +// pulumi.String(offlineAccess.ApplyT(func(offlineAccess keycloak.GetRoleResult) (*string, error) { +// return &offlineAccess.Id, nil +// }).(pulumi.StringPtrOutput)), +// }, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` func LookupGroup(ctx *pulumi.Context, args *LookupGroupArgs, opts ...pulumi.InvokeOption) (*LookupGroupResult, error) { opts = internal.PkgInvokeDefaultOpts(opts) var rv LookupGroupResult 
@@ -27,7 +74,9 @@ func LookupGroup(ctx *pulumi.Context, args *LookupGroupArgs, opts ...pulumi.Invo // A collection of arguments for invoking getGroup. type LookupGroupArgs struct { - Name string `pulumi:"name"` + // The name of the group. If there are multiple groups match `name`, the first result will be returned. + Name string `pulumi:"name"` + // The realm this group exists within. RealmId string `pulumi:"realmId"` } @@ -63,7 +112,9 @@ func LookupGroupOutput(ctx *pulumi.Context, args LookupGroupOutputArgs, opts ... // A collection of arguments for invoking getGroup. type LookupGroupOutputArgs struct { - Name pulumi.StringInput `pulumi:"name"` + // The name of the group. If there are multiple groups match `name`, the first result will be returned. + Name pulumi.StringInput `pulumi:"name"` + // The realm this group exists within. RealmId pulumi.StringInput `pulumi:"realmId"` } diff --git a/sdk/go/keycloak/getRealm.go b/sdk/go/keycloak/getRealm.go index 19eef43e..15f855bf 100644 --- a/sdk/go/keycloak/getRealm.go +++ b/sdk/go/keycloak/getRealm.go @@ -11,12 +11,10 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # Realm data source -// // This data source can be used to fetch properties of a Keycloak realm for // usage with other resources. // -// ### Example Usage +// ## Example Usage // // ```go // package main @@ -30,7 +28,7 @@ import ( // // func main() { // pulumi.Run(func(ctx *pulumi.Context) error { -// _, err := keycloak.LookupRealm(ctx, &keycloak.LookupRealmArgs{ +// realm, err := keycloak.LookupRealm(ctx, &keycloak.LookupRealmArgs{ // Realm: "my-realm", // }, nil) // if err != nil { @@ -38,7 +36,7 @@ import ( // } // // use the data source // _, err = keycloak.NewRole(ctx, "group", &keycloak.RoleArgs{ -// RealmId: pulumi.Any(id), +// RealmId: pulumi.String(realm.Id), // Name: pulumi.String("group"), // }) // if err != nil { 
@@ -49,16 +47,6 @@ import ( // } // // ``` -// -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realm` - (Required) The realm name. -// -// ### Attributes Reference -// -// See the docs for the `Realm` resource for details on the exported attributes. func LookupRealm(ctx *pulumi.Context, args *LookupRealmArgs, opts ...pulumi.InvokeOption) (*LookupRealmResult, error) { opts = internal.PkgInvokeDefaultOpts(opts) var rv LookupRealmResult 
@@ -71,17 +59,18 @@ func LookupRealm(ctx *pulumi.Context, args *LookupRealmArgs, opts ...pulumi.Invo // A collection of arguments for invoking getRealm. type LookupRealmArgs struct { - Attributes map[string]string `pulumi:"attributes"` - DefaultDefaultClientScopes []string `pulumi:"defaultDefaultClientScopes"` - DefaultOptionalClientScopes []string `pulumi:"defaultOptionalClientScopes"` - DisplayNameHtml *string `pulumi:"displayNameHtml"` - Internationalizations []GetRealmInternationalization `pulumi:"internationalizations"` - OtpPolicy *GetRealmOtpPolicy `pulumi:"otpPolicy"` - Realm string `pulumi:"realm"` - SecurityDefenses []GetRealmSecurityDefense `pulumi:"securityDefenses"` - SmtpServers []GetRealmSmtpServer `pulumi:"smtpServers"` - WebAuthnPasswordlessPolicy *GetRealmWebAuthnPasswordlessPolicy `pulumi:"webAuthnPasswordlessPolicy"` - WebAuthnPolicy *GetRealmWebAuthnPolicy `pulumi:"webAuthnPolicy"` + Attributes map[string]string `pulumi:"attributes"` + DefaultDefaultClientScopes []string `pulumi:"defaultDefaultClientScopes"` + DefaultOptionalClientScopes []string `pulumi:"defaultOptionalClientScopes"` + DisplayNameHtml *string `pulumi:"displayNameHtml"` + Internationalizations []GetRealmInternationalization `pulumi:"internationalizations"` + OtpPolicy *GetRealmOtpPolicy `pulumi:"otpPolicy"` + // The realm name. + Realm string `pulumi:"realm"` + SecurityDefenses []GetRealmSecurityDefense `pulumi:"securityDefenses"` + SmtpServers []GetRealmSmtpServer `pulumi:"smtpServers"` + WebAuthnPasswordlessPolicy *GetRealmWebAuthnPasswordlessPolicy `pulumi:"webAuthnPasswordlessPolicy"` + WebAuthnPolicy *GetRealmWebAuthnPolicy `pulumi:"webAuthnPolicy"` } // A collection of values returned by getRealm. 
@@ -167,17 +156,18 @@ func LookupRealmOutput(ctx *pulumi.Context, args LookupRealmOutputArgs, opts ... // A collection of arguments for invoking getRealm. type LookupRealmOutputArgs struct { - Attributes pulumi.StringMapInput `pulumi:"attributes"` - DefaultDefaultClientScopes pulumi.StringArrayInput `pulumi:"defaultDefaultClientScopes"` - DefaultOptionalClientScopes pulumi.StringArrayInput `pulumi:"defaultOptionalClientScopes"` - DisplayNameHtml pulumi.StringPtrInput `pulumi:"displayNameHtml"` - Internationalizations GetRealmInternationalizationArrayInput `pulumi:"internationalizations"` - OtpPolicy GetRealmOtpPolicyPtrInput `pulumi:"otpPolicy"` - Realm pulumi.StringInput `pulumi:"realm"` - SecurityDefenses GetRealmSecurityDefenseArrayInput `pulumi:"securityDefenses"` - SmtpServers GetRealmSmtpServerArrayInput `pulumi:"smtpServers"` - WebAuthnPasswordlessPolicy GetRealmWebAuthnPasswordlessPolicyPtrInput `pulumi:"webAuthnPasswordlessPolicy"` - WebAuthnPolicy GetRealmWebAuthnPolicyPtrInput `pulumi:"webAuthnPolicy"` + Attributes pulumi.StringMapInput `pulumi:"attributes"` + DefaultDefaultClientScopes pulumi.StringArrayInput `pulumi:"defaultDefaultClientScopes"` + DefaultOptionalClientScopes pulumi.StringArrayInput `pulumi:"defaultOptionalClientScopes"` + DisplayNameHtml pulumi.StringPtrInput `pulumi:"displayNameHtml"` + Internationalizations GetRealmInternationalizationArrayInput `pulumi:"internationalizations"` + OtpPolicy GetRealmOtpPolicyPtrInput `pulumi:"otpPolicy"` + // The realm name. + Realm pulumi.StringInput `pulumi:"realm"` + SecurityDefenses GetRealmSecurityDefenseArrayInput `pulumi:"securityDefenses"` + SmtpServers GetRealmSmtpServerArrayInput `pulumi:"smtpServers"` + WebAuthnPasswordlessPolicy GetRealmWebAuthnPasswordlessPolicyPtrInput `pulumi:"webAuthnPasswordlessPolicy"` + WebAuthnPolicy GetRealmWebAuthnPolicyPtrInput `pulumi:"webAuthnPolicy"` } func (LookupRealmOutputArgs) ElementType() reflect.Type { 
diff --git a/sdk/go/keycloak/getRealmKeys.go b/sdk/go/keycloak/getRealmKeys.go index dc719645..10e07fc8 100644 --- a/sdk/go/keycloak/getRealmKeys.go +++ b/sdk/go/keycloak/getRealmKeys.go @@ -11,15 +11,13 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # getRealmKeys data source -// // Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. // // Remarks: // // - A key must meet all filter criteria -// - This datasource may return more than one value. -// - If no key matches the filter criteria, then an error is returned. +// - This data source may return more than one value. +// - If no key matches the filter criteria, then an error will be returned. func GetRealmKeys(ctx *pulumi.Context, args *GetRealmKeysArgs, opts ...pulumi.InvokeOption) (*GetRealmKeysResult, error) { opts = internal.PkgInvokeDefaultOpts(opts) var rv GetRealmKeysResult 
@@ -32,19 +30,24 @@ func GetRealmKeys(ctx *pulumi.Context, args *GetRealmKeysArgs, opts ...pulumi.In // A collection of arguments for invoking getRealmKeys. type GetRealmKeysArgs struct { + // When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. Algorithms []string `pulumi:"algorithms"` - RealmId string `pulumi:"realmId"` - Statuses []string `pulumi:"statuses"` + // The realm from which the keys will be retrieved. + RealmId string `pulumi:"realmId"` + // When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + Statuses []string `pulumi:"statuses"` } // A collection of values returned by getRealmKeys. type GetRealmKeysResult struct { Algorithms []string `pulumi:"algorithms"` // The provider-assigned unique ID for this managed resource. - Id string `pulumi:"id"` - Keys []GetRealmKeysKey `pulumi:"keys"` - RealmId string `pulumi:"realmId"` - Statuses []string `pulumi:"statuses"` + Id string `pulumi:"id"` + // (Computed) A list of keys that match the filter criteria. Each key has the following attributes: + Keys []GetRealmKeysKey `pulumi:"keys"` + RealmId string `pulumi:"realmId"` + // Key status (string) + Statuses []string `pulumi:"statuses"` } func GetRealmKeysOutput(ctx *pulumi.Context, args GetRealmKeysOutputArgs, opts ...pulumi.InvokeOption) GetRealmKeysResultOutput { 
@@ -68,9 +71,12 @@ func GetRealmKeysOutput(ctx *pulumi.Context, args GetRealmKeysOutputArgs, opts . // A collection of arguments for invoking getRealmKeys. type GetRealmKeysOutputArgs struct { + // When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. Algorithms pulumi.StringArrayInput `pulumi:"algorithms"` - RealmId pulumi.StringInput `pulumi:"realmId"` - Statuses pulumi.StringArrayInput `pulumi:"statuses"` + // The realm from which the keys will be retrieved. + RealmId pulumi.StringInput `pulumi:"realmId"` + // When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + Statuses pulumi.StringArrayInput `pulumi:"statuses"` } func (GetRealmKeysOutputArgs) ElementType() reflect.Type { @@ -101,6 +107,7 @@ func (o GetRealmKeysResultOutput) Id() pulumi.StringOutput { return o.ApplyT(func(v GetRealmKeysResult) string { return v.Id }).(pulumi.StringOutput) } +// (Computed) A list of keys that match the filter criteria. Each key has the following attributes: func (o GetRealmKeysResultOutput) Keys() GetRealmKeysKeyArrayOutput { return o.ApplyT(func(v GetRealmKeysResult) []GetRealmKeysKey { return v.Keys }).(GetRealmKeysKeyArrayOutput) } @@ -109,6 +116,7 @@ func (o GetRealmKeysResultOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v GetRealmKeysResult) string { return v.RealmId }).(pulumi.StringOutput) } +// Key status (string) func (o GetRealmKeysResultOutput) Statuses() pulumi.StringArrayOutput { return o.ApplyT(func(v GetRealmKeysResult) []string { return v.Statuses }).(pulumi.StringArrayOutput) } diff --git a/sdk/go/keycloak/getRole.go b/sdk/go/keycloak/getRole.go index ad344425..5447d922 100644 --- a/sdk/go/keycloak/getRole.go +++ b/sdk/go/keycloak/getRole.go 
@@ -11,10 +11,59 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # Role data source -// // This data source can be used to fetch properties of a Keycloak role for // usage with other resources, such as `GroupRoles`. +// +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// offlineAccess := keycloak.LookupRoleOutput(ctx, keycloak.GetRoleOutputArgs{ +// RealmId: realm.ID(), +// Name: pulumi.String("offline_access"), +// }, nil) +// // use the data source +// group, err := keycloak.NewGroup(ctx, "group", &keycloak.GroupArgs{ +// RealmId: realm.ID(), +// Name: pulumi.String("group"), +// }) +// if err != nil { +// return err +// } +// _, err = keycloak.NewGroupRoles(ctx, "group_roles", &keycloak.GroupRolesArgs{ +// RealmId: realm.ID(), +// GroupId: group.ID(), +// RoleIds: pulumi.StringArray{ +// pulumi.String(offlineAccess.ApplyT(func(offlineAccess keycloak.GetRoleResult) (*string, error) { +// return &offlineAccess.Id, nil +// }).(pulumi.StringPtrOutput)), +// }, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` func LookupRole(ctx *pulumi.Context, args *LookupRoleArgs, opts ...pulumi.InvokeOption) (*LookupRoleResult, error) { opts = internal.PkgInvokeDefaultOpts(opts) var rv LookupRoleResult 
@@ -27,9 +76,12 @@ func LookupRole(ctx *pulumi.Context, args *LookupRoleArgs, opts ...pulumi.Invoke // A collection of arguments for invoking getRole. type LookupRoleArgs struct { + // When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloakClient` resource should be used here. ClientId *string `pulumi:"clientId"` - Name string `pulumi:"name"` - RealmId string `pulumi:"realmId"` + // The name of the role. + Name string `pulumi:"name"` + // The realm this role exists within. + RealmId string `pulumi:"realmId"` } // A collection of values returned by getRole. @@ -37,7 +89,8 @@ type LookupRoleResult struct { Attributes map[string]string `pulumi:"attributes"` ClientId *string `pulumi:"clientId"` CompositeRoles []string `pulumi:"compositeRoles"` - Description string `pulumi:"description"` + // (Computed) The description of the role. + Description string `pulumi:"description"` // The provider-assigned unique ID for this managed resource. Id string `pulumi:"id"` Name string `pulumi:"name"` @@ -65,9 +118,12 @@ func LookupRoleOutput(ctx *pulumi.Context, args LookupRoleOutputArgs, opts ...pu // A collection of arguments for invoking getRole. type LookupRoleOutputArgs struct { + // When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloakClient` resource should be used here. ClientId pulumi.StringPtrInput `pulumi:"clientId"` - Name pulumi.StringInput `pulumi:"name"` - RealmId pulumi.StringInput `pulumi:"realmId"` + // The name of the role. + Name pulumi.StringInput `pulumi:"name"` + // The realm this role exists within. + RealmId pulumi.StringInput `pulumi:"realmId"` } func (LookupRoleOutputArgs) ElementType() reflect.Type { 
@@ -101,6 +157,7 @@ func (o LookupRoleResultOutput) CompositeRoles() pulumi.StringArrayOutput { return o.ApplyT(func(v LookupRoleResult) []string { return v.CompositeRoles }).(pulumi.StringArrayOutput) } +// (Computed) The description of the role. func (o LookupRoleResultOutput) Description() pulumi.StringOutput { return o.ApplyT(func(v LookupRoleResult) string { return v.Description }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/group.go b/sdk/go/keycloak/group.go index e72ff9b8..c648a57f 100644 --- a/sdk/go/keycloak/group.go +++ b/sdk/go/keycloak/group.go @@ -12,20 +12,17 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # Group -// // Allows for creating and managing Groups within Keycloak. // -// Groups provide a logical wrapping for users within Keycloak. Users within a -// group can share attributes and roles, and group membership can be mapped -// to a claim. +// Groups provide a logical wrapping for users within Keycloak. Users within a group can share attributes and roles, and +// group membership can be mapped to a claim. // // Attributes can also be defined on Groups. // -// Groups can also be federated from external data sources, such as LDAP or Active Directory. -// This resource **should not** be used to manage groups that were created this way. +// Groups can also be federated from external data sources, such as LDAP or Active Directory. This resource **should not** +// be used to manage groups that were created this way. // -// ### Example Usage +// ## Example Usage // // ```go // package main @@ -66,8 +63,8 @@ import ( // ParentId: parentGroup.ID(), // Name: pulumi.String("child-group-with-optional-attributes"), // Attributes: pulumi.StringMap{ -// "key1": pulumi.String("value1"), -// "key2": pulumi.String("value2"), +// "foo": pulumi.String("bar"), +// "multivalue": pulumi.String("value1##value2"), // }, // }) // if err != nil { 
@@ -79,35 +76,32 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this group exists in. -// - `parentId` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level. -// - `name` - (Required) The name of the group. -// - `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group. -// -// ### Attributes Reference -// -// In addition to the arguments listed above, the following computed attributes are exported: +// ## Import // -// - `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. +// Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak // -// ### Import -// -// Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `groupId` is the unique ID that Keycloak // assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID. // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:index/group:Group child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd +// ``` type Group struct { pulumi.CustomResourceState + // A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars Attributes pulumi.StringMapOutput `pulumi:"attributes"` - Name pulumi.StringOutput `pulumi:"name"` - ParentId pulumi.StringPtrOutput `pulumi:"parentId"` - Path pulumi.StringOutput `pulumi:"path"` - RealmId pulumi.StringOutput `pulumi:"realmId"` + // The name of the group. + Name pulumi.StringOutput `pulumi:"name"` + // The ID of this group's parent. If omitted, this group will be defined at the root level. 
+ ParentId pulumi.StringPtrOutput `pulumi:"parentId"` + // (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + Path pulumi.StringOutput `pulumi:"path"` + // The realm this group exists in. + RealmId pulumi.StringOutput `pulumi:"realmId"` } // NewGroup registers a new resource with the given unique name, arguments, and options. 
@@ -143,19 +137,29 @@ func GetGroup(ctx *pulumi.Context, // Input properties used for looking up and filtering Group resources. type groupState struct { + // A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars Attributes map[string]string `pulumi:"attributes"` - Name *string `pulumi:"name"` - ParentId *string `pulumi:"parentId"` - Path *string `pulumi:"path"` - RealmId *string `pulumi:"realmId"` + // The name of the group. + Name *string `pulumi:"name"` + // The ID of this group's parent. If omitted, this group will be defined at the root level. + ParentId *string `pulumi:"parentId"` + // (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + Path *string `pulumi:"path"` + // The realm this group exists in. + RealmId *string `pulumi:"realmId"` } type GroupState struct { + // A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars Attributes pulumi.StringMapInput - Name pulumi.StringPtrInput - ParentId pulumi.StringPtrInput - Path pulumi.StringPtrInput - RealmId pulumi.StringPtrInput + // The name of the group. + Name pulumi.StringPtrInput + // The ID of this group's parent. If omitted, this group will be defined at the root level. + ParentId pulumi.StringPtrInput + // (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + Path pulumi.StringPtrInput + // The realm this group exists in. + RealmId pulumi.StringPtrInput } func (GroupState) ElementType() reflect.Type { 
@@ -163,18 +167,26 @@ func (GroupState) ElementType() reflect.Type { } type groupArgs struct { + // A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars Attributes map[string]string `pulumi:"attributes"` - Name *string `pulumi:"name"` - ParentId *string `pulumi:"parentId"` - RealmId string `pulumi:"realmId"` + // The name of the group. + Name *string `pulumi:"name"` + // The ID of this group's parent. If omitted, this group will be defined at the root level. + ParentId *string `pulumi:"parentId"` + // The realm this group exists in. + RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a Group resource. type GroupArgs struct { + // A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars Attributes pulumi.StringMapInput - Name pulumi.StringPtrInput - ParentId pulumi.StringPtrInput - RealmId pulumi.StringInput + // The name of the group. + Name pulumi.StringPtrInput + // The ID of this group's parent. If omitted, this group will be defined at the root level. + ParentId pulumi.StringPtrInput + // The realm this group exists in. + RealmId pulumi.StringInput } func (GroupArgs) ElementType() reflect.Type { 
@@ -264,22 +276,27 @@ func (o GroupOutput) ToGroupOutputWithContext(ctx context.Context) GroupOutput { return o } +// A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars func (o GroupOutput) Attributes() pulumi.StringMapOutput { return o.ApplyT(func(v *Group) pulumi.StringMapOutput { return v.Attributes }).(pulumi.StringMapOutput) } +// The name of the group. func (o GroupOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *Group) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } +// The ID of this group's parent. If omitted, this group will be defined at the root level. func (o GroupOutput) ParentId() pulumi.StringPtrOutput { return o.ApplyT(func(v *Group) pulumi.StringPtrOutput { return v.ParentId }).(pulumi.StringPtrOutput) } +// (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. func (o GroupOutput) Path() pulumi.StringOutput { return o.ApplyT(func(v *Group) pulumi.StringOutput { return v.Path }).(pulumi.StringOutput) } +// The realm this group exists in. func (o GroupOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *Group) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/groupMemberships.go b/sdk/go/keycloak/groupMemberships.go index 1cefffb0..98ba094d 100644 --- a/sdk/go/keycloak/groupMemberships.go +++ b/sdk/go/keycloak/groupMemberships.go 
@@ -12,23 +12,23 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # GroupMemberships -// // Allows for managing a Keycloak group's members. // -// Note that this resource attempts to be an **authoritative** source over group members. -// When this resource takes control over a group's members, users that are manually added -// to the group will be removed, and users that are manually removed from the group will -// be added upon the next run of `pulumi up`. Eventually, a non-authoritative resource -// for group membership will be added to this provider. +// Note that this resource attempts to be an **authoritative** source over group members. When this resource takes control +// over a group's members, users that are manually added to the group will be removed, and users that are manually removed +// from the group will be added upon the next run of `pulumi up`. +// +// Also note that you should not use `GroupMemberships` with a group has been assigned as a default group via +// `DefaultGroups`. // -// Also note that you should not use `GroupMemberships` with a group has been assigned -// as a default group via `DefaultGroups`. +// This resource **should not** be used to control membership of a group that has its members federated from an external +// source via group mapping. // -// This resource **should not** be used to control membership of a group that has its members -// federated from an external source via group mapping. +// To non-exclusively manage the group's of a user, see the [`UserGroups` resource][1] // -// ### Example Usage +// This resource paginates its data loading on refresh by 50 items. +// +// ## Example Usage // // ```go // package main 
@@ -79,24 +79,22 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this group exists in. -// - `groupId` - (Required) The ID of the group this resource should manage memberships for. -// - `members` - (Required) An array of usernames that belong to this group. -// -// ### Import +// ## Import // // This resource does not support import. Instead of importing, feel free to create this resource +// // as if it did not already exist on the server. +// +// [1]: providers/mrparkers/keycloak/latest/docs/resources/group_memberships type GroupMemberships struct { pulumi.CustomResourceState - GroupId pulumi.StringPtrOutput `pulumi:"groupId"` + // The ID of the group this resource should manage memberships for. + GroupId pulumi.StringPtrOutput `pulumi:"groupId"` + // A list of usernames that belong to this group. Members pulumi.StringArrayOutput `pulumi:"members"` - RealmId pulumi.StringOutput `pulumi:"realmId"` + // The realm this group exists in. + RealmId pulumi.StringOutput `pulumi:"realmId"` } // NewGroupMemberships registers a new resource with the given unique name, arguments, and options. 
@@ -135,14 +133,20 @@ func GetGroupMemberships(ctx *pulumi.Context, // Input properties used for looking up and filtering GroupMemberships resources. type groupMembershipsState struct { - GroupId *string `pulumi:"groupId"` + // The ID of the group this resource should manage memberships for. + GroupId *string `pulumi:"groupId"` + // A list of usernames that belong to this group. Members []string `pulumi:"members"` - RealmId *string `pulumi:"realmId"` + // The realm this group exists in. + RealmId *string `pulumi:"realmId"` } type GroupMembershipsState struct { + // The ID of the group this resource should manage memberships for. GroupId pulumi.StringPtrInput + // A list of usernames that belong to this group. Members pulumi.StringArrayInput + // The realm this group exists in. RealmId pulumi.StringPtrInput } @@ -151,15 +155,21 @@ func (GroupMembershipsState) ElementType() reflect.Type { } type groupMembershipsArgs struct { - GroupId *string `pulumi:"groupId"` + // The ID of the group this resource should manage memberships for. + GroupId *string `pulumi:"groupId"` + // A list of usernames that belong to this group. Members []string `pulumi:"members"` - RealmId string `pulumi:"realmId"` + // The realm this group exists in. + RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a GroupMemberships resource. type GroupMembershipsArgs struct { + // The ID of the group this resource should manage memberships for. GroupId pulumi.StringPtrInput + // A list of usernames that belong to this group. Members pulumi.StringArrayInput + // The realm this group exists in. RealmId pulumi.StringInput } 
@@ -250,14 +260,17 @@ func (o GroupMembershipsOutput) ToGroupMembershipsOutputWithContext(ctx context. return o } +// The ID of the group this resource should manage memberships for. func (o GroupMembershipsOutput) GroupId() pulumi.StringPtrOutput { return o.ApplyT(func(v *GroupMemberships) pulumi.StringPtrOutput { return v.GroupId }).(pulumi.StringPtrOutput) } +// A list of usernames that belong to this group. func (o GroupMembershipsOutput) Members() pulumi.StringArrayOutput { return o.ApplyT(func(v *GroupMemberships) pulumi.StringArrayOutput { return v.Members }).(pulumi.StringArrayOutput) } +// The realm this group exists in. func (o GroupMembershipsOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *GroupMemberships) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/groupRoles.go b/sdk/go/keycloak/groupRoles.go index e05fef16..dc77c561 100644 --- a/sdk/go/keycloak/groupRoles.go +++ b/sdk/go/keycloak/groupRoles.go 
@@ -12,21 +12,18 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # GroupRoles -// // Allows you to manage roles assigned to a Keycloak group. // -// Note that this resource attempts to be an **authoritative** source over -// group roles. When this resource takes control over a group's roles, -// roles that are manually added to the group will be removed, and roles -// that are manually removed from the group will be added upon the next run -// of `pulumi up`. +// If `exhaustive` is true, this resource attempts to be an **authoritative** source over group roles: roles that are manually added to the group will be removed, and roles that are manually removed from the +// group will be added upon the next run of `pulumi up`. +// If `exhaustive` is false, this resource is a partial assignation of roles to a group. As a result, you can get multiple `GroupRoles` for the same `groupId`. +// +// Note that when assigning composite roles to a group, you may see a non-empty plan following a `pulumi up` if you +// assign a role and a composite that includes that role to the same group. // -// Note that when assigning composite roles to a group, you may see a -// non-empty plan following a `pulumi up` if you assign a role and a -// composite that includes that role to the same group. +// ## Example Usage // -// ### Example Usage +// ### Exhaustive Roles) // // ```go // package main 
@@ -99,30 +96,116 @@ import ( // // ``` // -// ### Argument Reference +// ### Non Exhaustive Roles) // -// The following arguments are supported: +// ```go +// package main // -// - `realmId` - (Required) The realm this group exists in. -// - `groupId` - (Required) The ID of the group this resource should -// manage roles for. -// - `roleIds` - (Required) A list of role IDs to map to the group +// import ( // -// ### Import +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" // -// This resource can be imported using the format -// `{{realm_id}}/{{group_id}}`, where `groupId` is the unique ID that -// Keycloak assigns to the group upon creation. This value can be found in -// the URI when editing this group in the GUI, and is typically a GUID. +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// realmRole, err := keycloak.NewRole(ctx, "realm_role", &keycloak.RoleArgs{ +// RealmId: realm.ID(), +// Name: pulumi.String("my-realm-role"), +// Description: pulumi.String("My Realm Role"), +// }) +// if err != nil { +// return err +// } +// _, err = openid.NewClient(ctx, "client", &openid.ClientArgs{ +// RealmId: realm.ID(), +// ClientId: pulumi.String("client"), +// Name: pulumi.String("client"), +// Enabled: pulumi.Bool(true), +// AccessType: pulumi.String("BEARER-ONLY"), +// }) +// if err != nil { +// return err +// } +// clientRole, err := keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{ +// RealmId: realm.ID(), +// ClientId: pulumi.Any(clientKeycloakClient.Id), +// Name: pulumi.String("my-client-role"), +// Description: pulumi.String("My Client Role"), +// }) +// if err != nil { +// return err +// } +// group, err := 
keycloak.NewGroup(ctx, "group", &keycloak.GroupArgs{ +// RealmId: realm.ID(), +// Name: pulumi.String("my-group"), +// }) +// if err != nil { +// return err +// } +// _, err = keycloak.NewGroupRoles(ctx, "group_role_association1", &keycloak.GroupRolesArgs{ +// RealmId: realm.ID(), +// GroupId: group.ID(), +// Exhaustive: pulumi.Bool(false), +// RoleIds: pulumi.StringArray{ +// realmRole.ID(), +// }, +// }) +// if err != nil { +// return err +// } +// _, err = keycloak.NewGroupRoles(ctx, "group_role_association2", &keycloak.GroupRolesArgs{ +// RealmId: realm.ID(), +// GroupId: group.ID(), +// Exhaustive: pulumi.Bool(false), +// RoleIds: pulumi.StringArray{ +// clientRole.ID(), +// }, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` +// +// ## Import +// +// This resource can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak +// +// assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically +// +// a GUID. // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:index/groupRoles:GroupRoles group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94 +// ``` type GroupRoles struct { pulumi.CustomResourceState - Exhaustive pulumi.BoolPtrOutput `pulumi:"exhaustive"` - GroupId pulumi.StringOutput `pulumi:"groupId"` - RealmId pulumi.StringOutput `pulumi:"realmId"` - RoleIds pulumi.StringArrayOutput `pulumi:"roleIds"` + // Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + Exhaustive pulumi.BoolPtrOutput `pulumi:"exhaustive"` + // The ID of the group this resource should manage roles for. + GroupId pulumi.StringOutput `pulumi:"groupId"` + // The realm this group exists in. + RealmId pulumi.StringOutput `pulumi:"realmId"` + // A list of role IDs to map to the group. 
+ RoleIds pulumi.StringArrayOutput `pulumi:"roleIds"` } // NewGroupRoles registers a new resource with the given unique name, arguments, and options. @@ -164,17 +247,25 @@ func GetGroupRoles(ctx *pulumi.Context, // Input properties used for looking up and filtering GroupRoles resources. type groupRolesState struct { - Exhaustive *bool `pulumi:"exhaustive"` - GroupId *string `pulumi:"groupId"` - RealmId *string `pulumi:"realmId"` - RoleIds []string `pulumi:"roleIds"` + // Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + Exhaustive *bool `pulumi:"exhaustive"` + // The ID of the group this resource should manage roles for. + GroupId *string `pulumi:"groupId"` + // The realm this group exists in. + RealmId *string `pulumi:"realmId"` + // A list of role IDs to map to the group. + RoleIds []string `pulumi:"roleIds"` } type GroupRolesState struct { + // Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. Exhaustive pulumi.BoolPtrInput - GroupId pulumi.StringPtrInput - RealmId pulumi.StringPtrInput - RoleIds pulumi.StringArrayInput + // The ID of the group this resource should manage roles for. + GroupId pulumi.StringPtrInput + // The realm this group exists in. + RealmId pulumi.StringPtrInput + // A list of role IDs to map to the group. + RoleIds pulumi.StringArrayInput } func (GroupRolesState) ElementType() reflect.Type { 
@@ -182,18 +273,26 @@ func (GroupRolesState) ElementType() reflect.Type { } type groupRolesArgs struct { - Exhaustive *bool `pulumi:"exhaustive"` - GroupId string `pulumi:"groupId"` - RealmId string `pulumi:"realmId"` - RoleIds []string `pulumi:"roleIds"` + // Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + Exhaustive *bool `pulumi:"exhaustive"` + // The ID of the group this resource should manage roles for. + GroupId string `pulumi:"groupId"` + // The realm this group exists in. + RealmId string `pulumi:"realmId"` + // A list of role IDs to map to the group. + RoleIds []string `pulumi:"roleIds"` } // The set of arguments for constructing a GroupRoles resource. type GroupRolesArgs struct { + // Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. Exhaustive pulumi.BoolPtrInput - GroupId pulumi.StringInput - RealmId pulumi.StringInput - RoleIds pulumi.StringArrayInput + // The ID of the group this resource should manage roles for. + GroupId pulumi.StringInput + // The realm this group exists in. + RealmId pulumi.StringInput + // A list of role IDs to map to the group. + RoleIds pulumi.StringArrayInput } func (GroupRolesArgs) ElementType() reflect.Type { 
@@ -283,18 +382,22 @@ func (o GroupRolesOutput) ToGroupRolesOutputWithContext(ctx context.Context) Gro return o } +// Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. func (o GroupRolesOutput) Exhaustive() pulumi.BoolPtrOutput { return o.ApplyT(func(v *GroupRoles) pulumi.BoolPtrOutput { return v.Exhaustive }).(pulumi.BoolPtrOutput) } +// The ID of the group this resource should manage roles for. func (o GroupRolesOutput) GroupId() pulumi.StringOutput { return o.ApplyT(func(v *GroupRoles) pulumi.StringOutput { return v.GroupId }).(pulumi.StringOutput) } +// The realm this group exists in. func (o GroupRolesOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *GroupRoles) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// A list of role IDs to map to the group. func (o GroupRolesOutput) RoleIds() pulumi.StringArrayOutput { return o.ApplyT(func(v *GroupRoles) pulumi.StringArrayOutput { return v.RoleIds }).(pulumi.StringArrayOutput) } diff --git a/sdk/go/keycloak/ldap/fullNameMapper.go b/sdk/go/keycloak/ldap/fullNameMapper.go index e1392788..6fbbfd68 100644 --- a/sdk/go/keycloak/ldap/fullNameMapper.go +++ b/sdk/go/keycloak/ldap/fullNameMapper.go @@ -12,15 +12,12 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # ldap.FullNameMapper +// Allows for creating and managing full name mappers for Keycloak users federated via LDAP. // -// Allows for creating and managing full name mappers for Keycloak users federated -// via LDAP. +// The LDAP full name mapper can map a user's full name from an LDAP attribute to the first and last name attributes of a +// Keycloak user. // -// The LDAP full name mapper can map a user's full name from an LDAP attribute -// to the first and last name attributes of a Keycloak user. -// -// ### Example Usage +// ## Example Usage // // ```go // package main 
@@ -36,7 +33,7 @@ import ( // func main() { // pulumi.Run(func(ctx *pulumi.Context) error { // realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ -// Realm: pulumi.String("test"), +// Realm: pulumi.String("my-realm"), // Enabled: pulumi.Bool(true), // }) // if err != nil { 
@@ -75,33 +72,33 @@ import ( // // ``` // -// ### Argument Reference +// ## Import // -// The following arguments are supported: +// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. // -// - `realmId` - (Required) The realm that this LDAP mapper will exist in. -// - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -// - `name` - (Required) Display name of this mapper when displayed in the console. -// - `ldapFullNameAttribute` - (Required) The name of the LDAP attribute containing the user's full name. -// - `readOnly` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. -// - `writeOnly` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. +// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. // -// ### Import +// Example: // -// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. -// The ID of the LDAP user federation provider and the mapper can be found within -// the Keycloak GUI, and they are typically GUIDs: +// bash +// +// ```sh +// $ pulumi import keycloak:ldap/fullNameMapper:FullNameMapper ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 +// ``` type FullNameMapper struct { pulumi.CustomResourceState + // The name of the LDAP attribute containing the user's full name. LdapFullNameAttribute pulumi.StringOutput `pulumi:"ldapFullNameAttribute"` - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId pulumi.StringOutput `pulumi:"ldapUserFederationId"` - // Display name of the mapper when displayed in the console. 
- Name pulumi.StringOutput `pulumi:"name"` + // Display name of this mapper when displayed in the console. + Name pulumi.StringOutput `pulumi:"name"` + // When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. ReadOnly pulumi.BoolPtrOutput `pulumi:"readOnly"` - // The realm in which the ldap user federation provider exists. - RealmId pulumi.StringOutput `pulumi:"realmId"` + // The realm that this LDAP mapper will exist in. + RealmId pulumi.StringOutput `pulumi:"realmId"` + // When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. WriteOnly pulumi.BoolPtrOutput `pulumi:"writeOnly"` } 
@@ -144,26 +141,32 @@ func GetFullNameMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering FullNameMapper resources. type fullNameMapperState struct { + // The name of the LDAP attribute containing the user's full name. LdapFullNameAttribute *string `pulumi:"ldapFullNameAttribute"` - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId *string `pulumi:"ldapUserFederationId"` - // Display name of the mapper when displayed in the console. - Name *string `pulumi:"name"` - ReadOnly *bool `pulumi:"readOnly"` - // The realm in which the ldap user federation provider exists. - RealmId *string `pulumi:"realmId"` - WriteOnly *bool `pulumi:"writeOnly"` + // Display name of this mapper when displayed in the console. + Name *string `pulumi:"name"` + // When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + ReadOnly *bool `pulumi:"readOnly"` + // The realm that this LDAP mapper will exist in. + RealmId *string `pulumi:"realmId"` + // When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + WriteOnly *bool `pulumi:"writeOnly"` } type FullNameMapperState struct { + // The name of the LDAP attribute containing the user's full name. LdapFullNameAttribute pulumi.StringPtrInput - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId pulumi.StringPtrInput - // Display name of the mapper when displayed in the console. - Name pulumi.StringPtrInput + // Display name of this mapper when displayed in the console. + Name pulumi.StringPtrInput + // When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. ReadOnly pulumi.BoolPtrInput - // The realm in which the ldap user federation provider exists. 
- RealmId pulumi.StringPtrInput + // The realm that this LDAP mapper will exist in. + RealmId pulumi.StringPtrInput + // When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. WriteOnly pulumi.BoolPtrInput } 
@@ -172,27 +175,33 @@ func (FullNameMapperState) ElementType() reflect.Type { } type fullNameMapperArgs struct { + // The name of the LDAP attribute containing the user's full name. LdapFullNameAttribute string `pulumi:"ldapFullNameAttribute"` - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId string `pulumi:"ldapUserFederationId"` - // Display name of the mapper when displayed in the console. - Name *string `pulumi:"name"` - ReadOnly *bool `pulumi:"readOnly"` - // The realm in which the ldap user federation provider exists. - RealmId string `pulumi:"realmId"` - WriteOnly *bool `pulumi:"writeOnly"` + // Display name of this mapper when displayed in the console. + Name *string `pulumi:"name"` + // When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + ReadOnly *bool `pulumi:"readOnly"` + // The realm that this LDAP mapper will exist in. + RealmId string `pulumi:"realmId"` + // When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + WriteOnly *bool `pulumi:"writeOnly"` } // The set of arguments for constructing a FullNameMapper resource. type FullNameMapperArgs struct { + // The name of the LDAP attribute containing the user's full name. LdapFullNameAttribute pulumi.StringInput - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId pulumi.StringInput - // Display name of the mapper when displayed in the console. - Name pulumi.StringPtrInput + // Display name of this mapper when displayed in the console. + Name pulumi.StringPtrInput + // When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. ReadOnly pulumi.BoolPtrInput - // The realm in which the ldap user federation provider exists. 
- RealmId pulumi.StringInput + // The realm that this LDAP mapper will exist in. + RealmId pulumi.StringInput + // When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. WriteOnly pulumi.BoolPtrInput } 
@@ -283,29 +292,32 @@ func (o FullNameMapperOutput) ToFullNameMapperOutputWithContext(ctx context.Cont return o } +// The name of the LDAP attribute containing the user's full name. func (o FullNameMapperOutput) LdapFullNameAttribute() pulumi.StringOutput { return o.ApplyT(func(v *FullNameMapper) pulumi.StringOutput { return v.LdapFullNameAttribute }).(pulumi.StringOutput) } -// The ldap user federation provider to attach this mapper to. +// The ID of the LDAP user federation provider to attach this mapper to. func (o FullNameMapperOutput) LdapUserFederationId() pulumi.StringOutput { return o.ApplyT(func(v *FullNameMapper) pulumi.StringOutput { return v.LdapUserFederationId }).(pulumi.StringOutput) } -// Display name of the mapper when displayed in the console. +// Display name of this mapper when displayed in the console. func (o FullNameMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *FullNameMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } +// When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. func (o FullNameMapperOutput) ReadOnly() pulumi.BoolPtrOutput { return o.ApplyT(func(v *FullNameMapper) pulumi.BoolPtrOutput { return v.ReadOnly }).(pulumi.BoolPtrOutput) } -// The realm in which the ldap user federation provider exists. +// The realm that this LDAP mapper will exist in. func (o FullNameMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *FullNameMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. func (o FullNameMapperOutput) WriteOnly() pulumi.BoolPtrOutput { return o.ApplyT(func(v *FullNameMapper) pulumi.BoolPtrOutput { return v.WriteOnly }).(pulumi.BoolPtrOutput) } diff --git a/sdk/go/keycloak/ldap/groupMapper.go b/sdk/go/keycloak/ldap/groupMapper.go index 9ebce1fc..863bfb16 100644 --- a/sdk/go/keycloak/ldap/groupMapper.go 
+++ b/sdk/go/keycloak/ldap/groupMapper.go @@ -12,16 +12,12 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # ldap.GroupMapper +// Allows for creating and managing group mappers for Keycloak users federated via LDAP. // -// Allows for creating and managing group mappers for Keycloak users federated -// via LDAP. +// The LDAP group mapper can be used to map an LDAP user's groups from some DN to Keycloak groups. This group mapper will also +// create the groups within Keycloak if they do not already exist. // -// The LDAP group mapper can be used to map an LDAP user's groups from some DN -// to Keycloak groups. This group mapper will also create the groups within Keycloak -// if they do not already exist. -// -// ### Example Usage +// ## Example Usage // // ```go // package main @@ -37,7 +33,7 @@ import ( // func main() { // pulumi.Run(func(ctx *pulumi.Context) error { // realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ -// Realm: pulumi.String("test"), +// Realm: pulumi.String("my-realm"), // Enabled: pulumi.Bool(true), // }) // if err != nil { 
@@ -84,56 +80,57 @@ import ( // // ``` // -// ### Argument Reference +// ## Import // -// The following arguments are supported: +// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. // -// - `realmId` - (Required) The realm that this LDAP mapper will exist in. -// - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -// - `name` - (Required) Display name of this mapper when displayed in the console. -// - `ldapGroupsDn` - (Required) The LDAP DN where groups can be found. -// - `groupNameLdapAttribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. -// - `groupObjectClasses` - (Required) Array of strings representing the object classes for the group. Must contain at least one. -// - `preserveGroupInheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. -// - `ignoreMissingGroups` - (Optional) When `true`, missing groups in the hierarchy will be ignored. -// - `membershipLdapAttribute` - (Required) The name of the LDAP attribute that is used for membership mappings. -// - `membershipAttributeType` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`. -// - `membershipUserLdapAttribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings. -// - `groupsLdapFilter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. -// - `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. Defaults to `READ_ONLY`. -// - `userRolesRetrieveStrategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. 
Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. -// - `memberofLdapAttribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. -// - `mappedGroupAttributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. -// - `dropNonExistingGroupsDuringSync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. +// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. // -// ### Import +// Example: // -// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. -// The ID of the LDAP user federation provider and the mapper can be found within -// the Keycloak GUI, and they are typically GUIDs: +// bash +// +// ```sh +// $ pulumi import keycloak:ldap/groupMapper:GroupMapper ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 +// ``` type GroupMapper struct { pulumi.CustomResourceState - DropNonExistingGroupsDuringSync pulumi.BoolPtrOutput `pulumi:"dropNonExistingGroupsDuringSync"` - GroupNameLdapAttribute pulumi.StringOutput `pulumi:"groupNameLdapAttribute"` - GroupObjectClasses pulumi.StringArrayOutput `pulumi:"groupObjectClasses"` - GroupsLdapFilter pulumi.StringPtrOutput `pulumi:"groupsLdapFilter"` - GroupsPath pulumi.StringOutput `pulumi:"groupsPath"` - IgnoreMissingGroups pulumi.BoolPtrOutput `pulumi:"ignoreMissingGroups"` - LdapGroupsDn pulumi.StringOutput `pulumi:"ldapGroupsDn"` - // The ldap user federation provider to attach this mapper to. 
- LdapUserFederationId pulumi.StringOutput `pulumi:"ldapUserFederationId"` - MappedGroupAttributes pulumi.StringArrayOutput `pulumi:"mappedGroupAttributes"` - MemberofLdapAttribute pulumi.StringPtrOutput `pulumi:"memberofLdapAttribute"` - MembershipAttributeType pulumi.StringPtrOutput `pulumi:"membershipAttributeType"` - MembershipLdapAttribute pulumi.StringOutput `pulumi:"membershipLdapAttribute"` - MembershipUserLdapAttribute pulumi.StringOutput `pulumi:"membershipUserLdapAttribute"` - Mode pulumi.StringPtrOutput `pulumi:"mode"` - // Display name of the mapper when displayed in the console. - Name pulumi.StringOutput `pulumi:"name"` + // When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + DropNonExistingGroupsDuringSync pulumi.BoolPtrOutput `pulumi:"dropNonExistingGroupsDuringSync"` + // The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + GroupNameLdapAttribute pulumi.StringOutput `pulumi:"groupNameLdapAttribute"` + // List of strings representing the object classes for the group. Must contain at least one. + GroupObjectClasses pulumi.StringArrayOutput `pulumi:"groupObjectClasses"` + // When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + GroupsLdapFilter pulumi.StringPtrOutput `pulumi:"groupsLdapFilter"` + // Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + GroupsPath pulumi.StringOutput `pulumi:"groupsPath"` + // When `true`, missing groups in the hierarchy will be ignored. + IgnoreMissingGroups pulumi.BoolPtrOutput `pulumi:"ignoreMissingGroups"` + // The LDAP DN where groups can be found. 
+ LdapGroupsDn pulumi.StringOutput `pulumi:"ldapGroupsDn"` + // The ID of the LDAP user federation provider to attach this mapper to. + LdapUserFederationId pulumi.StringOutput `pulumi:"ldapUserFederationId"` + // Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + MappedGroupAttributes pulumi.StringArrayOutput `pulumi:"mappedGroupAttributes"` + // Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + MemberofLdapAttribute pulumi.StringPtrOutput `pulumi:"memberofLdapAttribute"` + // Can be one of `DN` or `UID`. Defaults to `DN`. + MembershipAttributeType pulumi.StringPtrOutput `pulumi:"membershipAttributeType"` + // The name of the LDAP attribute that is used for membership mappings. + MembershipLdapAttribute pulumi.StringOutput `pulumi:"membershipLdapAttribute"` + // The name of the LDAP attribute on a user that is used for membership mappings. + MembershipUserLdapAttribute pulumi.StringOutput `pulumi:"membershipUserLdapAttribute"` + // Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + Mode pulumi.StringPtrOutput `pulumi:"mode"` + // Display name of this mapper when displayed in the console. + Name pulumi.StringOutput `pulumi:"name"` + // When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. PreserveGroupInheritance pulumi.BoolPtrOutput `pulumi:"preserveGroupInheritance"` - // The realm in which the ldap user federation provider exists. - RealmId pulumi.StringOutput `pulumi:"realmId"` + // The realm that this LDAP mapper will exist in. + RealmId pulumi.StringOutput `pulumi:"realmId"` + // Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. 
UserRolesRetrieveStrategy pulumi.StringPtrOutput `pulumi:"userRolesRetrieveStrategy"` } 
@@ -188,50 +185,80 @@ func GetGroupMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering GroupMapper resources. type groupMapperState struct { - DropNonExistingGroupsDuringSync *bool `pulumi:"dropNonExistingGroupsDuringSync"` - GroupNameLdapAttribute *string `pulumi:"groupNameLdapAttribute"` - GroupObjectClasses []string `pulumi:"groupObjectClasses"` - GroupsLdapFilter *string `pulumi:"groupsLdapFilter"` - GroupsPath *string `pulumi:"groupsPath"` - IgnoreMissingGroups *bool `pulumi:"ignoreMissingGroups"` - LdapGroupsDn *string `pulumi:"ldapGroupsDn"` - // The ldap user federation provider to attach this mapper to. - LdapUserFederationId *string `pulumi:"ldapUserFederationId"` - MappedGroupAttributes []string `pulumi:"mappedGroupAttributes"` - MemberofLdapAttribute *string `pulumi:"memberofLdapAttribute"` - MembershipAttributeType *string `pulumi:"membershipAttributeType"` - MembershipLdapAttribute *string `pulumi:"membershipLdapAttribute"` - MembershipUserLdapAttribute *string `pulumi:"membershipUserLdapAttribute"` - Mode *string `pulumi:"mode"` - // Display name of the mapper when displayed in the console. - Name *string `pulumi:"name"` - PreserveGroupInheritance *bool `pulumi:"preserveGroupInheritance"` - // The realm in which the ldap user federation provider exists. - RealmId *string `pulumi:"realmId"` + // When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + DropNonExistingGroupsDuringSync *bool `pulumi:"dropNonExistingGroupsDuringSync"` + // The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + GroupNameLdapAttribute *string `pulumi:"groupNameLdapAttribute"` + // List of strings representing the object classes for the group. Must contain at least one. + GroupObjectClasses []string `pulumi:"groupObjectClasses"` + // When specified, adds an additional custom filter to be used when querying for groups. 
Must start with `(` and end with `)`. + GroupsLdapFilter *string `pulumi:"groupsLdapFilter"` + // Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + GroupsPath *string `pulumi:"groupsPath"` + // When `true`, missing groups in the hierarchy will be ignored. + IgnoreMissingGroups *bool `pulumi:"ignoreMissingGroups"` + // The LDAP DN where groups can be found. + LdapGroupsDn *string `pulumi:"ldapGroupsDn"` + // The ID of the LDAP user federation provider to attach this mapper to. + LdapUserFederationId *string `pulumi:"ldapUserFederationId"` + // Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + MappedGroupAttributes []string `pulumi:"mappedGroupAttributes"` + // Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + MemberofLdapAttribute *string `pulumi:"memberofLdapAttribute"` + // Can be one of `DN` or `UID`. Defaults to `DN`. + MembershipAttributeType *string `pulumi:"membershipAttributeType"` + // The name of the LDAP attribute that is used for membership mappings. + MembershipLdapAttribute *string `pulumi:"membershipLdapAttribute"` + // The name of the LDAP attribute on a user that is used for membership mappings. + MembershipUserLdapAttribute *string `pulumi:"membershipUserLdapAttribute"` + // Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + Mode *string `pulumi:"mode"` + // Display name of this mapper when displayed in the console. + Name *string `pulumi:"name"` + // When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. 
+ PreserveGroupInheritance *bool `pulumi:"preserveGroupInheritance"` + // The realm that this LDAP mapper will exist in. + RealmId *string `pulumi:"realmId"` + // Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. UserRolesRetrieveStrategy *string `pulumi:"userRolesRetrieveStrategy"` } type GroupMapperState struct { + // When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. DropNonExistingGroupsDuringSync pulumi.BoolPtrInput - GroupNameLdapAttribute pulumi.StringPtrInput - GroupObjectClasses pulumi.StringArrayInput - GroupsLdapFilter pulumi.StringPtrInput - GroupsPath pulumi.StringPtrInput - IgnoreMissingGroups pulumi.BoolPtrInput - LdapGroupsDn pulumi.StringPtrInput - // The ldap user federation provider to attach this mapper to. - LdapUserFederationId pulumi.StringPtrInput - MappedGroupAttributes pulumi.StringArrayInput - MemberofLdapAttribute pulumi.StringPtrInput - MembershipAttributeType pulumi.StringPtrInput - MembershipLdapAttribute pulumi.StringPtrInput + // The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + GroupNameLdapAttribute pulumi.StringPtrInput + // List of strings representing the object classes for the group. Must contain at least one. + GroupObjectClasses pulumi.StringArrayInput + // When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + GroupsLdapFilter pulumi.StringPtrInput + // Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. 
+ GroupsPath pulumi.StringPtrInput + // When `true`, missing groups in the hierarchy will be ignored. + IgnoreMissingGroups pulumi.BoolPtrInput + // The LDAP DN where groups can be found. + LdapGroupsDn pulumi.StringPtrInput + // The ID of the LDAP user federation provider to attach this mapper to. + LdapUserFederationId pulumi.StringPtrInput + // Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + MappedGroupAttributes pulumi.StringArrayInput + // Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + MemberofLdapAttribute pulumi.StringPtrInput + // Can be one of `DN` or `UID`. Defaults to `DN`. + MembershipAttributeType pulumi.StringPtrInput + // The name of the LDAP attribute that is used for membership mappings. + MembershipLdapAttribute pulumi.StringPtrInput + // The name of the LDAP attribute on a user that is used for membership mappings. MembershipUserLdapAttribute pulumi.StringPtrInput - Mode pulumi.StringPtrInput - // Display name of the mapper when displayed in the console. - Name pulumi.StringPtrInput + // Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + Mode pulumi.StringPtrInput + // Display name of this mapper when displayed in the console. + Name pulumi.StringPtrInput + // When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. PreserveGroupInheritance pulumi.BoolPtrInput - // The realm in which the ldap user federation provider exists. - RealmId pulumi.StringPtrInput + // The realm that this LDAP mapper will exist in. + RealmId pulumi.StringPtrInput + // Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. 
UserRolesRetrieveStrategy pulumi.StringPtrInput } 
@@ -240,51 +267,81 @@ func (GroupMapperState) ElementType() reflect.Type { } type groupMapperArgs struct { - DropNonExistingGroupsDuringSync *bool `pulumi:"dropNonExistingGroupsDuringSync"` - GroupNameLdapAttribute string `pulumi:"groupNameLdapAttribute"` - GroupObjectClasses []string `pulumi:"groupObjectClasses"` - GroupsLdapFilter *string `pulumi:"groupsLdapFilter"` - GroupsPath *string `pulumi:"groupsPath"` - IgnoreMissingGroups *bool `pulumi:"ignoreMissingGroups"` - LdapGroupsDn string `pulumi:"ldapGroupsDn"` - // The ldap user federation provider to attach this mapper to. - LdapUserFederationId string `pulumi:"ldapUserFederationId"` - MappedGroupAttributes []string `pulumi:"mappedGroupAttributes"` - MemberofLdapAttribute *string `pulumi:"memberofLdapAttribute"` - MembershipAttributeType *string `pulumi:"membershipAttributeType"` - MembershipLdapAttribute string `pulumi:"membershipLdapAttribute"` - MembershipUserLdapAttribute string `pulumi:"membershipUserLdapAttribute"` - Mode *string `pulumi:"mode"` - // Display name of the mapper when displayed in the console. - Name *string `pulumi:"name"` - PreserveGroupInheritance *bool `pulumi:"preserveGroupInheritance"` - // The realm in which the ldap user federation provider exists. - RealmId string `pulumi:"realmId"` + // When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + DropNonExistingGroupsDuringSync *bool `pulumi:"dropNonExistingGroupsDuringSync"` + // The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + GroupNameLdapAttribute string `pulumi:"groupNameLdapAttribute"` + // List of strings representing the object classes for the group. Must contain at least one. + GroupObjectClasses []string `pulumi:"groupObjectClasses"` + // When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. 
+ GroupsLdapFilter *string `pulumi:"groupsLdapFilter"` + // Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + GroupsPath *string `pulumi:"groupsPath"` + // When `true`, missing groups in the hierarchy will be ignored. + IgnoreMissingGroups *bool `pulumi:"ignoreMissingGroups"` + // The LDAP DN where groups can be found. + LdapGroupsDn string `pulumi:"ldapGroupsDn"` + // The ID of the LDAP user federation provider to attach this mapper to. + LdapUserFederationId string `pulumi:"ldapUserFederationId"` + // Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + MappedGroupAttributes []string `pulumi:"mappedGroupAttributes"` + // Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + MemberofLdapAttribute *string `pulumi:"memberofLdapAttribute"` + // Can be one of `DN` or `UID`. Defaults to `DN`. + MembershipAttributeType *string `pulumi:"membershipAttributeType"` + // The name of the LDAP attribute that is used for membership mappings. + MembershipLdapAttribute string `pulumi:"membershipLdapAttribute"` + // The name of the LDAP attribute on a user that is used for membership mappings. + MembershipUserLdapAttribute string `pulumi:"membershipUserLdapAttribute"` + // Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + Mode *string `pulumi:"mode"` + // Display name of this mapper when displayed in the console. + Name *string `pulumi:"name"` + // When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. 
+ PreserveGroupInheritance *bool `pulumi:"preserveGroupInheritance"` + // The realm that this LDAP mapper will exist in. + RealmId string `pulumi:"realmId"` + // Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. UserRolesRetrieveStrategy *string `pulumi:"userRolesRetrieveStrategy"` } // The set of arguments for constructing a GroupMapper resource. type GroupMapperArgs struct { + // When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. DropNonExistingGroupsDuringSync pulumi.BoolPtrInput - GroupNameLdapAttribute pulumi.StringInput - GroupObjectClasses pulumi.StringArrayInput - GroupsLdapFilter pulumi.StringPtrInput - GroupsPath pulumi.StringPtrInput - IgnoreMissingGroups pulumi.BoolPtrInput - LdapGroupsDn pulumi.StringInput - // The ldap user federation provider to attach this mapper to. - LdapUserFederationId pulumi.StringInput - MappedGroupAttributes pulumi.StringArrayInput - MemberofLdapAttribute pulumi.StringPtrInput - MembershipAttributeType pulumi.StringPtrInput - MembershipLdapAttribute pulumi.StringInput + // The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + GroupNameLdapAttribute pulumi.StringInput + // List of strings representing the object classes for the group. Must contain at least one. + GroupObjectClasses pulumi.StringArrayInput + // When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + GroupsLdapFilter pulumi.StringPtrInput + // Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. 
The configured group path must already exist in Keycloak when creating this mapper. + GroupsPath pulumi.StringPtrInput + // When `true`, missing groups in the hierarchy will be ignored. + IgnoreMissingGroups pulumi.BoolPtrInput + // The LDAP DN where groups can be found. + LdapGroupsDn pulumi.StringInput + // The ID of the LDAP user federation provider to attach this mapper to. + LdapUserFederationId pulumi.StringInput + // Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + MappedGroupAttributes pulumi.StringArrayInput + // Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + MemberofLdapAttribute pulumi.StringPtrInput + // Can be one of `DN` or `UID`. Defaults to `DN`. + MembershipAttributeType pulumi.StringPtrInput + // The name of the LDAP attribute that is used for membership mappings. + MembershipLdapAttribute pulumi.StringInput + // The name of the LDAP attribute on a user that is used for membership mappings. MembershipUserLdapAttribute pulumi.StringInput - Mode pulumi.StringPtrInput - // Display name of the mapper when displayed in the console. - Name pulumi.StringPtrInput + // Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + Mode pulumi.StringPtrInput + // Display name of this mapper when displayed in the console. + Name pulumi.StringPtrInput + // When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. PreserveGroupInheritance pulumi.BoolPtrInput - // The realm in which the ldap user federation provider exists. - RealmId pulumi.StringInput + // The realm that this LDAP mapper will exist in. + RealmId pulumi.StringInput + // Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. 
Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. UserRolesRetrieveStrategy pulumi.StringPtrInput } 
@@ -375,77 +432,92 @@ func (o GroupMapperOutput) ToGroupMapperOutputWithContext(ctx context.Context) G return o } +// When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. func (o GroupMapperOutput) DropNonExistingGroupsDuringSync() pulumi.BoolPtrOutput { return o.ApplyT(func(v *GroupMapper) pulumi.BoolPtrOutput { return v.DropNonExistingGroupsDuringSync }).(pulumi.BoolPtrOutput) } +// The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. func (o GroupMapperOutput) GroupNameLdapAttribute() pulumi.StringOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringOutput { return v.GroupNameLdapAttribute }).(pulumi.StringOutput) } +// List of strings representing the object classes for the group. Must contain at least one. func (o GroupMapperOutput) GroupObjectClasses() pulumi.StringArrayOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringArrayOutput { return v.GroupObjectClasses }).(pulumi.StringArrayOutput) } +// When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. func (o GroupMapperOutput) GroupsLdapFilter() pulumi.StringPtrOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringPtrOutput { return v.GroupsLdapFilter }).(pulumi.StringPtrOutput) } +// Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. func (o GroupMapperOutput) GroupsPath() pulumi.StringOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringOutput { return v.GroupsPath }).(pulumi.StringOutput) } +// When `true`, missing groups in the hierarchy will be ignored. 
func (o GroupMapperOutput) IgnoreMissingGroups() pulumi.BoolPtrOutput { return o.ApplyT(func(v *GroupMapper) pulumi.BoolPtrOutput { return v.IgnoreMissingGroups }).(pulumi.BoolPtrOutput) } +// The LDAP DN where groups can be found. func (o GroupMapperOutput) LdapGroupsDn() pulumi.StringOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringOutput { return v.LdapGroupsDn }).(pulumi.StringOutput) } -// The ldap user federation provider to attach this mapper to. +// The ID of the LDAP user federation provider to attach this mapper to. func (o GroupMapperOutput) LdapUserFederationId() pulumi.StringOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringOutput { return v.LdapUserFederationId }).(pulumi.StringOutput) } +// Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. func (o GroupMapperOutput) MappedGroupAttributes() pulumi.StringArrayOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringArrayOutput { return v.MappedGroupAttributes }).(pulumi.StringArrayOutput) } +// Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. func (o GroupMapperOutput) MemberofLdapAttribute() pulumi.StringPtrOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringPtrOutput { return v.MemberofLdapAttribute }).(pulumi.StringPtrOutput) } +// Can be one of `DN` or `UID`. Defaults to `DN`. func (o GroupMapperOutput) MembershipAttributeType() pulumi.StringPtrOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringPtrOutput { return v.MembershipAttributeType }).(pulumi.StringPtrOutput) } +// The name of the LDAP attribute that is used for membership mappings. func (o GroupMapperOutput) MembershipLdapAttribute() pulumi.StringOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringOutput { return v.MembershipLdapAttribute }).(pulumi.StringOutput) } +// The name of the LDAP attribute on a user that is used for membership mappings. 
func (o GroupMapperOutput) MembershipUserLdapAttribute() pulumi.StringOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringOutput { return v.MembershipUserLdapAttribute }).(pulumi.StringOutput) } +// Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. func (o GroupMapperOutput) Mode() pulumi.StringPtrOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringPtrOutput { return v.Mode }).(pulumi.StringPtrOutput) } -// Display name of the mapper when displayed in the console. +// Display name of this mapper when displayed in the console. func (o GroupMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } +// When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. func (o GroupMapperOutput) PreserveGroupInheritance() pulumi.BoolPtrOutput { return o.ApplyT(func(v *GroupMapper) pulumi.BoolPtrOutput { return v.PreserveGroupInheritance }).(pulumi.BoolPtrOutput) } -// The realm in which the ldap user federation provider exists. +// The realm that this LDAP mapper will exist in. func (o GroupMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. func (o GroupMapperOutput) UserRolesRetrieveStrategy() pulumi.StringPtrOutput { return o.ApplyT(func(v *GroupMapper) pulumi.StringPtrOutput { return v.UserRolesRetrieveStrategy }).(pulumi.StringPtrOutput) } diff --git a/sdk/go/keycloak/ldap/hardcodedRoleMapper.go b/sdk/go/keycloak/ldap/hardcodedRoleMapper.go index 319c189b..af76741a 100644 --- a/sdk/go/keycloak/ldap/hardcodedRoleMapper.go 
+++ b/sdk/go/keycloak/ldap/hardcodedRoleMapper.go @@ -12,11 +12,13 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # ldap.HardcodedRoleMapper +// Allows for creating and managing hardcoded role mappers for Keycloak users federated via LDAP. // -// This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. +// The LDAP hardcoded role mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. // -// ### Example Usage +// ## Example Usage +// +// ### Realm Role) // // ```go // package main @@ -32,7 +34,7 @@ import ( // func main() { // pulumi.Run(func(ctx *pulumi.Context) error { // realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ -// Realm: pulumi.String("test"), +// Realm: pulumi.String("my-realm"), // Enabled: pulumi.Bool(true), // }) // if err != nil { @@ -56,11 +58,19 @@ import ( // if err != nil { // return err // } +// realmAdminRole, err := keycloak.NewRole(ctx, "realm_admin_role", &keycloak.RoleArgs{ +// RealmId: realm.ID(), +// Name: pulumi.String("my-admin-role"), +// Description: pulumi.String("My Realm Role"), +// }) +// if err != nil { +// return err +// } // _, err = ldap.NewHardcodedRoleMapper(ctx, "assign_admin_role_to_all_users", &ldap.HardcodedRoleMapperArgs{ // RealmId: realm.ID(), // LdapUserFederationId: ldapUserFederation.ID(), // Name: pulumi.String("assign-admin-role-to-all-users"), -// Role: pulumi.String("admin"), +// Role: realmAdminRole.Name, // }) // if err != nil { // return err 
@@ -71,30 +81,105 @@ import (
//
// ```
//
-// ### Argument Reference
+// ### Client Role)
+//
+// ```go
+// package main
+//
+// import (
+//
+// "fmt"
+//
+// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
+// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap"
+// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
+// "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
//
-// The following arguments are supported:
+// func main() {
+// pulumi.Run(func(ctx *pulumi.Context) error {
+// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
+// Realm: pulumi.String("my-realm"),
+// Enabled: pulumi.Bool(true),
+// })
+// if err != nil {
+// return err
+// }
+// ldapUserFederation, err := ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
+// Name: pulumi.String("openldap"),
+// RealmId: realm.ID(),
+// UsernameLdapAttribute: pulumi.String("cn"),
+// RdnLdapAttribute: pulumi.String("cn"),
+// UuidLdapAttribute: pulumi.String("entryDN"),
+// UserObjectClasses: pulumi.StringArray{
+// pulumi.String("simpleSecurityObject"),
+// pulumi.String("organizationalRole"),
+// },
+// ConnectionUrl: pulumi.String("ldap://openldap"),
+// UsersDn: pulumi.String("dc=example,dc=org"),
+// BindDn: pulumi.String("cn=admin,dc=example,dc=org"),
+// BindCredential: pulumi.String("admin"),
+// })
+// if err != nil {
+// return err
+// }
+// // data sources aren't technically necessary here, but they are helpful for demonstration purposes
+// realmManagement := openid.LookupClientOutput(ctx, openid.GetClientOutputArgs{
+// RealmId: realm.ID(),
+// ClientId: pulumi.String("realm-management"),
+// }, nil)
+// createClient := pulumi.All(realm.ID(), realmManagement).ApplyT(func(_args []interface{}) (keycloak.GetRoleResult, error) {
+// id := _args[0].(string)
+// realmManagement := _args[1].(openid.GetClientResult)
+// return keycloak.GetRoleResult(interface{}(keycloak.LookupRoleOutput(ctx, keycloak.GetRoleOutputArgs{
+//
RealmId: id,
+// ClientId: realmManagement.Id,
+// Name: "create-client",
+// }, nil))), nil
+// }).(keycloak.GetRoleResultOutput)
+// _, err = ldap.NewHardcodedRoleMapper(ctx, "assign_admin_role_to_all_users", &ldap.HardcodedRoleMapperArgs{
+// RealmId: realm.ID(),
+// LdapUserFederationId: ldapUserFederation.ID(),
+// Name: pulumi.String("assign-admin-role-to-all-users"),
+// Role: pulumi.All(realmManagement, createClient).ApplyT(func(_args []interface{}) (string, error) {
+// realmManagement := _args[0].(openid.GetClientResult)
+// createClient := _args[1].(keycloak.GetRoleResult)
+// return fmt.Sprintf("%v.%v", realmManagement.ClientId, createClient.Name), nil
+// }).(pulumi.StringOutput),
+// })
+// if err != nil {
+// return err
+// }
+// return nil
+// })
+// }
//
-// - `realmId` - (Required) The realm that this LDAP mapper will exist in.
-// - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
-// - `name` - (Required) Display name of this mapper when displayed in the console.
-// - `role` - (Required) The role which should be assigned to the users.
+// ```
//
-// ### Import
+// ## Import
//
// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
-// The ID of the LDAP user federation provider and the mapper can be found within
-// the Keycloak GUI, and they are typically GUIDs:
+//
+// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
+//
+// Example:
+//
+// bash
+//
+// ```sh
+// $ pulumi import keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper assign_admin_role_to_all_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+// ```
type HardcodedRoleMapper struct {
pulumi.CustomResourceState
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId pulumi.StringOutput `pulumi:"ldapUserFederationId"`
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name pulumi.StringOutput `pulumi:"name"`
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId pulumi.StringOutput `pulumi:"realmId"`
- // Role to grant to user.
+ // The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.
Role pulumi.StringOutput `pulumi:"role"`
}
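Review bot: The new `### Client Role)` heading (and `### Realm Role)` in the preceding hunk) carries a stray closing parenthesis that renders literally in the generated docs; the headings should read `### Client Role` and `### Realm Role`. In the same Client Role example, `BindCredential: pulumi.String("admin")` embeds the LDAP bind secret as a plain literal, so the published example teaches putting a directory credential in program source, unmarked as a secret; the example should source it from config, e.g. `BindCredential: config.RequireSecret(ctx, "bindCredential"),`. This file appears to be generated from the upstream provider documentation, so both corrections belong in the doc source the SDK is generated from rather than in this hunk. The HardcodedRoleMapper doc comment begins in the previous hunk; only the struct declaration closes here.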
@@ -137,24 +222,24 @@ func GetHardcodedRoleMapper(ctx *pulumi.Context,
// Input properties used for looking up and filtering HardcodedRoleMapper resources.
type hardcodedRoleMapperState struct {
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId *string `pulumi:"ldapUserFederationId"`
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name *string `pulumi:"name"`
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId *string `pulumi:"realmId"`
- // Role to grant to user.
+ // The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.
Role *string `pulumi:"role"`
}
type HardcodedRoleMapperState struct {
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId pulumi.StringPtrInput
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name pulumi.StringPtrInput
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId pulumi.StringPtrInput
- // Role to grant to user.
+ // The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.
Role pulumi.StringPtrInput
}
@@ -163,25 +248,25 @@ func (HardcodedRoleMapperState) ElementType() reflect.Type {
}
type hardcodedRoleMapperArgs struct {
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId string `pulumi:"ldapUserFederationId"`
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name *string `pulumi:"name"`
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId string `pulumi:"realmId"`
- // Role to grant to user.
+ // The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.
Role string `pulumi:"role"`
}
// The set of arguments for constructing a HardcodedRoleMapper resource.
type HardcodedRoleMapperArgs struct {
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId pulumi.StringInput
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name pulumi.StringPtrInput
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId pulumi.StringInput
- // Role to grant to user.
+ // The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.
Role pulumi.StringInput
}
@@ -272,22 +357,22 @@ func (o HardcodedRoleMapperOutput) ToHardcodedRoleMapperOutputWithContext(ctx co
return o
}
-// The ldap user federation provider to attach this mapper to.
+// The ID of the LDAP user federation provider to attach this mapper to.
func (o HardcodedRoleMapperOutput) LdapUserFederationId() pulumi.StringOutput {
return o.ApplyT(func(v *HardcodedRoleMapper) pulumi.StringOutput { return v.LdapUserFederationId }).(pulumi.StringOutput)
}
-// Display name of the mapper when displayed in the console.
+// Display name of this mapper when displayed in the console.
func (o HardcodedRoleMapperOutput) Name() pulumi.StringOutput {
return o.ApplyT(func(v *HardcodedRoleMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput)
}
-// The realm in which the ldap user federation provider exists.
+// The realm that this LDAP mapper will exist in.
func (o HardcodedRoleMapperOutput) RealmId() pulumi.StringOutput {
return o.ApplyT(func(v *HardcodedRoleMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput)
}
-// Role to grant to user.
+// The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.
func (o HardcodedRoleMapperOutput) Role() pulumi.StringOutput {
return o.ApplyT(func(v *HardcodedRoleMapper) pulumi.StringOutput { return v.Role }).(pulumi.StringOutput)
}
diff --git a/sdk/go/keycloak/ldap/msadUserAccountControlMapper.go b/sdk/go/keycloak/ldap/msadUserAccountControlMapper.go
index 136b7f55..de8c5751 100644
--- a/sdk/go/keycloak/ldap/msadUserAccountControlMapper.go
+++ b/sdk/go/keycloak/ldap/msadUserAccountControlMapper.go
@@ -12,8 +12,6 @@ import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
-// ## # ldap.MsadUserAccountControlMapper
-//
// Allows for creating and managing MSAD user account control mappers for Keycloak
// users federated via LDAP.
//
@@ -22,7 +20,7 @@ import (
// AD user state to Keycloak in order to enforce settings like expired passwords
// or disabled accounts.
//
-// ### Example Usage
+// ## Example Usage
//
// ```go
// package main
@@ -38,7 +36,7 @@ import (
// func main() {
// pulumi.Run(func(ctx *pulumi.Context) error {
// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
-// Realm: pulumi.String("test"),
+// Realm: pulumi.String("my-realm"),
// Enabled: pulumi.Bool(true),
// })
// if err != nil {
@@ -77,29 +75,29 @@ import (
//
// ```
//
-// ### Argument Reference
+// ## Import
//
-// The following arguments are supported:
+// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
//
-// - `realmId` - (Required) The realm that this LDAP mapper will exist in.
-// - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
-// - `name` - (Required) Display name of this mapper when displayed in the console.
-// - `ldapPasswordPolicyHintsEnabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
+// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
//
-// ### Import
+// Example:
//
-// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
-// The ID of the LDAP user federation provider and the mapper can be found within
-// the Keycloak GUI, and they are typically GUIDs:
+// bash
+//
+// ```sh
+// $ pulumi import keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+// ```
type MsadUserAccountControlMapper struct {
pulumi.CustomResourceState
+ // When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
LdapPasswordPolicyHintsEnabled pulumi.BoolPtrOutput `pulumi:"ldapPasswordPolicyHintsEnabled"`
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId pulumi.StringOutput `pulumi:"ldapUserFederationId"`
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name pulumi.StringOutput `pulumi:"name"`
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId pulumi.StringOutput `pulumi:"realmId"`
}
@@ -139,22 +137,24 @@ func GetMsadUserAccountControlMapper(ctx *pulumi.Context,
// Input properties used for looking up and filtering MsadUserAccountControlMapper resources.
type msadUserAccountControlMapperState struct {
+ // When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
LdapPasswordPolicyHintsEnabled *bool `pulumi:"ldapPasswordPolicyHintsEnabled"`
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId *string `pulumi:"ldapUserFederationId"`
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name *string `pulumi:"name"`
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId *string `pulumi:"realmId"`
}
type MsadUserAccountControlMapperState struct {
+ // When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
LdapPasswordPolicyHintsEnabled pulumi.BoolPtrInput
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId pulumi.StringPtrInput
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name pulumi.StringPtrInput
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId pulumi.StringPtrInput
}
@@ -163,23 +163,25 @@ func (MsadUserAccountControlMapperState) ElementType() reflect.Type {
}
type msadUserAccountControlMapperArgs struct {
+ // When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
LdapPasswordPolicyHintsEnabled *bool `pulumi:"ldapPasswordPolicyHintsEnabled"`
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId string `pulumi:"ldapUserFederationId"`
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name *string `pulumi:"name"`
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId string `pulumi:"realmId"`
}
// The set of arguments for constructing a MsadUserAccountControlMapper resource.
type MsadUserAccountControlMapperArgs struct {
+ // When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
LdapPasswordPolicyHintsEnabled pulumi.BoolPtrInput
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId pulumi.StringInput
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name pulumi.StringPtrInput
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId pulumi.StringInput
}
@@ -270,21 +272,22 @@ func (o MsadUserAccountControlMapperOutput) ToMsadUserAccountControlMapperOutput
return o
}
+// When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
func (o MsadUserAccountControlMapperOutput) LdapPasswordPolicyHintsEnabled() pulumi.BoolPtrOutput {
return o.ApplyT(func(v *MsadUserAccountControlMapper) pulumi.BoolPtrOutput { return v.LdapPasswordPolicyHintsEnabled }).(pulumi.BoolPtrOutput)
}
-// The ldap user federation provider to attach this mapper to.
+// The ID of the LDAP user federation provider to attach this mapper to.
func (o MsadUserAccountControlMapperOutput) LdapUserFederationId() pulumi.StringOutput {
return o.ApplyT(func(v *MsadUserAccountControlMapper) pulumi.StringOutput { return v.LdapUserFederationId }).(pulumi.StringOutput)
}
-// Display name of the mapper when displayed in the console.
+// Display name of this mapper when displayed in the console.
func (o MsadUserAccountControlMapperOutput) Name() pulumi.StringOutput {
return o.ApplyT(func(v *MsadUserAccountControlMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput)
}
-// The realm in which the ldap user federation provider exists.
+// The realm that this LDAP mapper will exist in.
func (o MsadUserAccountControlMapperOutput) RealmId() pulumi.StringOutput {
return o.ApplyT(func(v *MsadUserAccountControlMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput)
}
diff --git a/sdk/go/keycloak/ldap/pulumiTypes.go b/sdk/go/keycloak/ldap/pulumiTypes.go
index 3161c5dc..cfada68a 100644
--- a/sdk/go/keycloak/ldap/pulumiTypes.go
+++ b/sdk/go/keycloak/ldap/pulumiTypes.go
@@ -14,7 +14,7 @@ import (
var _ = internal.GetEnvOrDefault
type UserFederationCache struct {
- // Day of the week the entry will become invalid on.
+ // Day of the week the entry will become invalid on
EvictionDay *int `pulumi:"evictionDay"`
// Hour of day the entry will become invalid on.
EvictionHour *int `pulumi:"evictionHour"`
@@ -22,7 +22,8 @@ type UserFederationCache struct {
EvictionMinute *int `pulumi:"evictionMinute"`
// Max lifespan of cache entry (duration string).
MaxLifespan *string `pulumi:"maxLifespan"`
- Policy *string `pulumi:"policy"`
+ // Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ Policy *string `pulumi:"policy"`
}
// UserFederationCacheInput is an input type that accepts UserFederationCacheArgs and UserFederationCacheOutput values.
@@ -37,7 +38,7 @@ type UserFederationCacheInput interface {
}
type UserFederationCacheArgs struct {
- // Day of the week the entry will become invalid on.
+ // Day of the week the entry will become invalid on
EvictionDay pulumi.IntPtrInput `pulumi:"evictionDay"`
// Hour of day the entry will become invalid on.
EvictionHour pulumi.IntPtrInput `pulumi:"evictionHour"`
@@ -45,7 +46,8 @@ type UserFederationCacheArgs struct {
EvictionMinute pulumi.IntPtrInput `pulumi:"evictionMinute"`
// Max lifespan of cache entry (duration string).
MaxLifespan pulumi.StringPtrInput `pulumi:"maxLifespan"`
- Policy pulumi.StringPtrInput `pulumi:"policy"`
+ // Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ Policy pulumi.StringPtrInput `pulumi:"policy"`
}
func (UserFederationCacheArgs) ElementType() reflect.Type {
@@ -125,7 +127,7 @@ func (o UserFederationCacheOutput) ToUserFederationCachePtrOutputWithContext(ctx
}).(UserFederationCachePtrOutput)
}
-// Day of the week the entry will become invalid on.
+// Day of the week the entry will become invalid on
func (o UserFederationCacheOutput) EvictionDay() pulumi.IntPtrOutput {
return o.ApplyT(func(v UserFederationCache) *int { return v.EvictionDay }).(pulumi.IntPtrOutput)
}
@@ -145,6 +147,7 @@ func (o UserFederationCacheOutput) MaxLifespan() pulumi.StringPtrOutput {
return o.ApplyT(func(v UserFederationCache) *string { return v.MaxLifespan }).(pulumi.StringPtrOutput)
}
+// Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
func (o UserFederationCacheOutput) Policy() pulumi.StringPtrOutput {
return o.ApplyT(func(v UserFederationCache) *string { return v.Policy }).(pulumi.StringPtrOutput)
}
@@ -173,7 +176,7 @@ func (o UserFederationCachePtrOutput) Elem() UserFederationCacheOutput {
}).(UserFederationCacheOutput)
}
-// Day of the week the entry will become invalid on.
+// Day of the week the entry will become invalid on
func (o UserFederationCachePtrOutput) EvictionDay() pulumi.IntPtrOutput {
return o.ApplyT(func(v *UserFederationCache) *int {
if v == nil {
@@ -213,6 +216,7 @@ func (o UserFederationCachePtrOutput) MaxLifespan() pulumi.StringPtrOutput {
}).(pulumi.StringPtrOutput)
}
+// Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
func (o UserFederationCachePtrOutput) Policy() pulumi.StringPtrOutput {
return o.ApplyT(func(v *UserFederationCache) *string {
if v == nil {
@@ -223,7 +227,7 @@ func (o UserFederationCachePtrOutput) Policy() pulumi.StringPtrOutput {
}
type UserFederationKerberos struct {
- // The name of the kerberos realm, e.g. FOO.LOCAL
+ // The name of the kerberos realm, e.g. FOO.LOCAL.
KerberosRealm string `pulumi:"kerberosRealm"`
// Path to the kerberos keytab file on the server with credentials of the service principal.
KeyTab string `pulumi:"keyTab"`
@@ -245,7 +249,7 @@ type UserFederationKerberosInput interface {
}
type UserFederationKerberosArgs struct {
- // The name of the kerberos realm, e.g. FOO.LOCAL
+ // The name of the kerberos realm, e.g. FOO.LOCAL.
KerberosRealm pulumi.StringInput `pulumi:"kerberosRealm"`
// Path to the kerberos keytab file on the server with credentials of the service principal.
KeyTab pulumi.StringInput `pulumi:"keyTab"`
@@ -332,7 +336,7 @@ func (o UserFederationKerberosOutput) ToUserFederationKerberosPtrOutputWithConte
}).(UserFederationKerberosPtrOutput)
}
-// The name of the kerberos realm, e.g. FOO.LOCAL
+// The name of the kerberos realm, e.g. FOO.LOCAL.
func (o UserFederationKerberosOutput) KerberosRealm() pulumi.StringOutput {
return o.ApplyT(func(v UserFederationKerberos) string { return v.KerberosRealm }).(pulumi.StringOutput)
}
@@ -376,7 +380,7 @@ func (o UserFederationKerberosPtrOutput) Elem() UserFederationKerberosOutput {
}).(UserFederationKerberosOutput)
}
-// The name of the kerberos realm, e.g. FOO.LOCAL
+// The name of the kerberos realm, e.g. FOO.LOCAL.
func (o UserFederationKerberosPtrOutput) KerberosRealm() pulumi.StringPtrOutput {
return o.ApplyT(func(v *UserFederationKerberos) *string {
if v == nil {
diff --git a/sdk/go/keycloak/ldap/userAttributeMapper.go b/sdk/go/keycloak/ldap/userAttributeMapper.go
index 3faedfb3..7f45b6af 100644
--- a/sdk/go/keycloak/ldap/userAttributeMapper.go
+++ b/sdk/go/keycloak/ldap/userAttributeMapper.go
@@ -12,15 +12,13 @@ import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
-// ## # ldap.UserAttributeMapper
-//
// Allows for creating and managing user attribute mappers for Keycloak users
// federated via LDAP.
//
// The LDAP user attribute mapper can be used to map a single LDAP attribute
// to an attribute on the Keycloak user model.
//
-// ### Example Usage
+// ## Example Usage
//
// ```go
// package main
@@ -36,7 +34,7 @@ import (
// func main() {
// pulumi.Run(func(ctx *pulumi.Context) error {
// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
-// Realm: pulumi.String("test"),
+// Realm: pulumi.String("my-realm"),
// Enabled: pulumi.Bool(true),
// })
// if err != nil {
@@ -76,46 +74,41 @@ import (
//
// ```
//
-// ### Argument Reference
+// ## Import
//
-// The following arguments are supported:
+// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
//
-// - `realmId` - (Required) The realm that this LDAP mapper will exist in.
-// - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
-// - `name` - (Required) Display name of this mapper when displayed in the console.
-// - `userModelAttribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into.
-// - `ldapAttribute` - (Required) Name of the mapped attribute on the LDAP object.
-// - `readOnly` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
-// - `alwaysReadValueFromLdap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
-// - `isMandatoryInLdap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`.
+// The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
//
-// ### Import
+// Example:
//
-// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
-// The ID of the LDAP user federation provider and the mapper can be found within
-// the Keycloak GUI, and they are typically GUIDs:
+// bash
+//
+// ```sh
+// $ pulumi import keycloak:ldap/userAttributeMapper:UserAttributeMapper ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+// ```
type UserAttributeMapper struct {
pulumi.CustomResourceState
- // When true, the value fetched from LDAP will override the value stored in Keycloak.
+ // When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
AlwaysReadValueFromLdap pulumi.BoolPtrOutput `pulumi:"alwaysReadValueFromLdap"`
- // Default value to set in LDAP if isMandatoryInLdap and the value is empty
+ // Default value to set in LDAP if `isMandatoryInLdap` is true and the value is empty.
AttributeDefaultValue pulumi.StringPtrOutput `pulumi:"attributeDefaultValue"`
- // Should be true for binary LDAP attributes
+ // Should be true for binary LDAP attributes.
IsBinaryAttribute pulumi.BoolPtrOutput `pulumi:"isBinaryAttribute"`
- // When true, this attribute must exist in LDAP.
+ // When `true`, this attribute must exist in LDAP. Defaults to `false`.
IsMandatoryInLdap pulumi.BoolPtrOutput `pulumi:"isMandatoryInLdap"`
- // Name of the mapped attribute on LDAP object.
+ // Name of the mapped attribute on the LDAP object.
LdapAttribute pulumi.StringOutput `pulumi:"ldapAttribute"`
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId pulumi.StringOutput `pulumi:"ldapUserFederationId"`
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name pulumi.StringOutput `pulumi:"name"`
- // When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.
+ // When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
ReadOnly pulumi.BoolPtrOutput `pulumi:"readOnly"`
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId pulumi.StringOutput `pulumi:"realmId"`
- // Name of the UserModel property or attribute you want to map the LDAP attribute into.
+ // Name of the user property or attribute you want to map the LDAP attribute into.
UserModelAttribute pulumi.StringOutput `pulumi:"userModelAttribute"`
}
@@ -161,48 +154,48 @@ func GetUserAttributeMapper(ctx *pulumi.Context,
// Input properties used for looking up and filtering UserAttributeMapper resources.
type userAttributeMapperState struct {
- // When true, the value fetched from LDAP will override the value stored in Keycloak.
+ // When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
AlwaysReadValueFromLdap *bool `pulumi:"alwaysReadValueFromLdap"`
- // Default value to set in LDAP if isMandatoryInLdap and the value is empty
+ // Default value to set in LDAP if `isMandatoryInLdap` is true and the value is empty.
AttributeDefaultValue *string `pulumi:"attributeDefaultValue"`
- // Should be true for binary LDAP attributes
+ // Should be true for binary LDAP attributes.
IsBinaryAttribute *bool `pulumi:"isBinaryAttribute"`
- // When true, this attribute must exist in LDAP.
+ // When `true`, this attribute must exist in LDAP. Defaults to `false`.
IsMandatoryInLdap *bool `pulumi:"isMandatoryInLdap"`
- // Name of the mapped attribute on LDAP object.
+ // Name of the mapped attribute on the LDAP object.
LdapAttribute *string `pulumi:"ldapAttribute"`
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId *string `pulumi:"ldapUserFederationId"`
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name *string `pulumi:"name"`
- // When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.
+ // When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
ReadOnly *bool `pulumi:"readOnly"`
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId *string `pulumi:"realmId"`
- // Name of the UserModel property or attribute you want to map the LDAP attribute into.
+ // Name of the user property or attribute you want to map the LDAP attribute into.
UserModelAttribute *string `pulumi:"userModelAttribute"`
}
type UserAttributeMapperState struct {
- // When true, the value fetched from LDAP will override the value stored in Keycloak.
+ // When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
AlwaysReadValueFromLdap pulumi.BoolPtrInput
- // Default value to set in LDAP if isMandatoryInLdap and the value is empty
+ // Default value to set in LDAP if `isMandatoryInLdap` is true and the value is empty.
AttributeDefaultValue pulumi.StringPtrInput
- // Should be true for binary LDAP attributes
+ // Should be true for binary LDAP attributes.
IsBinaryAttribute pulumi.BoolPtrInput
- // When true, this attribute must exist in LDAP.
+ // When `true`, this attribute must exist in LDAP. Defaults to `false`.
IsMandatoryInLdap pulumi.BoolPtrInput
- // Name of the mapped attribute on LDAP object.
+ // Name of the mapped attribute on the LDAP object.
LdapAttribute pulumi.StringPtrInput
- // The ldap user federation provider to attach this mapper to.
+ // The ID of the LDAP user federation provider to attach this mapper to.
LdapUserFederationId pulumi.StringPtrInput
- // Display name of the mapper when displayed in the console.
+ // Display name of this mapper when displayed in the console.
Name pulumi.StringPtrInput
- // When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.
+ // When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
ReadOnly pulumi.BoolPtrInput
- // The realm in which the ldap user federation provider exists.
+ // The realm that this LDAP mapper will exist in.
RealmId pulumi.StringPtrInput
- // Name of the UserModel property or attribute you want to map the LDAP attribute into.
+ // Name of the user property or attribute you want to map the LDAP attribute into.
UserModelAttribute pulumi.StringPtrInput
}
@@ -211,49 +204,49 @@ func (UserAttributeMapperState) ElementType() reflect.Type { } type userAttributeMapperArgs struct { - // When true, the value fetched from LDAP will override the value stored in Keycloak. + // When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. AlwaysReadValueFromLdap *bool `pulumi:"alwaysReadValueFromLdap"` - // Default value to set in LDAP if isMandatoryInLdap and the value is empty + // Default value to set in LDAP if `isMandatoryInLdap` is true and the value is empty. AttributeDefaultValue *string `pulumi:"attributeDefaultValue"` - // Should be true for binary LDAP attributes + // Should be true for binary LDAP attributes. IsBinaryAttribute *bool `pulumi:"isBinaryAttribute"` - // When true, this attribute must exist in LDAP. + // When `true`, this attribute must exist in LDAP. Defaults to `false`. IsMandatoryInLdap *bool `pulumi:"isMandatoryInLdap"` - // Name of the mapped attribute on LDAP object. + // Name of the mapped attribute on the LDAP object. LdapAttribute string `pulumi:"ldapAttribute"` - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId string `pulumi:"ldapUserFederationId"` - // Display name of the mapper when displayed in the console. + // Display name of this mapper when displayed in the console. Name *string `pulumi:"name"` - // When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + // When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. ReadOnly *bool `pulumi:"readOnly"` - // The realm in which the ldap user federation provider exists. + // The realm that this LDAP mapper will exist in. RealmId string `pulumi:"realmId"` - // Name of the UserModel property or attribute you want to map the LDAP attribute into. 
+ // Name of the user property or attribute you want to map the LDAP attribute into. UserModelAttribute string `pulumi:"userModelAttribute"` } // The set of arguments for constructing a UserAttributeMapper resource. type UserAttributeMapperArgs struct { - // When true, the value fetched from LDAP will override the value stored in Keycloak. + // When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. AlwaysReadValueFromLdap pulumi.BoolPtrInput - // Default value to set in LDAP if isMandatoryInLdap and the value is empty + // Default value to set in LDAP if `isMandatoryInLdap` is true and the value is empty. AttributeDefaultValue pulumi.StringPtrInput - // Should be true for binary LDAP attributes + // Should be true for binary LDAP attributes. IsBinaryAttribute pulumi.BoolPtrInput - // When true, this attribute must exist in LDAP. + // When `true`, this attribute must exist in LDAP. Defaults to `false`. IsMandatoryInLdap pulumi.BoolPtrInput - // Name of the mapped attribute on LDAP object. + // Name of the mapped attribute on the LDAP object. LdapAttribute pulumi.StringInput - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId pulumi.StringInput - // Display name of the mapper when displayed in the console. + // Display name of this mapper when displayed in the console. Name pulumi.StringPtrInput - // When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + // When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. ReadOnly pulumi.BoolPtrInput - // The realm in which the ldap user federation provider exists. + // The realm that this LDAP mapper will exist in. RealmId pulumi.StringInput - // Name of the UserModel property or attribute you want to map the LDAP attribute into. 
+ // Name of the user property or attribute you want to map the LDAP attribute into. UserModelAttribute pulumi.StringInput } 
@@ -344,52 +337,52 @@ func (o UserAttributeMapperOutput) ToUserAttributeMapperOutputWithContext(ctx co return o } -// When true, the value fetched from LDAP will override the value stored in Keycloak. +// When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. func (o UserAttributeMapperOutput) AlwaysReadValueFromLdap() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.BoolPtrOutput { return v.AlwaysReadValueFromLdap }).(pulumi.BoolPtrOutput) } -// Default value to set in LDAP if isMandatoryInLdap and the value is empty +// Default value to set in LDAP if `isMandatoryInLdap` is true and the value is empty. func (o UserAttributeMapperOutput) AttributeDefaultValue() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.StringPtrOutput { return v.AttributeDefaultValue }).(pulumi.StringPtrOutput) } -// Should be true for binary LDAP attributes +// Should be true for binary LDAP attributes. func (o UserAttributeMapperOutput) IsBinaryAttribute() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.BoolPtrOutput { return v.IsBinaryAttribute }).(pulumi.BoolPtrOutput) } -// When true, this attribute must exist in LDAP. +// When `true`, this attribute must exist in LDAP. Defaults to `false`. func (o UserAttributeMapperOutput) IsMandatoryInLdap() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.BoolPtrOutput { return v.IsMandatoryInLdap }).(pulumi.BoolPtrOutput) } -// Name of the mapped attribute on LDAP object. +// Name of the mapped attribute on the LDAP object. func (o UserAttributeMapperOutput) LdapAttribute() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.StringOutput { return v.LdapAttribute }).(pulumi.StringOutput) } -// The ldap user federation provider to attach this mapper to. +// The ID of the LDAP user federation provider to attach this mapper to. 
func (o UserAttributeMapperOutput) LdapUserFederationId() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.StringOutput { return v.LdapUserFederationId }).(pulumi.StringOutput) } -// Display name of the mapper when displayed in the console. +// Display name of this mapper when displayed in the console. func (o UserAttributeMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. +// When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. func (o UserAttributeMapperOutput) ReadOnly() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.BoolPtrOutput { return v.ReadOnly }).(pulumi.BoolPtrOutput) } -// The realm in which the ldap user federation provider exists. +// The realm that this LDAP mapper will exist in. func (o UserAttributeMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } -// Name of the UserModel property or attribute you want to map the LDAP attribute into. +// Name of the user property or attribute you want to map the LDAP attribute into. func (o UserAttributeMapperOutput) UserModelAttribute() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeMapper) pulumi.StringOutput { return v.UserModelAttribute }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/ldap/userFederation.go b/sdk/go/keycloak/ldap/userFederation.go index 767710b3..9365d77b 100644 --- a/sdk/go/keycloak/ldap/userFederation.go +++ b/sdk/go/keycloak/ldap/userFederation.go 
@@ -12,8 +12,6 @@ import (
 "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
-// ## # ldap.UserFederation
-//
 // Allows for creating and managing LDAP user federation providers within Keycloak.
 //
 // Keycloak can use an LDAP user federation provider to federate users to Keycloak
@@ -21,7 +19,7 @@ import (
 // will exist within the realm and will be able to log in to clients. Federated
 // users can have their attributes defined using mappers.
 //
-// ### Example Usage
+// ## Example Usage
 //
 // ```go
 // package main
@@ -37,7 +35,7 @@ import (
 // func main() {
 // pulumi.Run(func(ctx *pulumi.Context) error {
 // realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
-// Realm: pulumi.String("test"),
+// Realm: pulumi.String("my-realm"),
 // Enabled: pulumi.Bool(true),
 // })
 // if err != nil {
@@ -60,6 +58,11 @@ import (
 // BindCredential: pulumi.String("admin"),
 // ConnectionTimeout: pulumi.String("5s"),
 // ReadTimeout: pulumi.String("10s"),
+// Kerberos: &ldap.UserFederationKerberosArgs{
+// KerberosRealm: pulumi.String("FOO.LOCAL"),
+// ServerPrincipal: pulumi.String("HTTP/host.foo.com@FOO.LOCAL"),
+// KeyTab: pulumi.String("/etc/host.keytab"),
+// },
 // })
 // if err != nil {
 // return err
@@ -70,106 +73,78 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: +// ## Import // -// - `realmId` - (Required) The realm that this provider will provide user federation for. -// - `name` - (Required) Display name of the provider when displayed in the console. -// - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. -// - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. -// - `importEnabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. -// - `editMode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. -// - `syncRegistrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`. -// - `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OPTIONAL`. -// - `usernameLdapAttribute` - (Required) Name of the LDAP attribute to use as the Keycloak username. -// - `rdnLdapAttribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name. -// - `uuidLdapAttribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. -// - `userObjectClasses` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. -// - `connectionUrl` - (Required) Connection URL to the LDAP server. -// - `usersDn` - (Required) Full DN of LDAP tree where your users are. -// - `bindDn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. 
This attribute must be set if `bindCredential` is set. -// - `bindCredential` - (Optional) Password of LDAP admin. This attribute must be set if `bindDn` is set. -// - `customUserSearchFilter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. -// - `searchScope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`: -// - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. -// - `SUBTREE`: Search entire LDAP subtree. -// -// - `validatePasswordPolicy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it. -// - `useTruststoreSpi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: -// - `ALWAYS` - Always use the truststore SPI for LDAP connections. -// - `NEVER` - Never use the truststore SPI for LDAP connections. -// - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. +// LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. // -// - `connectionTimeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). -// - `readTimeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). -// - `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. -// - `batchSizeForSync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`. -// - `fullSyncPeriod` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. -// - `changedSyncPeriod` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. 
-// - `cachePolicy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. +// The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: // -// ### Import +// bash // -// LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. -// The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: +// ```sh +// $ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 +// ``` type UserFederation struct { pulumi.CustomResourceState - // The number of users to sync within a single transaction. + // The number of users to sync within a single transaction. Defaults to `1000`. BatchSizeForSync pulumi.IntPtrOutput `pulumi:"batchSizeForSync"` - // Password of LDAP admin. + // Password of LDAP admin. This attribute must be set if `bindDn` is set. BindCredential pulumi.StringPtrOutput `pulumi:"bindCredential"` - // DN of LDAP admin, which will be used by Keycloak to access LDAP server. + // DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. BindDn pulumi.StringPtrOutput `pulumi:"bindDn"` - // Settings regarding cache policy for this realm. + // A block containing the cache settings. Cache UserFederationCachePtrOutput `pulumi:"cache"` - // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - // sync. + // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. ChangedSyncPeriod pulumi.IntPtrOutput `pulumi:"changedSyncPeriod"` - // LDAP connection timeout (duration string) + // LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). 
ConnectionTimeout pulumi.StringPtrOutput `pulumi:"connectionTimeout"` // Connection URL to the LDAP server. ConnectionUrl pulumi.StringOutput `pulumi:"connectionUrl"` - // Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + // Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. CustomUserSearchFilter pulumi.StringPtrOutput `pulumi:"customUserSearchFilter"` - // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - // user federation provider. + // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. DeleteDefaultMappers pulumi.BoolPtrOutput `pulumi:"deleteDefaultMappers"` - // READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + // Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. EditMode pulumi.StringPtrOutput `pulumi:"editMode"` - // When false, this provider will not be used when performing queries for users. + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` // How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod pulumi.IntPtrOutput `pulumi:"fullSyncPeriod"` - // When true, LDAP users will be imported into the Keycloak database. + // When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. ImportEnabled pulumi.BoolPtrOutput `pulumi:"importEnabled"` - // Settings regarding kerberos authentication for this realm. + // A block containing the kerberos settings. 
Kerberos UserFederationKerberosPtrOutput `pulumi:"kerberos"` // Display name of the provider when displayed in the console. Name pulumi.StringOutput `pulumi:"name"` - // When true, Keycloak assumes the LDAP server supports pagination. + // When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. Pagination pulumi.BoolPtrOutput `pulumi:"pagination"` - // Priority of this provider when looking up users. Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. Priority pulumi.IntPtrOutput `pulumi:"priority"` // Name of the LDAP attribute to use as the relative distinguished name. RdnLdapAttribute pulumi.StringOutput `pulumi:"rdnLdapAttribute"` - // LDAP read timeout (duration string) + // LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ReadTimeout pulumi.StringPtrOutput `pulumi:"readTimeout"` - // The realm this provider will provide user federation for. + // The realm that this provider will provide user federation for. RealmId pulumi.StringOutput `pulumi:"realmId"` - // ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + // Can be one of `ONE_LEVEL` or `SUBTREE`: + // - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. + // - `SUBTREE`: Search entire LDAP subtree. SearchScope pulumi.StringPtrOutput `pulumi:"searchScope"` - // When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + // When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. StartTls pulumi.BoolPtrOutput `pulumi:"startTls"` - // When true, newly created users will be synced back to LDAP. + // When `true`, newly created users will be synced back to LDAP. Defaults to `false`. 
SyncRegistrations pulumi.BoolPtrOutput `pulumi:"syncRegistrations"` // If enabled, email provided by this provider is not verified even if verification is enabled for the realm. TrustEmail pulumi.BoolPtrOutput `pulumi:"trustEmail"` // When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - UsePasswordModifyExtendedOp pulumi.BoolPtrOutput `pulumi:"usePasswordModifyExtendedOp"` - UseTruststoreSpi pulumi.StringPtrOutput `pulumi:"useTruststoreSpi"` - // All values of LDAP objectClass attribute for users in LDAP. + UsePasswordModifyExtendedOp pulumi.BoolPtrOutput `pulumi:"usePasswordModifyExtendedOp"` + // Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + // - `ALWAYS` - Always use the truststore SPI for LDAP connections. + // - `NEVER` - Never use the truststore SPI for LDAP connections. + // - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + UseTruststoreSpi pulumi.StringPtrOutput `pulumi:"useTruststoreSpi"` + // Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. UserObjectClasses pulumi.StringArrayOutput `pulumi:"userObjectClasses"` // Name of the LDAP attribute to use as the Keycloak username. UsernameLdapAttribute pulumi.StringOutput `pulumi:"usernameLdapAttribute"` 
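Review bot: The new Import section carries a stray `+// bash` line between `is typically a GUID:` and the `sh` code fence, which will render as the literal word "bash" in the generated docs; drop that line and the empty `+//` line after it so the fence follows the sentence directly. This looks like a generated SDK file, so the removal presumably belongs in the upstream doc source the generator reads rather than in this file. Separately, the reworded `BindCredential` comment now says when the field is required but not that it is a credential that ends up in Pulumi state; I would append `The value is persisted in state, so supply it as a secret rather than a plain literal.` — whether the schema already marks the property secret is not visible in this hunk, and the example above still passes `BindCredential` as a plain string literal. The same `BindCredential` comment is repeated in the `userFederationState`, `UserFederationState` and `userFederationArgs` hunks below.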
@@ -177,9 +152,9 @@ type UserFederation struct {
 UsersDn pulumi.StringOutput `pulumi:"usersDn"`
 // Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
 UuidLdapAttribute pulumi.StringOutput `pulumi:"uuidLdapAttribute"`
- // When true, Keycloak will validate passwords using the realm policy before updating it.
+ // When `true`, Keycloak will validate passwords using the realm policy before updating it.
 ValidatePasswordPolicy pulumi.BoolPtrOutput `pulumi:"validatePasswordPolicy"`
- // LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
+ // Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
 Vendor pulumi.StringPtrOutput `pulumi:"vendor"`
 }
 
@@ -241,60 +216,64 @@ func GetUserFederation(ctx *pulumi.Context, // Input properties used for looking up and filtering UserFederation resources. type userFederationState struct { - // The number of users to sync within a single transaction. + // The number of users to sync within a single transaction. Defaults to `1000`. BatchSizeForSync *int `pulumi:"batchSizeForSync"` - // Password of LDAP admin. + // Password of LDAP admin. This attribute must be set if `bindDn` is set. BindCredential *string `pulumi:"bindCredential"` - // DN of LDAP admin, which will be used by Keycloak to access LDAP server. + // DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. BindDn *string `pulumi:"bindDn"` - // Settings regarding cache policy for this realm. + // A block containing the cache settings. Cache *UserFederationCache `pulumi:"cache"` - // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - // sync. + // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. ChangedSyncPeriod *int `pulumi:"changedSyncPeriod"` - // LDAP connection timeout (duration string) + // LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ConnectionTimeout *string `pulumi:"connectionTimeout"` // Connection URL to the LDAP server. ConnectionUrl *string `pulumi:"connectionUrl"` - // Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + // Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. CustomUserSearchFilter *string `pulumi:"customUserSearchFilter"` - // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - // user federation provider. 
+ // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. DeleteDefaultMappers *bool `pulumi:"deleteDefaultMappers"` - // READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + // Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. EditMode *string `pulumi:"editMode"` - // When false, this provider will not be used when performing queries for users. + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled *bool `pulumi:"enabled"` // How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod *int `pulumi:"fullSyncPeriod"` - // When true, LDAP users will be imported into the Keycloak database. + // When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. ImportEnabled *bool `pulumi:"importEnabled"` - // Settings regarding kerberos authentication for this realm. + // A block containing the kerberos settings. Kerberos *UserFederationKerberos `pulumi:"kerberos"` // Display name of the provider when displayed in the console. Name *string `pulumi:"name"` - // When true, Keycloak assumes the LDAP server supports pagination. + // When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. Pagination *bool `pulumi:"pagination"` - // Priority of this provider when looking up users. Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. Priority *int `pulumi:"priority"` // Name of the LDAP attribute to use as the relative distinguished name. 
RdnLdapAttribute *string `pulumi:"rdnLdapAttribute"` - // LDAP read timeout (duration string) + // LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ReadTimeout *string `pulumi:"readTimeout"` - // The realm this provider will provide user federation for. + // The realm that this provider will provide user federation for. RealmId *string `pulumi:"realmId"` - // ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + // Can be one of `ONE_LEVEL` or `SUBTREE`: + // - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. + // - `SUBTREE`: Search entire LDAP subtree. SearchScope *string `pulumi:"searchScope"` - // When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + // When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. StartTls *bool `pulumi:"startTls"` - // When true, newly created users will be synced back to LDAP. + // When `true`, newly created users will be synced back to LDAP. Defaults to `false`. SyncRegistrations *bool `pulumi:"syncRegistrations"` // If enabled, email provided by this provider is not verified even if verification is enabled for the realm. TrustEmail *bool `pulumi:"trustEmail"` // When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - UsePasswordModifyExtendedOp *bool `pulumi:"usePasswordModifyExtendedOp"` - UseTruststoreSpi *string `pulumi:"useTruststoreSpi"` - // All values of LDAP objectClass attribute for users in LDAP. + UsePasswordModifyExtendedOp *bool `pulumi:"usePasswordModifyExtendedOp"` + // Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + // - `ALWAYS` - Always use the truststore SPI for LDAP connections. + // - `NEVER` - Never use the truststore SPI for LDAP connections. 
+ // - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + UseTruststoreSpi *string `pulumi:"useTruststoreSpi"` + // Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. UserObjectClasses []string `pulumi:"userObjectClasses"` // Name of the LDAP attribute to use as the Keycloak username. UsernameLdapAttribute *string `pulumi:"usernameLdapAttribute"` 
@@ -302,67 +281,71 @@ type userFederationState struct { UsersDn *string `pulumi:"usersDn"` // Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. UuidLdapAttribute *string `pulumi:"uuidLdapAttribute"` - // When true, Keycloak will validate passwords using the realm policy before updating it. + // When `true`, Keycloak will validate passwords using the realm policy before updating it. ValidatePasswordPolicy *bool `pulumi:"validatePasswordPolicy"` - // LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + // Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. Vendor *string `pulumi:"vendor"` } type UserFederationState struct { - // The number of users to sync within a single transaction. + // The number of users to sync within a single transaction. Defaults to `1000`. BatchSizeForSync pulumi.IntPtrInput - // Password of LDAP admin. + // Password of LDAP admin. This attribute must be set if `bindDn` is set. BindCredential pulumi.StringPtrInput - // DN of LDAP admin, which will be used by Keycloak to access LDAP server. + // DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. BindDn pulumi.StringPtrInput - // Settings regarding cache policy for this realm. + // A block containing the cache settings. Cache UserFederationCachePtrInput - // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - // sync. + // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. 
ChangedSyncPeriod pulumi.IntPtrInput - // LDAP connection timeout (duration string) + // LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ConnectionTimeout pulumi.StringPtrInput // Connection URL to the LDAP server. ConnectionUrl pulumi.StringPtrInput - // Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + // Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. CustomUserSearchFilter pulumi.StringPtrInput - // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - // user federation provider. + // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. DeleteDefaultMappers pulumi.BoolPtrInput - // READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + // Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. EditMode pulumi.StringPtrInput - // When false, this provider will not be used when performing queries for users. + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled pulumi.BoolPtrInput // How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod pulumi.IntPtrInput - // When true, LDAP users will be imported into the Keycloak database. + // When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. ImportEnabled pulumi.BoolPtrInput - // Settings regarding kerberos authentication for this realm. + // A block containing the kerberos settings. 
Kerberos UserFederationKerberosPtrInput // Display name of the provider when displayed in the console. Name pulumi.StringPtrInput - // When true, Keycloak assumes the LDAP server supports pagination. + // When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. Pagination pulumi.BoolPtrInput - // Priority of this provider when looking up users. Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. Priority pulumi.IntPtrInput // Name of the LDAP attribute to use as the relative distinguished name. RdnLdapAttribute pulumi.StringPtrInput - // LDAP read timeout (duration string) + // LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ReadTimeout pulumi.StringPtrInput - // The realm this provider will provide user federation for. + // The realm that this provider will provide user federation for. RealmId pulumi.StringPtrInput - // ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + // Can be one of `ONE_LEVEL` or `SUBTREE`: + // - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. + // - `SUBTREE`: Search entire LDAP subtree. SearchScope pulumi.StringPtrInput - // When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + // When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. StartTls pulumi.BoolPtrInput - // When true, newly created users will be synced back to LDAP. + // When `true`, newly created users will be synced back to LDAP. Defaults to `false`. SyncRegistrations pulumi.BoolPtrInput // If enabled, email provided by this provider is not verified even if verification is enabled for the realm. TrustEmail pulumi.BoolPtrInput // When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). 
UsePasswordModifyExtendedOp pulumi.BoolPtrInput - UseTruststoreSpi pulumi.StringPtrInput - // All values of LDAP objectClass attribute for users in LDAP. + // Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + // - `ALWAYS` - Always use the truststore SPI for LDAP connections. + // - `NEVER` - Never use the truststore SPI for LDAP connections. + // - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + UseTruststoreSpi pulumi.StringPtrInput + // Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. UserObjectClasses pulumi.StringArrayInput // Name of the LDAP attribute to use as the Keycloak username. UsernameLdapAttribute pulumi.StringPtrInput @@ -370,9 +353,9 @@ type UserFederationState struct { UsersDn pulumi.StringPtrInput // Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. UuidLdapAttribute pulumi.StringPtrInput - // When true, Keycloak will validate passwords using the realm policy before updating it. + // When `true`, Keycloak will validate passwords using the realm policy before updating it. ValidatePasswordPolicy pulumi.BoolPtrInput - // LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + // Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. Vendor pulumi.StringPtrInput } 
@@ -381,60 +364,64 @@ func (UserFederationState) ElementType() reflect.Type { } type userFederationArgs struct { - // The number of users to sync within a single transaction. + // The number of users to sync within a single transaction. Defaults to `1000`. BatchSizeForSync *int `pulumi:"batchSizeForSync"` - // Password of LDAP admin. + // Password of LDAP admin. This attribute must be set if `bindDn` is set. BindCredential *string `pulumi:"bindCredential"` - // DN of LDAP admin, which will be used by Keycloak to access LDAP server. + // DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. BindDn *string `pulumi:"bindDn"` - // Settings regarding cache policy for this realm. + // A block containing the cache settings. Cache *UserFederationCache `pulumi:"cache"` - // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - // sync. + // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. ChangedSyncPeriod *int `pulumi:"changedSyncPeriod"` - // LDAP connection timeout (duration string) + // LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ConnectionTimeout *string `pulumi:"connectionTimeout"` // Connection URL to the LDAP server. ConnectionUrl string `pulumi:"connectionUrl"` - // Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + // Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. CustomUserSearchFilter *string `pulumi:"customUserSearchFilter"` - // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - // user federation provider. 
+ // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. DeleteDefaultMappers *bool `pulumi:"deleteDefaultMappers"` - // READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + // Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. EditMode *string `pulumi:"editMode"` - // When false, this provider will not be used when performing queries for users. + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled *bool `pulumi:"enabled"` // How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod *int `pulumi:"fullSyncPeriod"` - // When true, LDAP users will be imported into the Keycloak database. + // When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. ImportEnabled *bool `pulumi:"importEnabled"` - // Settings regarding kerberos authentication for this realm. + // A block containing the kerberos settings. Kerberos *UserFederationKerberos `pulumi:"kerberos"` // Display name of the provider when displayed in the console. Name *string `pulumi:"name"` - // When true, Keycloak assumes the LDAP server supports pagination. + // When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. Pagination *bool `pulumi:"pagination"` - // Priority of this provider when looking up users. Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. Priority *int `pulumi:"priority"` // Name of the LDAP attribute to use as the relative distinguished name. 
RdnLdapAttribute string `pulumi:"rdnLdapAttribute"` - // LDAP read timeout (duration string) + // LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ReadTimeout *string `pulumi:"readTimeout"` - // The realm this provider will provide user federation for. + // The realm that this provider will provide user federation for. RealmId string `pulumi:"realmId"` - // ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + // Can be one of `ONE_LEVEL` or `SUBTREE`: + // - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. + // - `SUBTREE`: Search entire LDAP subtree. SearchScope *string `pulumi:"searchScope"` - // When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + // When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. StartTls *bool `pulumi:"startTls"` - // When true, newly created users will be synced back to LDAP. + // When `true`, newly created users will be synced back to LDAP. Defaults to `false`. SyncRegistrations *bool `pulumi:"syncRegistrations"` // If enabled, email provided by this provider is not verified even if verification is enabled for the realm. TrustEmail *bool `pulumi:"trustEmail"` // When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - UsePasswordModifyExtendedOp *bool `pulumi:"usePasswordModifyExtendedOp"` - UseTruststoreSpi *string `pulumi:"useTruststoreSpi"` - // All values of LDAP objectClass attribute for users in LDAP. + UsePasswordModifyExtendedOp *bool `pulumi:"usePasswordModifyExtendedOp"` + // Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + // - `ALWAYS` - Always use the truststore SPI for LDAP connections. + // - `NEVER` - Never use the truststore SPI for LDAP connections. + // - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. 
+ UseTruststoreSpi *string `pulumi:"useTruststoreSpi"` + // Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. UserObjectClasses []string `pulumi:"userObjectClasses"` // Name of the LDAP attribute to use as the Keycloak username. UsernameLdapAttribute string `pulumi:"usernameLdapAttribute"` 
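Review bot: The new `UseTruststoreSpi` comment enumerates `ALWAYS`, `NEVER` and `ONLY_FOR_LDAPS` but, unlike the neighbouring `Pagination`, `SyncRegistrations` and `Vendor` comments, does not say which value applies when the field is left unset; since this setting decides whether the LDAP server certificate is checked against Keycloak's truststore SPI, a reader auditing a configuration needs that default. Suggest appending a sentence of the form "Defaults to <value taken from the upstream provider schema>" (placeholder), and the same gap exists in the identical comments in the `UserFederationArgs` hunk and the `UseTruststoreSpi` output-getter hunk later in this file. `BindCredential` is documented only as `Password of LDAP admin.`; adding `This is a sensitive value.` would tell SDK users to source it from a secret rather than plain configuration. This file appears to be generated Pulumi SDK output, so the wording presumably has to be corrected in the upstream provider schema rather than edited here.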
@@ -442,68 +429,72 @@ type userFederationArgs struct { UsersDn string `pulumi:"usersDn"` // Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. UuidLdapAttribute string `pulumi:"uuidLdapAttribute"` - // When true, Keycloak will validate passwords using the realm policy before updating it. + // When `true`, Keycloak will validate passwords using the realm policy before updating it. ValidatePasswordPolicy *bool `pulumi:"validatePasswordPolicy"` - // LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + // Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. Vendor *string `pulumi:"vendor"` } // The set of arguments for constructing a UserFederation resource. type UserFederationArgs struct { - // The number of users to sync within a single transaction. + // The number of users to sync within a single transaction. Defaults to `1000`. BatchSizeForSync pulumi.IntPtrInput - // Password of LDAP admin. + // Password of LDAP admin. This attribute must be set if `bindDn` is set. BindCredential pulumi.StringPtrInput - // DN of LDAP admin, which will be used by Keycloak to access LDAP server. + // DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. BindDn pulumi.StringPtrInput - // Settings regarding cache policy for this realm. + // A block containing the cache settings. Cache UserFederationCachePtrInput - // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - // sync. + // How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. 
ChangedSyncPeriod pulumi.IntPtrInput - // LDAP connection timeout (duration string) + // LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ConnectionTimeout pulumi.StringPtrInput // Connection URL to the LDAP server. ConnectionUrl pulumi.StringInput - // Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + // Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. CustomUserSearchFilter pulumi.StringPtrInput - // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - // user federation provider. + // When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. DeleteDefaultMappers pulumi.BoolPtrInput - // READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + // Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. EditMode pulumi.StringPtrInput - // When false, this provider will not be used when performing queries for users. + // When `false`, this provider will not be used when performing queries for users. Defaults to `true`. Enabled pulumi.BoolPtrInput // How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. FullSyncPeriod pulumi.IntPtrInput - // When true, LDAP users will be imported into the Keycloak database. + // When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. ImportEnabled pulumi.BoolPtrInput - // Settings regarding kerberos authentication for this realm. + // A block containing the kerberos settings. Kerberos UserFederationKerberosPtrInput // Display name of the provider when displayed in the console. 
Name pulumi.StringPtrInput - // When true, Keycloak assumes the LDAP server supports pagination. + // When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. Pagination pulumi.BoolPtrInput - // Priority of this provider when looking up users. Lower values are first. + // Priority of this provider when looking up users. Lower values are first. Defaults to `0`. Priority pulumi.IntPtrInput // Name of the LDAP attribute to use as the relative distinguished name. RdnLdapAttribute pulumi.StringInput - // LDAP read timeout (duration string) + // LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ReadTimeout pulumi.StringPtrInput - // The realm this provider will provide user federation for. + // The realm that this provider will provide user federation for. RealmId pulumi.StringInput - // ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + // Can be one of `ONE_LEVEL` or `SUBTREE`: + // - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. + // - `SUBTREE`: Search entire LDAP subtree. SearchScope pulumi.StringPtrInput - // When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + // When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. StartTls pulumi.BoolPtrInput - // When true, newly created users will be synced back to LDAP. + // When `true`, newly created users will be synced back to LDAP. Defaults to `false`. SyncRegistrations pulumi.BoolPtrInput // If enabled, email provided by this provider is not verified even if verification is enabled for the realm. TrustEmail pulumi.BoolPtrInput // When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). 
UsePasswordModifyExtendedOp pulumi.BoolPtrInput - UseTruststoreSpi pulumi.StringPtrInput - // All values of LDAP objectClass attribute for users in LDAP. + // Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + // - `ALWAYS` - Always use the truststore SPI for LDAP connections. + // - `NEVER` - Never use the truststore SPI for LDAP connections. + // - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + UseTruststoreSpi pulumi.StringPtrInput + // Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. UserObjectClasses pulumi.StringArrayInput // Name of the LDAP attribute to use as the Keycloak username. UsernameLdapAttribute pulumi.StringInput @@ -511,9 +502,9 @@ type UserFederationArgs struct { UsersDn pulumi.StringInput // Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. UuidLdapAttribute pulumi.StringInput - // When true, Keycloak will validate passwords using the realm policy before updating it. + // When `true`, Keycloak will validate passwords using the realm policy before updating it. ValidatePasswordPolicy pulumi.BoolPtrInput - // LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + // Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. Vendor pulumi.StringPtrInput } 
@@ -604,33 +595,32 @@ func (o UserFederationOutput) ToUserFederationOutputWithContext(ctx context.Cont return o } -// The number of users to sync within a single transaction. +// The number of users to sync within a single transaction. Defaults to `1000`. func (o UserFederationOutput) BatchSizeForSync() pulumi.IntPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.IntPtrOutput { return v.BatchSizeForSync }).(pulumi.IntPtrOutput) } -// Password of LDAP admin. +// Password of LDAP admin. This attribute must be set if `bindDn` is set. func (o UserFederationOutput) BindCredential() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringPtrOutput { return v.BindCredential }).(pulumi.StringPtrOutput) } -// DN of LDAP admin, which will be used by Keycloak to access LDAP server. +// DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. func (o UserFederationOutput) BindDn() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringPtrOutput { return v.BindDn }).(pulumi.StringPtrOutput) } -// Settings regarding cache policy for this realm. +// A block containing the cache settings. func (o UserFederationOutput) Cache() UserFederationCachePtrOutput { return o.ApplyT(func(v *UserFederation) UserFederationCachePtrOutput { return v.Cache }).(UserFederationCachePtrOutput) } -// How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users -// sync. +// How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. 
func (o UserFederationOutput) ChangedSyncPeriod() pulumi.IntPtrOutput {
 return o.ApplyT(func(v *UserFederation) pulumi.IntPtrOutput { return v.ChangedSyncPeriod }).(pulumi.IntPtrOutput)
 }
-// LDAP connection timeout (duration string)
+// LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
 func (o UserFederationOutput) ConnectionTimeout() pulumi.StringPtrOutput {
 return o.ApplyT(func(v *UserFederation) pulumi.StringPtrOutput { return v.ConnectionTimeout }).(pulumi.StringPtrOutput)
 }
@@ -640,23 +630,22 @@ func (o UserFederationOutput) ConnectionUrl() pulumi.StringOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringOutput { return v.ConnectionUrl }).(pulumi.StringOutput) } -// Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. +// Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. func (o UserFederationOutput) CustomUserSearchFilter() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringPtrOutput { return v.CustomUserSearchFilter }).(pulumi.StringPtrOutput) } -// When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP -// user federation provider. +// When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. func (o UserFederationOutput) DeleteDefaultMappers() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.BoolPtrOutput { return v.DeleteDefaultMappers }).(pulumi.BoolPtrOutput) } -// READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. +// Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. func (o UserFederationOutput) EditMode() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringPtrOutput { return v.EditMode }).(pulumi.StringPtrOutput) } -// When false, this provider will not be used when performing queries for users. +// When `false`, this provider will not be used when performing queries for users. Defaults to `true`. func (o UserFederationOutput) Enabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.BoolPtrOutput { return v.Enabled }).(pulumi.BoolPtrOutput) } 
@@ -666,12 +655,12 @@ func (o UserFederationOutput) FullSyncPeriod() pulumi.IntPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.IntPtrOutput { return v.FullSyncPeriod }).(pulumi.IntPtrOutput) } -// When true, LDAP users will be imported into the Keycloak database. +// When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. func (o UserFederationOutput) ImportEnabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.BoolPtrOutput { return v.ImportEnabled }).(pulumi.BoolPtrOutput) } -// Settings regarding kerberos authentication for this realm. +// A block containing the kerberos settings. func (o UserFederationOutput) Kerberos() UserFederationKerberosPtrOutput { return o.ApplyT(func(v *UserFederation) UserFederationKerberosPtrOutput { return v.Kerberos }).(UserFederationKerberosPtrOutput) } @@ -681,12 +670,12 @@ func (o UserFederationOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// When true, Keycloak assumes the LDAP server supports pagination. +// When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. func (o UserFederationOutput) Pagination() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.BoolPtrOutput { return v.Pagination }).(pulumi.BoolPtrOutput) } -// Priority of this provider when looking up users. Lower values are first. +// Priority of this provider when looking up users. Lower values are first. Defaults to `0`. func (o UserFederationOutput) Priority() pulumi.IntPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.IntPtrOutput { return v.Priority }).(pulumi.IntPtrOutput) } 
@@ -696,27 +685,29 @@ func (o UserFederationOutput) RdnLdapAttribute() pulumi.StringOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringOutput { return v.RdnLdapAttribute }).(pulumi.StringOutput) } -// LDAP read timeout (duration string) +// LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). func (o UserFederationOutput) ReadTimeout() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringPtrOutput { return v.ReadTimeout }).(pulumi.StringPtrOutput) } -// The realm this provider will provide user federation for. +// The realm that this provider will provide user federation for. func (o UserFederationOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } -// ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. +// Can be one of `ONE_LEVEL` or `SUBTREE`: +// - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. +// - `SUBTREE`: Search entire LDAP subtree. func (o UserFederationOutput) SearchScope() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringPtrOutput { return v.SearchScope }).(pulumi.StringPtrOutput) } -// When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. +// When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. func (o UserFederationOutput) StartTls() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.BoolPtrOutput { return v.StartTls }).(pulumi.BoolPtrOutput) } -// When true, newly created users will be synced back to LDAP. +// When `true`, newly created users will be synced back to LDAP. Defaults to `false`. 
func (o UserFederationOutput) SyncRegistrations() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.BoolPtrOutput { return v.SyncRegistrations }).(pulumi.BoolPtrOutput) } @@ -731,11 +722,15 @@ func (o UserFederationOutput) UsePasswordModifyExtendedOp() pulumi.BoolPtrOutput return o.ApplyT(func(v *UserFederation) pulumi.BoolPtrOutput { return v.UsePasswordModifyExtendedOp }).(pulumi.BoolPtrOutput) } +// Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: +// - `ALWAYS` - Always use the truststore SPI for LDAP connections. +// - `NEVER` - Never use the truststore SPI for LDAP connections. +// - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. func (o UserFederationOutput) UseTruststoreSpi() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringPtrOutput { return v.UseTruststoreSpi }).(pulumi.StringPtrOutput) } -// All values of LDAP objectClass attribute for users in LDAP. +// Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. func (o UserFederationOutput) UserObjectClasses() pulumi.StringArrayOutput { return o.ApplyT(func(v *UserFederation) pulumi.StringArrayOutput { return v.UserObjectClasses }).(pulumi.StringArrayOutput) } 
@@ -755,12 +750,12 @@ func (o UserFederationOutput) UuidLdapAttribute() pulumi.StringOutput {
 return o.ApplyT(func(v *UserFederation) pulumi.StringOutput { return v.UuidLdapAttribute }).(pulumi.StringOutput)
 }
-// When true, Keycloak will validate passwords using the realm policy before updating it.
+// When `true`, Keycloak will validate passwords using the realm policy before updating it.
 func (o UserFederationOutput) ValidatePasswordPolicy() pulumi.BoolPtrOutput {
 return o.ApplyT(func(v *UserFederation) pulumi.BoolPtrOutput { return v.ValidatePasswordPolicy }).(pulumi.BoolPtrOutput)
 }
-// LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
+// Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
 func (o UserFederationOutput) Vendor() pulumi.StringPtrOutput {
 return o.ApplyT(func(v *UserFederation) pulumi.StringPtrOutput { return v.Vendor }).(pulumi.StringPtrOutput)
 }
diff --git a/sdk/go/keycloak/openid/audienceProtocolMapper.go b/sdk/go/keycloak/openid/audienceProtocolMapper.go
index d4583e34..a11d116b 100644
--- a/sdk/go/keycloak/openid/audienceProtocolMapper.go
+++ b/sdk/go/keycloak/openid/audienceProtocolMapper.go
@@ -12,16 +12,14 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.AudienceProtocolMapper +// Allows for creating and managing audience protocol mappers within Keycloak. // -// Allows for creating and managing audience protocol mappers within -// Keycloak. This mapper was added in Keycloak v4.6.0.Final. +// Audience protocol mappers allow you add audiences to the `aud` claim within issued tokens. The audience can be a custom +// string, or it can be mapped to the ID of a pre-existing client. // -// Audience protocol mappers allow you add audiences to the `aud` claim -// within issued tokens. The audience can be a custom string, or it can be -// mapped to the ID of a pre-existing client. +// ## Example Usage // -// ### Example Usage (Client) +// ### Client) // // ```go // package main @@ -45,8 +43,8 @@ import ( // } // openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{ // RealmId: realm.ID(), -// ClientId: pulumi.String("test-client"), -// Name: pulumi.String("test client"), +// ClientId: pulumi.String("client"), +// Name: pulumi.String("client"), // Enabled: pulumi.Bool(true), // AccessType: pulumi.String("CONFIDENTIAL"), // ValidRedirectUris: pulumi.StringArray{ @@ -71,7 +69,7 @@ import ( // // ``` // -// ### Example Usage (Client Scope) +// ### Client Scope) // // ```go // package main 
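Review bot: The rewritten example headings `// ### Client)` and `// ### Client Scope)` keep the closing parenthesis from the old `### Example Usage (Client)` form and now render as malformed Markdown; they should read `// ### Client` and `// ### Client Scope`. The defect is confined to the first and third hunks of this file, where the two headings are replaced. If this SDK file is generated from the provider's documentation, the heading should be corrected at the source so the next regeneration does not reintroduce it.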
@@ -115,44 +113,43 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `includedClientAudience` - (Required if `includedCustomAudience` is not specified) A client ID to include within the token's `aud` claim. -// - `includedCustomAudience` - (Required if `includedClientAudience` is not specified) A custom audience to include within the token's `aud` claim. -// - `addToIdToken` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. -// - `addToAccessToken` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. -// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type AudienceProtocolMapper struct { pulumi.CustomResourceState - // Indicates if this claim should be added to the access token. 
+ // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrOutput `pulumi:"addToAccessToken"` - // Indicates if this claim should be added to the id token. + // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrOutput `pulumi:"addToIdToken"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - // A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A client ID to include within the token's `aud` claim. Conflicts with `includedCustomAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedClientAudience pulumi.StringPtrOutput `pulumi:"includedClientAudience"` - // A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A custom audience to include within the token's `aud` claim. Conflicts with `includedClientAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedCustomAudience pulumi.StringPtrOutput `pulumi:"includedCustomAudience"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringOutput `pulumi:"name"` - // The realm id where the associated client or client scope exists. 
+ // The realm this protocol mapper exists within.
 RealmId pulumi.StringOutput `pulumi:"realmId"`
 }
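Review bot: The new comment on `AddToAccessToken` says the audience is included in the `aud` claim "for the id token", which is the `AddToIdToken` text copied verbatim; it should say "for the access token" instead, keeping the rest of the sentence and the `Defaults to `true`.` suffix. The same duplicated text appears in the state and args hunks that follow for this struct, and the old comments (`added to the access token` / `added to the id token`) did distinguish the two, so the new wording is a regression. Because this flag documents which token carries the audience restriction that relying parties validate, the mix-up could mislead an operator into assuming the access token is audience-scoped when only the ID token is. In the Import section of the same hunk, the bare `// bash` line above the two ```sh fences looks like a leftover label that will render as stray text.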
@@ -189,40 +186,40 @@ func GetAudienceProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering AudienceProtocolMapper resources. type audienceProtocolMapperState struct { - // Indicates if this claim should be added to the access token. + // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if this claim should be added to the id token. + // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A client ID to include within the token's `aud` claim. Conflicts with `includedCustomAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedClientAudience *string `pulumi:"includedClientAudience"` - // A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A custom audience to include within the token's `aud` claim. Conflicts with `includedClientAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedCustomAudience *string `pulumi:"includedCustomAudience"` - // A human-friendly name that will appear in the Keycloak console. 
+ // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId *string `pulumi:"realmId"` } type AudienceProtocolMapperState struct { - // Indicates if this claim should be added to the access token. + // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if this claim should be added to the id token. + // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A client ID to include within the token's `aud` claim. Conflicts with `includedCustomAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedClientAudience pulumi.StringPtrInput - // A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A custom audience to include within the token's `aud` claim. Conflicts with `includedClientAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedCustomAudience pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. 
+ // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringPtrInput } 
@@ -231,41 +228,41 @@ func (AudienceProtocolMapperState) ElementType() reflect.Type { } type audienceProtocolMapperArgs struct { - // Indicates if this claim should be added to the access token. + // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if this claim should be added to the id token. + // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A client ID to include within the token's `aud` claim. Conflicts with `includedCustomAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedClientAudience *string `pulumi:"includedClientAudience"` - // A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A custom audience to include within the token's `aud` claim. Conflicts with `includedClientAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedCustomAudience *string `pulumi:"includedCustomAudience"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. 
Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a AudienceProtocolMapper resource. type AudienceProtocolMapperArgs struct { - // Indicates if this claim should be added to the access token. + // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if this claim should be added to the id token. + // Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A client ID to include within the token's `aud` claim. Conflicts with `includedCustomAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedClientAudience pulumi.StringPtrInput - // A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + // A custom audience to include within the token's `aud` claim. Conflicts with `includedClientAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. IncludedCustomAudience pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. 
+ // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringInput } 
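Review bot: The new comment on `AddToAccessToken` in both `audienceProtocolMapperArgs` and `AudienceProtocolMapperArgs` is a copy of the `AddToIdToken` sentence ("… included in the `aud` claim for the id token"), so the two fields are now documented identically and the old text's access-token/id-token distinction is lost; it should read "Indicates if the audience should be included in the `aud` claim for the access token. Defaults to `true`." The same duplicated sentence is on `AddToAccessToken` in `AudienceProtocolMapperState` in the preceding hunk and on the `AddToAccessToken()` accessor in the following hunk (`@@ -356,42 +353,42 @@`). Since which token carries the `aud` value determines which resource servers will accept it, a reader relying on this comment could enable the wrong one. This file looks generated by the Pulumi SDK generator, so the correction presumably belongs in the upstream schema description rather than a hand edit here.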
@@ -356,42 +353,42 @@ func (o AudienceProtocolMapperOutput) ToAudienceProtocolMapperOutputWithContext( return o } -// Indicates if this claim should be added to the access token. +// Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. func (o AudienceProtocolMapperOutput) AddToAccessToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *AudienceProtocolMapper) pulumi.BoolPtrOutput { return v.AddToAccessToken }).(pulumi.BoolPtrOutput) } -// Indicates if this claim should be added to the id token. +// Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. func (o AudienceProtocolMapperOutput) AddToIdToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *AudienceProtocolMapper) pulumi.BoolPtrOutput { return v.AddToIdToken }).(pulumi.BoolPtrOutput) } -// The mapper's associated client. Cannot be used at the same time as client_scope_id. +// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o AudienceProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *AudienceProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } -// The mapper's associated client scope. Cannot be used at the same time as client_id. +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. func (o AudienceProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *AudienceProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } -// A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience +// A client ID to include within the token's `aud` claim. Conflicts with `includedCustomAudience`. 
One of `includedClientAudience` or `includedCustomAudience` must be specified. func (o AudienceProtocolMapperOutput) IncludedClientAudience() pulumi.StringPtrOutput { return o.ApplyT(func(v *AudienceProtocolMapper) pulumi.StringPtrOutput { return v.IncludedClientAudience }).(pulumi.StringPtrOutput) } -// A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience +// A custom audience to include within the token's `aud` claim. Conflicts with `includedClientAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. func (o AudienceProtocolMapperOutput) IncludedCustomAudience() pulumi.StringPtrOutput { return o.ApplyT(func(v *AudienceProtocolMapper) pulumi.StringPtrOutput { return v.IncludedCustomAudience }).(pulumi.StringPtrOutput) } -// A human-friendly name that will appear in the Keycloak console. +// The display name of this protocol mapper in the GUI. func (o AudienceProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *AudienceProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm id where the associated client or client scope exists. +// The realm this protocol mapper exists within. func (o AudienceProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *AudienceProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/client.go b/sdk/go/keycloak/openid/client.go index f418ed3e..5b2ebb7f 100644 --- a/sdk/go/keycloak/openid/client.go +++ b/sdk/go/keycloak/openid/client.go 
@@ -12,15 +12,13 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.Client -// // Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. // // Clients are entities that can use Keycloak for user authentication. Typically, // clients are applications that redirect users to Keycloak for authentication // in order to take advantage of Keycloak's user sessions for SSO. // -// ### Example Usage +// ## Example Usage // // ```go // package main @@ -51,6 +49,11 @@ import ( // ValidRedirectUris: pulumi.StringArray{ // pulumi.String("http://localhost:8080/openid-callback"), // }, +// LoginTheme: pulumi.String("keycloak"), +// ExtraConfig: pulumi.StringMap{ +// "key1": pulumi.String("value1"), +// "key2": pulumi.String("value2"), +// }, // }) // if err != nil { // return err 
@@ -61,97 +64,124 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this client is attached to. -// - `clientId` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. -// - `name` - (Optional) The display name of this client in the GUI. -// - `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. -// - `description` - (Optional) The description of this client in the GUI. -// - `accessType` - (Required) Specifies the type of client, which can be one of the following: -// - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. -// This client should be used for applications using the Authorization Code or Client Credentials grant flows. -// - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect -// URIs for security. This client should be used for applications using the Implicit grant flow. -// - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. -// - `clientSecret` - (Optional) The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and -// should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute. -// - `standardFlowEnabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. -// - `implicitFlowEnabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. -// - `directAccessGrantsEnabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. 
-// - `serviceAccountsEnabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. -// - `validRedirectUris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple -// wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` -// is set to `true`. -// - `webOrigins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins. -// - `adminUrl` - (Optional) URL to the admin interface of the client. -// - `baseUrl` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client. -// - `pkceCodeChallengeMethod` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value “. -// - `fullScopeAllowed` - (Optional) - Allow to include all roles mappings in the access token. -// -// ### Attributes Reference +// ## Import // -// In addition to the arguments listed above, the following computed attributes are exported: +// Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak // -// - `serviceAccountUserId` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. -// -// ### Import -// -// Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `clientKeycloakId` is the unique ID that Keycloak // assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. 
// // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 +// ``` type Client struct { pulumi.CustomResourceState - AccessTokenLifespan pulumi.StringOutput `pulumi:"accessTokenLifespan"` - AccessType pulumi.StringOutput `pulumi:"accessType"` - AdminUrl pulumi.StringOutput `pulumi:"adminUrl"` - AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesPtrOutput `pulumi:"authenticationFlowBindingOverrides"` - Authorization ClientAuthorizationPtrOutput `pulumi:"authorization"` - BackchannelLogoutRevokeOfflineSessions pulumi.BoolPtrOutput `pulumi:"backchannelLogoutRevokeOfflineSessions"` - BackchannelLogoutSessionRequired pulumi.BoolPtrOutput `pulumi:"backchannelLogoutSessionRequired"` - BackchannelLogoutUrl pulumi.StringPtrOutput `pulumi:"backchannelLogoutUrl"` - BaseUrl pulumi.StringOutput `pulumi:"baseUrl"` - ClientAuthenticatorType pulumi.StringPtrOutput `pulumi:"clientAuthenticatorType"` - ClientId pulumi.StringOutput `pulumi:"clientId"` - ClientOfflineSessionIdleTimeout pulumi.StringOutput `pulumi:"clientOfflineSessionIdleTimeout"` - ClientOfflineSessionMaxLifespan pulumi.StringOutput `pulumi:"clientOfflineSessionMaxLifespan"` - ClientSecret pulumi.StringOutput `pulumi:"clientSecret"` - ClientSessionIdleTimeout pulumi.StringOutput `pulumi:"clientSessionIdleTimeout"` - ClientSessionMaxLifespan pulumi.StringOutput `pulumi:"clientSessionMaxLifespan"` - ConsentRequired pulumi.BoolOutput `pulumi:"consentRequired"` - ConsentScreenText pulumi.StringOutput `pulumi:"consentScreenText"` - Description pulumi.StringOutput `pulumi:"description"` - DirectAccessGrantsEnabled pulumi.BoolOutput `pulumi:"directAccessGrantsEnabled"` - DisplayOnConsentScreen pulumi.BoolOutput `pulumi:"displayOnConsentScreen"` - Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` - ExcludeSessionStateFromAuthResponse pulumi.BoolOutput `pulumi:"excludeSessionStateFromAuthResponse"` - ExtraConfig 
pulumi.StringMapOutput `pulumi:"extraConfig"` - FrontchannelLogoutEnabled pulumi.BoolOutput `pulumi:"frontchannelLogoutEnabled"` - FrontchannelLogoutUrl pulumi.StringPtrOutput `pulumi:"frontchannelLogoutUrl"` - FullScopeAllowed pulumi.BoolPtrOutput `pulumi:"fullScopeAllowed"` - ImplicitFlowEnabled pulumi.BoolOutput `pulumi:"implicitFlowEnabled"` - Import pulumi.BoolPtrOutput `pulumi:"import"` - LoginTheme pulumi.StringPtrOutput `pulumi:"loginTheme"` - Name pulumi.StringOutput `pulumi:"name"` - Oauth2DeviceAuthorizationGrantEnabled pulumi.BoolPtrOutput `pulumi:"oauth2DeviceAuthorizationGrantEnabled"` - Oauth2DeviceCodeLifespan pulumi.StringPtrOutput `pulumi:"oauth2DeviceCodeLifespan"` - Oauth2DevicePollingInterval pulumi.StringPtrOutput `pulumi:"oauth2DevicePollingInterval"` - PkceCodeChallengeMethod pulumi.StringPtrOutput `pulumi:"pkceCodeChallengeMethod"` - RealmId pulumi.StringOutput `pulumi:"realmId"` - ResourceServerId pulumi.StringOutput `pulumi:"resourceServerId"` - RootUrl pulumi.StringOutput `pulumi:"rootUrl"` - ServiceAccountUserId pulumi.StringOutput `pulumi:"serviceAccountUserId"` - ServiceAccountsEnabled pulumi.BoolOutput `pulumi:"serviceAccountsEnabled"` - StandardFlowEnabled pulumi.BoolOutput `pulumi:"standardFlowEnabled"` - UseRefreshTokens pulumi.BoolPtrOutput `pulumi:"useRefreshTokens"` - UseRefreshTokensClientCredentials pulumi.BoolPtrOutput `pulumi:"useRefreshTokensClientCredentials"` - ValidPostLogoutRedirectUris pulumi.StringArrayOutput `pulumi:"validPostLogoutRedirectUris"` - ValidRedirectUris pulumi.StringArrayOutput `pulumi:"validRedirectUris"` - WebOrigins pulumi.StringArrayOutput `pulumi:"webOrigins"` + // The amount of time in seconds before an access token expires. This will override the default for the realm. 
+ AccessTokenLifespan pulumi.StringOutput `pulumi:"accessTokenLifespan"` + // Specifies the type of client, which can be one of the following: + // - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + // This client should be used for applications using the Authorization Code or Client Credentials grant flows. + // - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + // URIs for security. This client should be used for applications using the Implicit grant flow. + // - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + AccessType pulumi.StringOutput `pulumi:"accessType"` + // URL to the admin interface of the client. + AdminUrl pulumi.StringOutput `pulumi:"adminUrl"` + // Override realm authentication flow bindings + AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesPtrOutput `pulumi:"authenticationFlowBindingOverrides"` + // When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments: + Authorization ClientAuthorizationPtrOutput `pulumi:"authorization"` + // Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + BackchannelLogoutRevokeOfflineSessions pulumi.BoolPtrOutput `pulumi:"backchannelLogoutRevokeOfflineSessions"` + // When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. 
+ BackchannelLogoutSessionRequired pulumi.BoolPtrOutput `pulumi:"backchannelLogoutSessionRequired"` + // The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + BackchannelLogoutUrl pulumi.StringPtrOutput `pulumi:"backchannelLogoutUrl"` + // Default URL to use when the auth server needs to redirect or link back to the client. + BaseUrl pulumi.StringOutput `pulumi:"baseUrl"` + // Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + // - `client-secret` (Default) Use client id and client secret to authenticate client. + // - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + // - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = ` + // - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + ClientAuthenticatorType pulumi.StringPtrOutput `pulumi:"clientAuthenticatorType"` + // The Client ID for this client, referenced in the URI during authentication and in issued tokens. + ClientId pulumi.StringOutput `pulumi:"clientId"` + // Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + ClientOfflineSessionIdleTimeout pulumi.StringOutput `pulumi:"clientOfflineSessionIdleTimeout"` + // Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. 
+ ClientOfflineSessionMaxLifespan pulumi.StringOutput `pulumi:"clientOfflineSessionMaxLifespan"` + // The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + ClientSecret pulumi.StringOutput `pulumi:"clientSecret"` + // Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + ClientSessionIdleTimeout pulumi.StringOutput `pulumi:"clientSessionIdleTimeout"` + // Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + ClientSessionMaxLifespan pulumi.StringOutput `pulumi:"clientSessionMaxLifespan"` + // When `true`, users have to consent to client access. Defaults to `false`. + ConsentRequired pulumi.BoolOutput `pulumi:"consentRequired"` + // The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`. + ConsentScreenText pulumi.StringOutput `pulumi:"consentScreenText"` + // The description of this client in the GUI. + Description pulumi.StringOutput `pulumi:"description"` + // When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + DirectAccessGrantsEnabled pulumi.BoolOutput `pulumi:"directAccessGrantsEnabled"` + // When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`. + DisplayOnConsentScreen pulumi.BoolOutput `pulumi:"displayOnConsentScreen"` + // When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. 
+ Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` + // When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response. + ExcludeSessionStateFromAuthResponse pulumi.BoolOutput `pulumi:"excludeSessionStateFromAuthResponse"` + ExtraConfig pulumi.StringMapOutput `pulumi:"extraConfig"` + // When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`. + FrontchannelLogoutEnabled pulumi.BoolOutput `pulumi:"frontchannelLogoutEnabled"` + // The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`. + FrontchannelLogoutUrl pulumi.StringPtrOutput `pulumi:"frontchannelLogoutUrl"` + // Allow to include all roles mappings in the access token. + FullScopeAllowed pulumi.BoolPtrOutput `pulumi:"fullScopeAllowed"` + // When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + ImplicitFlowEnabled pulumi.BoolOutput `pulumi:"implicitFlowEnabled"` + // When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + Import pulumi.BoolPtrOutput `pulumi:"import"` + // The client login theme. This will override the default theme for the realm. + LoginTheme pulumi.StringPtrOutput `pulumi:"loginTheme"` + // The display name of this client in the GUI. + Name pulumi.StringOutput `pulumi:"name"` + // Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. 
+ Oauth2DeviceAuthorizationGrantEnabled pulumi.BoolPtrOutput `pulumi:"oauth2DeviceAuthorizationGrantEnabled"` + // The maximum amount of time a client has to finish the device code flow before it expires. + Oauth2DeviceCodeLifespan pulumi.StringPtrOutput `pulumi:"oauth2DeviceCodeLifespan"` + // The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + Oauth2DevicePollingInterval pulumi.StringPtrOutput `pulumi:"oauth2DevicePollingInterval"` + // The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + PkceCodeChallengeMethod pulumi.StringPtrOutput `pulumi:"pkceCodeChallengeMethod"` + // The realm this client is attached to. + RealmId pulumi.StringOutput `pulumi:"realmId"` + // (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + ResourceServerId pulumi.StringOutput `pulumi:"resourceServerId"` + // When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required. + RootUrl pulumi.StringOutput `pulumi:"rootUrl"` + // (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + ServiceAccountUserId pulumi.StringOutput `pulumi:"serviceAccountUserId"` + // When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + ServiceAccountsEnabled pulumi.BoolOutput `pulumi:"serviceAccountsEnabled"` + // When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. 
+ StandardFlowEnabled pulumi.BoolOutput `pulumi:"standardFlowEnabled"` + // If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated. Defaults to `true`. + UseRefreshTokens pulumi.BoolPtrOutput `pulumi:"useRefreshTokens"` + // If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + UseRefreshTokensClientCredentials pulumi.BoolPtrOutput `pulumi:"useRefreshTokensClientCredentials"` + // A list of valid URIs a browser is permitted to redirect to after a successful logout. + ValidPostLogoutRedirectUris pulumi.StringArrayOutput `pulumi:"validPostLogoutRedirectUris"` + // A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + // wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` + // is set to `true`. + ValidRedirectUris pulumi.StringArrayOutput `pulumi:"validRedirectUris"` + // A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + WebOrigins pulumi.StringArrayOutput `pulumi:"webOrigins"` } // NewClient registers a new resource with the given unique name, arguments, and options. 
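Review bot: The new field comments on `ClientOfflineSessionIdleTimeout`/`ClientOfflineSessionMaxLifespan` and `ClientSessionIdleTimeout`/`ClientSessionMaxLifespan` in `type Client struct` appear swapped: the offline-session fields describe a plain client session falling back to the SSO Session Idle/Max values, while the non-offline fields describe offline sessions and offline tokens, so the two pairs of descriptions should be exchanged to match the field names, as this is exactly the text an operator reads when tuning token and session lifetimes. Two smaller issues in the same struct: the `BackchannelLogoutUrl` comment says "to the client is this case" (should be "in this case"), and the `WebOrigins` comment ends with a stray `"` after "explicitly add `*`.". `ExtraConfig` is the only field left without a comment, and the `Authorization` comment ends with "This block has the following arguments:" with nothing following. The same descriptions are repeated in the `clientState` struct of the next hunk, which runs past the end of this view; as the file looks generated, the fix presumably belongs in the upstream schema descriptions.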
@@ -200,101 +230,213 @@ func GetClient(ctx *pulumi.Context, // Input properties used for looking up and filtering Client resources. type clientState struct { - AccessTokenLifespan *string `pulumi:"accessTokenLifespan"` - AccessType *string `pulumi:"accessType"` - AdminUrl *string `pulumi:"adminUrl"` - AuthenticationFlowBindingOverrides *ClientAuthenticationFlowBindingOverrides `pulumi:"authenticationFlowBindingOverrides"` - Authorization *ClientAuthorization `pulumi:"authorization"` - BackchannelLogoutRevokeOfflineSessions *bool `pulumi:"backchannelLogoutRevokeOfflineSessions"` - BackchannelLogoutSessionRequired *bool `pulumi:"backchannelLogoutSessionRequired"` - BackchannelLogoutUrl *string `pulumi:"backchannelLogoutUrl"` - BaseUrl *string `pulumi:"baseUrl"` - ClientAuthenticatorType *string `pulumi:"clientAuthenticatorType"` - ClientId *string `pulumi:"clientId"` - ClientOfflineSessionIdleTimeout *string `pulumi:"clientOfflineSessionIdleTimeout"` - ClientOfflineSessionMaxLifespan *string `pulumi:"clientOfflineSessionMaxLifespan"` - ClientSecret *string `pulumi:"clientSecret"` - ClientSessionIdleTimeout *string `pulumi:"clientSessionIdleTimeout"` - ClientSessionMaxLifespan *string `pulumi:"clientSessionMaxLifespan"` - ConsentRequired *bool `pulumi:"consentRequired"` - ConsentScreenText *string `pulumi:"consentScreenText"` - Description *string `pulumi:"description"` - DirectAccessGrantsEnabled *bool `pulumi:"directAccessGrantsEnabled"` - DisplayOnConsentScreen *bool `pulumi:"displayOnConsentScreen"` - Enabled *bool `pulumi:"enabled"` - ExcludeSessionStateFromAuthResponse *bool `pulumi:"excludeSessionStateFromAuthResponse"` - ExtraConfig map[string]string `pulumi:"extraConfig"` - FrontchannelLogoutEnabled *bool `pulumi:"frontchannelLogoutEnabled"` - FrontchannelLogoutUrl *string `pulumi:"frontchannelLogoutUrl"` - FullScopeAllowed *bool `pulumi:"fullScopeAllowed"` - ImplicitFlowEnabled *bool `pulumi:"implicitFlowEnabled"` - Import *bool `pulumi:"import"` - 
LoginTheme *string `pulumi:"loginTheme"` - Name *string `pulumi:"name"` - Oauth2DeviceAuthorizationGrantEnabled *bool `pulumi:"oauth2DeviceAuthorizationGrantEnabled"` - Oauth2DeviceCodeLifespan *string `pulumi:"oauth2DeviceCodeLifespan"` - Oauth2DevicePollingInterval *string `pulumi:"oauth2DevicePollingInterval"` - PkceCodeChallengeMethod *string `pulumi:"pkceCodeChallengeMethod"` - RealmId *string `pulumi:"realmId"` - ResourceServerId *string `pulumi:"resourceServerId"` - RootUrl *string `pulumi:"rootUrl"` - ServiceAccountUserId *string `pulumi:"serviceAccountUserId"` - ServiceAccountsEnabled *bool `pulumi:"serviceAccountsEnabled"` - StandardFlowEnabled *bool `pulumi:"standardFlowEnabled"` - UseRefreshTokens *bool `pulumi:"useRefreshTokens"` - UseRefreshTokensClientCredentials *bool `pulumi:"useRefreshTokensClientCredentials"` - ValidPostLogoutRedirectUris []string `pulumi:"validPostLogoutRedirectUris"` - ValidRedirectUris []string `pulumi:"validRedirectUris"` - WebOrigins []string `pulumi:"webOrigins"` + // The amount of time in seconds before an access token expires. This will override the default for the realm. + AccessTokenLifespan *string `pulumi:"accessTokenLifespan"` + // Specifies the type of client, which can be one of the following: + // - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + // This client should be used for applications using the Authorization Code or Client Credentials grant flows. + // - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + // URIs for security. This client should be used for applications using the Implicit grant flow. + // - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + AccessType *string `pulumi:"accessType"` + // URL to the admin interface of the client. 
+ AdminUrl *string `pulumi:"adminUrl"` + // Override realm authentication flow bindings + AuthenticationFlowBindingOverrides *ClientAuthenticationFlowBindingOverrides `pulumi:"authenticationFlowBindingOverrides"` + // When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments: + Authorization *ClientAuthorization `pulumi:"authorization"` + // Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + BackchannelLogoutRevokeOfflineSessions *bool `pulumi:"backchannelLogoutRevokeOfflineSessions"` + // When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + BackchannelLogoutSessionRequired *bool `pulumi:"backchannelLogoutSessionRequired"` + // The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + BackchannelLogoutUrl *string `pulumi:"backchannelLogoutUrl"` + // Default URL to use when the auth server needs to redirect or link back to the client. + BaseUrl *string `pulumi:"baseUrl"` + // Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + // - `client-secret` (Default) Use client id and client secret to authenticate client. + // - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + // - `client-x509` Use x509 certificate to authenticate client. 
Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = ` + // - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + ClientAuthenticatorType *string `pulumi:"clientAuthenticatorType"` + // The Client ID for this client, referenced in the URI during authentication and in issued tokens. + ClientId *string `pulumi:"clientId"` + // Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + ClientOfflineSessionIdleTimeout *string `pulumi:"clientOfflineSessionIdleTimeout"` + // Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + ClientOfflineSessionMaxLifespan *string `pulumi:"clientOfflineSessionMaxLifespan"` + // The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + ClientSecret *string `pulumi:"clientSecret"` + // Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + ClientSessionIdleTimeout *string `pulumi:"clientSessionIdleTimeout"` + // Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + ClientSessionMaxLifespan *string `pulumi:"clientSessionMaxLifespan"` + // When `true`, users have to consent to client access. Defaults to `false`. + ConsentRequired *bool `pulumi:"consentRequired"` + // The text to display on the consent screen about permissions specific to this client. 
This is applicable only when `displayOnConsentScreen` is `true`. + ConsentScreenText *string `pulumi:"consentScreenText"` + // The description of this client in the GUI. + Description *string `pulumi:"description"` + // When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + DirectAccessGrantsEnabled *bool `pulumi:"directAccessGrantsEnabled"` + // When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`. + DisplayOnConsentScreen *bool `pulumi:"displayOnConsentScreen"` + // When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + Enabled *bool `pulumi:"enabled"` + // When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response. + ExcludeSessionStateFromAuthResponse *bool `pulumi:"excludeSessionStateFromAuthResponse"` + ExtraConfig map[string]string `pulumi:"extraConfig"` + // When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`. + FrontchannelLogoutEnabled *bool `pulumi:"frontchannelLogoutEnabled"` + // The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`. + FrontchannelLogoutUrl *string `pulumi:"frontchannelLogoutUrl"` + // Allow to include all roles mappings in the access token. + FullScopeAllowed *bool `pulumi:"fullScopeAllowed"` + // When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + ImplicitFlowEnabled *bool `pulumi:"implicitFlowEnabled"` + // When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. 
Note, that the client will not be removed during destruction if `import` is `true`. + Import *bool `pulumi:"import"` + // The client login theme. This will override the default theme for the realm. + LoginTheme *string `pulumi:"loginTheme"` + // The display name of this client in the GUI. + Name *string `pulumi:"name"` + // Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + Oauth2DeviceAuthorizationGrantEnabled *bool `pulumi:"oauth2DeviceAuthorizationGrantEnabled"` + // The maximum amount of time a client has to finish the device code flow before it expires. + Oauth2DeviceCodeLifespan *string `pulumi:"oauth2DeviceCodeLifespan"` + // The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + Oauth2DevicePollingInterval *string `pulumi:"oauth2DevicePollingInterval"` + // The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + PkceCodeChallengeMethod *string `pulumi:"pkceCodeChallengeMethod"` + // The realm this client is attached to. + RealmId *string `pulumi:"realmId"` + // (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + ResourceServerId *string `pulumi:"resourceServerId"` + // When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required. + RootUrl *string `pulumi:"rootUrl"` + // (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. 
+ ServiceAccountUserId *string `pulumi:"serviceAccountUserId"` + // When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + ServiceAccountsEnabled *bool `pulumi:"serviceAccountsEnabled"` + // When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + StandardFlowEnabled *bool `pulumi:"standardFlowEnabled"` + // If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated. Defaults to `true`. + UseRefreshTokens *bool `pulumi:"useRefreshTokens"` + // If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + UseRefreshTokensClientCredentials *bool `pulumi:"useRefreshTokensClientCredentials"` + // A list of valid URIs a browser is permitted to redirect to after a successful logout. + ValidPostLogoutRedirectUris []string `pulumi:"validPostLogoutRedirectUris"` + // A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + // wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` + // is set to `true`. + ValidRedirectUris []string `pulumi:"validRedirectUris"` + // A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." 
+ WebOrigins []string `pulumi:"webOrigins"` } type ClientState struct { - AccessTokenLifespan pulumi.StringPtrInput - AccessType pulumi.StringPtrInput - AdminUrl pulumi.StringPtrInput - AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesPtrInput - Authorization ClientAuthorizationPtrInput + // The amount of time in seconds before an access token expires. This will override the default for the realm. + AccessTokenLifespan pulumi.StringPtrInput + // Specifies the type of client, which can be one of the following: + // - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + // This client should be used for applications using the Authorization Code or Client Credentials grant flows. + // - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + // URIs for security. This client should be used for applications using the Implicit grant flow. + // - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + AccessType pulumi.StringPtrInput + // URL to the admin interface of the client. + AdminUrl pulumi.StringPtrInput + // Override realm authentication flow bindings + AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesPtrInput + // When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments: + Authorization ClientAuthorizationPtrInput + // Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. 
BackchannelLogoutRevokeOfflineSessions pulumi.BoolPtrInput - BackchannelLogoutSessionRequired pulumi.BoolPtrInput - BackchannelLogoutUrl pulumi.StringPtrInput - BaseUrl pulumi.StringPtrInput - ClientAuthenticatorType pulumi.StringPtrInput - ClientId pulumi.StringPtrInput - ClientOfflineSessionIdleTimeout pulumi.StringPtrInput - ClientOfflineSessionMaxLifespan pulumi.StringPtrInput - ClientSecret pulumi.StringPtrInput - ClientSessionIdleTimeout pulumi.StringPtrInput - ClientSessionMaxLifespan pulumi.StringPtrInput - ConsentRequired pulumi.BoolPtrInput - ConsentScreenText pulumi.StringPtrInput - Description pulumi.StringPtrInput - DirectAccessGrantsEnabled pulumi.BoolPtrInput - DisplayOnConsentScreen pulumi.BoolPtrInput - Enabled pulumi.BoolPtrInput - ExcludeSessionStateFromAuthResponse pulumi.BoolPtrInput - ExtraConfig pulumi.StringMapInput - FrontchannelLogoutEnabled pulumi.BoolPtrInput - FrontchannelLogoutUrl pulumi.StringPtrInput - FullScopeAllowed pulumi.BoolPtrInput - ImplicitFlowEnabled pulumi.BoolPtrInput - Import pulumi.BoolPtrInput - LoginTheme pulumi.StringPtrInput - Name pulumi.StringPtrInput - Oauth2DeviceAuthorizationGrantEnabled pulumi.BoolPtrInput - Oauth2DeviceCodeLifespan pulumi.StringPtrInput - Oauth2DevicePollingInterval pulumi.StringPtrInput - PkceCodeChallengeMethod pulumi.StringPtrInput - RealmId pulumi.StringPtrInput - ResourceServerId pulumi.StringPtrInput - RootUrl pulumi.StringPtrInput - ServiceAccountUserId pulumi.StringPtrInput - ServiceAccountsEnabled pulumi.BoolPtrInput - StandardFlowEnabled pulumi.BoolPtrInput - UseRefreshTokens pulumi.BoolPtrInput - UseRefreshTokensClientCredentials pulumi.BoolPtrInput - ValidPostLogoutRedirectUris pulumi.StringArrayInput - ValidRedirectUris pulumi.StringArrayInput - WebOrigins pulumi.StringArrayInput + // When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. 
+ BackchannelLogoutSessionRequired pulumi.BoolPtrInput + // The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + BackchannelLogoutUrl pulumi.StringPtrInput + // Default URL to use when the auth server needs to redirect or link back to the client. + BaseUrl pulumi.StringPtrInput + // Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + // - `client-secret` (Default) Use client id and client secret to authenticate client. + // - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + // - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = ` + // - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + ClientAuthenticatorType pulumi.StringPtrInput + // The Client ID for this client, referenced in the URI during authentication and in issued tokens. + ClientId pulumi.StringPtrInput + // Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + ClientOfflineSessionIdleTimeout pulumi.StringPtrInput + // Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + ClientOfflineSessionMaxLifespan pulumi.StringPtrInput + // The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. 
+ ClientSecret pulumi.StringPtrInput + // Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + ClientSessionIdleTimeout pulumi.StringPtrInput + // Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + ClientSessionMaxLifespan pulumi.StringPtrInput + // When `true`, users have to consent to client access. Defaults to `false`. + ConsentRequired pulumi.BoolPtrInput + // The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`. + ConsentScreenText pulumi.StringPtrInput + // The description of this client in the GUI. + Description pulumi.StringPtrInput + // When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + DirectAccessGrantsEnabled pulumi.BoolPtrInput + // When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`. + DisplayOnConsentScreen pulumi.BoolPtrInput + // When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + Enabled pulumi.BoolPtrInput + // When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response. + ExcludeSessionStateFromAuthResponse pulumi.BoolPtrInput + ExtraConfig pulumi.StringMapInput + // When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`. + FrontchannelLogoutEnabled pulumi.BoolPtrInput + // The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`. 
+ FrontchannelLogoutUrl pulumi.StringPtrInput + // Allow to include all roles mappings in the access token. + FullScopeAllowed pulumi.BoolPtrInput + // When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + ImplicitFlowEnabled pulumi.BoolPtrInput + // When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + Import pulumi.BoolPtrInput + // The client login theme. This will override the default theme for the realm. + LoginTheme pulumi.StringPtrInput + // The display name of this client in the GUI. + Name pulumi.StringPtrInput + // Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + Oauth2DeviceAuthorizationGrantEnabled pulumi.BoolPtrInput + // The maximum amount of time a client has to finish the device code flow before it expires. + Oauth2DeviceCodeLifespan pulumi.StringPtrInput + // The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + Oauth2DevicePollingInterval pulumi.StringPtrInput + // The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + PkceCodeChallengeMethod pulumi.StringPtrInput + // The realm this client is attached to. + RealmId pulumi.StringPtrInput + // (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). 
+ ResourceServerId pulumi.StringPtrInput + // When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required. + RootUrl pulumi.StringPtrInput + // (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + ServiceAccountUserId pulumi.StringPtrInput + // When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + ServiceAccountsEnabled pulumi.BoolPtrInput + // When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + StandardFlowEnabled pulumi.BoolPtrInput + // If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated. Defaults to `true`. + UseRefreshTokens pulumi.BoolPtrInput + // If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + UseRefreshTokensClientCredentials pulumi.BoolPtrInput + // A list of valid URIs a browser is permitted to redirect to after a successful logout. + ValidPostLogoutRedirectUris pulumi.StringArrayInput + // A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + // wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` + // is set to `true`. + ValidRedirectUris pulumi.StringArrayInput + // A list of allowed CORS origins. 
To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + WebOrigins pulumi.StringArrayInput } func (ClientState) ElementType() reflect.Type { 
@@ -302,98 +444,206 @@ func (ClientState) ElementType() reflect.Type { } type clientArgs struct { - AccessTokenLifespan *string `pulumi:"accessTokenLifespan"` - AccessType string `pulumi:"accessType"` - AdminUrl *string `pulumi:"adminUrl"` - AuthenticationFlowBindingOverrides *ClientAuthenticationFlowBindingOverrides `pulumi:"authenticationFlowBindingOverrides"` - Authorization *ClientAuthorization `pulumi:"authorization"` - BackchannelLogoutRevokeOfflineSessions *bool `pulumi:"backchannelLogoutRevokeOfflineSessions"` - BackchannelLogoutSessionRequired *bool `pulumi:"backchannelLogoutSessionRequired"` - BackchannelLogoutUrl *string `pulumi:"backchannelLogoutUrl"` - BaseUrl *string `pulumi:"baseUrl"` - ClientAuthenticatorType *string `pulumi:"clientAuthenticatorType"` - ClientId string `pulumi:"clientId"` - ClientOfflineSessionIdleTimeout *string `pulumi:"clientOfflineSessionIdleTimeout"` - ClientOfflineSessionMaxLifespan *string `pulumi:"clientOfflineSessionMaxLifespan"` - ClientSecret *string `pulumi:"clientSecret"` - ClientSessionIdleTimeout *string `pulumi:"clientSessionIdleTimeout"` - ClientSessionMaxLifespan *string `pulumi:"clientSessionMaxLifespan"` - ConsentRequired *bool `pulumi:"consentRequired"` - ConsentScreenText *string `pulumi:"consentScreenText"` - Description *string `pulumi:"description"` - DirectAccessGrantsEnabled *bool `pulumi:"directAccessGrantsEnabled"` - DisplayOnConsentScreen *bool `pulumi:"displayOnConsentScreen"` - Enabled *bool `pulumi:"enabled"` - ExcludeSessionStateFromAuthResponse *bool `pulumi:"excludeSessionStateFromAuthResponse"` - ExtraConfig map[string]string `pulumi:"extraConfig"` - FrontchannelLogoutEnabled *bool `pulumi:"frontchannelLogoutEnabled"` - FrontchannelLogoutUrl *string `pulumi:"frontchannelLogoutUrl"` - FullScopeAllowed *bool `pulumi:"fullScopeAllowed"` - ImplicitFlowEnabled *bool `pulumi:"implicitFlowEnabled"` - Import *bool `pulumi:"import"` - LoginTheme *string `pulumi:"loginTheme"` - Name *string `pulumi:"name"` 
- Oauth2DeviceAuthorizationGrantEnabled *bool `pulumi:"oauth2DeviceAuthorizationGrantEnabled"` - Oauth2DeviceCodeLifespan *string `pulumi:"oauth2DeviceCodeLifespan"` - Oauth2DevicePollingInterval *string `pulumi:"oauth2DevicePollingInterval"` - PkceCodeChallengeMethod *string `pulumi:"pkceCodeChallengeMethod"` - RealmId string `pulumi:"realmId"` - RootUrl *string `pulumi:"rootUrl"` - ServiceAccountsEnabled *bool `pulumi:"serviceAccountsEnabled"` - StandardFlowEnabled *bool `pulumi:"standardFlowEnabled"` - UseRefreshTokens *bool `pulumi:"useRefreshTokens"` - UseRefreshTokensClientCredentials *bool `pulumi:"useRefreshTokensClientCredentials"` - ValidPostLogoutRedirectUris []string `pulumi:"validPostLogoutRedirectUris"` - ValidRedirectUris []string `pulumi:"validRedirectUris"` - WebOrigins []string `pulumi:"webOrigins"` + // The amount of time in seconds before an access token expires. This will override the default for the realm. + AccessTokenLifespan *string `pulumi:"accessTokenLifespan"` + // Specifies the type of client, which can be one of the following: + // - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + // This client should be used for applications using the Authorization Code or Client Credentials grant flows. + // - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + // URIs for security. This client should be used for applications using the Implicit grant flow. + // - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + AccessType string `pulumi:"accessType"` + // URL to the admin interface of the client. 
+ AdminUrl *string `pulumi:"adminUrl"` + // Override realm authentication flow bindings + AuthenticationFlowBindingOverrides *ClientAuthenticationFlowBindingOverrides `pulumi:"authenticationFlowBindingOverrides"` + // When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments: + Authorization *ClientAuthorization `pulumi:"authorization"` + // Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + BackchannelLogoutRevokeOfflineSessions *bool `pulumi:"backchannelLogoutRevokeOfflineSessions"` + // When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + BackchannelLogoutSessionRequired *bool `pulumi:"backchannelLogoutSessionRequired"` + // The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + BackchannelLogoutUrl *string `pulumi:"backchannelLogoutUrl"` + // Default URL to use when the auth server needs to redirect or link back to the client. + BaseUrl *string `pulumi:"baseUrl"` + // Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + // - `client-secret` (Default) Use client id and client secret to authenticate client. + // - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + // - `client-x509` Use x509 certificate to authenticate client. 
Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = ` + // - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + ClientAuthenticatorType *string `pulumi:"clientAuthenticatorType"` + // The Client ID for this client, referenced in the URI during authentication and in issued tokens. + ClientId string `pulumi:"clientId"` + // Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + ClientOfflineSessionIdleTimeout *string `pulumi:"clientOfflineSessionIdleTimeout"` + // Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + ClientOfflineSessionMaxLifespan *string `pulumi:"clientOfflineSessionMaxLifespan"` + // The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + ClientSecret *string `pulumi:"clientSecret"` + // Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + ClientSessionIdleTimeout *string `pulumi:"clientSessionIdleTimeout"` + // Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + ClientSessionMaxLifespan *string `pulumi:"clientSessionMaxLifespan"` + // When `true`, users have to consent to client access. Defaults to `false`. + ConsentRequired *bool `pulumi:"consentRequired"` + // The text to display on the consent screen about permissions specific to this client. 
This is applicable only when `displayOnConsentScreen` is `true`. + ConsentScreenText *string `pulumi:"consentScreenText"` + // The description of this client in the GUI. + Description *string `pulumi:"description"` + // When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + DirectAccessGrantsEnabled *bool `pulumi:"directAccessGrantsEnabled"` + // When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`. + DisplayOnConsentScreen *bool `pulumi:"displayOnConsentScreen"` + // When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + Enabled *bool `pulumi:"enabled"` + // When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response. + ExcludeSessionStateFromAuthResponse *bool `pulumi:"excludeSessionStateFromAuthResponse"` + ExtraConfig map[string]string `pulumi:"extraConfig"` + // When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`. + FrontchannelLogoutEnabled *bool `pulumi:"frontchannelLogoutEnabled"` + // The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`. + FrontchannelLogoutUrl *string `pulumi:"frontchannelLogoutUrl"` + // Allow to include all roles mappings in the access token. + FullScopeAllowed *bool `pulumi:"fullScopeAllowed"` + // When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + ImplicitFlowEnabled *bool `pulumi:"implicitFlowEnabled"` + // When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. 
Note, that the client will not be removed during destruction if `import` is `true`. + Import *bool `pulumi:"import"` + // The client login theme. This will override the default theme for the realm. + LoginTheme *string `pulumi:"loginTheme"` + // The display name of this client in the GUI. + Name *string `pulumi:"name"` + // Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + Oauth2DeviceAuthorizationGrantEnabled *bool `pulumi:"oauth2DeviceAuthorizationGrantEnabled"` + // The maximum amount of time a client has to finish the device code flow before it expires. + Oauth2DeviceCodeLifespan *string `pulumi:"oauth2DeviceCodeLifespan"` + // The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + Oauth2DevicePollingInterval *string `pulumi:"oauth2DevicePollingInterval"` + // The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + PkceCodeChallengeMethod *string `pulumi:"pkceCodeChallengeMethod"` + // The realm this client is attached to. + RealmId string `pulumi:"realmId"` + // When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required. + RootUrl *string `pulumi:"rootUrl"` + // When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + ServiceAccountsEnabled *bool `pulumi:"serviceAccountsEnabled"` + // When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + StandardFlowEnabled *bool `pulumi:"standardFlowEnabled"` + // If this is `true`, a refreshToken will be created and added to the token response. 
If this is `false` then no refreshToken will be generated. Defaults to `true`. + UseRefreshTokens *bool `pulumi:"useRefreshTokens"` + // If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + UseRefreshTokensClientCredentials *bool `pulumi:"useRefreshTokensClientCredentials"` + // A list of valid URIs a browser is permitted to redirect to after a successful logout. + ValidPostLogoutRedirectUris []string `pulumi:"validPostLogoutRedirectUris"` + // A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + // wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` + // is set to `true`. + ValidRedirectUris []string `pulumi:"validRedirectUris"` + // A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + WebOrigins []string `pulumi:"webOrigins"` } // The set of arguments for constructing a Client resource. type ClientArgs struct { - AccessTokenLifespan pulumi.StringPtrInput - AccessType pulumi.StringInput - AdminUrl pulumi.StringPtrInput - AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesPtrInput - Authorization ClientAuthorizationPtrInput + // The amount of time in seconds before an access token expires. This will override the default for the realm. + AccessTokenLifespan pulumi.StringPtrInput + // Specifies the type of client, which can be one of the following: + // - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. 
+ // This client should be used for applications using the Authorization Code or Client Credentials grant flows. + // - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + // URIs for security. This client should be used for applications using the Implicit grant flow. + // - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + AccessType pulumi.StringInput + // URL to the admin interface of the client. + AdminUrl pulumi.StringPtrInput + // Override realm authentication flow bindings + AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesPtrInput + // When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments: + Authorization ClientAuthorizationPtrInput + // Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. 
BackchannelLogoutRevokeOfflineSessions pulumi.BoolPtrInput - BackchannelLogoutSessionRequired pulumi.BoolPtrInput - BackchannelLogoutUrl pulumi.StringPtrInput - BaseUrl pulumi.StringPtrInput - ClientAuthenticatorType pulumi.StringPtrInput - ClientId pulumi.StringInput - ClientOfflineSessionIdleTimeout pulumi.StringPtrInput - ClientOfflineSessionMaxLifespan pulumi.StringPtrInput - ClientSecret pulumi.StringPtrInput - ClientSessionIdleTimeout pulumi.StringPtrInput - ClientSessionMaxLifespan pulumi.StringPtrInput - ConsentRequired pulumi.BoolPtrInput - ConsentScreenText pulumi.StringPtrInput - Description pulumi.StringPtrInput - DirectAccessGrantsEnabled pulumi.BoolPtrInput - DisplayOnConsentScreen pulumi.BoolPtrInput - Enabled pulumi.BoolPtrInput - ExcludeSessionStateFromAuthResponse pulumi.BoolPtrInput - ExtraConfig pulumi.StringMapInput - FrontchannelLogoutEnabled pulumi.BoolPtrInput - FrontchannelLogoutUrl pulumi.StringPtrInput - FullScopeAllowed pulumi.BoolPtrInput - ImplicitFlowEnabled pulumi.BoolPtrInput - Import pulumi.BoolPtrInput - LoginTheme pulumi.StringPtrInput - Name pulumi.StringPtrInput - Oauth2DeviceAuthorizationGrantEnabled pulumi.BoolPtrInput - Oauth2DeviceCodeLifespan pulumi.StringPtrInput - Oauth2DevicePollingInterval pulumi.StringPtrInput - PkceCodeChallengeMethod pulumi.StringPtrInput - RealmId pulumi.StringInput - RootUrl pulumi.StringPtrInput - ServiceAccountsEnabled pulumi.BoolPtrInput - StandardFlowEnabled pulumi.BoolPtrInput - UseRefreshTokens pulumi.BoolPtrInput - UseRefreshTokensClientCredentials pulumi.BoolPtrInput - ValidPostLogoutRedirectUris pulumi.StringArrayInput - ValidRedirectUris pulumi.StringArrayInput - WebOrigins pulumi.StringArrayInput + // When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. 
+ BackchannelLogoutSessionRequired pulumi.BoolPtrInput + // The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + BackchannelLogoutUrl pulumi.StringPtrInput + // Default URL to use when the auth server needs to redirect or link back to the client. + BaseUrl pulumi.StringPtrInput + // Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + // - `client-secret` (Default) Use client id and client secret to authenticate client. + // - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + // - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = ` + // - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + ClientAuthenticatorType pulumi.StringPtrInput + // The Client ID for this client, referenced in the URI during authentication and in issued tokens. + ClientId pulumi.StringInput + // Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + ClientOfflineSessionIdleTimeout pulumi.StringPtrInput + // Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + ClientOfflineSessionMaxLifespan pulumi.StringPtrInput + // The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. 
+ ClientSecret pulumi.StringPtrInput + // Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + ClientSessionIdleTimeout pulumi.StringPtrInput + // Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + ClientSessionMaxLifespan pulumi.StringPtrInput + // When `true`, users have to consent to client access. Defaults to `false`. + ConsentRequired pulumi.BoolPtrInput + // The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`. + ConsentScreenText pulumi.StringPtrInput + // The description of this client in the GUI. + Description pulumi.StringPtrInput + // When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + DirectAccessGrantsEnabled pulumi.BoolPtrInput + // When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`. + DisplayOnConsentScreen pulumi.BoolPtrInput + // When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + Enabled pulumi.BoolPtrInput + // When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response. + ExcludeSessionStateFromAuthResponse pulumi.BoolPtrInput + ExtraConfig pulumi.StringMapInput + // When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`. + FrontchannelLogoutEnabled pulumi.BoolPtrInput + // The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`. 
+ FrontchannelLogoutUrl pulumi.StringPtrInput + // Allow to include all roles mappings in the access token. + FullScopeAllowed pulumi.BoolPtrInput + // When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + ImplicitFlowEnabled pulumi.BoolPtrInput + // When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + Import pulumi.BoolPtrInput + // The client login theme. This will override the default theme for the realm. + LoginTheme pulumi.StringPtrInput + // The display name of this client in the GUI. + Name pulumi.StringPtrInput + // Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + Oauth2DeviceAuthorizationGrantEnabled pulumi.BoolPtrInput + // The maximum amount of time a client has to finish the device code flow before it expires. + Oauth2DeviceCodeLifespan pulumi.StringPtrInput + // The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + Oauth2DevicePollingInterval pulumi.StringPtrInput + // The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + PkceCodeChallengeMethod pulumi.StringPtrInput + // The realm this client is attached to. + RealmId pulumi.StringInput + // When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required. 
+ RootUrl pulumi.StringPtrInput + // When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + ServiceAccountsEnabled pulumi.BoolPtrInput + // When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + StandardFlowEnabled pulumi.BoolPtrInput + // If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated. Defaults to `true`. + UseRefreshTokens pulumi.BoolPtrInput + // If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + UseRefreshTokensClientCredentials pulumi.BoolPtrInput + // A list of valid URIs a browser is permitted to redirect to after a successful logout. + ValidPostLogoutRedirectUris pulumi.StringArrayInput + // A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + // wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` + // is set to `true`. + ValidRedirectUris pulumi.StringArrayInput + // A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + WebOrigins pulumi.StringArrayInput } func (ClientArgs) ElementType() reflect.Type { 
@@ -483,96 +733,128 @@ func (o ClientOutput) ToClientOutputWithContext(ctx context.Context) ClientOutpu return o } +// The amount of time in seconds before an access token expires. This will override the default for the realm. func (o ClientOutput) AccessTokenLifespan() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.AccessTokenLifespan }).(pulumi.StringOutput) } +// Specifies the type of client, which can be one of the following: +// - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. +// This client should be used for applications using the Authorization Code or Client Credentials grant flows. +// - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect +// URIs for security. This client should be used for applications using the Implicit grant flow. +// - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. func (o ClientOutput) AccessType() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.AccessType }).(pulumi.StringOutput) } +// URL to the admin interface of the client. func (o ClientOutput) AdminUrl() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.AdminUrl }).(pulumi.StringOutput) } +// Override realm authentication flow bindings func (o ClientOutput) AuthenticationFlowBindingOverrides() ClientAuthenticationFlowBindingOverridesPtrOutput { return o.ApplyT(func(v *Client) ClientAuthenticationFlowBindingOverridesPtrOutput { return v.AuthenticationFlowBindingOverrides }).(ClientAuthenticationFlowBindingOverridesPtrOutput) } +// When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. 
This block has the following arguments: func (o ClientOutput) Authorization() ClientAuthorizationPtrOutput { return o.ApplyT(func(v *Client) ClientAuthorizationPtrOutput { return v.Authorization }).(ClientAuthorizationPtrOutput) } +// Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. func (o ClientOutput) BackchannelLogoutRevokeOfflineSessions() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.BackchannelLogoutRevokeOfflineSessions }).(pulumi.BoolPtrOutput) } +// When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. func (o ClientOutput) BackchannelLogoutSessionRequired() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.BackchannelLogoutSessionRequired }).(pulumi.BoolPtrOutput) } +// The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. func (o ClientOutput) BackchannelLogoutUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.BackchannelLogoutUrl }).(pulumi.StringPtrOutput) } +// Default URL to use when the auth server needs to redirect or link back to the client. func (o ClientOutput) BaseUrl() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.BaseUrl }).(pulumi.StringOutput) } +// Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: +// - `client-secret` (Default) Use client id and client secret to authenticate client. +// - `client-jwt` Use signed JWT to authenticate client. 
Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` +// - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = ` +// - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` func (o ClientOutput) ClientAuthenticatorType() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.ClientAuthenticatorType }).(pulumi.StringPtrOutput) } +// The Client ID for this client, referenced in the URI during authentication and in issued tokens. func (o ClientOutput) ClientId() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ClientId }).(pulumi.StringOutput) } +// Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. func (o ClientOutput) ClientOfflineSessionIdleTimeout() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ClientOfflineSessionIdleTimeout }).(pulumi.StringOutput) } +// Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. func (o ClientOutput) ClientOfflineSessionMaxLifespan() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ClientOfflineSessionMaxLifespan }).(pulumi.StringOutput) } +// The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. 
func (o ClientOutput) ClientSecret() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ClientSecret }).(pulumi.StringOutput) } +// Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. func (o ClientOutput) ClientSessionIdleTimeout() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ClientSessionIdleTimeout }).(pulumi.StringOutput) } +// Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. func (o ClientOutput) ClientSessionMaxLifespan() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ClientSessionMaxLifespan }).(pulumi.StringOutput) } +// When `true`, users have to consent to client access. Defaults to `false`. func (o ClientOutput) ConsentRequired() pulumi.BoolOutput { return o.ApplyT(func(v *Client) pulumi.BoolOutput { return v.ConsentRequired }).(pulumi.BoolOutput) } +// The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`. func (o ClientOutput) ConsentScreenText() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ConsentScreenText }).(pulumi.StringOutput) } +// The description of this client in the GUI. func (o ClientOutput) Description() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.Description }).(pulumi.StringOutput) } +// When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. 
func (o ClientOutput) DirectAccessGrantsEnabled() pulumi.BoolOutput { return o.ApplyT(func(v *Client) pulumi.BoolOutput { return v.DirectAccessGrantsEnabled }).(pulumi.BoolOutput) } +// When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`. func (o ClientOutput) DisplayOnConsentScreen() pulumi.BoolOutput { return o.ApplyT(func(v *Client) pulumi.BoolOutput { return v.DisplayOnConsentScreen }).(pulumi.BoolOutput) } +// When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. func (o ClientOutput) Enabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.Enabled }).(pulumi.BoolPtrOutput) } +// When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response. func (o ClientOutput) ExcludeSessionStateFromAuthResponse() pulumi.BoolOutput { return o.ApplyT(func(v *Client) pulumi.BoolOutput { return v.ExcludeSessionStateFromAuthResponse }).(pulumi.BoolOutput) } 
@@ -581,90 +863,114 @@ func (o ClientOutput) ExtraConfig() pulumi.StringMapOutput { return o.ApplyT(func(v *Client) pulumi.StringMapOutput { return v.ExtraConfig }).(pulumi.StringMapOutput) } +// When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`. func (o ClientOutput) FrontchannelLogoutEnabled() pulumi.BoolOutput { return o.ApplyT(func(v *Client) pulumi.BoolOutput { return v.FrontchannelLogoutEnabled }).(pulumi.BoolOutput) } +// The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`. func (o ClientOutput) FrontchannelLogoutUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.FrontchannelLogoutUrl }).(pulumi.StringPtrOutput) } +// Allow to include all roles mappings in the access token. func (o ClientOutput) FullScopeAllowed() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.FullScopeAllowed }).(pulumi.BoolPtrOutput) } +// When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. func (o ClientOutput) ImplicitFlowEnabled() pulumi.BoolOutput { return o.ApplyT(func(v *Client) pulumi.BoolOutput { return v.ImplicitFlowEnabled }).(pulumi.BoolOutput) } +// When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. func (o ClientOutput) Import() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.Import }).(pulumi.BoolPtrOutput) } +// The client login theme. This will override the default theme for the realm. 
func (o ClientOutput) LoginTheme() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.LoginTheme }).(pulumi.StringPtrOutput) } +// The display name of this client in the GUI. func (o ClientOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } +// Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. func (o ClientOutput) Oauth2DeviceAuthorizationGrantEnabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.Oauth2DeviceAuthorizationGrantEnabled }).(pulumi.BoolPtrOutput) } +// The maximum amount of time a client has to finish the device code flow before it expires. func (o ClientOutput) Oauth2DeviceCodeLifespan() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.Oauth2DeviceCodeLifespan }).(pulumi.StringPtrOutput) } +// The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. func (o ClientOutput) Oauth2DevicePollingInterval() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.Oauth2DevicePollingInterval }).(pulumi.StringPtrOutput) } +// The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value “. func (o ClientOutput) PkceCodeChallengeMethod() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.PkceCodeChallengeMethod }).(pulumi.StringPtrOutput) } +// The realm this client is attached to. 
func (o ClientOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). func (o ClientOutput) ResourceServerId() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ResourceServerId }).(pulumi.StringOutput) } +// When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required. func (o ClientOutput) RootUrl() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.RootUrl }).(pulumi.StringOutput) } +// (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. func (o ClientOutput) ServiceAccountUserId() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ServiceAccountUserId }).(pulumi.StringOutput) } +// When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. func (o ClientOutput) ServiceAccountsEnabled() pulumi.BoolOutput { return o.ApplyT(func(v *Client) pulumi.BoolOutput { return v.ServiceAccountsEnabled }).(pulumi.BoolOutput) } +// When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. func (o ClientOutput) StandardFlowEnabled() pulumi.BoolOutput { return o.ApplyT(func(v *Client) pulumi.BoolOutput { return v.StandardFlowEnabled }).(pulumi.BoolOutput) } +// If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated. Defaults to `true`. 
func (o ClientOutput) UseRefreshTokens() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.UseRefreshTokens }).(pulumi.BoolPtrOutput) } +// If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. func (o ClientOutput) UseRefreshTokensClientCredentials() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.UseRefreshTokensClientCredentials }).(pulumi.BoolPtrOutput) } +// A list of valid URIs a browser is permitted to redirect to after a successful logout. func (o ClientOutput) ValidPostLogoutRedirectUris() pulumi.StringArrayOutput { return o.ApplyT(func(v *Client) pulumi.StringArrayOutput { return v.ValidPostLogoutRedirectUris }).(pulumi.StringArrayOutput) } +// A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple +// wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` +// is set to `true`. func (o ClientOutput) ValidRedirectUris() pulumi.StringArrayOutput { return o.ApplyT(func(v *Client) pulumi.StringArrayOutput { return v.ValidRedirectUris }).(pulumi.StringArrayOutput) } +// A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." func (o ClientOutput) WebOrigins() pulumi.StringArrayOutput { return o.ApplyT(func(v *Client) pulumi.StringArrayOutput { return v.WebOrigins }).(pulumi.StringArrayOutput) } diff --git a/sdk/go/keycloak/openid/clientDefaultScopes.go b/sdk/go/keycloak/openid/clientDefaultScopes.go index ac871c32..52bae770 100644 
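Review bot: The new doc comment on PkceCodeChallengeMethod ends with `or set to empty value “.` — the empty-string literal has been garbled into a single smart quote, so the rendered godoc no longer states what the third accepted value is; it should end with `or set to the empty string ""`, and since RFC 7636 permits `plain` only for clients that cannot support S256, the same sentence is the natural place to tell operators to prefer `S256`. The WebOrigins comment at the end of the hunk also carries a stray trailing `"` after `explicitly add `*`.`. Both comments appear to be copied verbatim from the upstream provider docs into a generated SDK file, so the correction presumably belongs in the documentation source rather than in this file directly.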
--- a/sdk/go/keycloak/openid/clientDefaultScopes.go
+++ b/sdk/go/keycloak/openid/clientDefaultScopes.go
@@ -69,24 +69,20 @@ import (
 //
 // ```
 //
-// ### Argument Reference
-//
-// The following arguments are supported:
-//
-// - `realmId` - (Required) The realm this client and scopes exists in.
-// - `clientId` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
-// - `defaultScopes` - (Required) An array of client scope names to attach to this client.
-//
-// ### Import
+// ## Import
 //
 // This resource does not support import. Instead of importing, feel free to create this resource
+//
 // as if it did not already exist on the server.
 type ClientDefaultScopes struct {
 pulumi.CustomResourceState
- ClientId pulumi.StringOutput `pulumi:"clientId"`
+ // The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId pulumi.StringOutput `pulumi:"clientId"`
+ // An array of client scope names to attach to this client.
 DefaultScopes pulumi.StringArrayOutput `pulumi:"defaultScopes"`
- RealmId pulumi.StringOutput `pulumi:"realmId"`
+ // The realm this client and scopes exists in.
+ RealmId pulumi.StringOutput `pulumi:"realmId"`
 }
 // NewClientDefaultScopes registers a new resource with the given unique name, arguments, and options.
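Review bot: The added `+//` line in the Import section lands in the middle of a sentence (`... feel free to create this resource` / `//` / `as if it did not already exist on the server.`), and an empty `//` line starts a new paragraph in godoc, so the rendered text now breaks that sentence in two. The same mid-sentence blank comment line is added in the matching Import hunk of clientOptionalScopes.go, in the clientScope.go Import paragraph (`... the unique ID that Keycloak` / `//` / `assigns to the client scope upon creation ...`), and between the bullets of the import-format list in fullNameProtocolMapper.go. Dropping those `//` lines, or rejoining the two halves on one line, restores the paragraphs. The recurring field comment `// The realm this client and scopes exists in.` should also read `exist in`. These look like generated SDK files, so the fix presumably belongs in the upstream documentation source or the generator rather than in this file directly.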
@@ -128,15 +124,21 @@ func GetClientDefaultScopes(ctx *pulumi.Context,
 // Input properties used for looking up and filtering ClientDefaultScopes resources.
 type clientDefaultScopesState struct {
- ClientId *string `pulumi:"clientId"`
+ // The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId *string `pulumi:"clientId"`
+ // An array of client scope names to attach to this client.
 DefaultScopes []string `pulumi:"defaultScopes"`
- RealmId *string `pulumi:"realmId"`
+ // The realm this client and scopes exists in.
+ RealmId *string `pulumi:"realmId"`
 }
 type ClientDefaultScopesState struct {
- ClientId pulumi.StringPtrInput
+ // The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId pulumi.StringPtrInput
+ // An array of client scope names to attach to this client.
 DefaultScopes pulumi.StringArrayInput
- RealmId pulumi.StringPtrInput
+ // The realm this client and scopes exists in.
+ RealmId pulumi.StringPtrInput
 }
 func (ClientDefaultScopesState) ElementType() reflect.Type {
@@ -144,16 +146,22 @@ func (ClientDefaultScopesState) ElementType() reflect.Type {
 }
 type clientDefaultScopesArgs struct {
- ClientId string `pulumi:"clientId"`
+ // The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId string `pulumi:"clientId"`
+ // An array of client scope names to attach to this client.
 DefaultScopes []string `pulumi:"defaultScopes"`
- RealmId string `pulumi:"realmId"`
+ // The realm this client and scopes exists in.
+ RealmId string `pulumi:"realmId"`
 }
 // The set of arguments for constructing a ClientDefaultScopes resource.
 type ClientDefaultScopesArgs struct {
- ClientId pulumi.StringInput
+ // The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId pulumi.StringInput
+ // An array of client scope names to attach to this client.
 DefaultScopes pulumi.StringArrayInput
- RealmId pulumi.StringInput
+ // The realm this client and scopes exists in.
+ RealmId pulumi.StringInput
 }
 func (ClientDefaultScopesArgs) ElementType() reflect.Type {
@@ -243,14 +251,17 @@ func (o ClientDefaultScopesOutput) ToClientDefaultScopesOutputWithContext(ctx co
 return o
 }
+// The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
 func (o ClientDefaultScopesOutput) ClientId() pulumi.StringOutput {
 return o.ApplyT(func(v *ClientDefaultScopes) pulumi.StringOutput { return v.ClientId }).(pulumi.StringOutput)
 }
+// An array of client scope names to attach to this client.
 func (o ClientDefaultScopesOutput) DefaultScopes() pulumi.StringArrayOutput {
 return o.ApplyT(func(v *ClientDefaultScopes) pulumi.StringArrayOutput { return v.DefaultScopes }).(pulumi.StringArrayOutput)
 }
+// The realm this client and scopes exists in.
 func (o ClientDefaultScopesOutput) RealmId() pulumi.StringOutput {
 return o.ApplyT(func(v *ClientDefaultScopes) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput)
 }
diff --git a/sdk/go/keycloak/openid/clientOptionalScopes.go b/sdk/go/keycloak/openid/clientOptionalScopes.go
index 19121232..c4a272b8 100644
--- a/sdk/go/keycloak/openid/clientOptionalScopes.go
+++ b/sdk/go/keycloak/openid/clientOptionalScopes.go
@@ -56,6 +56,7 @@ import (
 // pulumi.String("address"),
 // pulumi.String("phone"),
 // pulumi.String("offline_access"),
+// pulumi.String("microprofile-jwt"),
 // clientScope.Name,
 // },
 // })
@@ -68,24 +69,20 @@ import (
 //
 // ```
 //
-// ### Argument Reference
-//
-// The following arguments are supported:
-//
-// - `realmId` - (Required) The realm this client and scopes exists in.
-// - `clientId` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.
-// - `optionalScopes` - (Required) An array of client scope names to attach to this client as optional scopes.
-//
-// ### Import
+// ## Import
 //
 // This resource does not support import. Instead of importing, feel free to create this resource
+//
 // as if it did not already exist on the server.
 type ClientOptionalScopes struct {
 pulumi.CustomResourceState
- ClientId pulumi.StringOutput `pulumi:"clientId"`
+ // The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId pulumi.StringOutput `pulumi:"clientId"`
+ // An array of client scope names to attach to this client as optional scopes.
 OptionalScopes pulumi.StringArrayOutput `pulumi:"optionalScopes"`
- RealmId pulumi.StringOutput `pulumi:"realmId"`
+ // The realm this client and scopes exists in.
+ RealmId pulumi.StringOutput `pulumi:"realmId"`
 }
 // NewClientOptionalScopes registers a new resource with the given unique name, arguments, and options.
@@ -127,15 +124,21 @@ func GetClientOptionalScopes(ctx *pulumi.Context,
 // Input properties used for looking up and filtering ClientOptionalScopes resources.
 type clientOptionalScopesState struct {
- ClientId *string `pulumi:"clientId"`
+ // The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId *string `pulumi:"clientId"`
+ // An array of client scope names to attach to this client as optional scopes.
 OptionalScopes []string `pulumi:"optionalScopes"`
- RealmId *string `pulumi:"realmId"`
+ // The realm this client and scopes exists in.
+ RealmId *string `pulumi:"realmId"`
 }
 type ClientOptionalScopesState struct {
- ClientId pulumi.StringPtrInput
+ // The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId pulumi.StringPtrInput
+ // An array of client scope names to attach to this client as optional scopes.
 OptionalScopes pulumi.StringArrayInput
- RealmId pulumi.StringPtrInput
+ // The realm this client and scopes exists in.
+ RealmId pulumi.StringPtrInput
 }
 func (ClientOptionalScopesState) ElementType() reflect.Type {
@@ -143,16 +146,22 @@ func (ClientOptionalScopesState) ElementType() reflect.Type {
 }
 type clientOptionalScopesArgs struct {
- ClientId string `pulumi:"clientId"`
+ // The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId string `pulumi:"clientId"`
+ // An array of client scope names to attach to this client as optional scopes.
 OptionalScopes []string `pulumi:"optionalScopes"`
- RealmId string `pulumi:"realmId"`
+ // The realm this client and scopes exists in.
+ RealmId string `pulumi:"realmId"`
 }
 // The set of arguments for constructing a ClientOptionalScopes resource.
 type ClientOptionalScopesArgs struct {
- ClientId pulumi.StringInput
+ // The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ ClientId pulumi.StringInput
+ // An array of client scope names to attach to this client as optional scopes.
 OptionalScopes pulumi.StringArrayInput
- RealmId pulumi.StringInput
+ // The realm this client and scopes exists in.
+ RealmId pulumi.StringInput
 }
 func (ClientOptionalScopesArgs) ElementType() reflect.Type {
@@ -242,14 +251,17 @@ func (o ClientOptionalScopesOutput) ToClientOptionalScopesOutputWithContext(ctx
 return o
 }
+// The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.
 func (o ClientOptionalScopesOutput) ClientId() pulumi.StringOutput {
 return o.ApplyT(func(v *ClientOptionalScopes) pulumi.StringOutput { return v.ClientId }).(pulumi.StringOutput)
 }
+// An array of client scope names to attach to this client as optional scopes.
 func (o ClientOptionalScopesOutput) OptionalScopes() pulumi.StringArrayOutput {
 return o.ApplyT(func(v *ClientOptionalScopes) pulumi.StringArrayOutput { return v.OptionalScopes }).(pulumi.StringArrayOutput)
 }
+// The realm this client and scopes exists in.
 func (o ClientOptionalScopesOutput) RealmId() pulumi.StringOutput {
 return o.ApplyT(func(v *ClientOptionalScopes) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput)
 }
diff --git a/sdk/go/keycloak/openid/clientScope.go b/sdk/go/keycloak/openid/clientScope.go
index f17a6e92..528466e5 100644
--- a/sdk/go/keycloak/openid/clientScope.go
+++ b/sdk/go/keycloak/openid/clientScope.go
@@ -12,16 +12,12 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.ClientScope +// Allows for creating and managing Keycloak client scopes that can be attached to clients that use the OpenID Connect protocol. // -// Allows for creating and managing Keycloak client scopes that can be attached to -// clients that use the OpenID Connect protocol. +// Client Scopes can be used to share common protocol and role mappings between multiple clients within a realm. They can also +// be used by clients to conditionally request claims or roles for a user based on the OAuth 2.0 `scope` parameter. // -// Client Scopes can be used to share common protocol and role mappings between multiple -// clients within a realm. They can also be used by clients to conditionally request -// claims or roles for a user based on the OAuth 2.0 `scope` parameter. -// -// ### Example Usage +// ## Example Usage // // ```go // package main @@ -44,9 +40,11 @@ import ( // return err // } // _, err = openid.NewClientScope(ctx, "openid_client_scope", &openid.ClientScopeArgs{ -// RealmId: realm.ID(), -// Name: pulumi.String("groups"), -// Description: pulumi.String("When requested, this scope will map a user's group memberships to a claim"), +// RealmId: realm.ID(), +// Name: pulumi.String("groups"), +// Description: pulumi.String("When requested, this scope will map a user's group memberships to a claim"), +// IncludeInTokenScope: pulumi.Bool(true), +// GuiOrder: pulumi.Int(1), // }) // if err != nil { // return err 
@@ -57,32 +55,34 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this client scope belongs to. -// - `name` - (Required) The display name of this client scope in the GUI. -// - `description` - (Optional) The description of this client scope in the GUI. -// - `consentScreenText` - (Optional) When set, a consent screen will be displayed to users -// authenticating to clients with this scope attached. The consent screen will display the string -// value of this attribute. +// ## Import // -// ### Import +// Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak // -// Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `clientScopeId` is the unique ID that Keycloak // assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/clientScope:ClientScope openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52 +// ``` type ClientScope struct { pulumi.CustomResourceState - ConsentScreenText pulumi.StringPtrOutput `pulumi:"consentScreenText"` - Description pulumi.StringPtrOutput `pulumi:"description"` - GuiOrder pulumi.IntPtrOutput `pulumi:"guiOrder"` - IncludeInTokenScope pulumi.BoolPtrOutput `pulumi:"includeInTokenScope"` - Name pulumi.StringOutput `pulumi:"name"` - RealmId pulumi.StringOutput `pulumi:"realmId"` + // When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + ConsentScreenText pulumi.StringPtrOutput `pulumi:"consentScreenText"` + // The description of this client scope in the GUI. 
+ Description pulumi.StringPtrOutput `pulumi:"description"` + // Specify order of the client scope in GUI (such as in Consent page) as integer. + GuiOrder pulumi.IntPtrOutput `pulumi:"guiOrder"` + // When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + IncludeInTokenScope pulumi.BoolPtrOutput `pulumi:"includeInTokenScope"` + // The display name of this client scope in the GUI. + Name pulumi.StringOutput `pulumi:"name"` + // The realm this client scope belongs to. + RealmId pulumi.StringOutput `pulumi:"realmId"` } // NewClientScope registers a new resource with the given unique name, arguments, and options. 
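Review bot: The Import section now carries a bare `// bash` line between `// Example:` and the ```sh fence; that word sits outside any code fence, so it renders as a stray paragraph reading "bash" in the package docs. The same line is added in the fullNameProtocolMapper.go Import section ahead of its two import examples. Removing the `// bash` line (and the empty `//` lines around it) leaves the ```sh block to carry the shell example on its own. As this is generated SDK code, the generator's handling of the upstream fence language tag is presumably where the artifact originates.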
@@ -118,21 +118,33 @@ func GetClientScope(ctx *pulumi.Context, // Input properties used for looking up and filtering ClientScope resources. type clientScopeState struct { - ConsentScreenText *string `pulumi:"consentScreenText"` - Description *string `pulumi:"description"` - GuiOrder *int `pulumi:"guiOrder"` - IncludeInTokenScope *bool `pulumi:"includeInTokenScope"` - Name *string `pulumi:"name"` - RealmId *string `pulumi:"realmId"` + // When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + ConsentScreenText *string `pulumi:"consentScreenText"` + // The description of this client scope in the GUI. + Description *string `pulumi:"description"` + // Specify order of the client scope in GUI (such as in Consent page) as integer. + GuiOrder *int `pulumi:"guiOrder"` + // When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + IncludeInTokenScope *bool `pulumi:"includeInTokenScope"` + // The display name of this client scope in the GUI. + Name *string `pulumi:"name"` + // The realm this client scope belongs to. + RealmId *string `pulumi:"realmId"` } type ClientScopeState struct { - ConsentScreenText pulumi.StringPtrInput - Description pulumi.StringPtrInput - GuiOrder pulumi.IntPtrInput + // When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + ConsentScreenText pulumi.StringPtrInput + // The description of this client scope in the GUI. + Description pulumi.StringPtrInput + // Specify order of the client scope in GUI (such as in Consent page) as integer. + GuiOrder pulumi.IntPtrInput + // When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. 
IncludeInTokenScope pulumi.BoolPtrInput - Name pulumi.StringPtrInput - RealmId pulumi.StringPtrInput + // The display name of this client scope in the GUI. + Name pulumi.StringPtrInput + // The realm this client scope belongs to. + RealmId pulumi.StringPtrInput } func (ClientScopeState) ElementType() reflect.Type { 
@@ -140,22 +152,34 @@ func (ClientScopeState) ElementType() reflect.Type { } type clientScopeArgs struct { - ConsentScreenText *string `pulumi:"consentScreenText"` - Description *string `pulumi:"description"` - GuiOrder *int `pulumi:"guiOrder"` - IncludeInTokenScope *bool `pulumi:"includeInTokenScope"` - Name *string `pulumi:"name"` - RealmId string `pulumi:"realmId"` + // When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + ConsentScreenText *string `pulumi:"consentScreenText"` + // The description of this client scope in the GUI. + Description *string `pulumi:"description"` + // Specify order of the client scope in GUI (such as in Consent page) as integer. + GuiOrder *int `pulumi:"guiOrder"` + // When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + IncludeInTokenScope *bool `pulumi:"includeInTokenScope"` + // The display name of this client scope in the GUI. + Name *string `pulumi:"name"` + // The realm this client scope belongs to. + RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a ClientScope resource. type ClientScopeArgs struct { - ConsentScreenText pulumi.StringPtrInput - Description pulumi.StringPtrInput - GuiOrder pulumi.IntPtrInput + // When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + ConsentScreenText pulumi.StringPtrInput + // The description of this client scope in the GUI. + Description pulumi.StringPtrInput + // Specify order of the client scope in GUI (such as in Consent page) as integer. + GuiOrder pulumi.IntPtrInput + // When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. 
IncludeInTokenScope pulumi.BoolPtrInput - Name pulumi.StringPtrInput - RealmId pulumi.StringInput + // The display name of this client scope in the GUI. + Name pulumi.StringPtrInput + // The realm this client scope belongs to. + RealmId pulumi.StringInput } func (ClientScopeArgs) ElementType() reflect.Type { 
@@ -245,26 +269,32 @@ func (o ClientScopeOutput) ToClientScopeOutputWithContext(ctx context.Context) C return o } +// When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. func (o ClientScopeOutput) ConsentScreenText() pulumi.StringPtrOutput { return o.ApplyT(func(v *ClientScope) pulumi.StringPtrOutput { return v.ConsentScreenText }).(pulumi.StringPtrOutput) } +// The description of this client scope in the GUI. func (o ClientScopeOutput) Description() pulumi.StringPtrOutput { return o.ApplyT(func(v *ClientScope) pulumi.StringPtrOutput { return v.Description }).(pulumi.StringPtrOutput) } +// Specify order of the client scope in GUI (such as in Consent page) as integer. func (o ClientScopeOutput) GuiOrder() pulumi.IntPtrOutput { return o.ApplyT(func(v *ClientScope) pulumi.IntPtrOutput { return v.GuiOrder }).(pulumi.IntPtrOutput) } +// When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. func (o ClientScopeOutput) IncludeInTokenScope() pulumi.BoolPtrOutput { return o.ApplyT(func(v *ClientScope) pulumi.BoolPtrOutput { return v.IncludeInTokenScope }).(pulumi.BoolPtrOutput) } +// The display name of this client scope in the GUI. func (o ClientScopeOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *ClientScope) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } +// The realm this client scope belongs to. func (o ClientScopeOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *ClientScope) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/fullNameProtocolMapper.go b/sdk/go/keycloak/openid/fullNameProtocolMapper.go index 603f56ac..4767d479 100644 --- a/sdk/go/keycloak/openid/fullNameProtocolMapper.go +++ b/sdk/go/keycloak/openid/fullNameProtocolMapper.go 
@@ -12,17 +12,16 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.FullNameProtocolMapper +// Allows for creating and managing full name protocol mappers within Keycloak. // -// Allows for creating and managing full name protocol mappers within -// Keycloak. +// Full name protocol mappers allow you to map a user's first and last name to the OpenID Connect `name` claim in a token. // -// Full name protocol mappers allow you to map a user's first and last name -// to the OpenID Connect `name` claim in a token. Protocol mappers can be defined -// for a single client, or they can be defined for a client scope which can -// be shared between multiple different clients. +// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +// multiple different clients. // -// ### Example Usage (Client) +// ## Example Usage +// +// ### Client) // // ```go // package main @@ -46,8 +45,8 @@ import ( // } // openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{ // RealmId: realm.ID(), -// ClientId: pulumi.String("test-client"), -// Name: pulumi.String("test client"), +// ClientId: pulumi.String("client"), +// Name: pulumi.String("client"), // Enabled: pulumi.Bool(true), // AccessType: pulumi.String("CONFIDENTIAL"), // ValidRedirectUris: pulumi.StringArray{ @@ -71,7 +70,7 @@ import ( // // ``` // -// ### Example Usage (Client Scope) +// ### Client Scope) // // ```go // package main @@ -95,7 +94,7 @@ import ( // } // clientScope, err := openid.NewClientScope(ctx, "client_scope", &openid.ClientScopeArgs{ // RealmId: realm.ID(), -// Name: pulumi.String("test-client-scope"), +// Name: pulumi.String("client-scope"), // }) // if err != nil { // return err 
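Review bot: The new sub-headings `### Client)` and `### Client Scope)` have lost the opening of the original `### Example Usage (Client)` / `(Client Scope)` titles, leaving a dangling `)` in the rendered docs; under the new `## Example Usage` heading they should read `### Client` and `### Client Scope`. The heading text looks generated from the upstream docs, so the trim presumably needs to happen in the documentation source or the generator rather than here.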
@@ -114,38 +113,41 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `addToIdToken` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. -// - `addToAccessToken` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. -// - `addToUserinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. -// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type FullNameProtocolMapper struct { pulumi.CustomResourceState + // Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. 
AddToAccessToken pulumi.BoolPtrOutput `pulumi:"addToAccessToken"` - AddToIdToken pulumi.BoolPtrOutput `pulumi:"addToIdToken"` - AddToUserinfo pulumi.BoolPtrOutput `pulumi:"addToUserinfo"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + AddToIdToken pulumi.BoolPtrOutput `pulumi:"addToIdToken"` + // Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo pulumi.BoolPtrOutput `pulumi:"addToUserinfo"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringOutput `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringOutput `pulumi:"realmId"` } 
@@ -182,30 +184,36 @@ func GetFullNameProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering FullNameProtocolMapper resources. type fullNameProtocolMapperState struct { + // Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - AddToIdToken *bool `pulumi:"addToIdToken"` - AddToUserinfo *bool `pulumi:"addToUserinfo"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + AddToIdToken *bool `pulumi:"addToIdToken"` + // Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId *string `pulumi:"realmId"` } type FullNameProtocolMapperState struct { + // Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - AddToIdToken pulumi.BoolPtrInput - AddToUserinfo pulumi.BoolPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. 
+ // Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + AddToIdToken pulumi.BoolPtrInput + // Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo pulumi.BoolPtrInput + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringPtrInput } 
@@ -214,31 +222,37 @@ func (FullNameProtocolMapperState) ElementType() reflect.Type { } type fullNameProtocolMapperArgs struct { + // Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - AddToIdToken *bool `pulumi:"addToIdToken"` - AddToUserinfo *bool `pulumi:"addToUserinfo"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + AddToIdToken *bool `pulumi:"addToIdToken"` + // Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a FullNameProtocolMapper resource. type FullNameProtocolMapperArgs struct { + // Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - AddToIdToken pulumi.BoolPtrInput - AddToUserinfo pulumi.BoolPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. 
+ // Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + AddToIdToken pulumi.BoolPtrInput + // Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo pulumi.BoolPtrInput + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringInput } 
@@ -329,34 +343,37 @@ func (o FullNameProtocolMapperOutput) ToFullNameProtocolMapperOutputWithContext( return o } +// Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. func (o FullNameProtocolMapperOutput) AddToAccessToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *FullNameProtocolMapper) pulumi.BoolPtrOutput { return v.AddToAccessToken }).(pulumi.BoolPtrOutput) } +// Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. func (o FullNameProtocolMapperOutput) AddToIdToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *FullNameProtocolMapper) pulumi.BoolPtrOutput { return v.AddToIdToken }).(pulumi.BoolPtrOutput) } +// Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. func (o FullNameProtocolMapperOutput) AddToUserinfo() pulumi.BoolPtrOutput { return o.ApplyT(func(v *FullNameProtocolMapper) pulumi.BoolPtrOutput { return v.AddToUserinfo }).(pulumi.BoolPtrOutput) } -// The mapper's associated client. Cannot be used at the same time as client_scope_id. +// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o FullNameProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *FullNameProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } -// The mapper's associated client scope. Cannot be used at the same time as client_id. +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. func (o FullNameProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *FullNameProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } -// A human-friendly name that will appear in the Keycloak console. 
+// The display name of this protocol mapper in the GUI. func (o FullNameProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *FullNameProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm id where the associated client or client scope exists. +// The realm this protocol mapper exists within. func (o FullNameProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *FullNameProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/getClient.go b/sdk/go/keycloak/openid/getClient.go index c31f8e14..00591df3 100644 --- a/sdk/go/keycloak/openid/getClient.go +++ b/sdk/go/keycloak/openid/getClient.go @@ -11,11 +11,9 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.Client data source -// // This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. // -// ### Example Usage +// ## Example Usage // // ```go // package main @@ -51,17 +49,6 @@ import ( // } // // ``` -// -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm id. -// - `clientId` - (Required) The client id. -// -// ### Attributes Reference -// -// See the docs for the `openid.Client` resource for details on the exported attributes. func LookupClient(ctx *pulumi.Context, args *LookupClientArgs, opts ...pulumi.InvokeOption) (*LookupClientResult, error) { opts = internal.PkgInvokeDefaultOpts(opts) var rv LookupClientResult @@ -74,6 +61,7 @@ func LookupClient(ctx *pulumi.Context, args *LookupClientArgs, opts ...pulumi.In // A collection of arguments for invoking getClient. type LookupClientArgs struct { + // The client id (not its unique ID). ClientId string `pulumi:"clientId"` ConsentScreenText *string `pulumi:"consentScreenText"` DisplayOnConsentScreen *bool `pulumi:"displayOnConsentScreen"` 
@@ -81,7 +69,8 @@ type LookupClientArgs struct { Oauth2DeviceAuthorizationGrantEnabled *bool `pulumi:"oauth2DeviceAuthorizationGrantEnabled"` Oauth2DeviceCodeLifespan *string `pulumi:"oauth2DeviceCodeLifespan"` Oauth2DevicePollingInterval *string `pulumi:"oauth2DevicePollingInterval"` - RealmId string `pulumi:"realmId"` + // The realm id. + RealmId string `pulumi:"realmId"` } // A collection of values returned by getClient. @@ -156,6 +145,7 @@ func LookupClientOutput(ctx *pulumi.Context, args LookupClientOutputArgs, opts . // A collection of arguments for invoking getClient. type LookupClientOutputArgs struct { + // The client id (not its unique ID). ClientId pulumi.StringInput `pulumi:"clientId"` ConsentScreenText pulumi.StringPtrInput `pulumi:"consentScreenText"` DisplayOnConsentScreen pulumi.BoolPtrInput `pulumi:"displayOnConsentScreen"` @@ -163,7 +153,8 @@ type LookupClientOutputArgs struct { Oauth2DeviceAuthorizationGrantEnabled pulumi.BoolPtrInput `pulumi:"oauth2DeviceAuthorizationGrantEnabled"` Oauth2DeviceCodeLifespan pulumi.StringPtrInput `pulumi:"oauth2DeviceCodeLifespan"` Oauth2DevicePollingInterval pulumi.StringPtrInput `pulumi:"oauth2DevicePollingInterval"` - RealmId pulumi.StringInput `pulumi:"realmId"` + // The realm id. + RealmId pulumi.StringInput `pulumi:"realmId"` } func (LookupClientOutputArgs) ElementType() reflect.Type { diff --git a/sdk/go/keycloak/openid/groupMembershipProtocolMapper.go b/sdk/go/keycloak/openid/groupMembershipProtocolMapper.go index 891b1fd6..81dd2d47 100644 --- a/sdk/go/keycloak/openid/groupMembershipProtocolMapper.go +++ b/sdk/go/keycloak/openid/groupMembershipProtocolMapper.go 
@@ -12,17 +12,16 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.GroupMembershipProtocolMapper +// Allows for creating and managing group membership protocol mappers within Keycloak. // -// Allows for creating and managing group membership protocol mappers within -// Keycloak. +// Group membership protocol mappers allow you to map a user's group memberships to a claim in a token. // -// Group membership protocol mappers allow you to map a user's group memberships -// to a claim in a token. Protocol mappers can be defined for a single client, -// or they can be defined for a client scope which can be shared between multiple -// different clients. +// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +// multiple different clients. // -// ### Example Usage (Client) +// ## Example Usage +// +// ### Client) // // ```go // package main @@ -46,8 +45,8 @@ import ( // } // openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{ // RealmId: realm.ID(), -// ClientId: pulumi.String("test-client"), -// Name: pulumi.String("test client"), +// ClientId: pulumi.String("client"), +// Name: pulumi.String("client"), // Enabled: pulumi.Bool(true), // AccessType: pulumi.String("CONFIDENTIAL"), // ValidRedirectUris: pulumi.StringArray{ @@ -72,7 +71,7 @@ import ( // // ``` // -// ### Example Usage (Client Scope) +// ### Client Scope) // // ```go // package main @@ -96,7 +95,7 @@ import ( // } // clientScope, err := openid.NewClientScope(ctx, "client_scope", &openid.ClientScopeArgs{ // RealmId: realm.ID(), -// Name: pulumi.String("test-client-scope"), +// Name: pulumi.String("client-scope"), // }) // if err != nil { // return err 
@@ -116,42 +115,45 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `claimName` - (Required) The name of the claim to insert into a token. -// - `fullPath` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`. -// - `addToIdToken` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -// - `addToAccessToken` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -// - `addToUserinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
-// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type GroupMembershipProtocolMapper struct { pulumi.CustomResourceState + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrOutput `pulumi:"addToAccessToken"` - AddToIdToken pulumi.BoolPtrOutput `pulumi:"addToIdToken"` - AddToUserinfo pulumi.BoolPtrOutput `pulumi:"addToUserinfo"` - ClaimName pulumi.StringOutput `pulumi:"claimName"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. + AddToIdToken pulumi.BoolPtrOutput `pulumi:"addToIdToken"` + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo pulumi.BoolPtrOutput `pulumi:"addToUserinfo"` + // The name of the claim to insert into a token. + ClaimName pulumi.StringOutput `pulumi:"claimName"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - // The mapper's associated client scope. 
Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - FullPath pulumi.BoolPtrOutput `pulumi:"fullPath"` - // A human-friendly name that will appear in the Keycloak console. + // Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + FullPath pulumi.BoolPtrOutput `pulumi:"fullPath"` + // The display name of this protocol mapper in the GUI. Name pulumi.StringOutput `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringOutput `pulumi:"realmId"` } 
@@ -191,34 +193,44 @@ func GetGroupMembershipProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering GroupMembershipProtocolMapper resources. type groupMembershipProtocolMapperState struct { - AddToAccessToken *bool `pulumi:"addToAccessToken"` - AddToIdToken *bool `pulumi:"addToIdToken"` - AddToUserinfo *bool `pulumi:"addToUserinfo"` - ClaimName *string `pulumi:"claimName"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. + AddToAccessToken *bool `pulumi:"addToAccessToken"` + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. + AddToIdToken *bool `pulumi:"addToIdToken"` + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The name of the claim to insert into a token. + ClaimName *string `pulumi:"claimName"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - FullPath *bool `pulumi:"fullPath"` - // A human-friendly name that will appear in the Keycloak console. + // Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + FullPath *bool `pulumi:"fullPath"` + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. 
RealmId *string `pulumi:"realmId"` } type GroupMembershipProtocolMapperState struct { + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - AddToIdToken pulumi.BoolPtrInput - AddToUserinfo pulumi.BoolPtrInput - ClaimName pulumi.StringPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. + AddToIdToken pulumi.BoolPtrInput + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo pulumi.BoolPtrInput + // The name of the claim to insert into a token. + ClaimName pulumi.StringPtrInput + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - FullPath pulumi.BoolPtrInput - // A human-friendly name that will appear in the Keycloak console. + // Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + FullPath pulumi.BoolPtrInput + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringPtrInput } 
@@ -227,35 +239,45 @@ func (GroupMembershipProtocolMapperState) ElementType() reflect.Type { } type groupMembershipProtocolMapperArgs struct { - AddToAccessToken *bool `pulumi:"addToAccessToken"` - AddToIdToken *bool `pulumi:"addToIdToken"` - AddToUserinfo *bool `pulumi:"addToUserinfo"` - ClaimName string `pulumi:"claimName"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. + AddToAccessToken *bool `pulumi:"addToAccessToken"` + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. + AddToIdToken *bool `pulumi:"addToIdToken"` + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The name of the claim to insert into a token. + ClaimName string `pulumi:"claimName"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - FullPath *bool `pulumi:"fullPath"` - // A human-friendly name that will appear in the Keycloak console. + // Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + FullPath *bool `pulumi:"fullPath"` + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. 
RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a GroupMembershipProtocolMapper resource. type GroupMembershipProtocolMapperArgs struct { + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - AddToIdToken pulumi.BoolPtrInput - AddToUserinfo pulumi.BoolPtrInput - ClaimName pulumi.StringInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. + AddToIdToken pulumi.BoolPtrInput + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo pulumi.BoolPtrInput + // The name of the claim to insert into a token. + ClaimName pulumi.StringInput + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - FullPath pulumi.BoolPtrInput - // A human-friendly name that will appear in the Keycloak console. + // Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + FullPath pulumi.BoolPtrInput + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringInput } 
@@ -346,42 +368,47 @@ func (o GroupMembershipProtocolMapperOutput) ToGroupMembershipProtocolMapperOutp return o } +// Indicates if the property should be added as a claim to the access token. Defaults to `true`. func (o GroupMembershipProtocolMapperOutput) AddToAccessToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *GroupMembershipProtocolMapper) pulumi.BoolPtrOutput { return v.AddToAccessToken }).(pulumi.BoolPtrOutput) } +// Indicates if the property should be added as a claim to the id token. Defaults to `true`. func (o GroupMembershipProtocolMapperOutput) AddToIdToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *GroupMembershipProtocolMapper) pulumi.BoolPtrOutput { return v.AddToIdToken }).(pulumi.BoolPtrOutput) } +// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. func (o GroupMembershipProtocolMapperOutput) AddToUserinfo() pulumi.BoolPtrOutput { return o.ApplyT(func(v *GroupMembershipProtocolMapper) pulumi.BoolPtrOutput { return v.AddToUserinfo }).(pulumi.BoolPtrOutput) } +// The name of the claim to insert into a token. func (o GroupMembershipProtocolMapperOutput) ClaimName() pulumi.StringOutput { return o.ApplyT(func(v *GroupMembershipProtocolMapper) pulumi.StringOutput { return v.ClaimName }).(pulumi.StringOutput) } -// The mapper's associated client. Cannot be used at the same time as client_scope_id. +// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o GroupMembershipProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *GroupMembershipProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } -// The mapper's associated client scope. Cannot be used at the same time as client_id. +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. 
func (o GroupMembershipProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *GroupMembershipProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } +// Indicates whether the full path of the group including its parents will be used. Defaults to `true`. func (o GroupMembershipProtocolMapperOutput) FullPath() pulumi.BoolPtrOutput { return o.ApplyT(func(v *GroupMembershipProtocolMapper) pulumi.BoolPtrOutput { return v.FullPath }).(pulumi.BoolPtrOutput) } -// A human-friendly name that will appear in the Keycloak console. +// The display name of this protocol mapper in the GUI. func (o GroupMembershipProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *GroupMembershipProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm id where the associated client or client scope exists. +// The realm this protocol mapper exists within. func (o GroupMembershipProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *GroupMembershipProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/hardcodedClaimProtocolMapper.go b/sdk/go/keycloak/openid/hardcodedClaimProtocolMapper.go index a8aef51f..e88d5084 100644 --- a/sdk/go/keycloak/openid/hardcodedClaimProtocolMapper.go +++ b/sdk/go/keycloak/openid/hardcodedClaimProtocolMapper.go 
@@ -12,17 +12,16 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.HardcodedClaimProtocolMapper +// Allows for creating and managing hardcoded claim protocol mappers within Keycloak. // -// Allows for creating and managing hardcoded claim protocol mappers within -// Keycloak. +// Hardcoded claim protocol mappers allow you to define a claim with a hardcoded value. // -// Hardcoded claim protocol mappers allow you to define a claim with a hardcoded -// value. Protocol mappers can be defined for a single client, or they can -// be defined for a client scope which can be shared between multiple different -// clients. +// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +// multiple different clients. // -// ### Example Usage (Client) +// ## Example Usage +// +// ### Client) // // ```go // package main @@ -46,8 +45,8 @@ import ( // } // openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{ // RealmId: realm.ID(), -// ClientId: pulumi.String("test-client"), -// Name: pulumi.String("test client"), +// ClientId: pulumi.String("client"), +// Name: pulumi.String("client"), // Enabled: pulumi.Bool(true), // AccessType: pulumi.String("CONFIDENTIAL"), // ValidRedirectUris: pulumi.StringArray{ @@ -73,7 +72,7 @@ import ( // // ``` // -// ### Example Usage (Client Scope) +// ### Client Scope) // // ```go // package main @@ -97,7 +96,7 @@ import ( // } // clientScope, err := openid.NewClientScope(ctx, "client_scope", &openid.ClientScopeArgs{ // RealmId: realm.ID(), -// Name: pulumi.String("test-client-scope"), +// Name: pulumi.String("client-scope"), // }) // if err != nil { // return err 
@@ -118,48 +117,47 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `claimName` - (Required) The name of the claim to insert into a token. -// - `claimValue` - (Required) The hardcoded value of the claim. -// - `claimValueType` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. -// - `addToIdToken` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -// - `addToAccessToken` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -// - `addToUserinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
-// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type HardcodedClaimProtocolMapper struct { pulumi.CustomResourceState - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrOutput `pulumi:"addToAccessToken"` - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrOutput `pulumi:"addToIdToken"` - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrOutput `pulumi:"addToUserinfo"` - ClaimName pulumi.StringOutput `pulumi:"claimName"` - ClaimValue pulumi.StringOutput `pulumi:"claimValue"` - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringOutput `pulumi:"claimName"` + // The hardcoded value of the claim. + ClaimValue pulumi.StringOutput `pulumi:"claimValue"` + // The claim type used when serializing JSON tokens. 
Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrOutput `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringOutput `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringOutput `pulumi:"realmId"` } 
@@ -202,44 +200,48 @@ func GetHardcodedClaimProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering HardcodedClaimProtocolMapper resources. type hardcodedClaimProtocolMapperState struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // Indicates if the attribute should appear in the userinfo response body. - AddToUserinfo *bool `pulumi:"addToUserinfo"` - ClaimName *string `pulumi:"claimName"` - ClaimValue *string `pulumi:"claimValue"` - // Claim type used when serializing tokens. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The name of the claim to insert into a token. + ClaimName *string `pulumi:"claimName"` + // The hardcoded value of the claim. + ClaimValue *string `pulumi:"claimValue"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType *string `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. 
ClientScopeId *string `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId *string `pulumi:"realmId"` } type HardcodedClaimProtocolMapperState struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrInput - ClaimName pulumi.StringPtrInput - ClaimValue pulumi.StringPtrInput - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringPtrInput + // The hardcoded value of the claim. + ClaimValue pulumi.StringPtrInput + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. 
ClientScopeId pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringPtrInput } 
@@ -248,45 +250,49 @@ func (HardcodedClaimProtocolMapperState) ElementType() reflect.Type { } type hardcodedClaimProtocolMapperArgs struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // Indicates if the attribute should appear in the userinfo response body. - AddToUserinfo *bool `pulumi:"addToUserinfo"` - ClaimName string `pulumi:"claimName"` - ClaimValue string `pulumi:"claimValue"` - // Claim type used when serializing tokens. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The name of the claim to insert into a token. + ClaimName string `pulumi:"claimName"` + // The hardcoded value of the claim. + ClaimValue string `pulumi:"claimValue"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType *string `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. 
+ // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a HardcodedClaimProtocolMapper resource. type HardcodedClaimProtocolMapperArgs struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrInput - ClaimName pulumi.StringInput - ClaimValue pulumi.StringInput - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringInput + // The hardcoded value of the claim. + ClaimValue pulumi.StringInput + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. 
ClientScopeId pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringInput } 
@@ -377,50 +383,52 @@ func (o HardcodedClaimProtocolMapperOutput) ToHardcodedClaimProtocolMapperOutput return o } -// Indicates if the attribute should be a claim in the access token. +// Indicates if the property should be added as a claim to the access token. Defaults to `true`. func (o HardcodedClaimProtocolMapperOutput) AddToAccessToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.BoolPtrOutput { return v.AddToAccessToken }).(pulumi.BoolPtrOutput) } -// Indicates if the attribute should be a claim in the id token. +// Indicates if the property should be added as a claim to the id token. Defaults to `true`. func (o HardcodedClaimProtocolMapperOutput) AddToIdToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.BoolPtrOutput { return v.AddToIdToken }).(pulumi.BoolPtrOutput) } -// Indicates if the attribute should appear in the userinfo response body. +// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. func (o HardcodedClaimProtocolMapperOutput) AddToUserinfo() pulumi.BoolPtrOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.BoolPtrOutput { return v.AddToUserinfo }).(pulumi.BoolPtrOutput) } +// The name of the claim to insert into a token. func (o HardcodedClaimProtocolMapperOutput) ClaimName() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.StringOutput { return v.ClaimName }).(pulumi.StringOutput) } +// The hardcoded value of the claim. func (o HardcodedClaimProtocolMapperOutput) ClaimValue() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.StringOutput { return v.ClaimValue }).(pulumi.StringOutput) } -// Claim type used when serializing tokens. +// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. 
func (o HardcodedClaimProtocolMapperOutput) ClaimValueType() pulumi.StringPtrOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.StringPtrOutput { return v.ClaimValueType }).(pulumi.StringPtrOutput) } -// The mapper's associated client. Cannot be used at the same time as client_scope_id. +// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o HardcodedClaimProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } -// The mapper's associated client scope. Cannot be used at the same time as client_id. +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. func (o HardcodedClaimProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } -// A human-friendly name that will appear in the Keycloak console. +// The display name of this protocol mapper in the GUI. func (o HardcodedClaimProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm id where the associated client or client scope exists. +// The realm this protocol mapper exists within. func (o HardcodedClaimProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedClaimProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/hardcodedRoleProtocolMapper.go b/sdk/go/keycloak/openid/hardcodedRoleProtocolMapper.go index aaf1794f..07d3b805 100644 --- a/sdk/go/keycloak/openid/hardcodedRoleProtocolMapper.go 
+++ b/sdk/go/keycloak/openid/hardcodedRoleProtocolMapper.go @@ -12,17 +12,16 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.HardcodedRoleProtocolMapper +// Allows for creating and managing hardcoded role protocol mappers within Keycloak. // -// Allows for creating and managing hardcoded role protocol mappers within -// Keycloak. +// Hardcoded role protocol mappers allow you to specify a single role to always map to an access token for a client. // -// Hardcoded role protocol mappers allow you to specify a single role to -// always map to an access token for a client. Protocol mappers can be -// defined for a single client, or they can be defined for a client scope -// which can be shared between multiple different clients. +// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +// multiple different clients. // -// ### Example Usage (Client) +// ## Example Usage +// +// ### Client) // // ```go // package main @@ -53,8 +52,8 @@ import ( // } // openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{ // RealmId: realm.ID(), -// ClientId: pulumi.String("test-client"), -// Name: pulumi.String("test client"), +// ClientId: pulumi.String("client"), +// Name: pulumi.String("client"), // Enabled: pulumi.Bool(true), // AccessType: pulumi.String("CONFIDENTIAL"), // ValidRedirectUris: pulumi.StringArray{ @@ -79,7 +78,7 @@ import ( // // ``` // -// ### Example Usage (Client Scope) +// ### Client Scope) // // ```go // package main @@ -110,7 +109,7 @@ import ( // } // clientScope, err := openid.NewClientScope(ctx, "client_scope", &openid.ClientScopeArgs{ // RealmId: realm.ID(), -// Name: pulumi.String("test-client-scope"), +// Name: pulumi.String("client-scope"), // }) // if err != nil { // return err 
@@ -130,36 +129,38 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the -// GUI. -// - `roleId` - (Required) The ID of the role to map to an access token. -// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type HardcodedRoleProtocolMapper struct { pulumi.CustomResourceState - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. 
ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringOutput `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringOutput `pulumi:"realmId"` - RoleId pulumi.StringOutput `pulumi:"roleId"` + // The ID of the role to map to an access token. + RoleId pulumi.StringOutput `pulumi:"roleId"` } // NewHardcodedRoleProtocolMapper registers a new resource with the given unique name, arguments, and options. 
@@ -198,27 +199,29 @@ func GetHardcodedRoleProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering HardcodedRoleProtocolMapper resources. type hardcodedRoleProtocolMapperState struct { - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId *string `pulumi:"realmId"` - RoleId *string `pulumi:"roleId"` + // The ID of the role to map to an access token. + RoleId *string `pulumi:"roleId"` } type HardcodedRoleProtocolMapperState struct { - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. 
Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringPtrInput - RoleId pulumi.StringPtrInput + // The ID of the role to map to an access token. + RoleId pulumi.StringPtrInput } func (HardcodedRoleProtocolMapperState) ElementType() reflect.Type { 
@@ -226,28 +229,30 @@ func (HardcodedRoleProtocolMapperState) ElementType() reflect.Type { } type hardcodedRoleProtocolMapperArgs struct { - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId string `pulumi:"realmId"` - RoleId string `pulumi:"roleId"` + // The ID of the role to map to an access token. + RoleId string `pulumi:"roleId"` } // The set of arguments for constructing a HardcodedRoleProtocolMapper resource. type HardcodedRoleProtocolMapperArgs struct { - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. 
Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringInput - RoleId pulumi.StringInput + // The ID of the role to map to an access token. + RoleId pulumi.StringInput } func (HardcodedRoleProtocolMapperArgs) ElementType() reflect.Type { 
@@ -337,26 +342,27 @@ func (o HardcodedRoleProtocolMapperOutput) ToHardcodedRoleProtocolMapperOutputWi return o } -// The mapper's associated client. Cannot be used at the same time as client_scope_id. +// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o HardcodedRoleProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *HardcodedRoleProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } -// The mapper's associated client scope. Cannot be used at the same time as client_id. +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. func (o HardcodedRoleProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *HardcodedRoleProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } -// A human-friendly name that will appear in the Keycloak console. +// The display name of this protocol mapper in the GUI. func (o HardcodedRoleProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedRoleProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm id where the associated client or client scope exists. +// The realm this protocol mapper exists within. func (o HardcodedRoleProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedRoleProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// The ID of the role to map to an access token. func (o HardcodedRoleProtocolMapperOutput) RoleId() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedRoleProtocolMapper) pulumi.StringOutput { return v.RoleId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/pulumiTypes.go b/sdk/go/keycloak/openid/pulumiTypes.go index 87d7aea0..9aff0cb2 100644 
--- a/sdk/go/keycloak/openid/pulumiTypes.go +++ b/sdk/go/keycloak/openid/pulumiTypes.go @@ -14,7 +14,9 @@ import ( var _ = internal.GetEnvOrDefault type ClientAuthenticationFlowBindingOverrides struct { - BrowserId *string `pulumi:"browserId"` + // Browser flow id, (flow needs to exist) + BrowserId *string `pulumi:"browserId"` + // Direct grant flow id (flow needs to exist) DirectGrantId *string `pulumi:"directGrantId"` } @@ -30,7 +32,9 @@ type ClientAuthenticationFlowBindingOverridesInput interface { } type ClientAuthenticationFlowBindingOverridesArgs struct { - BrowserId pulumi.StringPtrInput `pulumi:"browserId"` + // Browser flow id, (flow needs to exist) + BrowserId pulumi.StringPtrInput `pulumi:"browserId"` + // Direct grant flow id (flow needs to exist) DirectGrantId pulumi.StringPtrInput `pulumi:"directGrantId"` } @@ -111,10 +115,12 @@ func (o ClientAuthenticationFlowBindingOverridesOutput) ToClientAuthenticationFl }).(ClientAuthenticationFlowBindingOverridesPtrOutput) } +// Browser flow id, (flow needs to exist) func (o ClientAuthenticationFlowBindingOverridesOutput) BrowserId() pulumi.StringPtrOutput { return o.ApplyT(func(v ClientAuthenticationFlowBindingOverrides) *string { return v.BrowserId }).(pulumi.StringPtrOutput) } +// Direct grant flow id (flow needs to exist) func (o ClientAuthenticationFlowBindingOverridesOutput) DirectGrantId() pulumi.StringPtrOutput { return o.ApplyT(func(v ClientAuthenticationFlowBindingOverrides) *string { return v.DirectGrantId }).(pulumi.StringPtrOutput) } @@ -143,6 +149,7 @@ func (o ClientAuthenticationFlowBindingOverridesPtrOutput) Elem() ClientAuthenti }).(ClientAuthenticationFlowBindingOverridesOutput) } +// Browser flow id, (flow needs to exist) func (o ClientAuthenticationFlowBindingOverridesPtrOutput) BrowserId() pulumi.StringPtrOutput { return o.ApplyT(func(v *ClientAuthenticationFlowBindingOverrides) *string { if v == nil { 
@@ -152,6 +159,7 @@ func (o ClientAuthenticationFlowBindingOverridesPtrOutput) BrowserId() pulumi.St }).(pulumi.StringPtrOutput) } +// Direct grant flow id (flow needs to exist) func (o ClientAuthenticationFlowBindingOverridesPtrOutput) DirectGrantId() pulumi.StringPtrOutput { return o.ApplyT(func(v *ClientAuthenticationFlowBindingOverrides) *string { if v == nil { @@ -162,10 +170,14 @@ func (o ClientAuthenticationFlowBindingOverridesPtrOutput) DirectGrantId() pulum } type ClientAuthorization struct { - AllowRemoteResourceManagement *bool `pulumi:"allowRemoteResourceManagement"` - DecisionStrategy *string `pulumi:"decisionStrategy"` - KeepDefaults *bool `pulumi:"keepDefaults"` - PolicyEnforcementMode string `pulumi:"policyEnforcementMode"` + // When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + AllowRemoteResourceManagement *bool `pulumi:"allowRemoteResourceManagement"` + // Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + DecisionStrategy *string `pulumi:"decisionStrategy"` + // When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + KeepDefaults *bool `pulumi:"keepDefaults"` + // Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + PolicyEnforcementMode string `pulumi:"policyEnforcementMode"` } // ClientAuthorizationInput is an input type that accepts ClientAuthorizationArgs and ClientAuthorizationOutput values. 
@@ -180,10 +192,14 @@ type ClientAuthorizationInput interface { } type ClientAuthorizationArgs struct { - AllowRemoteResourceManagement pulumi.BoolPtrInput `pulumi:"allowRemoteResourceManagement"` - DecisionStrategy pulumi.StringPtrInput `pulumi:"decisionStrategy"` - KeepDefaults pulumi.BoolPtrInput `pulumi:"keepDefaults"` - PolicyEnforcementMode pulumi.StringInput `pulumi:"policyEnforcementMode"` + // When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + AllowRemoteResourceManagement pulumi.BoolPtrInput `pulumi:"allowRemoteResourceManagement"` + // Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + DecisionStrategy pulumi.StringPtrInput `pulumi:"decisionStrategy"` + // When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + KeepDefaults pulumi.BoolPtrInput `pulumi:"keepDefaults"` + // Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + PolicyEnforcementMode pulumi.StringInput `pulumi:"policyEnforcementMode"` } func (ClientAuthorizationArgs) ElementType() reflect.Type { 
@@ -263,18 +279,22 @@ func (o ClientAuthorizationOutput) ToClientAuthorizationPtrOutputWithContext(ctx }).(ClientAuthorizationPtrOutput) } +// When `true`, resources can be managed remotely by the resource server. Defaults to `false`. func (o ClientAuthorizationOutput) AllowRemoteResourceManagement() pulumi.BoolPtrOutput { return o.ApplyT(func(v ClientAuthorization) *bool { return v.AllowRemoteResourceManagement }).(pulumi.BoolPtrOutput) } +// Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. func (o ClientAuthorizationOutput) DecisionStrategy() pulumi.StringPtrOutput { return o.ApplyT(func(v ClientAuthorization) *string { return v.DecisionStrategy }).(pulumi.StringPtrOutput) } +// When `true`, defaults set by Keycloak will be respected. Defaults to `false`. func (o ClientAuthorizationOutput) KeepDefaults() pulumi.BoolPtrOutput { return o.ApplyT(func(v ClientAuthorization) *bool { return v.KeepDefaults }).(pulumi.BoolPtrOutput) } +// Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. func (o ClientAuthorizationOutput) PolicyEnforcementMode() pulumi.StringOutput { return o.ApplyT(func(v ClientAuthorization) string { return v.PolicyEnforcementMode }).(pulumi.StringOutput) } @@ -303,6 +323,7 @@ func (o ClientAuthorizationPtrOutput) Elem() ClientAuthorizationOutput { }).(ClientAuthorizationOutput) } +// When `true`, resources can be managed remotely by the resource server. Defaults to `false`. func (o ClientAuthorizationPtrOutput) AllowRemoteResourceManagement() pulumi.BoolPtrOutput { return o.ApplyT(func(v *ClientAuthorization) *bool { if v == nil { 
@@ -312,6 +333,7 @@ func (o ClientAuthorizationPtrOutput) AllowRemoteResourceManagement() pulumi.Boo }).(pulumi.BoolPtrOutput) } +// Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. func (o ClientAuthorizationPtrOutput) DecisionStrategy() pulumi.StringPtrOutput { return o.ApplyT(func(v *ClientAuthorization) *string { if v == nil { @@ -321,6 +343,7 @@ func (o ClientAuthorizationPtrOutput) DecisionStrategy() pulumi.StringPtrOutput }).(pulumi.StringPtrOutput) } +// When `true`, defaults set by Keycloak will be respected. Defaults to `false`. func (o ClientAuthorizationPtrOutput) KeepDefaults() pulumi.BoolPtrOutput { return o.ApplyT(func(v *ClientAuthorization) *bool { if v == nil { @@ -330,6 +353,7 @@ func (o ClientAuthorizationPtrOutput) KeepDefaults() pulumi.BoolPtrOutput { }).(pulumi.BoolPtrOutput) } +// Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. func (o ClientAuthorizationPtrOutput) PolicyEnforcementMode() pulumi.StringPtrOutput { return o.ApplyT(func(v *ClientAuthorization) *string { if v == nil { diff --git a/sdk/go/keycloak/openid/userAttributeProtocolMapper.go b/sdk/go/keycloak/openid/userAttributeProtocolMapper.go index ff09aa46..6767dd21 100644 --- a/sdk/go/keycloak/openid/userAttributeProtocolMapper.go +++ b/sdk/go/keycloak/openid/userAttributeProtocolMapper.go 
@@ -12,17 +12,16 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.UserAttributeProtocolMapper +// Allows for creating and managing user attribute protocol mappers within Keycloak. // -// Allows for creating and managing user attribute protocol mappers within -// Keycloak. +// User attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to a claim in a token. // -// User attribute protocol mappers allow you to map custom attributes defined -// for a user within Keycloak to a claim in a token. Protocol mappers can be -// defined for a single client, or they can be defined for a client scope which -// can be shared between multiple different clients. +// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +// multiple different clients. // -// ### Example Usage (Client) +// ## Example Usage +// +// ### Client) // // ```go // package main @@ -46,8 +45,8 @@ import ( // } // openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{ // RealmId: realm.ID(), -// ClientId: pulumi.String("test-client"), -// Name: pulumi.String("test client"), +// ClientId: pulumi.String("client"), +// Name: pulumi.String("client"), // Enabled: pulumi.Bool(true), // AccessType: pulumi.String("CONFIDENTIAL"), // ValidRedirectUris: pulumi.StringArray{ @@ -60,7 +59,7 @@ import ( // _, err = openid.NewUserAttributeProtocolMapper(ctx, "user_attribute_mapper", &openid.UserAttributeProtocolMapperArgs{ // RealmId: realm.ID(), // ClientId: openidClient.ID(), -// Name: pulumi.String("test-mapper"), +// Name: pulumi.String("user-attribute-mapper"), // UserAttribute: pulumi.String("foo"), // ClaimName: pulumi.String("bar"), // }) @@ -73,7 +72,7 @@ import ( // // ``` // -// ### Example Usage (Client Scope) +// ### Client Scope) // // ```go // package main 
@@ -97,7 +96,7 @@ import ( // } // clientScope, err := openid.NewClientScope(ctx, "client_scope", &openid.ClientScopeArgs{ // RealmId: realm.ID(), -// Name: pulumi.String("test-client-scope"), +// Name: pulumi.String("client-scope"), // }) // if err != nil { // return err @@ -105,7 +104,7 @@ import ( // _, err = openid.NewUserAttributeProtocolMapper(ctx, "user_attribute_mapper", &openid.UserAttributeProtocolMapperArgs{ // RealmId: realm.ID(), // ClientScopeId: clientScope.ID(), -// Name: pulumi.String("test-mapper"), +// Name: pulumi.String("user-attribute-mapper"), // UserAttribute: pulumi.String("foo"), // ClaimName: pulumi.String("bar"), // }) 
@@ -118,53 +117,51 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `userAttribute` - (Required) The custom user attribute to map a claim for. -// - `claimName` - (Required) The name of the claim to insert into a token. -// - `claimValueType` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. -// - `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. -// - `addToIdToken` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. -// - `addToAccessToken` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. -// - `addToUserinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. 
-// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type UserAttributeProtocolMapper struct { pulumi.CustomResourceState - // Indicates if the attribute should be a claim in the access token. + // Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrOutput `pulumi:"addToAccessToken"` - // Indicates if the attribute should be a claim in the id token. + // Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrOutput `pulumi:"addToIdToken"` - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrOutput `pulumi:"addToUserinfo"` - // Indicates if attribute values should be aggregated within the group attributes + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. AggregateAttributes pulumi.BoolPtrOutput `pulumi:"aggregateAttributes"` - ClaimName pulumi.StringOutput `pulumi:"claimName"` - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. 
+ ClaimName pulumi.StringOutput `pulumi:"claimName"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrOutput `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - // Indicates whether this attribute is a single value or an array of values. + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. Multivalued pulumi.BoolPtrOutput `pulumi:"multivalued"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringOutput `pulumi:"name"` - // The realm id where the associated client or client scope exists. - RealmId pulumi.StringOutput `pulumi:"realmId"` + // The realm this protocol mapper exists within. + RealmId pulumi.StringOutput `pulumi:"realmId"` + // The custom user attribute to map a claim for. UserAttribute pulumi.StringOutput `pulumi:"userAttribute"` } 
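Review bot: The replacement comment on `AggregateAttributes` in the `UserAttributeProtocolMapper` struct now repeats the `Multivalued` description (`Indicates whether this attribute is a single value or an array of values. Defaults to `false`.`), whereas the removed line described aggregation with group attributes; the two fields control different things, and since this flag decides which attribute values are emitted into the claims of issued tokens, a misleading description is an easy way for an operator to ship unintended claim content. The removed text is the accurate one, so I would keep `// Indicates if attribute values should be aggregated within the group attributes` on that field rather than the copied `Multivalued` sentence. The same substitution appears in the state, args and output hunks of this file that follow. If the comment is generated from the provider schema, the schema description needs the same correction.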
@@ -207,52 +204,56 @@ func GetUserAttributeProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering UserAttributeProtocolMapper resources. type userAttributeProtocolMapperState struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if the attribute should be a claim in the id token. + // Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo *bool `pulumi:"addToUserinfo"` - // Indicates if attribute values should be aggregated within the group attributes - AggregateAttributes *bool `pulumi:"aggregateAttributes"` - ClaimName *string `pulumi:"claimName"` - // Claim type used when serializing tokens. + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. + AggregateAttributes *bool `pulumi:"aggregateAttributes"` + // The name of the claim to insert into a token. + ClaimName *string `pulumi:"claimName"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType *string `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. 
Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // Indicates whether this attribute is a single value or an array of values. + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. Multivalued *bool `pulumi:"multivalued"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. - RealmId *string `pulumi:"realmId"` + // The realm this protocol mapper exists within. + RealmId *string `pulumi:"realmId"` + // The custom user attribute to map a claim for. UserAttribute *string `pulumi:"userAttribute"` } type UserAttributeProtocolMapperState struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if the attribute should be a claim in the id token. + // Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrInput - // Indicates if attribute values should be aggregated within the group attributes + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. AggregateAttributes pulumi.BoolPtrInput - ClaimName pulumi.StringPtrInput - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringPtrInput + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. 
ClaimValueType pulumi.StringPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // Indicates whether this attribute is a single value or an array of values. + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. Multivalued pulumi.BoolPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. - RealmId pulumi.StringPtrInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringPtrInput + // The custom user attribute to map a claim for. UserAttribute pulumi.StringPtrInput } 
@@ -261,53 +262,57 @@ func (UserAttributeProtocolMapperState) ElementType() reflect.Type { } type userAttributeProtocolMapperArgs struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if the attribute should be a claim in the id token. + // Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo *bool `pulumi:"addToUserinfo"` - // Indicates if attribute values should be aggregated within the group attributes - AggregateAttributes *bool `pulumi:"aggregateAttributes"` - ClaimName string `pulumi:"claimName"` - // Claim type used when serializing tokens. + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. + AggregateAttributes *bool `pulumi:"aggregateAttributes"` + // The name of the claim to insert into a token. + ClaimName string `pulumi:"claimName"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType *string `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. 
ClientScopeId *string `pulumi:"clientScopeId"` - // Indicates whether this attribute is a single value or an array of values. + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. Multivalued *bool `pulumi:"multivalued"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. - RealmId string `pulumi:"realmId"` + // The realm this protocol mapper exists within. + RealmId string `pulumi:"realmId"` + // The custom user attribute to map a claim for. UserAttribute string `pulumi:"userAttribute"` } // The set of arguments for constructing a UserAttributeProtocolMapper resource. type UserAttributeProtocolMapperArgs struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if the attribute should be a claim in the id token. + // Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrInput - // Indicates if attribute values should be aggregated within the group attributes + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. AggregateAttributes pulumi.BoolPtrInput - ClaimName pulumi.StringInput - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringInput + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. 
ClaimValueType pulumi.StringPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // Indicates whether this attribute is a single value or an array of values. + // Indicates whether this attribute is a single value or an array of values. Defaults to `false`. Multivalued pulumi.BoolPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. - RealmId pulumi.StringInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringInput + // The custom user attribute to map a claim for. UserAttribute pulumi.StringInput } 
@@ -398,60 +403,62 @@ func (o UserAttributeProtocolMapperOutput) ToUserAttributeProtocolMapperOutputWi return o } -// Indicates if the attribute should be a claim in the access token. +// Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. func (o UserAttributeProtocolMapperOutput) AddToAccessToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.BoolPtrOutput { return v.AddToAccessToken }).(pulumi.BoolPtrOutput) } -// Indicates if the attribute should be a claim in the id token. +// Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. func (o UserAttributeProtocolMapperOutput) AddToIdToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.BoolPtrOutput { return v.AddToIdToken }).(pulumi.BoolPtrOutput) } -// Indicates if the attribute should appear in the userinfo response body. +// Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. func (o UserAttributeProtocolMapperOutput) AddToUserinfo() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.BoolPtrOutput { return v.AddToUserinfo }).(pulumi.BoolPtrOutput) } -// Indicates if attribute values should be aggregated within the group attributes +// Indicates whether this attribute is a single value or an array of values. Defaults to `false`. func (o UserAttributeProtocolMapperOutput) AggregateAttributes() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.BoolPtrOutput { return v.AggregateAttributes }).(pulumi.BoolPtrOutput) } +// The name of the claim to insert into a token. func (o UserAttributeProtocolMapperOutput) ClaimName() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringOutput { return v.ClaimName }).(pulumi.StringOutput) } -// Claim type used when serializing tokens. 
+// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. func (o UserAttributeProtocolMapperOutput) ClaimValueType() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringPtrOutput { return v.ClaimValueType }).(pulumi.StringPtrOutput) } -// The mapper's associated client. Cannot be used at the same time as client_scope_id. +// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o UserAttributeProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } -// The mapper's associated client scope. Cannot be used at the same time as client_id. +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. func (o UserAttributeProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } -// Indicates whether this attribute is a single value or an array of values. +// Indicates whether this attribute is a single value or an array of values. Defaults to `false`. func (o UserAttributeProtocolMapperOutput) Multivalued() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.BoolPtrOutput { return v.Multivalued }).(pulumi.BoolPtrOutput) } -// A human-friendly name that will appear in the Keycloak console. +// The display name of this protocol mapper in the GUI. 
func (o UserAttributeProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm id where the associated client or client scope exists. +// The realm this protocol mapper exists within. func (o UserAttributeProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// The custom user attribute to map a claim for. func (o UserAttributeProtocolMapperOutput) UserAttribute() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringOutput { return v.UserAttribute }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/userPropertyProtocolMapper.go b/sdk/go/keycloak/openid/userPropertyProtocolMapper.go index bd49bde4..60cd3840 100644 --- a/sdk/go/keycloak/openid/userPropertyProtocolMapper.go +++ b/sdk/go/keycloak/openid/userPropertyProtocolMapper.go 
@@ -12,17 +12,17 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.UserPropertyProtocolMapper +// Allows for creating and managing user property protocol mappers within Keycloak. // -// Allows for creating and managing user property protocol mappers within -// Keycloak. +// User property protocol mappers allow you to map built in properties defined on the Keycloak user interface to a claim in +// a token. // -// User property protocol mappers allow you to map built in properties defined -// on the Keycloak user interface to a claim in a token. Protocol mappers can be -// defined for a single client, or they can be defined for a client scope which -// can be shared between multiple different clients. +// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +// multiple different clients. // -// ### Example Usage (Client) +// ## Example Usage +// +// ### Client) // // ```go // package main @@ -46,8 +46,8 @@ import ( // } // openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{ // RealmId: realm.ID(), -// ClientId: pulumi.String("test-client"), -// Name: pulumi.String("test client"), +// ClientId: pulumi.String("client"), +// Name: pulumi.String("client"), // Enabled: pulumi.Bool(true), // AccessType: pulumi.String("CONFIDENTIAL"), // ValidRedirectUris: pulumi.StringArray{ @@ -60,7 +60,7 @@ import ( // _, err = openid.NewUserPropertyProtocolMapper(ctx, "user_property_mapper", &openid.UserPropertyProtocolMapperArgs{ // RealmId: realm.ID(), // ClientId: openidClient.ID(), -// Name: pulumi.String("test-mapper"), +// Name: pulumi.String("user-property-mapper"), // UserProperty: pulumi.String("email"), // ClaimName: pulumi.String("email"), // }) @@ -73,7 +73,7 @@ import ( // // ``` // -// ### Example Usage (Client Scope) +// ### Client Scope) // // ```go // package main 
@@ -97,7 +97,7 @@ import ( // } // clientScope, err := openid.NewClientScope(ctx, "client_scope", &openid.ClientScopeArgs{ // RealmId: realm.ID(), -// Name: pulumi.String("test-client-scope"), +// Name: pulumi.String("client-scope"), // }) // if err != nil { // return err 
@@ -118,48 +118,47 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `userProperty` - (Required) The built in user property (such as email) to map a claim for. -// - `claimName` - (Required) The name of the claim to insert into a token. -// - `claimValueType` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. -// - `addToIdToken` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -// - `addToAccessToken` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -// - `addToUserinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
-// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type UserPropertyProtocolMapper struct { pulumi.CustomResourceState - // Indicates if the property should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrOutput `pulumi:"addToAccessToken"` - // Indicates if the property should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrOutput `pulumi:"addToIdToken"` - // Indicates if the property should appear in the userinfo response body. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrOutput `pulumi:"addToUserinfo"` - ClaimName pulumi.StringOutput `pulumi:"claimName"` - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringOutput `pulumi:"claimName"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrOutput `pulumi:"claimValueType"` - // The mapper's associated client. 
Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringOutput `pulumi:"name"` - // The realm id where the associated client or client scope exists. - RealmId pulumi.StringOutput `pulumi:"realmId"` + // The realm this protocol mapper exists within. + RealmId pulumi.StringOutput `pulumi:"realmId"` + // The built in user property (such as email) to map a claim for. UserProperty pulumi.StringOutput `pulumi:"userProperty"` } 
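Review bot: The new `ClientScopeId` comment in the `UserPropertyProtocolMapper` struct carries a stray trailing fragment, `` `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. ``, glued on after `must be specified.` — it looks like a leftover of the removed Argument Reference bullet. The comment should end at `must be specified.`, which matches the `ClientId` comment beside it and the `ClientScopeId` comment in userAttributeProtocolMapper.go above. The same fragment recurs in the state and args hunks of this file that follow, so whatever produced it should be fixed at the source rather than hand-edited here.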
@@ -202,44 +201,48 @@ func GetUserPropertyProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering UserPropertyProtocolMapper resources. type userPropertyProtocolMapperState struct { - // Indicates if the property should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if the property should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // Indicates if the property should appear in the userinfo response body. - AddToUserinfo *bool `pulumi:"addToUserinfo"` - ClaimName *string `pulumi:"claimName"` - // Claim type used when serializing tokens. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The name of the claim to insert into a token. + ClaimName *string `pulumi:"claimName"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType *string `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. 
ClientScopeId *string `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. - RealmId *string `pulumi:"realmId"` + // The realm this protocol mapper exists within. + RealmId *string `pulumi:"realmId"` + // The built in user property (such as email) to map a claim for. UserProperty *string `pulumi:"userProperty"` } type UserPropertyProtocolMapperState struct { - // Indicates if the property should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if the property should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // Indicates if the property should appear in the userinfo response body. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrInput - ClaimName pulumi.StringPtrInput - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringPtrInput + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. 
One of `clientId` or `clientScopeId` must be specified. `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. ClientScopeId pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. - RealmId pulumi.StringPtrInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringPtrInput + // The built in user property (such as email) to map a claim for. UserProperty pulumi.StringPtrInput } 
@@ -248,45 +251,49 @@ func (UserPropertyProtocolMapperState) ElementType() reflect.Type { } type userPropertyProtocolMapperArgs struct { - // Indicates if the property should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if the property should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // Indicates if the property should appear in the userinfo response body. - AddToUserinfo *bool `pulumi:"addToUserinfo"` - ClaimName string `pulumi:"claimName"` - // Claim type used when serializing tokens. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The name of the claim to insert into a token. + ClaimName string `pulumi:"claimName"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType *string `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. ClientScopeId *string `pulumi:"clientScopeId"` - // A human-friendly name that will appear in the Keycloak console. 
+ // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. - RealmId string `pulumi:"realmId"` + // The realm this protocol mapper exists within. + RealmId string `pulumi:"realmId"` + // The built in user property (such as email) to map a claim for. UserProperty string `pulumi:"userProperty"` } // The set of arguments for constructing a UserPropertyProtocolMapper resource. type UserPropertyProtocolMapperArgs struct { - // Indicates if the property should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if the property should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // Indicates if the property should appear in the userinfo response body. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrInput - ClaimName pulumi.StringInput - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringInput + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. 
`clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. ClientScopeId pulumi.StringPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. - RealmId pulumi.StringInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringInput + // The built in user property (such as email) to map a claim for. UserProperty pulumi.StringInput } 
@@ -377,50 +384,52 @@ func (o UserPropertyProtocolMapperOutput) ToUserPropertyProtocolMapperOutputWith return o } -// Indicates if the property should be a claim in the access token. +// Indicates if the property should be added as a claim to the access token. Defaults to `true`. func (o UserPropertyProtocolMapperOutput) AddToAccessToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.BoolPtrOutput { return v.AddToAccessToken }).(pulumi.BoolPtrOutput) } -// Indicates if the property should be a claim in the id token. +// Indicates if the property should be added as a claim to the id token. Defaults to `true`. func (o UserPropertyProtocolMapperOutput) AddToIdToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.BoolPtrOutput { return v.AddToIdToken }).(pulumi.BoolPtrOutput) } -// Indicates if the property should appear in the userinfo response body. +// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. func (o UserPropertyProtocolMapperOutput) AddToUserinfo() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.BoolPtrOutput { return v.AddToUserinfo }).(pulumi.BoolPtrOutput) } +// The name of the claim to insert into a token. func (o UserPropertyProtocolMapperOutput) ClaimName() pulumi.StringOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringOutput { return v.ClaimName }).(pulumi.StringOutput) } -// Claim type used when serializing tokens. +// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. func (o UserPropertyProtocolMapperOutput) ClaimValueType() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringPtrOutput { return v.ClaimValueType }).(pulumi.StringPtrOutput) } -// The mapper's associated client. Cannot be used at the same time as client_scope_id. 
+// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o UserPropertyProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } -// The mapper's associated client scope. Cannot be used at the same time as client_id. +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. func (o UserPropertyProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } -// A human-friendly name that will appear in the Keycloak console. +// The display name of this protocol mapper in the GUI. func (o UserPropertyProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm id where the associated client or client scope exists. +// The realm this protocol mapper exists within. func (o UserPropertyProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// The built in user property (such as email) to map a claim for. func (o UserPropertyProtocolMapperOutput) UserProperty() pulumi.StringOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringOutput { return v.UserProperty }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/userRealmRoleProtocolMapper.go b/sdk/go/keycloak/openid/userRealmRoleProtocolMapper.go index bb545d98..0a992172 100644 
--- a/sdk/go/keycloak/openid/userRealmRoleProtocolMapper.go +++ b/sdk/go/keycloak/openid/userRealmRoleProtocolMapper.go @@ -12,17 +12,16 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # openid.UserRealmRoleProtocolMapper -// -// Allows for creating and managing user realm role protocol mappers within -// Keycloak. +// Allows for creating and managing user realm role protocol mappers within Keycloak. // // User realm role protocol mappers allow you to define a claim containing the list of the realm roles. -// Protocol mappers can be defined for a single client, or they can -// be defined for a client scope which can be shared between multiple different -// clients. // -// ### Example Usage (Client) +// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +// multiple different clients. +// +// ## Example Usage +// +// ### Client) // // ```go // package main @@ -46,8 +45,8 @@ import ( // } // openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{ // RealmId: realm.ID(), -// ClientId: pulumi.String("test-client"), -// Name: pulumi.String("test client"), +// ClientId: pulumi.String("client"), +// Name: pulumi.String("client"), // Enabled: pulumi.Bool(true), // AccessType: pulumi.String("CONFIDENTIAL"), // ValidRedirectUris: pulumi.StringArray{ @@ -72,7 +71,7 @@ import ( // // ``` // -// ### Example Usage (Client Scope) +// ### Client Scope) // // ```go // package main 
@@ -116,52 +115,49 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `claimName` - (Required) The name of the claim to insert into a token. -// - `claimValueType` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. -// - `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `true`. -// - `realmRolePrefix` - (Optional) A prefix for each Realm Role. -// - `addToIdToken` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -// - `addToAccessToken` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -// - `addToUserinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
-// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type UserRealmRoleProtocolMapper struct { pulumi.CustomResourceState - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrOutput `pulumi:"addToAccessToken"` - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrOutput `pulumi:"addToIdToken"` - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrOutput `pulumi:"addToUserinfo"` - ClaimName pulumi.StringOutput `pulumi:"claimName"` - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringOutput `pulumi:"claimName"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrOutput `pulumi:"claimValueType"` - // The mapper's associated client. 
Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - // Indicates whether this attribute is a single value or an array of values. + // Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. Multivalued pulumi.BoolPtrOutput `pulumi:"multivalued"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringOutput `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringOutput `pulumi:"realmId"` - // Prefix that will be added to each realm role. + // A prefix for each Realm Role. RealmRolePrefix pulumi.StringPtrOutput `pulumi:"realmRolePrefix"` } 
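Review bot: The new comment on the `Multivalued` field states `Defaults to `false``, while the argument reference removed earlier in this same hunk stated `Defaults to `true`` for `multivalued`; the two cannot both be right. This matters for consumers of the realm-role claim, because with `multivalued` off only the first realm role is emitted into the token, so a relying party that authorizes on that claim would silently see an incomplete role list if the documented default is wrong. Since this SDK file is generated, the fix belongs in the upstream schema/doc source; please confirm the provider's actual schema default and correct whichever description is wrong there. The same `Multivalued` comment is repeated in the later hunks of this file (the state, args and output accessors), so one upstream correction covers all of them.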
@@ -201,50 +197,52 @@ func GetUserRealmRoleProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering UserRealmRoleProtocolMapper resources. type userRealmRoleProtocolMapperState struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // Indicates if the attribute should appear in the userinfo response body. - AddToUserinfo *bool `pulumi:"addToUserinfo"` - ClaimName *string `pulumi:"claimName"` - // Claim type used when serializing tokens. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The name of the claim to insert into a token. + ClaimName *string `pulumi:"claimName"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType *string `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // Indicates whether this attribute is a single value or an array of values. + // Indicates if attribute supports multiple values. 
If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. Multivalued *bool `pulumi:"multivalued"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId *string `pulumi:"realmId"` - // Prefix that will be added to each realm role. + // A prefix for each Realm Role. RealmRolePrefix *string `pulumi:"realmRolePrefix"` } type UserRealmRoleProtocolMapperState struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrInput - ClaimName pulumi.StringPtrInput - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringPtrInput + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. 
Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // Indicates whether this attribute is a single value or an array of values. + // Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. Multivalued pulumi.BoolPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringPtrInput - // Prefix that will be added to each realm role. + // A prefix for each Realm Role. RealmRolePrefix pulumi.StringPtrInput } 
@@ -253,51 +251,53 @@ func (UserRealmRoleProtocolMapperState) ElementType() reflect.Type { } type userRealmRoleProtocolMapperArgs struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken *bool `pulumi:"addToAccessToken"` - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken *bool `pulumi:"addToIdToken"` - // Indicates if the attribute should appear in the userinfo response body. - AddToUserinfo *bool `pulumi:"addToUserinfo"` - ClaimName string `pulumi:"claimName"` - // Claim type used when serializing tokens. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + AddToUserinfo *bool `pulumi:"addToUserinfo"` + // The name of the claim to insert into a token. + ClaimName string `pulumi:"claimName"` + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType *string `pulumi:"claimValueType"` - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId *string `pulumi:"clientId"` - // The mapper's associated client scope. Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId *string `pulumi:"clientScopeId"` - // Indicates whether this attribute is a single value or an array of values. + // Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. 
If false, then just first value will be set as claim. Defaults to `false`. Multivalued *bool `pulumi:"multivalued"` - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name *string `pulumi:"name"` - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId string `pulumi:"realmId"` - // Prefix that will be added to each realm role. + // A prefix for each Realm Role. RealmRolePrefix *string `pulumi:"realmRolePrefix"` } // The set of arguments for constructing a UserRealmRoleProtocolMapper resource. type UserRealmRoleProtocolMapperArgs struct { - // Indicates if the attribute should be a claim in the access token. + // Indicates if the property should be added as a claim to the access token. Defaults to `true`. AddToAccessToken pulumi.BoolPtrInput - // Indicates if the attribute should be a claim in the id token. + // Indicates if the property should be added as a claim to the id token. Defaults to `true`. AddToIdToken pulumi.BoolPtrInput - // Indicates if the attribute should appear in the userinfo response body. + // Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. AddToUserinfo pulumi.BoolPtrInput - ClaimName pulumi.StringInput - // Claim type used when serializing tokens. + // The name of the claim to insert into a token. + ClaimName pulumi.StringInput + // The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. ClaimValueType pulumi.StringPtrInput - // The mapper's associated client. Cannot be used at the same time as client_scope_id. + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. ClientId pulumi.StringPtrInput - // The mapper's associated client scope. 
Cannot be used at the same time as client_id. + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. ClientScopeId pulumi.StringPtrInput - // Indicates whether this attribute is a single value or an array of values. + // Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. Multivalued pulumi.BoolPtrInput - // A human-friendly name that will appear in the Keycloak console. + // The display name of this protocol mapper in the GUI. Name pulumi.StringPtrInput - // The realm id where the associated client or client scope exists. + // The realm this protocol mapper exists within. RealmId pulumi.StringInput - // Prefix that will be added to each realm role. + // A prefix for each Realm Role. RealmRolePrefix pulumi.StringPtrInput } 
@@ -388,56 +388,57 @@ func (o UserRealmRoleProtocolMapperOutput) ToUserRealmRoleProtocolMapperOutputWi return o } -// Indicates if the attribute should be a claim in the access token. +// Indicates if the property should be added as a claim to the access token. Defaults to `true`. func (o UserRealmRoleProtocolMapperOutput) AddToAccessToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.BoolPtrOutput { return v.AddToAccessToken }).(pulumi.BoolPtrOutput) } -// Indicates if the attribute should be a claim in the id token. +// Indicates if the property should be added as a claim to the id token. Defaults to `true`. func (o UserRealmRoleProtocolMapperOutput) AddToIdToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.BoolPtrOutput { return v.AddToIdToken }).(pulumi.BoolPtrOutput) } -// Indicates if the attribute should appear in the userinfo response body. +// Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. func (o UserRealmRoleProtocolMapperOutput) AddToUserinfo() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.BoolPtrOutput { return v.AddToUserinfo }).(pulumi.BoolPtrOutput) } +// The name of the claim to insert into a token. func (o UserRealmRoleProtocolMapperOutput) ClaimName() pulumi.StringOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.StringOutput { return v.ClaimName }).(pulumi.StringOutput) } -// Claim type used when serializing tokens. +// The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. func (o UserRealmRoleProtocolMapperOutput) ClaimValueType() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.StringPtrOutput { return v.ClaimValueType }).(pulumi.StringPtrOutput) } -// The mapper's associated client. Cannot be used at the same time as client_scope_id. 
+// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o UserRealmRoleProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } -// The mapper's associated client scope. Cannot be used at the same time as client_id. +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. func (o UserRealmRoleProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } -// Indicates whether this attribute is a single value or an array of values. +// Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. func (o UserRealmRoleProtocolMapperOutput) Multivalued() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.BoolPtrOutput { return v.Multivalued }).(pulumi.BoolPtrOutput) } -// A human-friendly name that will appear in the Keycloak console. +// The display name of this protocol mapper in the GUI. func (o UserRealmRoleProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm id where the associated client or client scope exists. +// The realm this protocol mapper exists within. func (o UserRealmRoleProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } -// Prefix that will be added to each realm role. 
+// A prefix for each Realm Role. func (o UserRealmRoleProtocolMapperOutput) RealmRolePrefix() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserRealmRoleProtocolMapper) pulumi.StringPtrOutput { return v.RealmRolePrefix }).(pulumi.StringPtrOutput) } diff --git a/sdk/go/keycloak/pulumiTypes.go b/sdk/go/keycloak/pulumiTypes.go index 48b47aca..90806b63 100644 --- a/sdk/go/keycloak/pulumiTypes.go +++ b/sdk/go/keycloak/pulumiTypes.go @@ -829,7 +829,9 @@ func (o GroupPermissionsViewScopePtrOutput) Policies() pulumi.StringArrayOutput } type RealmInternationalization struct { - DefaultLocale string `pulumi:"defaultLocale"` + // The locale to use by default. This locale code must be present within the `supportedLocales` list. + DefaultLocale string `pulumi:"defaultLocale"` + // A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. SupportedLocales []string `pulumi:"supportedLocales"` } @@ -845,7 +847,9 @@ type RealmInternationalizationInput interface { } type RealmInternationalizationArgs struct { - DefaultLocale pulumi.StringInput `pulumi:"defaultLocale"` + // The locale to use by default. This locale code must be present within the `supportedLocales` list. + DefaultLocale pulumi.StringInput `pulumi:"defaultLocale"` + // A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. SupportedLocales pulumi.StringArrayInput `pulumi:"supportedLocales"` } 
@@ -926,10 +930,12 @@ func (o RealmInternationalizationOutput) ToRealmInternationalizationPtrOutputWit }).(RealmInternationalizationPtrOutput) } +// The locale to use by default. This locale code must be present within the `supportedLocales` list. func (o RealmInternationalizationOutput) DefaultLocale() pulumi.StringOutput { return o.ApplyT(func(v RealmInternationalization) string { return v.DefaultLocale }).(pulumi.StringOutput) } +// A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. func (o RealmInternationalizationOutput) SupportedLocales() pulumi.StringArrayOutput { return o.ApplyT(func(v RealmInternationalization) []string { return v.SupportedLocales }).(pulumi.StringArrayOutput) } @@ -958,6 +964,7 @@ func (o RealmInternationalizationPtrOutput) Elem() RealmInternationalizationOutp }).(RealmInternationalizationOutput) } +// The locale to use by default. This locale code must be present within the `supportedLocales` list. func (o RealmInternationalizationPtrOutput) DefaultLocale() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmInternationalization) *string { if v == nil { @@ -967,6 +974,7 @@ func (o RealmInternationalizationPtrOutput) DefaultLocale() pulumi.StringPtrOutp }).(pulumi.StringPtrOutput) } +// A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. func (o RealmInternationalizationPtrOutput) SupportedLocales() pulumi.StringArrayOutput { return o.ApplyT(func(v *RealmInternationalization) []string { if v == nil { 
@@ -977,13 +985,17 @@ func (o RealmInternationalizationPtrOutput) SupportedLocales() pulumi.StringArra } type RealmOtpPolicy struct { - // What hashing algorithm should be used to generate the OTP. - Algorithm *string `pulumi:"algorithm"` - Digits *int `pulumi:"digits"` - InitialCounter *int `pulumi:"initialCounter"` - LookAheadWindow *int `pulumi:"lookAheadWindow"` - Period *int `pulumi:"period"` - // OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + // What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. + Algorithm *string `pulumi:"algorithm"` + // How many digits the OTP have. Defaults to `6`. + Digits *int `pulumi:"digits"` + // What should the initial counter value be. Defaults to `2`. + InitialCounter *int `pulumi:"initialCounter"` + // How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + LookAheadWindow *int `pulumi:"lookAheadWindow"` + // How many seconds should an OTP token be valid. Defaults to `30`. + Period *int `pulumi:"period"` + // One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. Type *string `pulumi:"type"` } 
@@ -999,13 +1011,17 @@ type RealmOtpPolicyInput interface { } type RealmOtpPolicyArgs struct { - // What hashing algorithm should be used to generate the OTP. - Algorithm pulumi.StringPtrInput `pulumi:"algorithm"` - Digits pulumi.IntPtrInput `pulumi:"digits"` - InitialCounter pulumi.IntPtrInput `pulumi:"initialCounter"` - LookAheadWindow pulumi.IntPtrInput `pulumi:"lookAheadWindow"` - Period pulumi.IntPtrInput `pulumi:"period"` - // OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + // What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. + Algorithm pulumi.StringPtrInput `pulumi:"algorithm"` + // How many digits the OTP have. Defaults to `6`. + Digits pulumi.IntPtrInput `pulumi:"digits"` + // What should the initial counter value be. Defaults to `2`. + InitialCounter pulumi.IntPtrInput `pulumi:"initialCounter"` + // How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + LookAheadWindow pulumi.IntPtrInput `pulumi:"lookAheadWindow"` + // How many seconds should an OTP token be valid. Defaults to `30`. + Period pulumi.IntPtrInput `pulumi:"period"` + // One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. Type pulumi.StringPtrInput `pulumi:"type"` } 
@@ -1086,28 +1102,32 @@ func (o RealmOtpPolicyOutput) ToRealmOtpPolicyPtrOutputWithContext(ctx context.C }).(RealmOtpPolicyPtrOutput) } -// What hashing algorithm should be used to generate the OTP. +// What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. func (o RealmOtpPolicyOutput) Algorithm() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmOtpPolicy) *string { return v.Algorithm }).(pulumi.StringPtrOutput) } +// How many digits the OTP have. Defaults to `6`. func (o RealmOtpPolicyOutput) Digits() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmOtpPolicy) *int { return v.Digits }).(pulumi.IntPtrOutput) } +// What should the initial counter value be. Defaults to `2`. func (o RealmOtpPolicyOutput) InitialCounter() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmOtpPolicy) *int { return v.InitialCounter }).(pulumi.IntPtrOutput) } +// How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. func (o RealmOtpPolicyOutput) LookAheadWindow() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmOtpPolicy) *int { return v.LookAheadWindow }).(pulumi.IntPtrOutput) } +// How many seconds should an OTP token be valid. Defaults to `30`. func (o RealmOtpPolicyOutput) Period() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmOtpPolicy) *int { return v.Period }).(pulumi.IntPtrOutput) } -// OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password +// One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. func (o RealmOtpPolicyOutput) Type() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmOtpPolicy) *string { return v.Type }).(pulumi.StringPtrOutput) } 
@@ -1136,7 +1156,7 @@ func (o RealmOtpPolicyPtrOutput) Elem() RealmOtpPolicyOutput { }).(RealmOtpPolicyOutput) } -// What hashing algorithm should be used to generate the OTP. +// What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. func (o RealmOtpPolicyPtrOutput) Algorithm() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmOtpPolicy) *string { if v == nil { @@ -1146,6 +1166,7 @@ func (o RealmOtpPolicyPtrOutput) Algorithm() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +// How many digits the OTP have. Defaults to `6`. func (o RealmOtpPolicyPtrOutput) Digits() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmOtpPolicy) *int { if v == nil { @@ -1155,6 +1176,7 @@ func (o RealmOtpPolicyPtrOutput) Digits() pulumi.IntPtrOutput { }).(pulumi.IntPtrOutput) } +// What should the initial counter value be. Defaults to `2`. func (o RealmOtpPolicyPtrOutput) InitialCounter() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmOtpPolicy) *int { if v == nil { @@ -1164,6 +1186,7 @@ func (o RealmOtpPolicyPtrOutput) InitialCounter() pulumi.IntPtrOutput { }).(pulumi.IntPtrOutput) } +// How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. func (o RealmOtpPolicyPtrOutput) LookAheadWindow() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmOtpPolicy) *int { if v == nil { @@ -1173,6 +1196,7 @@ func (o RealmOtpPolicyPtrOutput) LookAheadWindow() pulumi.IntPtrOutput { }).(pulumi.IntPtrOutput) } +// How many seconds should an OTP token be valid. Defaults to `30`. func (o RealmOtpPolicyPtrOutput) Period() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmOtpPolicy) *int { if v == nil { 
@@ -1182,7 +1206,7 @@ func (o RealmOtpPolicyPtrOutput) Period() pulumi.IntPtrOutput { }).(pulumi.IntPtrOutput) } -// OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password +// One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. func (o RealmOtpPolicyPtrOutput) Type() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmOtpPolicy) *string { if v == nil { 
@@ -1341,13 +1365,20 @@ func (o RealmSecurityDefensesPtrOutput) Headers() RealmSecurityDefensesHeadersPt } type RealmSecurityDefensesBruteForceDetection struct { - FailureResetTimeSeconds *int `pulumi:"failureResetTimeSeconds"` - MaxFailureWaitSeconds *int `pulumi:"maxFailureWaitSeconds"` - MaxLoginFailures *int `pulumi:"maxLoginFailures"` - MinimumQuickLoginWaitSeconds *int `pulumi:"minimumQuickLoginWaitSeconds"` - PermanentLockout *bool `pulumi:"permanentLockout"` - QuickLoginCheckMilliSeconds *int `pulumi:"quickLoginCheckMilliSeconds"` - WaitIncrementSeconds *int `pulumi:"waitIncrementSeconds"` + // When will failure count be reset? + FailureResetTimeSeconds *int `pulumi:"failureResetTimeSeconds"` + MaxFailureWaitSeconds *int `pulumi:"maxFailureWaitSeconds"` + // How many failures before wait is triggered. + MaxLoginFailures *int `pulumi:"maxLoginFailures"` + // How long to wait after a quick login failure. + // - ` maxFailureWaitSeconds ` - (Optional) Max. time a user will be locked out. + MinimumQuickLoginWaitSeconds *int `pulumi:"minimumQuickLoginWaitSeconds"` + // When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + PermanentLockout *bool `pulumi:"permanentLockout"` + // Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + QuickLoginCheckMilliSeconds *int `pulumi:"quickLoginCheckMilliSeconds"` + // This represents the amount of time a user should be locked out when the login failure threshold has been met. + WaitIncrementSeconds *int `pulumi:"waitIncrementSeconds"` } // RealmSecurityDefensesBruteForceDetectionInput is an input type that accepts RealmSecurityDefensesBruteForceDetectionArgs and RealmSecurityDefensesBruteForceDetectionOutput values. 
@@ -1362,13 +1393,20 @@ type RealmSecurityDefensesBruteForceDetectionInput interface { } type RealmSecurityDefensesBruteForceDetectionArgs struct { - FailureResetTimeSeconds pulumi.IntPtrInput `pulumi:"failureResetTimeSeconds"` - MaxFailureWaitSeconds pulumi.IntPtrInput `pulumi:"maxFailureWaitSeconds"` - MaxLoginFailures pulumi.IntPtrInput `pulumi:"maxLoginFailures"` - MinimumQuickLoginWaitSeconds pulumi.IntPtrInput `pulumi:"minimumQuickLoginWaitSeconds"` - PermanentLockout pulumi.BoolPtrInput `pulumi:"permanentLockout"` - QuickLoginCheckMilliSeconds pulumi.IntPtrInput `pulumi:"quickLoginCheckMilliSeconds"` - WaitIncrementSeconds pulumi.IntPtrInput `pulumi:"waitIncrementSeconds"` + // When will failure count be reset? + FailureResetTimeSeconds pulumi.IntPtrInput `pulumi:"failureResetTimeSeconds"` + MaxFailureWaitSeconds pulumi.IntPtrInput `pulumi:"maxFailureWaitSeconds"` + // How many failures before wait is triggered. + MaxLoginFailures pulumi.IntPtrInput `pulumi:"maxLoginFailures"` + // How long to wait after a quick login failure. + // - ` maxFailureWaitSeconds ` - (Optional) Max. time a user will be locked out. + MinimumQuickLoginWaitSeconds pulumi.IntPtrInput `pulumi:"minimumQuickLoginWaitSeconds"` + // When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + PermanentLockout pulumi.BoolPtrInput `pulumi:"permanentLockout"` + // Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + QuickLoginCheckMilliSeconds pulumi.IntPtrInput `pulumi:"quickLoginCheckMilliSeconds"` + // This represents the amount of time a user should be locked out when the login failure threshold has been met. + WaitIncrementSeconds pulumi.IntPtrInput `pulumi:"waitIncrementSeconds"` } func (RealmSecurityDefensesBruteForceDetectionArgs) ElementType() reflect.Type { 
@@ -1448,6 +1486,7 @@ func (o RealmSecurityDefensesBruteForceDetectionOutput) ToRealmSecurityDefensesB }).(RealmSecurityDefensesBruteForceDetectionPtrOutput) } +// When will failure count be reset? func (o RealmSecurityDefensesBruteForceDetectionOutput) FailureResetTimeSeconds() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesBruteForceDetection) *int { return v.FailureResetTimeSeconds }).(pulumi.IntPtrOutput) } 
@@ -1456,22 +1495,28 @@ func (o RealmSecurityDefensesBruteForceDetectionOutput) MaxFailureWaitSeconds() return o.ApplyT(func(v RealmSecurityDefensesBruteForceDetection) *int { return v.MaxFailureWaitSeconds }).(pulumi.IntPtrOutput) } +// How many failures before wait is triggered. func (o RealmSecurityDefensesBruteForceDetectionOutput) MaxLoginFailures() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesBruteForceDetection) *int { return v.MaxLoginFailures }).(pulumi.IntPtrOutput) } +// How long to wait after a quick login failure. +// - ` maxFailureWaitSeconds ` - (Optional) Max. time a user will be locked out. func (o RealmSecurityDefensesBruteForceDetectionOutput) MinimumQuickLoginWaitSeconds() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesBruteForceDetection) *int { return v.MinimumQuickLoginWaitSeconds }).(pulumi.IntPtrOutput) } +// When `true`, this will lock the user permanently when the user exceeds the maximum login failures. func (o RealmSecurityDefensesBruteForceDetectionOutput) PermanentLockout() pulumi.BoolPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesBruteForceDetection) *bool { return v.PermanentLockout }).(pulumi.BoolPtrOutput) } +// Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. func (o RealmSecurityDefensesBruteForceDetectionOutput) QuickLoginCheckMilliSeconds() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesBruteForceDetection) *int { return v.QuickLoginCheckMilliSeconds }).(pulumi.IntPtrOutput) } +// This represents the amount of time a user should be locked out when the login failure threshold has been met. func (o RealmSecurityDefensesBruteForceDetectionOutput) WaitIncrementSeconds() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesBruteForceDetection) *int { return v.WaitIncrementSeconds }).(pulumi.IntPtrOutput) } 
@@ -1500,6 +1545,7 @@ func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) Elem() RealmSecurityD }).(RealmSecurityDefensesBruteForceDetectionOutput) } +// When will failure count be reset? func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) FailureResetTimeSeconds() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesBruteForceDetection) *int { if v == nil { @@ -1518,6 +1564,7 @@ func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) MaxFailureWaitSeconds }).(pulumi.IntPtrOutput) } +// How many failures before wait is triggered. func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) MaxLoginFailures() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesBruteForceDetection) *int { if v == nil { @@ -1527,6 +1574,8 @@ func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) MaxLoginFailures() pu }).(pulumi.IntPtrOutput) } +// How long to wait after a quick login failure. +// - ` maxFailureWaitSeconds ` - (Optional) Max. time a user will be locked out. func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) MinimumQuickLoginWaitSeconds() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesBruteForceDetection) *int { if v == nil { @@ -1536,6 +1585,7 @@ func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) MinimumQuickLoginWait }).(pulumi.IntPtrOutput) } +// When `true`, this will lock the user permanently when the user exceeds the maximum login failures. func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) PermanentLockout() pulumi.BoolPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesBruteForceDetection) *bool { if v == nil { 
@@ -1545,6 +1595,7 @@ func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) PermanentLockout() pu }).(pulumi.BoolPtrOutput) } +// Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) QuickLoginCheckMilliSeconds() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesBruteForceDetection) *int { if v == nil { @@ -1554,6 +1605,7 @@ func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) QuickLoginCheckMilliS }).(pulumi.IntPtrOutput) } +// This represents the amount of time a user should be locked out when the login failure threshold has been met. func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) WaitIncrementSeconds() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesBruteForceDetection) *int { if v == nil { 
@@ -1564,14 +1616,22 @@ func (o RealmSecurityDefensesBruteForceDetectionPtrOutput) WaitIncrementSeconds( } type RealmSecurityDefensesHeaders struct { - ContentSecurityPolicy *string `pulumi:"contentSecurityPolicy"` + // Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + ContentSecurityPolicy *string `pulumi:"contentSecurityPolicy"` + // Used for testing Content Security Policies. ContentSecurityPolicyReportOnly *string `pulumi:"contentSecurityPolicyReportOnly"` - ReferrerPolicy *string `pulumi:"referrerPolicy"` - StrictTransportSecurity *string `pulumi:"strictTransportSecurity"` - XContentTypeOptions *string `pulumi:"xContentTypeOptions"` - XFrameOptions *string `pulumi:"xFrameOptions"` - XRobotsTag *string `pulumi:"xRobotsTag"` - XXssProtection *string `pulumi:"xXssProtection"` + // The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + ReferrerPolicy *string `pulumi:"referrerPolicy"` + // The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + StrictTransportSecurity *string `pulumi:"strictTransportSecurity"` + // Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + XContentTypeOptions *string `pulumi:"xContentTypeOptions"` + // Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + XFrameOptions *string `pulumi:"xFrameOptions"` + // Prevent pages from appearing in search engines. + XRobotsTag *string `pulumi:"xRobotsTag"` + // This header configures the Cross-site scripting (XSS) filter in your browser. 
+ XXssProtection *string `pulumi:"xXssProtection"` } // RealmSecurityDefensesHeadersInput is an input type that accepts RealmSecurityDefensesHeadersArgs and RealmSecurityDefensesHeadersOutput values. 
@@ -1586,14 +1646,22 @@ type RealmSecurityDefensesHeadersInput interface { } type RealmSecurityDefensesHeadersArgs struct { - ContentSecurityPolicy pulumi.StringPtrInput `pulumi:"contentSecurityPolicy"` + // Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + ContentSecurityPolicy pulumi.StringPtrInput `pulumi:"contentSecurityPolicy"` + // Used for testing Content Security Policies. ContentSecurityPolicyReportOnly pulumi.StringPtrInput `pulumi:"contentSecurityPolicyReportOnly"` - ReferrerPolicy pulumi.StringPtrInput `pulumi:"referrerPolicy"` - StrictTransportSecurity pulumi.StringPtrInput `pulumi:"strictTransportSecurity"` - XContentTypeOptions pulumi.StringPtrInput `pulumi:"xContentTypeOptions"` - XFrameOptions pulumi.StringPtrInput `pulumi:"xFrameOptions"` - XRobotsTag pulumi.StringPtrInput `pulumi:"xRobotsTag"` - XXssProtection pulumi.StringPtrInput `pulumi:"xXssProtection"` + // The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + ReferrerPolicy pulumi.StringPtrInput `pulumi:"referrerPolicy"` + // The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + StrictTransportSecurity pulumi.StringPtrInput `pulumi:"strictTransportSecurity"` + // Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + XContentTypeOptions pulumi.StringPtrInput `pulumi:"xContentTypeOptions"` + // Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + XFrameOptions pulumi.StringPtrInput `pulumi:"xFrameOptions"` + // Prevent pages from appearing in search engines. 
+ XRobotsTag pulumi.StringPtrInput `pulumi:"xRobotsTag"` + // This header configures the Cross-site scripting (XSS) filter in your browser. + XXssProtection pulumi.StringPtrInput `pulumi:"xXssProtection"` } func (RealmSecurityDefensesHeadersArgs) ElementType() reflect.Type { 
@@ -1673,34 +1741,42 @@ func (o RealmSecurityDefensesHeadersOutput) ToRealmSecurityDefensesHeadersPtrOut }).(RealmSecurityDefensesHeadersPtrOutput) } +// Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. func (o RealmSecurityDefensesHeadersOutput) ContentSecurityPolicy() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesHeaders) *string { return v.ContentSecurityPolicy }).(pulumi.StringPtrOutput) } +// Used for testing Content Security Policies. func (o RealmSecurityDefensesHeadersOutput) ContentSecurityPolicyReportOnly() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesHeaders) *string { return v.ContentSecurityPolicyReportOnly }).(pulumi.StringPtrOutput) } +// The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. func (o RealmSecurityDefensesHeadersOutput) ReferrerPolicy() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesHeaders) *string { return v.ReferrerPolicy }).(pulumi.StringPtrOutput) } +// The Script-Transport-Security HTTP header tells browsers to always use HTTPS. func (o RealmSecurityDefensesHeadersOutput) StrictTransportSecurity() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesHeaders) *string { return v.StrictTransportSecurity }).(pulumi.StringPtrOutput) } +// Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type func (o RealmSecurityDefensesHeadersOutput) XContentTypeOptions() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesHeaders) *string { return v.XContentTypeOptions }).(pulumi.StringPtrOutput) } +// Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. 
More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) func (o RealmSecurityDefensesHeadersOutput) XFrameOptions() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesHeaders) *string { return v.XFrameOptions }).(pulumi.StringPtrOutput) } +// Prevent pages from appearing in search engines. func (o RealmSecurityDefensesHeadersOutput) XRobotsTag() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesHeaders) *string { return v.XRobotsTag }).(pulumi.StringPtrOutput) } +// This header configures the Cross-site scripting (XSS) filter in your browser. func (o RealmSecurityDefensesHeadersOutput) XXssProtection() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSecurityDefensesHeaders) *string { return v.XXssProtection }).(pulumi.StringPtrOutput) } @@ -1729,6 +1805,7 @@ func (o RealmSecurityDefensesHeadersPtrOutput) Elem() RealmSecurityDefensesHeade }).(RealmSecurityDefensesHeadersOutput) } +// Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. func (o RealmSecurityDefensesHeadersPtrOutput) ContentSecurityPolicy() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesHeaders) *string { if v == nil { @@ -1738,6 +1815,7 @@ func (o RealmSecurityDefensesHeadersPtrOutput) ContentSecurityPolicy() pulumi.St }).(pulumi.StringPtrOutput) } +// Used for testing Content Security Policies. func (o RealmSecurityDefensesHeadersPtrOutput) ContentSecurityPolicyReportOnly() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesHeaders) *string { if v == nil { 
@@ -1747,6 +1825,7 @@ func (o RealmSecurityDefensesHeadersPtrOutput) ContentSecurityPolicyReportOnly() }).(pulumi.StringPtrOutput) } +// The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. func (o RealmSecurityDefensesHeadersPtrOutput) ReferrerPolicy() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesHeaders) *string { if v == nil { @@ -1756,6 +1835,7 @@ func (o RealmSecurityDefensesHeadersPtrOutput) ReferrerPolicy() pulumi.StringPtr }).(pulumi.StringPtrOutput) } +// The Script-Transport-Security HTTP header tells browsers to always use HTTPS. func (o RealmSecurityDefensesHeadersPtrOutput) StrictTransportSecurity() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesHeaders) *string { if v == nil { @@ -1765,6 +1845,7 @@ func (o RealmSecurityDefensesHeadersPtrOutput) StrictTransportSecurity() pulumi. }).(pulumi.StringPtrOutput) } +// Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type func (o RealmSecurityDefensesHeadersPtrOutput) XContentTypeOptions() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesHeaders) *string { if v == nil { @@ -1774,6 +1855,7 @@ func (o RealmSecurityDefensesHeadersPtrOutput) XContentTypeOptions() pulumi.Stri }).(pulumi.StringPtrOutput) } +// Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) func (o RealmSecurityDefensesHeadersPtrOutput) XFrameOptions() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesHeaders) *string { if v == nil { 
@@ -1783,6 +1865,7 @@ func (o RealmSecurityDefensesHeadersPtrOutput) XFrameOptions() pulumi.StringPtrO }).(pulumi.StringPtrOutput) } +// Prevent pages from appearing in search engines. func (o RealmSecurityDefensesHeadersPtrOutput) XRobotsTag() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesHeaders) *string { if v == nil { @@ -1792,6 +1875,7 @@ func (o RealmSecurityDefensesHeadersPtrOutput) XRobotsTag() pulumi.StringPtrOutp }).(pulumi.StringPtrOutput) } +// This header configures the Cross-site scripting (XSS) filter in your browser. func (o RealmSecurityDefensesHeadersPtrOutput) XXssProtection() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSecurityDefensesHeaders) *string { if v == nil { 
@@ -1802,16 +1886,26 @@ func (o RealmSecurityDefensesHeadersPtrOutput) XXssProtection() pulumi.StringPtr } type RealmSmtpServer struct { - Auth *RealmSmtpServerAuth `pulumi:"auth"` - EnvelopeFrom *string `pulumi:"envelopeFrom"` - From string `pulumi:"from"` - FromDisplayName *string `pulumi:"fromDisplayName"` - Host string `pulumi:"host"` - Port *string `pulumi:"port"` - ReplyTo *string `pulumi:"replyTo"` - ReplyToDisplayName *string `pulumi:"replyToDisplayName"` - Ssl *bool `pulumi:"ssl"` - Starttls *bool `pulumi:"starttls"` + // Enables authentication to the SMTP server. This block supports the following arguments: + Auth *RealmSmtpServerAuth `pulumi:"auth"` + // The email address uses for bounces. + EnvelopeFrom *string `pulumi:"envelopeFrom"` + // The email address for the sender. + From string `pulumi:"from"` + // The display name of the sender email address. + FromDisplayName *string `pulumi:"fromDisplayName"` + // The host of the SMTP server. + Host string `pulumi:"host"` + // The port of the SMTP server (defaults to 25). + Port *string `pulumi:"port"` + // The "reply to" email address. + ReplyTo *string `pulumi:"replyTo"` + // The display name of the "reply to" email address. + ReplyToDisplayName *string `pulumi:"replyToDisplayName"` + // When `true`, enables SSL. Defaults to `false`. + Ssl *bool `pulumi:"ssl"` + // When `true`, enables StartTLS. Defaults to `false`. + Starttls *bool `pulumi:"starttls"` } // RealmSmtpServerInput is an input type that accepts RealmSmtpServerArgs and RealmSmtpServerOutput values. 
@@ -1826,16 +1920,26 @@ type RealmSmtpServerInput interface { } type RealmSmtpServerArgs struct { - Auth RealmSmtpServerAuthPtrInput `pulumi:"auth"` - EnvelopeFrom pulumi.StringPtrInput `pulumi:"envelopeFrom"` - From pulumi.StringInput `pulumi:"from"` - FromDisplayName pulumi.StringPtrInput `pulumi:"fromDisplayName"` - Host pulumi.StringInput `pulumi:"host"` - Port pulumi.StringPtrInput `pulumi:"port"` - ReplyTo pulumi.StringPtrInput `pulumi:"replyTo"` - ReplyToDisplayName pulumi.StringPtrInput `pulumi:"replyToDisplayName"` - Ssl pulumi.BoolPtrInput `pulumi:"ssl"` - Starttls pulumi.BoolPtrInput `pulumi:"starttls"` + // Enables authentication to the SMTP server. This block supports the following arguments: + Auth RealmSmtpServerAuthPtrInput `pulumi:"auth"` + // The email address uses for bounces. + EnvelopeFrom pulumi.StringPtrInput `pulumi:"envelopeFrom"` + // The email address for the sender. + From pulumi.StringInput `pulumi:"from"` + // The display name of the sender email address. + FromDisplayName pulumi.StringPtrInput `pulumi:"fromDisplayName"` + // The host of the SMTP server. + Host pulumi.StringInput `pulumi:"host"` + // The port of the SMTP server (defaults to 25). + Port pulumi.StringPtrInput `pulumi:"port"` + // The "reply to" email address. + ReplyTo pulumi.StringPtrInput `pulumi:"replyTo"` + // The display name of the "reply to" email address. + ReplyToDisplayName pulumi.StringPtrInput `pulumi:"replyToDisplayName"` + // When `true`, enables SSL. Defaults to `false`. + Ssl pulumi.BoolPtrInput `pulumi:"ssl"` + // When `true`, enables StartTLS. Defaults to `false`. + Starttls pulumi.BoolPtrInput `pulumi:"starttls"` } func (RealmSmtpServerArgs) ElementType() reflect.Type { 
@@ -1915,42 +2019,52 @@ func (o RealmSmtpServerOutput) ToRealmSmtpServerPtrOutputWithContext(ctx context }).(RealmSmtpServerPtrOutput) } +// Enables authentication to the SMTP server. This block supports the following arguments: func (o RealmSmtpServerOutput) Auth() RealmSmtpServerAuthPtrOutput { return o.ApplyT(func(v RealmSmtpServer) *RealmSmtpServerAuth { return v.Auth }).(RealmSmtpServerAuthPtrOutput) } +// The email address uses for bounces. func (o RealmSmtpServerOutput) EnvelopeFrom() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSmtpServer) *string { return v.EnvelopeFrom }).(pulumi.StringPtrOutput) } +// The email address for the sender. func (o RealmSmtpServerOutput) From() pulumi.StringOutput { return o.ApplyT(func(v RealmSmtpServer) string { return v.From }).(pulumi.StringOutput) } +// The display name of the sender email address. func (o RealmSmtpServerOutput) FromDisplayName() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSmtpServer) *string { return v.FromDisplayName }).(pulumi.StringPtrOutput) } +// The host of the SMTP server. func (o RealmSmtpServerOutput) Host() pulumi.StringOutput { return o.ApplyT(func(v RealmSmtpServer) string { return v.Host }).(pulumi.StringOutput) } +// The port of the SMTP server (defaults to 25). func (o RealmSmtpServerOutput) Port() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSmtpServer) *string { return v.Port }).(pulumi.StringPtrOutput) } +// The "reply to" email address. func (o RealmSmtpServerOutput) ReplyTo() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSmtpServer) *string { return v.ReplyTo }).(pulumi.StringPtrOutput) } +// The display name of the "reply to" email address. func (o RealmSmtpServerOutput) ReplyToDisplayName() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmSmtpServer) *string { return v.ReplyToDisplayName }).(pulumi.StringPtrOutput) } +// When `true`, enables SSL. Defaults to `false`. 
func (o RealmSmtpServerOutput) Ssl() pulumi.BoolPtrOutput { return o.ApplyT(func(v RealmSmtpServer) *bool { return v.Ssl }).(pulumi.BoolPtrOutput) } +// When `true`, enables StartTLS. Defaults to `false`. func (o RealmSmtpServerOutput) Starttls() pulumi.BoolPtrOutput { return o.ApplyT(func(v RealmSmtpServer) *bool { return v.Starttls }).(pulumi.BoolPtrOutput) } @@ -1979,6 +2093,7 @@ func (o RealmSmtpServerPtrOutput) Elem() RealmSmtpServerOutput { }).(RealmSmtpServerOutput) } +// Enables authentication to the SMTP server. This block supports the following arguments: func (o RealmSmtpServerPtrOutput) Auth() RealmSmtpServerAuthPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *RealmSmtpServerAuth { if v == nil { @@ -1988,6 +2103,7 @@ func (o RealmSmtpServerPtrOutput) Auth() RealmSmtpServerAuthPtrOutput { }).(RealmSmtpServerAuthPtrOutput) } +// The email address uses for bounces. func (o RealmSmtpServerPtrOutput) EnvelopeFrom() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *string { if v == nil { @@ -1997,6 +2113,7 @@ func (o RealmSmtpServerPtrOutput) EnvelopeFrom() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +// The email address for the sender. func (o RealmSmtpServerPtrOutput) From() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *string { if v == nil { @@ -2006,6 +2123,7 @@ func (o RealmSmtpServerPtrOutput) From() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +// The display name of the sender email address. func (o RealmSmtpServerPtrOutput) FromDisplayName() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *string { if v == nil { @@ -2015,6 +2133,7 @@ func (o RealmSmtpServerPtrOutput) FromDisplayName() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +// The host of the SMTP server. func (o RealmSmtpServerPtrOutput) Host() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *string { if v == nil { 
@@ -2024,6 +2143,7 @@ func (o RealmSmtpServerPtrOutput) Host() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +// The port of the SMTP server (defaults to 25). func (o RealmSmtpServerPtrOutput) Port() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *string { if v == nil { @@ -2033,6 +2153,7 @@ func (o RealmSmtpServerPtrOutput) Port() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +// The "reply to" email address. func (o RealmSmtpServerPtrOutput) ReplyTo() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *string { if v == nil { @@ -2042,6 +2163,7 @@ func (o RealmSmtpServerPtrOutput) ReplyTo() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +// The display name of the "reply to" email address. func (o RealmSmtpServerPtrOutput) ReplyToDisplayName() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *string { if v == nil { @@ -2051,6 +2173,7 @@ func (o RealmSmtpServerPtrOutput) ReplyToDisplayName() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +// When `true`, enables SSL. Defaults to `false`. func (o RealmSmtpServerPtrOutput) Ssl() pulumi.BoolPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *bool { if v == nil { @@ -2060,6 +2183,7 @@ func (o RealmSmtpServerPtrOutput) Ssl() pulumi.BoolPtrOutput { }).(pulumi.BoolPtrOutput) } +// When `true`, enables StartTLS. Defaults to `false`. func (o RealmSmtpServerPtrOutput) Starttls() pulumi.BoolPtrOutput { return o.ApplyT(func(v *RealmSmtpServer) *bool { if v == nil { @@ -2070,7 +2194,9 @@ func (o RealmSmtpServerPtrOutput) Starttls() pulumi.BoolPtrOutput { } type RealmSmtpServerAuth struct { + // The SMTP server password. Password string `pulumi:"password"` + // The SMTP server username. Username string `pulumi:"username"` } 
@@ -2086,7 +2212,9 @@ type RealmSmtpServerAuthInput interface { } type RealmSmtpServerAuthArgs struct { + // The SMTP server password. Password pulumi.StringInput `pulumi:"password"` + // The SMTP server username. Username pulumi.StringInput `pulumi:"username"` } @@ -2167,10 +2295,12 @@ func (o RealmSmtpServerAuthOutput) ToRealmSmtpServerAuthPtrOutputWithContext(ctx }).(RealmSmtpServerAuthPtrOutput) } +// The SMTP server password. func (o RealmSmtpServerAuthOutput) Password() pulumi.StringOutput { return o.ApplyT(func(v RealmSmtpServerAuth) string { return v.Password }).(pulumi.StringOutput) } +// The SMTP server username. func (o RealmSmtpServerAuthOutput) Username() pulumi.StringOutput { return o.ApplyT(func(v RealmSmtpServerAuth) string { return v.Username }).(pulumi.StringOutput) } @@ -2199,6 +2329,7 @@ func (o RealmSmtpServerAuthPtrOutput) Elem() RealmSmtpServerAuthOutput { }).(RealmSmtpServerAuthOutput) } +// The SMTP server password. func (o RealmSmtpServerAuthPtrOutput) Password() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSmtpServerAuth) *string { if v == nil { @@ -2208,6 +2339,7 @@ func (o RealmSmtpServerAuthPtrOutput) Password() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +// The SMTP server username. func (o RealmSmtpServerAuthPtrOutput) Username() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmSmtpServerAuth) *string { if v == nil { 
@@ -2758,15 +2890,20 @@ func (o RealmUserProfileGroupArrayOutput) Index(i pulumi.IntInput) RealmUserProf } type RealmWebAuthnPasswordlessPolicy struct { + // A set of AAGUIDs for which an authenticator can be registered. AcceptableAaguids []string `pulumi:"acceptableAaguids"` // Either none, indirect or direct AttestationConveyancePreference *string `pulumi:"attestationConveyancePreference"` // Either platform or cross-platform - AuthenticatorAttachment *string `pulumi:"authenticatorAttachment"` - AvoidSameAuthenticatorRegister *bool `pulumi:"avoidSameAuthenticatorRegister"` - CreateTimeout *int `pulumi:"createTimeout"` - RelyingPartyEntityName *string `pulumi:"relyingPartyEntityName"` - RelyingPartyId *string `pulumi:"relyingPartyId"` + AuthenticatorAttachment *string `pulumi:"authenticatorAttachment"` + // When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + AvoidSameAuthenticatorRegister *bool `pulumi:"avoidSameAuthenticatorRegister"` + // The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + CreateTimeout *int `pulumi:"createTimeout"` + // A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + RelyingPartyEntityName *string `pulumi:"relyingPartyEntityName"` + // The WebAuthn relying party ID. + RelyingPartyId *string `pulumi:"relyingPartyId"` // Either Yes or No RequireResidentKey *string `pulumi:"requireResidentKey"` // Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing 
@@ -2787,15 +2924,20 @@ type RealmWebAuthnPasswordlessPolicyInput interface { } type RealmWebAuthnPasswordlessPolicyArgs struct { + // A set of AAGUIDs for which an authenticator can be registered. AcceptableAaguids pulumi.StringArrayInput `pulumi:"acceptableAaguids"` // Either none, indirect or direct AttestationConveyancePreference pulumi.StringPtrInput `pulumi:"attestationConveyancePreference"` // Either platform or cross-platform - AuthenticatorAttachment pulumi.StringPtrInput `pulumi:"authenticatorAttachment"` - AvoidSameAuthenticatorRegister pulumi.BoolPtrInput `pulumi:"avoidSameAuthenticatorRegister"` - CreateTimeout pulumi.IntPtrInput `pulumi:"createTimeout"` - RelyingPartyEntityName pulumi.StringPtrInput `pulumi:"relyingPartyEntityName"` - RelyingPartyId pulumi.StringPtrInput `pulumi:"relyingPartyId"` + AuthenticatorAttachment pulumi.StringPtrInput `pulumi:"authenticatorAttachment"` + // When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + AvoidSameAuthenticatorRegister pulumi.BoolPtrInput `pulumi:"avoidSameAuthenticatorRegister"` + // The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + CreateTimeout pulumi.IntPtrInput `pulumi:"createTimeout"` + // A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + RelyingPartyEntityName pulumi.StringPtrInput `pulumi:"relyingPartyEntityName"` + // The WebAuthn relying party ID. + RelyingPartyId pulumi.StringPtrInput `pulumi:"relyingPartyId"` // Either Yes or No RequireResidentKey pulumi.StringPtrInput `pulumi:"requireResidentKey"` // Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing 
@@ -2881,6 +3023,7 @@ func (o RealmWebAuthnPasswordlessPolicyOutput) ToRealmWebAuthnPasswordlessPolicy }).(RealmWebAuthnPasswordlessPolicyPtrOutput) } +// A set of AAGUIDs for which an authenticator can be registered. func (o RealmWebAuthnPasswordlessPolicyOutput) AcceptableAaguids() pulumi.StringArrayOutput { return o.ApplyT(func(v RealmWebAuthnPasswordlessPolicy) []string { return v.AcceptableAaguids }).(pulumi.StringArrayOutput) } @@ -2895,18 +3038,22 @@ func (o RealmWebAuthnPasswordlessPolicyOutput) AuthenticatorAttachment() pulumi. return o.ApplyT(func(v RealmWebAuthnPasswordlessPolicy) *string { return v.AuthenticatorAttachment }).(pulumi.StringPtrOutput) } +// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. func (o RealmWebAuthnPasswordlessPolicyOutput) AvoidSameAuthenticatorRegister() pulumi.BoolPtrOutput { return o.ApplyT(func(v RealmWebAuthnPasswordlessPolicy) *bool { return v.AvoidSameAuthenticatorRegister }).(pulumi.BoolPtrOutput) } +// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. func (o RealmWebAuthnPasswordlessPolicyOutput) CreateTimeout() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmWebAuthnPasswordlessPolicy) *int { return v.CreateTimeout }).(pulumi.IntPtrOutput) } +// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. func (o RealmWebAuthnPasswordlessPolicyOutput) RelyingPartyEntityName() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmWebAuthnPasswordlessPolicy) *string { return v.RelyingPartyEntityName }).(pulumi.StringPtrOutput) } +// The WebAuthn relying party ID. func (o RealmWebAuthnPasswordlessPolicyOutput) RelyingPartyId() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmWebAuthnPasswordlessPolicy) *string { return v.RelyingPartyId }).(pulumi.StringPtrOutput) } 
@@ -2950,6 +3097,7 @@ func (o RealmWebAuthnPasswordlessPolicyPtrOutput) Elem() RealmWebAuthnPasswordle }).(RealmWebAuthnPasswordlessPolicyOutput) } +// A set of AAGUIDs for which an authenticator can be registered. func (o RealmWebAuthnPasswordlessPolicyPtrOutput) AcceptableAaguids() pulumi.StringArrayOutput { return o.ApplyT(func(v *RealmWebAuthnPasswordlessPolicy) []string { if v == nil { @@ -2979,6 +3127,7 @@ func (o RealmWebAuthnPasswordlessPolicyPtrOutput) AuthenticatorAttachment() pulu }).(pulumi.StringPtrOutput) } +// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. func (o RealmWebAuthnPasswordlessPolicyPtrOutput) AvoidSameAuthenticatorRegister() pulumi.BoolPtrOutput { return o.ApplyT(func(v *RealmWebAuthnPasswordlessPolicy) *bool { if v == nil { @@ -2988,6 +3137,7 @@ func (o RealmWebAuthnPasswordlessPolicyPtrOutput) AvoidSameAuthenticatorRegister }).(pulumi.BoolPtrOutput) } +// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. func (o RealmWebAuthnPasswordlessPolicyPtrOutput) CreateTimeout() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmWebAuthnPasswordlessPolicy) *int { if v == nil { @@ -2997,6 +3147,7 @@ func (o RealmWebAuthnPasswordlessPolicyPtrOutput) CreateTimeout() pulumi.IntPtrO }).(pulumi.IntPtrOutput) } +// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. func (o RealmWebAuthnPasswordlessPolicyPtrOutput) RelyingPartyEntityName() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmWebAuthnPasswordlessPolicy) *string { if v == nil { 
@@ -3006,6 +3157,7 @@ func (o RealmWebAuthnPasswordlessPolicyPtrOutput) RelyingPartyEntityName() pulum }).(pulumi.StringPtrOutput) } +// The WebAuthn relying party ID. func (o RealmWebAuthnPasswordlessPolicyPtrOutput) RelyingPartyId() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmWebAuthnPasswordlessPolicy) *string { if v == nil { @@ -3046,15 +3198,20 @@ func (o RealmWebAuthnPasswordlessPolicyPtrOutput) UserVerificationRequirement() } type RealmWebAuthnPolicy struct { + // A set of AAGUIDs for which an authenticator can be registered. AcceptableAaguids []string `pulumi:"acceptableAaguids"` // Either none, indirect or direct AttestationConveyancePreference *string `pulumi:"attestationConveyancePreference"` // Either platform or cross-platform - AuthenticatorAttachment *string `pulumi:"authenticatorAttachment"` - AvoidSameAuthenticatorRegister *bool `pulumi:"avoidSameAuthenticatorRegister"` - CreateTimeout *int `pulumi:"createTimeout"` - RelyingPartyEntityName *string `pulumi:"relyingPartyEntityName"` - RelyingPartyId *string `pulumi:"relyingPartyId"` + AuthenticatorAttachment *string `pulumi:"authenticatorAttachment"` + // When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + AvoidSameAuthenticatorRegister *bool `pulumi:"avoidSameAuthenticatorRegister"` + // The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + CreateTimeout *int `pulumi:"createTimeout"` + // A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + RelyingPartyEntityName *string `pulumi:"relyingPartyEntityName"` + // The WebAuthn relying party ID. + RelyingPartyId *string `pulumi:"relyingPartyId"` // Either Yes or No RequireResidentKey *string `pulumi:"requireResidentKey"` // Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing 
@@ -3075,15 +3232,20 @@ type RealmWebAuthnPolicyInput interface { } type RealmWebAuthnPolicyArgs struct { + // A set of AAGUIDs for which an authenticator can be registered. AcceptableAaguids pulumi.StringArrayInput `pulumi:"acceptableAaguids"` // Either none, indirect or direct AttestationConveyancePreference pulumi.StringPtrInput `pulumi:"attestationConveyancePreference"` // Either platform or cross-platform - AuthenticatorAttachment pulumi.StringPtrInput `pulumi:"authenticatorAttachment"` - AvoidSameAuthenticatorRegister pulumi.BoolPtrInput `pulumi:"avoidSameAuthenticatorRegister"` - CreateTimeout pulumi.IntPtrInput `pulumi:"createTimeout"` - RelyingPartyEntityName pulumi.StringPtrInput `pulumi:"relyingPartyEntityName"` - RelyingPartyId pulumi.StringPtrInput `pulumi:"relyingPartyId"` + AuthenticatorAttachment pulumi.StringPtrInput `pulumi:"authenticatorAttachment"` + // When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + AvoidSameAuthenticatorRegister pulumi.BoolPtrInput `pulumi:"avoidSameAuthenticatorRegister"` + // The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + CreateTimeout pulumi.IntPtrInput `pulumi:"createTimeout"` + // A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + RelyingPartyEntityName pulumi.StringPtrInput `pulumi:"relyingPartyEntityName"` + // The WebAuthn relying party ID. + RelyingPartyId pulumi.StringPtrInput `pulumi:"relyingPartyId"` // Either Yes or No RequireResidentKey pulumi.StringPtrInput `pulumi:"requireResidentKey"` // Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing 
@@ -3169,6 +3331,7 @@ func (o RealmWebAuthnPolicyOutput) ToRealmWebAuthnPolicyPtrOutputWithContext(ctx }).(RealmWebAuthnPolicyPtrOutput) } +// A set of AAGUIDs for which an authenticator can be registered. func (o RealmWebAuthnPolicyOutput) AcceptableAaguids() pulumi.StringArrayOutput { return o.ApplyT(func(v RealmWebAuthnPolicy) []string { return v.AcceptableAaguids }).(pulumi.StringArrayOutput) } @@ -3183,18 +3346,22 @@ func (o RealmWebAuthnPolicyOutput) AuthenticatorAttachment() pulumi.StringPtrOut return o.ApplyT(func(v RealmWebAuthnPolicy) *string { return v.AuthenticatorAttachment }).(pulumi.StringPtrOutput) } +// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. func (o RealmWebAuthnPolicyOutput) AvoidSameAuthenticatorRegister() pulumi.BoolPtrOutput { return o.ApplyT(func(v RealmWebAuthnPolicy) *bool { return v.AvoidSameAuthenticatorRegister }).(pulumi.BoolPtrOutput) } +// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. func (o RealmWebAuthnPolicyOutput) CreateTimeout() pulumi.IntPtrOutput { return o.ApplyT(func(v RealmWebAuthnPolicy) *int { return v.CreateTimeout }).(pulumi.IntPtrOutput) } +// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. func (o RealmWebAuthnPolicyOutput) RelyingPartyEntityName() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmWebAuthnPolicy) *string { return v.RelyingPartyEntityName }).(pulumi.StringPtrOutput) } +// The WebAuthn relying party ID. func (o RealmWebAuthnPolicyOutput) RelyingPartyId() pulumi.StringPtrOutput { return o.ApplyT(func(v RealmWebAuthnPolicy) *string { return v.RelyingPartyId }).(pulumi.StringPtrOutput) } 
@@ -3238,6 +3405,7 @@ func (o RealmWebAuthnPolicyPtrOutput) Elem() RealmWebAuthnPolicyOutput { }).(RealmWebAuthnPolicyOutput) } +// A set of AAGUIDs for which an authenticator can be registered. func (o RealmWebAuthnPolicyPtrOutput) AcceptableAaguids() pulumi.StringArrayOutput { return o.ApplyT(func(v *RealmWebAuthnPolicy) []string { if v == nil { @@ -3267,6 +3435,7 @@ func (o RealmWebAuthnPolicyPtrOutput) AuthenticatorAttachment() pulumi.StringPtr }).(pulumi.StringPtrOutput) } +// When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. func (o RealmWebAuthnPolicyPtrOutput) AvoidSameAuthenticatorRegister() pulumi.BoolPtrOutput { return o.ApplyT(func(v *RealmWebAuthnPolicy) *bool { if v == nil { @@ -3276,6 +3445,7 @@ func (o RealmWebAuthnPolicyPtrOutput) AvoidSameAuthenticatorRegister() pulumi.Bo }).(pulumi.BoolPtrOutput) } +// The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. func (o RealmWebAuthnPolicyPtrOutput) CreateTimeout() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmWebAuthnPolicy) *int { if v == nil { @@ -3285,6 +3455,7 @@ func (o RealmWebAuthnPolicyPtrOutput) CreateTimeout() pulumi.IntPtrOutput { }).(pulumi.IntPtrOutput) } +// A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. func (o RealmWebAuthnPolicyPtrOutput) RelyingPartyEntityName() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmWebAuthnPolicy) *string { if v == nil { @@ -3294,6 +3465,7 @@ func (o RealmWebAuthnPolicyPtrOutput) RelyingPartyEntityName() pulumi.StringPtrO }).(pulumi.StringPtrOutput) } +// The WebAuthn relying party ID. func (o RealmWebAuthnPolicyPtrOutput) RelyingPartyId() pulumi.StringPtrOutput { return o.ApplyT(func(v *RealmWebAuthnPolicy) *string { if v == nil { 
@@ -3334,9 +3506,12 @@ func (o RealmWebAuthnPolicyPtrOutput) UserVerificationRequirement() pulumi.Strin } type UserFederatedIdentity struct { + // The name of the identity provider IdentityProvider string `pulumi:"identityProvider"` - UserId string `pulumi:"userId"` - UserName string `pulumi:"userName"` + // The ID of the user defined in the identity provider + UserId string `pulumi:"userId"` + // The user name of the user defined in the identity provider + UserName string `pulumi:"userName"` } // UserFederatedIdentityInput is an input type that accepts UserFederatedIdentityArgs and UserFederatedIdentityOutput values. @@ -3351,9 +3526,12 @@ type UserFederatedIdentityInput interface { } type UserFederatedIdentityArgs struct { + // The name of the identity provider IdentityProvider pulumi.StringInput `pulumi:"identityProvider"` - UserId pulumi.StringInput `pulumi:"userId"` - UserName pulumi.StringInput `pulumi:"userName"` + // The ID of the user defined in the identity provider + UserId pulumi.StringInput `pulumi:"userId"` + // The user name of the user defined in the identity provider + UserName pulumi.StringInput `pulumi:"userName"` } func (UserFederatedIdentityArgs) ElementType() reflect.Type { 
@@ -3407,14 +3585,17 @@ func (o UserFederatedIdentityOutput) ToUserFederatedIdentityOutputWithContext(ct return o } +// The name of the identity provider func (o UserFederatedIdentityOutput) IdentityProvider() pulumi.StringOutput { return o.ApplyT(func(v UserFederatedIdentity) string { return v.IdentityProvider }).(pulumi.StringOutput) } +// The ID of the user defined in the identity provider func (o UserFederatedIdentityOutput) UserId() pulumi.StringOutput { return o.ApplyT(func(v UserFederatedIdentity) string { return v.UserId }).(pulumi.StringOutput) } +// The user name of the user defined in the identity provider func (o UserFederatedIdentityOutput) UserName() pulumi.StringOutput { return o.ApplyT(func(v UserFederatedIdentity) string { return v.UserName }).(pulumi.StringOutput) } @@ -3440,8 +3621,10 @@ func (o UserFederatedIdentityArrayOutput) Index(i pulumi.IntInput) UserFederated } type UserInitialPassword struct { - Temporary *bool `pulumi:"temporary"` - Value string `pulumi:"value"` + // If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + Temporary *bool `pulumi:"temporary"` + // The initial password. + Value string `pulumi:"value"` } // UserInitialPasswordInput is an input type that accepts UserInitialPasswordArgs and UserInitialPasswordOutput values. @@ -3456,8 +3639,10 @@ type UserInitialPasswordInput interface { } type UserInitialPasswordArgs struct { + // If set to `true`, the initial password is set up for renewal on first use. Default to `false`. Temporary pulumi.BoolPtrInput `pulumi:"temporary"` - Value pulumi.StringInput `pulumi:"value"` + // The initial password. + Value pulumi.StringInput `pulumi:"value"` } func (UserInitialPasswordArgs) ElementType() reflect.Type { 
@@ -3537,10 +3722,12 @@ func (o UserInitialPasswordOutput) ToUserInitialPasswordPtrOutputWithContext(ctx }).(UserInitialPasswordPtrOutput) } +// If set to `true`, the initial password is set up for renewal on first use. Default to `false`. func (o UserInitialPasswordOutput) Temporary() pulumi.BoolPtrOutput { return o.ApplyT(func(v UserInitialPassword) *bool { return v.Temporary }).(pulumi.BoolPtrOutput) } +// The initial password. func (o UserInitialPasswordOutput) Value() pulumi.StringOutput { return o.ApplyT(func(v UserInitialPassword) string { return v.Value }).(pulumi.StringOutput) } @@ -3569,6 +3756,7 @@ func (o UserInitialPasswordPtrOutput) Elem() UserInitialPasswordOutput { }).(UserInitialPasswordOutput) } +// If set to `true`, the initial password is set up for renewal on first use. Default to `false`. func (o UserInitialPasswordPtrOutput) Temporary() pulumi.BoolPtrOutput { return o.ApplyT(func(v *UserInitialPassword) *bool { if v == nil { @@ -3578,6 +3766,7 @@ func (o UserInitialPasswordPtrOutput) Temporary() pulumi.BoolPtrOutput { }).(pulumi.BoolPtrOutput) } +// The initial password. func (o UserInitialPasswordPtrOutput) Value() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserInitialPassword) *string { if v == nil { 
@@ -4784,14 +4973,22 @@ func (o GetRealmInternationalizationArrayOutput) Index(i pulumi.IntInput) GetRea } type GetRealmKeysKey struct { - Algorithm string `pulumi:"algorithm"` - Certificate string `pulumi:"certificate"` - Kid string `pulumi:"kid"` - ProviderId string `pulumi:"providerId"` - ProviderPriority int `pulumi:"providerPriority"` - PublicKey string `pulumi:"publicKey"` - Status string `pulumi:"status"` - Type string `pulumi:"type"` + // Key algorithm (string) + Algorithm string `pulumi:"algorithm"` + // Key certificate (string) + Certificate string `pulumi:"certificate"` + // Key ID (string) + Kid string `pulumi:"kid"` + // Key provider ID (string) + ProviderId string `pulumi:"providerId"` + // Key provider priority (int64) + ProviderPriority int `pulumi:"providerPriority"` + // Key public key (string) + PublicKey string `pulumi:"publicKey"` + // When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + Status string `pulumi:"status"` + // Key type (string) + Type string `pulumi:"type"` } // GetRealmKeysKeyInput is an input type that accepts GetRealmKeysKeyArgs and GetRealmKeysKeyOutput values. 
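Review bot: The new comment on the `Status` field of `GetRealmKeysKey` is wrong for this position: `// When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`.` describes a filter argument of the data source, but this struct is one element of the returned key list, where `status` is the state of that particular key. A reader could take a `PASSIVE` or `DISABLED` entry as something they selected rather than as a key that is no longer used for signing, which matters when auditing which realm keys are live. Suggested wording: `// Status of this key: one of `ACTIVE`, `DISABLED` or `PASSIVE`.`, and the same text is repeated on the `Args` and `Output` hunks that follow. This file looks generated from the upstream provider docs, so the correction belongs in the documentation source the generator reads, not in this file by hand.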
@@ -4806,14 +5003,22 @@ type GetRealmKeysKeyInput interface { } type GetRealmKeysKeyArgs struct { - Algorithm pulumi.StringInput `pulumi:"algorithm"` - Certificate pulumi.StringInput `pulumi:"certificate"` - Kid pulumi.StringInput `pulumi:"kid"` - ProviderId pulumi.StringInput `pulumi:"providerId"` - ProviderPriority pulumi.IntInput `pulumi:"providerPriority"` - PublicKey pulumi.StringInput `pulumi:"publicKey"` - Status pulumi.StringInput `pulumi:"status"` - Type pulumi.StringInput `pulumi:"type"` + // Key algorithm (string) + Algorithm pulumi.StringInput `pulumi:"algorithm"` + // Key certificate (string) + Certificate pulumi.StringInput `pulumi:"certificate"` + // Key ID (string) + Kid pulumi.StringInput `pulumi:"kid"` + // Key provider ID (string) + ProviderId pulumi.StringInput `pulumi:"providerId"` + // Key provider priority (int64) + ProviderPriority pulumi.IntInput `pulumi:"providerPriority"` + // Key public key (string) + PublicKey pulumi.StringInput `pulumi:"publicKey"` + // When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + Status pulumi.StringInput `pulumi:"status"` + // Key type (string) + Type pulumi.StringInput `pulumi:"type"` } func (GetRealmKeysKeyArgs) ElementType() reflect.Type { 
@@ -4867,34 +5072,42 @@ func (o GetRealmKeysKeyOutput) ToGetRealmKeysKeyOutputWithContext(ctx context.Co return o } +// Key algorithm (string) func (o GetRealmKeysKeyOutput) Algorithm() pulumi.StringOutput { return o.ApplyT(func(v GetRealmKeysKey) string { return v.Algorithm }).(pulumi.StringOutput) } +// Key certificate (string) func (o GetRealmKeysKeyOutput) Certificate() pulumi.StringOutput { return o.ApplyT(func(v GetRealmKeysKey) string { return v.Certificate }).(pulumi.StringOutput) } +// Key ID (string) func (o GetRealmKeysKeyOutput) Kid() pulumi.StringOutput { return o.ApplyT(func(v GetRealmKeysKey) string { return v.Kid }).(pulumi.StringOutput) } +// Key provider ID (string) func (o GetRealmKeysKeyOutput) ProviderId() pulumi.StringOutput { return o.ApplyT(func(v GetRealmKeysKey) string { return v.ProviderId }).(pulumi.StringOutput) } +// Key provider priority (int64) func (o GetRealmKeysKeyOutput) ProviderPriority() pulumi.IntOutput { return o.ApplyT(func(v GetRealmKeysKey) int { return v.ProviderPriority }).(pulumi.IntOutput) } +// Key public key (string) func (o GetRealmKeysKeyOutput) PublicKey() pulumi.StringOutput { return o.ApplyT(func(v GetRealmKeysKey) string { return v.PublicKey }).(pulumi.StringOutput) } +// When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. func (o GetRealmKeysKeyOutput) Status() pulumi.StringOutput { return o.ApplyT(func(v GetRealmKeysKey) string { return v.Status }).(pulumi.StringOutput) } +// Key type (string) func (o GetRealmKeysKeyOutput) Type() pulumi.StringOutput { return o.ApplyT(func(v GetRealmKeysKey) string { return v.Type }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/realm.go b/sdk/go/keycloak/realm.go index 46f16f8e..a8532d52 100644 --- a/sdk/go/keycloak/realm.go +++ b/sdk/go/keycloak/realm.go 
@@ -12,6 +12,107 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) +// Allows for creating and managing Realms within Keycloak. +// +// A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated +// from multiple sources. +// +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// _, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// DisplayName: pulumi.String("my realm"), +// DisplayNameHtml: pulumi.String("my realm"), +// LoginTheme: pulumi.String("base"), +// AccessCodeLifespan: pulumi.String("1h"), +// SslRequired: pulumi.String("external"), +// PasswordPolicy: pulumi.String("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername"), +// Attributes: pulumi.StringMap{ +// "mycustomAttribute": pulumi.String("myCustomValue"), +// }, +// SmtpServer: &keycloak.RealmSmtpServerArgs{ +// Host: pulumi.String("smtp.example.com"), +// 
From: pulumi.String("example@example.com"), +// Auth: &keycloak.RealmSmtpServerAuthArgs{ +// Username: pulumi.String("tom"), +// Password: pulumi.String("password"), +// }, +// }, +// Internationalization: &keycloak.RealmInternationalizationArgs{ +// SupportedLocales: pulumi.StringArray{ +// pulumi.String("en"), +// pulumi.String("de"), +// pulumi.String("es"), +// }, +// DefaultLocale: pulumi.String("en"), +// }, +// SecurityDefenses: &keycloak.RealmSecurityDefensesArgs{ +// Headers: &keycloak.RealmSecurityDefensesHeadersArgs{ +// XFrameOptions: pulumi.String("DENY"), +// ContentSecurityPolicy: pulumi.String("frame-src 'self'; frame-ancestors 'self'; object-src 'none';"), +// ContentSecurityPolicyReportOnly: pulumi.String(""), +// XContentTypeOptions: pulumi.String("nosniff"), +// XRobotsTag: pulumi.String("none"), +// XXssProtection: pulumi.String("1; mode=block"), +// StrictTransportSecurity: pulumi.String("max-age=31536000; includeSubDomains"), +// }, +// BruteForceDetection: &keycloak.RealmSecurityDefensesBruteForceDetectionArgs{ +// PermanentLockout: pulumi.Bool(false), +// MaxLoginFailures: pulumi.Int(30), +// WaitIncrementSeconds: pulumi.Int(60), +// QuickLoginCheckMilliSeconds: pulumi.Int(1000), +// MinimumQuickLoginWaitSeconds: pulumi.Int(60), +// MaxFailureWaitSeconds: pulumi.Int(900), +// FailureResetTimeSeconds: pulumi.Int(43200), +// }, +// }, +// WebAuthnPolicy: &keycloak.RealmWebAuthnPolicyArgs{ +// RelyingPartyEntityName: pulumi.String("Example"), +// RelyingPartyId: pulumi.String("keycloak.example.com"), +// SignatureAlgorithms: pulumi.StringArray{ +// pulumi.String("ES256"), +// pulumi.String("RS256"), +// }, +// }, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` +// +// ## Default Client Scopes +// +// - `defaultDefaultClientScopes` - (Optional) A list of default default client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default default client-scopes. 
+// - `defaultOptionalClientScopes` - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default optional client-scopes. +// +// ## Import +// +// Realms can be imported using their name. +// +// Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:index/realm:Realm realm my-realm +// ``` type Realm struct { pulumi.CustomResourceState @@ -24,7 +125,8 @@ type Realm struct { ActionTokenGeneratedByAdminLifespan pulumi.StringOutput `pulumi:"actionTokenGeneratedByAdminLifespan"` ActionTokenGeneratedByUserLifespan pulumi.StringOutput `pulumi:"actionTokenGeneratedByUserLifespan"` AdminTheme pulumi.StringPtrOutput `pulumi:"adminTheme"` - Attributes pulumi.StringMapOutput `pulumi:"attributes"` + // A map of custom attributes to add to the realm. + Attributes pulumi.StringMapOutput `pulumi:"attributes"` // Which flow should be used for BrowserFlow BrowserFlow pulumi.StringOutput `pulumi:"browserFlow"` // Which flow should be used for ClientAuthenticationFlow 
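Review bot: The usage example added at the top of the `Realm` doc comment hard-codes SMTP credentials, `Username: pulumi.String("tom"), Password: pulumi.String("password")`, and because Pulumi persists resource inputs in state, anyone copying this pattern ends up with the SMTP password in cleartext state and in `pulumi preview` output. The example should take the password from secret config, e.g. `Password: config.New(ctx, "").RequireSecret("smtpPassword")` (with `github.com/pulumi/pulumi/sdk/v3/go/pulumi/config` imported), which yields an encrypted secret output that still satisfies `pulumi.StringInput`. It would also help to extend the `RealmSmtpServerAuthArgs.Password` comment with `// Stored in state; supply as a secret.` since the field type alone gives no hint. This SDK file appears to be generated from the upstream provider docs, so the change should be made in the documentation source the generator consumes rather than here.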
@@ -35,15 +137,19 @@ type Realm struct { DefaultOptionalClientScopes pulumi.StringArrayOutput `pulumi:"defaultOptionalClientScopes"` DefaultSignatureAlgorithm pulumi.StringPtrOutput `pulumi:"defaultSignatureAlgorithm"` // Which flow should be used for DirectGrantFlow - DirectGrantFlow pulumi.StringOutput `pulumi:"directGrantFlow"` - DisplayName pulumi.StringPtrOutput `pulumi:"displayName"` + DirectGrantFlow pulumi.StringOutput `pulumi:"directGrantFlow"` + // The display name for the realm that is shown when logging in to the admin console. + DisplayName pulumi.StringPtrOutput `pulumi:"displayName"` + // The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. DisplayNameHtml pulumi.StringPtrOutput `pulumi:"displayNameHtml"` // Which flow should be used for DockerAuthenticationFlow - DockerAuthenticationFlow pulumi.StringOutput `pulumi:"dockerAuthenticationFlow"` - DuplicateEmailsAllowed pulumi.BoolOutput `pulumi:"duplicateEmailsAllowed"` - EditUsernameAllowed pulumi.BoolOutput `pulumi:"editUsernameAllowed"` - EmailTheme pulumi.StringPtrOutput `pulumi:"emailTheme"` - Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` + DockerAuthenticationFlow pulumi.StringOutput `pulumi:"dockerAuthenticationFlow"` + DuplicateEmailsAllowed pulumi.BoolOutput `pulumi:"duplicateEmailsAllowed"` + EditUsernameAllowed pulumi.BoolOutput `pulumi:"editUsernameAllowed"` + EmailTheme pulumi.StringPtrOutput `pulumi:"emailTheme"` + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. + Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` + // When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. InternalId pulumi.StringOutput `pulumi:"internalId"` Internationalization RealmInternationalizationPtrOutput `pulumi:"internationalization"` LoginTheme pulumi.StringPtrOutput `pulumi:"loginTheme"` 
@@ -57,11 +163,12 @@ type Realm struct { // String that represents the passwordPolicies that are in place. Each policy is separated with " and ". Supported policies // can be found in the server-info providers page. example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) // and notUsername(undefined)" - PasswordPolicy pulumi.StringPtrOutput `pulumi:"passwordPolicy"` - Realm pulumi.StringOutput `pulumi:"realm"` - RefreshTokenMaxReuse pulumi.IntPtrOutput `pulumi:"refreshTokenMaxReuse"` - RegistrationAllowed pulumi.BoolOutput `pulumi:"registrationAllowed"` - RegistrationEmailAsUsername pulumi.BoolOutput `pulumi:"registrationEmailAsUsername"` + PasswordPolicy pulumi.StringPtrOutput `pulumi:"passwordPolicy"` + // The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + Realm pulumi.StringOutput `pulumi:"realm"` + RefreshTokenMaxReuse pulumi.IntPtrOutput `pulumi:"refreshTokenMaxReuse"` + RegistrationAllowed pulumi.BoolOutput `pulumi:"registrationAllowed"` + RegistrationEmailAsUsername pulumi.BoolOutput `pulumi:"registrationEmailAsUsername"` // Which flow should be used for RegistrationFlow RegistrationFlow pulumi.StringOutput `pulumi:"registrationFlow"` RememberMe pulumi.BoolOutput `pulumi:"rememberMe"` 
@@ -72,15 +179,16 @@ type Realm struct { SecurityDefenses RealmSecurityDefensesPtrOutput `pulumi:"securityDefenses"` SmtpServer RealmSmtpServerPtrOutput `pulumi:"smtpServer"` // SSL Required: Values can be 'none', 'external' or 'all'. - SslRequired pulumi.StringPtrOutput `pulumi:"sslRequired"` - SsoSessionIdleTimeout pulumi.StringOutput `pulumi:"ssoSessionIdleTimeout"` - SsoSessionIdleTimeoutRememberMe pulumi.StringOutput `pulumi:"ssoSessionIdleTimeoutRememberMe"` - SsoSessionMaxLifespan pulumi.StringOutput `pulumi:"ssoSessionMaxLifespan"` - SsoSessionMaxLifespanRememberMe pulumi.StringOutput `pulumi:"ssoSessionMaxLifespanRememberMe"` - UserManagedAccess pulumi.BoolPtrOutput `pulumi:"userManagedAccess"` - VerifyEmail pulumi.BoolOutput `pulumi:"verifyEmail"` - WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyOutput `pulumi:"webAuthnPasswordlessPolicy"` - WebAuthnPolicy RealmWebAuthnPolicyOutput `pulumi:"webAuthnPolicy"` + SslRequired pulumi.StringPtrOutput `pulumi:"sslRequired"` + SsoSessionIdleTimeout pulumi.StringOutput `pulumi:"ssoSessionIdleTimeout"` + SsoSessionIdleTimeoutRememberMe pulumi.StringOutput `pulumi:"ssoSessionIdleTimeoutRememberMe"` + SsoSessionMaxLifespan pulumi.StringOutput `pulumi:"ssoSessionMaxLifespan"` + SsoSessionMaxLifespanRememberMe pulumi.StringOutput `pulumi:"ssoSessionMaxLifespanRememberMe"` + // When `true`, users are allowed to manage their own resources. Defaults to `false`. + UserManagedAccess pulumi.BoolPtrOutput `pulumi:"userManagedAccess"` + VerifyEmail pulumi.BoolOutput `pulumi:"verifyEmail"` + WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyOutput `pulumi:"webAuthnPasswordlessPolicy"` + WebAuthnPolicy RealmWebAuthnPolicyOutput `pulumi:"webAuthnPolicy"` } // NewRealm registers a new resource with the given unique name, arguments, and options. 
@@ -116,16 +224,17 @@ func GetRealm(ctx *pulumi.Context, // Input properties used for looking up and filtering Realm resources. type realmState struct { - AccessCodeLifespan *string `pulumi:"accessCodeLifespan"` - AccessCodeLifespanLogin *string `pulumi:"accessCodeLifespanLogin"` - AccessCodeLifespanUserAction *string `pulumi:"accessCodeLifespanUserAction"` - AccessTokenLifespan *string `pulumi:"accessTokenLifespan"` - AccessTokenLifespanForImplicitFlow *string `pulumi:"accessTokenLifespanForImplicitFlow"` - AccountTheme *string `pulumi:"accountTheme"` - ActionTokenGeneratedByAdminLifespan *string `pulumi:"actionTokenGeneratedByAdminLifespan"` - ActionTokenGeneratedByUserLifespan *string `pulumi:"actionTokenGeneratedByUserLifespan"` - AdminTheme *string `pulumi:"adminTheme"` - Attributes map[string]string `pulumi:"attributes"` + AccessCodeLifespan *string `pulumi:"accessCodeLifespan"` + AccessCodeLifespanLogin *string `pulumi:"accessCodeLifespanLogin"` + AccessCodeLifespanUserAction *string `pulumi:"accessCodeLifespanUserAction"` + AccessTokenLifespan *string `pulumi:"accessTokenLifespan"` + AccessTokenLifespanForImplicitFlow *string `pulumi:"accessTokenLifespanForImplicitFlow"` + AccountTheme *string `pulumi:"accountTheme"` + ActionTokenGeneratedByAdminLifespan *string `pulumi:"actionTokenGeneratedByAdminLifespan"` + ActionTokenGeneratedByUserLifespan *string `pulumi:"actionTokenGeneratedByUserLifespan"` + AdminTheme *string `pulumi:"adminTheme"` + // A map of custom attributes to add to the realm. + Attributes map[string]string `pulumi:"attributes"` // Which flow should be used for BrowserFlow BrowserFlow *string `pulumi:"browserFlow"` // Which flow should be used for ClientAuthenticationFlow 
@@ -137,14 +246,18 @@ type realmState struct { DefaultSignatureAlgorithm *string `pulumi:"defaultSignatureAlgorithm"` // Which flow should be used for DirectGrantFlow DirectGrantFlow *string `pulumi:"directGrantFlow"` - DisplayName *string `pulumi:"displayName"` + // The display name for the realm that is shown when logging in to the admin console. + DisplayName *string `pulumi:"displayName"` + // The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. DisplayNameHtml *string `pulumi:"displayNameHtml"` // Which flow should be used for DockerAuthenticationFlow - DockerAuthenticationFlow *string `pulumi:"dockerAuthenticationFlow"` - DuplicateEmailsAllowed *bool `pulumi:"duplicateEmailsAllowed"` - EditUsernameAllowed *bool `pulumi:"editUsernameAllowed"` - EmailTheme *string `pulumi:"emailTheme"` - Enabled *bool `pulumi:"enabled"` + DockerAuthenticationFlow *string `pulumi:"dockerAuthenticationFlow"` + DuplicateEmailsAllowed *bool `pulumi:"duplicateEmailsAllowed"` + EditUsernameAllowed *bool `pulumi:"editUsernameAllowed"` + EmailTheme *string `pulumi:"emailTheme"` + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. + Enabled *bool `pulumi:"enabled"` + // When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. InternalId *string `pulumi:"internalId"` Internationalization *RealmInternationalization `pulumi:"internationalization"` LoginTheme *string `pulumi:"loginTheme"` 
@@ -158,7 +271,8 @@ type realmState struct { // String that represents the passwordPolicies that are in place. Each policy is separated with " and ". Supported policies // can be found in the server-info providers page. example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) // and notUsername(undefined)" - PasswordPolicy *string `pulumi:"passwordPolicy"` + PasswordPolicy *string `pulumi:"passwordPolicy"` + // The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. Realm *string `pulumi:"realm"` RefreshTokenMaxReuse *int `pulumi:"refreshTokenMaxReuse"` RegistrationAllowed *bool `pulumi:"registrationAllowed"` 
@@ -173,15 +287,16 @@ type realmState struct { SecurityDefenses *RealmSecurityDefenses `pulumi:"securityDefenses"` SmtpServer *RealmSmtpServer `pulumi:"smtpServer"` // SSL Required: Values can be 'none', 'external' or 'all'. - SslRequired *string `pulumi:"sslRequired"` - SsoSessionIdleTimeout *string `pulumi:"ssoSessionIdleTimeout"` - SsoSessionIdleTimeoutRememberMe *string `pulumi:"ssoSessionIdleTimeoutRememberMe"` - SsoSessionMaxLifespan *string `pulumi:"ssoSessionMaxLifespan"` - SsoSessionMaxLifespanRememberMe *string `pulumi:"ssoSessionMaxLifespanRememberMe"` - UserManagedAccess *bool `pulumi:"userManagedAccess"` - VerifyEmail *bool `pulumi:"verifyEmail"` - WebAuthnPasswordlessPolicy *RealmWebAuthnPasswordlessPolicy `pulumi:"webAuthnPasswordlessPolicy"` - WebAuthnPolicy *RealmWebAuthnPolicy `pulumi:"webAuthnPolicy"` + SslRequired *string `pulumi:"sslRequired"` + SsoSessionIdleTimeout *string `pulumi:"ssoSessionIdleTimeout"` + SsoSessionIdleTimeoutRememberMe *string `pulumi:"ssoSessionIdleTimeoutRememberMe"` + SsoSessionMaxLifespan *string `pulumi:"ssoSessionMaxLifespan"` + SsoSessionMaxLifespanRememberMe *string `pulumi:"ssoSessionMaxLifespanRememberMe"` + // When `true`, users are allowed to manage their own resources. Defaults to `false`. + UserManagedAccess *bool `pulumi:"userManagedAccess"` + VerifyEmail *bool `pulumi:"verifyEmail"` + WebAuthnPasswordlessPolicy *RealmWebAuthnPasswordlessPolicy `pulumi:"webAuthnPasswordlessPolicy"` + WebAuthnPolicy *RealmWebAuthnPolicy `pulumi:"webAuthnPolicy"` } type RealmState struct { 
@@ -194,7 +309,8 @@ type RealmState struct { ActionTokenGeneratedByAdminLifespan pulumi.StringPtrInput ActionTokenGeneratedByUserLifespan pulumi.StringPtrInput AdminTheme pulumi.StringPtrInput - Attributes pulumi.StringMapInput + // A map of custom attributes to add to the realm. + Attributes pulumi.StringMapInput // Which flow should be used for BrowserFlow BrowserFlow pulumi.StringPtrInput // Which flow should be used for ClientAuthenticationFlow @@ -206,14 +322,18 @@ type RealmState struct { DefaultSignatureAlgorithm pulumi.StringPtrInput // Which flow should be used for DirectGrantFlow DirectGrantFlow pulumi.StringPtrInput - DisplayName pulumi.StringPtrInput + // The display name for the realm that is shown when logging in to the admin console. + DisplayName pulumi.StringPtrInput + // The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. DisplayNameHtml pulumi.StringPtrInput // Which flow should be used for DockerAuthenticationFlow - DockerAuthenticationFlow pulumi.StringPtrInput - DuplicateEmailsAllowed pulumi.BoolPtrInput - EditUsernameAllowed pulumi.BoolPtrInput - EmailTheme pulumi.StringPtrInput - Enabled pulumi.BoolPtrInput + DockerAuthenticationFlow pulumi.StringPtrInput + DuplicateEmailsAllowed pulumi.BoolPtrInput + EditUsernameAllowed pulumi.BoolPtrInput + EmailTheme pulumi.StringPtrInput + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. + Enabled pulumi.BoolPtrInput + // When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. InternalId pulumi.StringPtrInput Internationalization RealmInternationalizationPtrInput LoginTheme pulumi.StringPtrInput 
@@ -227,7 +347,8 @@ type RealmState struct { // String that represents the passwordPolicies that are in place. Each policy is separated with " and ". Supported policies // can be found in the server-info providers page. example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) // and notUsername(undefined)" - PasswordPolicy pulumi.StringPtrInput + PasswordPolicy pulumi.StringPtrInput + // The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. Realm pulumi.StringPtrInput RefreshTokenMaxReuse pulumi.IntPtrInput RegistrationAllowed pulumi.BoolPtrInput @@ -247,10 +368,11 @@ type RealmState struct { SsoSessionIdleTimeoutRememberMe pulumi.StringPtrInput SsoSessionMaxLifespan pulumi.StringPtrInput SsoSessionMaxLifespanRememberMe pulumi.StringPtrInput - UserManagedAccess pulumi.BoolPtrInput - VerifyEmail pulumi.BoolPtrInput - WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyPtrInput - WebAuthnPolicy RealmWebAuthnPolicyPtrInput + // When `true`, users are allowed to manage their own resources. Defaults to `false`. + UserManagedAccess pulumi.BoolPtrInput + VerifyEmail pulumi.BoolPtrInput + WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyPtrInput + WebAuthnPolicy RealmWebAuthnPolicyPtrInput } func (RealmState) ElementType() reflect.Type { 
@@ -258,16 +380,17 @@ func (RealmState) ElementType() reflect.Type { } type realmArgs struct { - AccessCodeLifespan *string `pulumi:"accessCodeLifespan"` - AccessCodeLifespanLogin *string `pulumi:"accessCodeLifespanLogin"` - AccessCodeLifespanUserAction *string `pulumi:"accessCodeLifespanUserAction"` - AccessTokenLifespan *string `pulumi:"accessTokenLifespan"` - AccessTokenLifespanForImplicitFlow *string `pulumi:"accessTokenLifespanForImplicitFlow"` - AccountTheme *string `pulumi:"accountTheme"` - ActionTokenGeneratedByAdminLifespan *string `pulumi:"actionTokenGeneratedByAdminLifespan"` - ActionTokenGeneratedByUserLifespan *string `pulumi:"actionTokenGeneratedByUserLifespan"` - AdminTheme *string `pulumi:"adminTheme"` - Attributes map[string]string `pulumi:"attributes"` + AccessCodeLifespan *string `pulumi:"accessCodeLifespan"` + AccessCodeLifespanLogin *string `pulumi:"accessCodeLifespanLogin"` + AccessCodeLifespanUserAction *string `pulumi:"accessCodeLifespanUserAction"` + AccessTokenLifespan *string `pulumi:"accessTokenLifespan"` + AccessTokenLifespanForImplicitFlow *string `pulumi:"accessTokenLifespanForImplicitFlow"` + AccountTheme *string `pulumi:"accountTheme"` + ActionTokenGeneratedByAdminLifespan *string `pulumi:"actionTokenGeneratedByAdminLifespan"` + ActionTokenGeneratedByUserLifespan *string `pulumi:"actionTokenGeneratedByUserLifespan"` + AdminTheme *string `pulumi:"adminTheme"` + // A map of custom attributes to add to the realm. + Attributes map[string]string `pulumi:"attributes"` // Which flow should be used for BrowserFlow BrowserFlow *string `pulumi:"browserFlow"` // Which flow should be used for ClientAuthenticationFlow 
@@ -279,14 +402,18 @@ type realmArgs struct { DefaultSignatureAlgorithm *string `pulumi:"defaultSignatureAlgorithm"` // Which flow should be used for DirectGrantFlow DirectGrantFlow *string `pulumi:"directGrantFlow"` - DisplayName *string `pulumi:"displayName"` + // The display name for the realm that is shown when logging in to the admin console. + DisplayName *string `pulumi:"displayName"` + // The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. DisplayNameHtml *string `pulumi:"displayNameHtml"` // Which flow should be used for DockerAuthenticationFlow - DockerAuthenticationFlow *string `pulumi:"dockerAuthenticationFlow"` - DuplicateEmailsAllowed *bool `pulumi:"duplicateEmailsAllowed"` - EditUsernameAllowed *bool `pulumi:"editUsernameAllowed"` - EmailTheme *string `pulumi:"emailTheme"` - Enabled *bool `pulumi:"enabled"` + DockerAuthenticationFlow *string `pulumi:"dockerAuthenticationFlow"` + DuplicateEmailsAllowed *bool `pulumi:"duplicateEmailsAllowed"` + EditUsernameAllowed *bool `pulumi:"editUsernameAllowed"` + EmailTheme *string `pulumi:"emailTheme"` + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. + Enabled *bool `pulumi:"enabled"` + // When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. InternalId *string `pulumi:"internalId"` Internationalization *RealmInternationalization `pulumi:"internationalization"` LoginTheme *string `pulumi:"loginTheme"` 
@@ -300,11 +427,12 @@ type realmArgs struct { // String that represents the passwordPolicies that are in place. Each policy is separated with " and ". Supported policies // can be found in the server-info providers page. example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) // and notUsername(undefined)" - PasswordPolicy *string `pulumi:"passwordPolicy"` - Realm string `pulumi:"realm"` - RefreshTokenMaxReuse *int `pulumi:"refreshTokenMaxReuse"` - RegistrationAllowed *bool `pulumi:"registrationAllowed"` - RegistrationEmailAsUsername *bool `pulumi:"registrationEmailAsUsername"` + PasswordPolicy *string `pulumi:"passwordPolicy"` + // The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + Realm string `pulumi:"realm"` + RefreshTokenMaxReuse *int `pulumi:"refreshTokenMaxReuse"` + RegistrationAllowed *bool `pulumi:"registrationAllowed"` + RegistrationEmailAsUsername *bool `pulumi:"registrationEmailAsUsername"` // Which flow should be used for RegistrationFlow RegistrationFlow *string `pulumi:"registrationFlow"` RememberMe *bool `pulumi:"rememberMe"` 
@@ -315,15 +443,16 @@ type realmArgs struct { SecurityDefenses *RealmSecurityDefenses `pulumi:"securityDefenses"` SmtpServer *RealmSmtpServer `pulumi:"smtpServer"` // SSL Required: Values can be 'none', 'external' or 'all'. - SslRequired *string `pulumi:"sslRequired"` - SsoSessionIdleTimeout *string `pulumi:"ssoSessionIdleTimeout"` - SsoSessionIdleTimeoutRememberMe *string `pulumi:"ssoSessionIdleTimeoutRememberMe"` - SsoSessionMaxLifespan *string `pulumi:"ssoSessionMaxLifespan"` - SsoSessionMaxLifespanRememberMe *string `pulumi:"ssoSessionMaxLifespanRememberMe"` - UserManagedAccess *bool `pulumi:"userManagedAccess"` - VerifyEmail *bool `pulumi:"verifyEmail"` - WebAuthnPasswordlessPolicy *RealmWebAuthnPasswordlessPolicy `pulumi:"webAuthnPasswordlessPolicy"` - WebAuthnPolicy *RealmWebAuthnPolicy `pulumi:"webAuthnPolicy"` + SslRequired *string `pulumi:"sslRequired"` + SsoSessionIdleTimeout *string `pulumi:"ssoSessionIdleTimeout"` + SsoSessionIdleTimeoutRememberMe *string `pulumi:"ssoSessionIdleTimeoutRememberMe"` + SsoSessionMaxLifespan *string `pulumi:"ssoSessionMaxLifespan"` + SsoSessionMaxLifespanRememberMe *string `pulumi:"ssoSessionMaxLifespanRememberMe"` + // When `true`, users are allowed to manage their own resources. Defaults to `false`. + UserManagedAccess *bool `pulumi:"userManagedAccess"` + VerifyEmail *bool `pulumi:"verifyEmail"` + WebAuthnPasswordlessPolicy *RealmWebAuthnPasswordlessPolicy `pulumi:"webAuthnPasswordlessPolicy"` + WebAuthnPolicy *RealmWebAuthnPolicy `pulumi:"webAuthnPolicy"` } // The set of arguments for constructing a Realm resource. 
@@ -337,7 +466,8 @@ type RealmArgs struct { ActionTokenGeneratedByAdminLifespan pulumi.StringPtrInput ActionTokenGeneratedByUserLifespan pulumi.StringPtrInput AdminTheme pulumi.StringPtrInput - Attributes pulumi.StringMapInput + // A map of custom attributes to add to the realm. + Attributes pulumi.StringMapInput // Which flow should be used for BrowserFlow BrowserFlow pulumi.StringPtrInput // Which flow should be used for ClientAuthenticationFlow @@ -349,14 +479,18 @@ type RealmArgs struct { DefaultSignatureAlgorithm pulumi.StringPtrInput // Which flow should be used for DirectGrantFlow DirectGrantFlow pulumi.StringPtrInput - DisplayName pulumi.StringPtrInput + // The display name for the realm that is shown when logging in to the admin console. + DisplayName pulumi.StringPtrInput + // The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. DisplayNameHtml pulumi.StringPtrInput // Which flow should be used for DockerAuthenticationFlow - DockerAuthenticationFlow pulumi.StringPtrInput - DuplicateEmailsAllowed pulumi.BoolPtrInput - EditUsernameAllowed pulumi.BoolPtrInput - EmailTheme pulumi.StringPtrInput - Enabled pulumi.BoolPtrInput + DockerAuthenticationFlow pulumi.StringPtrInput + DuplicateEmailsAllowed pulumi.BoolPtrInput + EditUsernameAllowed pulumi.BoolPtrInput + EmailTheme pulumi.StringPtrInput + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. + Enabled pulumi.BoolPtrInput + // When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. InternalId pulumi.StringPtrInput Internationalization RealmInternationalizationPtrInput LoginTheme pulumi.StringPtrInput 
@@ -370,7 +504,8 @@ type RealmArgs struct { // String that represents the passwordPolicies that are in place. Each policy is separated with " and ". Supported policies // can be found in the server-info providers page. example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) // and notUsername(undefined)" - PasswordPolicy pulumi.StringPtrInput + PasswordPolicy pulumi.StringPtrInput + // The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. Realm pulumi.StringInput RefreshTokenMaxReuse pulumi.IntPtrInput RegistrationAllowed pulumi.BoolPtrInput @@ -390,10 +525,11 @@ type RealmArgs struct { SsoSessionIdleTimeoutRememberMe pulumi.StringPtrInput SsoSessionMaxLifespan pulumi.StringPtrInput SsoSessionMaxLifespanRememberMe pulumi.StringPtrInput - UserManagedAccess pulumi.BoolPtrInput - VerifyEmail pulumi.BoolPtrInput - WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyPtrInput - WebAuthnPolicy RealmWebAuthnPolicyPtrInput + // When `true`, users are allowed to manage their own resources. Defaults to `false`. + UserManagedAccess pulumi.BoolPtrInput + VerifyEmail pulumi.BoolPtrInput + WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyPtrInput + WebAuthnPolicy RealmWebAuthnPolicyPtrInput } func (RealmArgs) ElementType() reflect.Type { @@ -519,6 +655,7 @@ func (o RealmOutput) AdminTheme() pulumi.StringPtrOutput { return o.ApplyT(func(v *Realm) pulumi.StringPtrOutput { return v.AdminTheme }).(pulumi.StringPtrOutput) } +// A map of custom attributes to add to the realm. func (o RealmOutput) Attributes() pulumi.StringMapOutput { return o.ApplyT(func(v *Realm) pulumi.StringMapOutput { return v.Attributes }).(pulumi.StringMapOutput) } 
@@ -558,10 +695,12 @@ func (o RealmOutput) DirectGrantFlow() pulumi.StringOutput { return o.ApplyT(func(v *Realm) pulumi.StringOutput { return v.DirectGrantFlow }).(pulumi.StringOutput) } +// The display name for the realm that is shown when logging in to the admin console. func (o RealmOutput) DisplayName() pulumi.StringPtrOutput { return o.ApplyT(func(v *Realm) pulumi.StringPtrOutput { return v.DisplayName }).(pulumi.StringPtrOutput) } +// The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. func (o RealmOutput) DisplayNameHtml() pulumi.StringPtrOutput { return o.ApplyT(func(v *Realm) pulumi.StringPtrOutput { return v.DisplayNameHtml }).(pulumi.StringPtrOutput) } @@ -583,10 +722,12 @@ func (o RealmOutput) EmailTheme() pulumi.StringPtrOutput { return o.ApplyT(func(v *Realm) pulumi.StringPtrOutput { return v.EmailTheme }).(pulumi.StringPtrOutput) } +// When `false`, users and clients will not be able to access this realm. Defaults to `true`. func (o RealmOutput) Enabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Realm) pulumi.BoolPtrOutput { return v.Enabled }).(pulumi.BoolPtrOutput) } +// When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. func (o RealmOutput) InternalId() pulumi.StringOutput { return o.ApplyT(func(v *Realm) pulumi.StringOutput { return v.InternalId }).(pulumi.StringOutput) } @@ -634,6 +775,7 @@ func (o RealmOutput) PasswordPolicy() pulumi.StringPtrOutput { return o.ApplyT(func(v *Realm) pulumi.StringPtrOutput { return v.PasswordPolicy }).(pulumi.StringPtrOutput) } +// The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. func (o RealmOutput) Realm() pulumi.StringOutput { return o.ApplyT(func(v *Realm) pulumi.StringOutput { return v.Realm }).(pulumi.StringOutput) } 
@@ -701,6 +843,7 @@ func (o RealmOutput) SsoSessionMaxLifespanRememberMe() pulumi.StringOutput { return o.ApplyT(func(v *Realm) pulumi.StringOutput { return v.SsoSessionMaxLifespanRememberMe }).(pulumi.StringOutput) } +// When `true`, users are allowed to manage their own resources. Defaults to `false`. func (o RealmOutput) UserManagedAccess() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Realm) pulumi.BoolPtrOutput { return v.UserManagedAccess }).(pulumi.BoolPtrOutput) } diff --git a/sdk/go/keycloak/realmEvents.go b/sdk/go/keycloak/realmEvents.go index a84148cf..d3d7394c 100644 --- a/sdk/go/keycloak/realmEvents.go +++ b/sdk/go/keycloak/realmEvents.go @@ -12,11 +12,9 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # RealmEvents -// // Allows for managing Realm Events settings within Keycloak. // -// ### Example Usage +// ## Example Usage // // ```go // package main @@ -31,7 +29,8 @@ import ( // func main() { // pulumi.Run(func(ctx *pulumi.Context) error { // realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ -// Realm: pulumi.String("test"), +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), // }) // if err != nil { // return err 
@@ -59,27 +58,26 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: +// ## Import // -// - `realmId` - (Required) The name of the realm the event settings apply to. -// - `adminEventsEnabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`. -// - `adminEventsDetailsEnabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`. -// - `eventsEnabled` - (Optional) When true, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. -// - `eventsExpiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never. -// - `enabledEventTypes` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. -// - `eventsListeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. +// This resource currently does not support importing. type RealmEvents struct { pulumi.CustomResourceState - AdminEventsDetailsEnabled pulumi.BoolPtrOutput `pulumi:"adminEventsDetailsEnabled"` - AdminEventsEnabled pulumi.BoolPtrOutput `pulumi:"adminEventsEnabled"` - EnabledEventTypes pulumi.StringArrayOutput `pulumi:"enabledEventTypes"` - EventsEnabled pulumi.BoolPtrOutput `pulumi:"eventsEnabled"` - EventsExpiration pulumi.IntPtrOutput `pulumi:"eventsExpiration"` - EventsListeners pulumi.StringArrayOutput `pulumi:"eventsListeners"` - RealmId pulumi.StringOutput `pulumi:"realmId"` + // When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. 
+ AdminEventsDetailsEnabled pulumi.BoolPtrOutput `pulumi:"adminEventsDetailsEnabled"` + // When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + AdminEventsEnabled pulumi.BoolPtrOutput `pulumi:"adminEventsEnabled"` + // The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + EnabledEventTypes pulumi.StringArrayOutput `pulumi:"enabledEventTypes"` + // When `true`, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. + EventsEnabled pulumi.BoolPtrOutput `pulumi:"eventsEnabled"` + // The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + EventsExpiration pulumi.IntPtrOutput `pulumi:"eventsExpiration"` + // The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + EventsListeners pulumi.StringArrayOutput `pulumi:"eventsListeners"` + // The name of the realm the event settings apply to. + RealmId pulumi.StringOutput `pulumi:"realmId"` } // NewRealmEvents registers a new resource with the given unique name, arguments, and options. 
@@ -115,23 +113,37 @@ func GetRealmEvents(ctx *pulumi.Context, // Input properties used for looking up and filtering RealmEvents resources. type realmEventsState struct { - AdminEventsDetailsEnabled *bool `pulumi:"adminEventsDetailsEnabled"` - AdminEventsEnabled *bool `pulumi:"adminEventsEnabled"` - EnabledEventTypes []string `pulumi:"enabledEventTypes"` - EventsEnabled *bool `pulumi:"eventsEnabled"` - EventsExpiration *int `pulumi:"eventsExpiration"` - EventsListeners []string `pulumi:"eventsListeners"` - RealmId *string `pulumi:"realmId"` + // When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + AdminEventsDetailsEnabled *bool `pulumi:"adminEventsDetailsEnabled"` + // When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + AdminEventsEnabled *bool `pulumi:"adminEventsEnabled"` + // The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + EnabledEventTypes []string `pulumi:"enabledEventTypes"` + // When `true`, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. + EventsEnabled *bool `pulumi:"eventsEnabled"` + // The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + EventsExpiration *int `pulumi:"eventsExpiration"` + // The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + EventsListeners []string `pulumi:"eventsListeners"` + // The name of the realm the event settings apply to. + RealmId *string `pulumi:"realmId"` } type RealmEventsState struct { + // When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. 
AdminEventsDetailsEnabled pulumi.BoolPtrInput - AdminEventsEnabled pulumi.BoolPtrInput - EnabledEventTypes pulumi.StringArrayInput - EventsEnabled pulumi.BoolPtrInput - EventsExpiration pulumi.IntPtrInput - EventsListeners pulumi.StringArrayInput - RealmId pulumi.StringPtrInput + // When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + AdminEventsEnabled pulumi.BoolPtrInput + // The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + EnabledEventTypes pulumi.StringArrayInput + // When `true`, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. + EventsEnabled pulumi.BoolPtrInput + // The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + EventsExpiration pulumi.IntPtrInput + // The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + EventsListeners pulumi.StringArrayInput + // The name of the realm the event settings apply to. + RealmId pulumi.StringPtrInput } func (RealmEventsState) ElementType() reflect.Type { 
@@ -139,24 +151,38 @@ func (RealmEventsState) ElementType() reflect.Type { } type realmEventsArgs struct { - AdminEventsDetailsEnabled *bool `pulumi:"adminEventsDetailsEnabled"` - AdminEventsEnabled *bool `pulumi:"adminEventsEnabled"` - EnabledEventTypes []string `pulumi:"enabledEventTypes"` - EventsEnabled *bool `pulumi:"eventsEnabled"` - EventsExpiration *int `pulumi:"eventsExpiration"` - EventsListeners []string `pulumi:"eventsListeners"` - RealmId string `pulumi:"realmId"` + // When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + AdminEventsDetailsEnabled *bool `pulumi:"adminEventsDetailsEnabled"` + // When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + AdminEventsEnabled *bool `pulumi:"adminEventsEnabled"` + // The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + EnabledEventTypes []string `pulumi:"enabledEventTypes"` + // When `true`, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. + EventsEnabled *bool `pulumi:"eventsEnabled"` + // The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + EventsExpiration *int `pulumi:"eventsExpiration"` + // The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + EventsListeners []string `pulumi:"eventsListeners"` + // The name of the realm the event settings apply to. + RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a RealmEvents resource. type RealmEventsArgs struct { + // When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. 
AdminEventsDetailsEnabled pulumi.BoolPtrInput - AdminEventsEnabled pulumi.BoolPtrInput - EnabledEventTypes pulumi.StringArrayInput - EventsEnabled pulumi.BoolPtrInput - EventsExpiration pulumi.IntPtrInput - EventsListeners pulumi.StringArrayInput - RealmId pulumi.StringInput + // When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + AdminEventsEnabled pulumi.BoolPtrInput + // The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + EnabledEventTypes pulumi.StringArrayInput + // When `true`, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. + EventsEnabled pulumi.BoolPtrInput + // The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + EventsExpiration pulumi.IntPtrInput + // The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + EventsListeners pulumi.StringArrayInput + // The name of the realm the event settings apply to. + RealmId pulumi.StringInput } func (RealmEventsArgs) ElementType() reflect.Type { 
@@ -246,30 +272,37 @@ func (o RealmEventsOutput) ToRealmEventsOutputWithContext(ctx context.Context) R return o } +// When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. func (o RealmEventsOutput) AdminEventsDetailsEnabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *RealmEvents) pulumi.BoolPtrOutput { return v.AdminEventsDetailsEnabled }).(pulumi.BoolPtrOutput) } +// When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. func (o RealmEventsOutput) AdminEventsEnabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *RealmEvents) pulumi.BoolPtrOutput { return v.AdminEventsEnabled }).(pulumi.BoolPtrOutput) } +// The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. func (o RealmEventsOutput) EnabledEventTypes() pulumi.StringArrayOutput { return o.ApplyT(func(v *RealmEvents) pulumi.StringArrayOutput { return v.EnabledEventTypes }).(pulumi.StringArrayOutput) } +// When `true`, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. func (o RealmEventsOutput) EventsEnabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *RealmEvents) pulumi.BoolPtrOutput { return v.EventsEnabled }).(pulumi.BoolPtrOutput) } +// The amount of time in seconds events will be saved in the database. Defaults to `0` or never. func (o RealmEventsOutput) EventsExpiration() pulumi.IntPtrOutput { return o.ApplyT(func(v *RealmEvents) pulumi.IntPtrOutput { return v.EventsExpiration }).(pulumi.IntPtrOutput) } +// The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. 
 func (o RealmEventsOutput) EventsListeners() pulumi.StringArrayOutput {
 return o.ApplyT(func(v *RealmEvents) pulumi.StringArrayOutput { return v.EventsListeners }).(pulumi.StringArrayOutput)
 }
+// The name of the realm the event settings apply to.
 func (o RealmEventsOutput) RealmId() pulumi.StringOutput {
 return o.ApplyT(func(v *RealmEvents) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput)
 }
diff --git a/sdk/go/keycloak/role.go b/sdk/go/keycloak/role.go
index 9fd239d2..e2ad3941 100644
--- a/sdk/go/keycloak/role.go
+++ b/sdk/go/keycloak/role.go
@@ -12,14 +12,13 @@ import (
 "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
-// ## # Role
-//
 // Allows for creating and managing roles within Keycloak.
 //
-// Roles allow you define privileges within Keycloak and map them to users
-// and groups.
+// Roles allow you define privileges within Keycloak and map them to users and groups.
+//
+// ## Example Usage
 //
-// ### Example Usage (Realm role)
+// ### Realm Role)
 //
 // ```go
 // package main
@@ -44,6 +43,10 @@ import (
 // RealmId: realm.ID(),
 // Name: pulumi.String("my-realm-role"),
 // Description: pulumi.String("My Realm Role"),
+// Attributes: pulumi.StringMap{
+// "key": pulumi.String("value"),
+// "multivalue": pulumi.String("value1##value2"),
+// },
 // })
 // if err != nil {
 // return err
@@ -54,7 +57,7 @@ import (
 //
 // ```
 //
-// ### Example Usage (Client role)
+// ### Client Role)
 //
 // ```go
 // package main
@@ -76,21 +79,27 @@ import (
 // if err != nil {
 // return err
 // }
-// _, err = openid.NewClient(ctx, "client", &openid.ClientArgs{
+// _, err = openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
 // RealmId: realm.ID(),
 // ClientId: pulumi.String("client"),
 // Name: pulumi.String("client"),
 // Enabled: pulumi.Bool(true),
-// AccessType: pulumi.String("BEARER-ONLY"),
+// AccessType: pulumi.String("CONFIDENTIAL"),
+// ValidRedirectUris: pulumi.StringArray{
+// pulumi.String("http://localhost:8080/openid-callback"),
+// },
 // })
 // if err != nil {
 // return err
 // }
 // _, err = keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
 // RealmId: realm.ID(),
-// ClientId: pulumi.Any(clientKeycloakClient.Id),
+// ClientId: pulumi.Any(openidClientKeycloakClient.Id),
 // Name: pulumi.String("my-client-role"),
 // Description: pulumi.String("My Client Role"),
+// Attributes: pulumi.StringMap{
+// "key": pulumi.String("value"),
+// },
 // })
 // if err != nil {
 // return err
@@ -101,7 +110,7 @@ import (
 //
 // ```
 //
-// ### Example Usage (Composite role)
+// ### Composite Role)
 //
 // ```go
 // package main
@@ -124,50 +133,68 @@ import (
 // return err
 // }
 // // realm roles
-// _, err = keycloak.NewRole(ctx, "create_role", &keycloak.RoleArgs{
+// createRole, err := keycloak.NewRole(ctx, "create_role", &keycloak.RoleArgs{
 // RealmId: realm.ID(),
 // Name: pulumi.String("create"),
+// Attributes: pulumi.StringMap{
+// "key": pulumi.String("value"),
+// },
 // })
 // if err != nil {
 // return err
 // }
-// _, err = keycloak.NewRole(ctx, "read_role", &keycloak.RoleArgs{
+// readRole, err := keycloak.NewRole(ctx, "read_role", &keycloak.RoleArgs{
 // RealmId: realm.ID(),
 // Name: pulumi.String("read"),
+// Attributes: pulumi.StringMap{
+// "key": pulumi.String("value"),
+// },
 // })
 // if err != nil {
 // return err
 // }
-// _, err = keycloak.NewRole(ctx, "update_role", &keycloak.RoleArgs{
+// updateRole, err := keycloak.NewRole(ctx, "update_role", &keycloak.RoleArgs{
 // RealmId: realm.ID(),
 // Name: pulumi.String("update"),
+// Attributes: pulumi.StringMap{
+// "key": pulumi.String("value"),
+// },
 // })
 // if err != nil {
 // return err
 // }
-// _, err = keycloak.NewRole(ctx, "delete_role", &keycloak.RoleArgs{
+// deleteRole, err := keycloak.NewRole(ctx, "delete_role", &keycloak.RoleArgs{
 // RealmId: realm.ID(),
 // Name: pulumi.String("delete"),
+// Attributes: pulumi.StringMap{
+// "key": pulumi.String("value"),
+// },
 // })
 // if err != nil {
 // return err
 // }
 // // client role
-// _, err = openid.NewClient(ctx, "client", &openid.ClientArgs{
+// _, err = openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
 // RealmId: realm.ID(),
 // ClientId: pulumi.String("client"),
 // Name: pulumi.String("client"),
 // Enabled: pulumi.Bool(true),
-// AccessType: pulumi.String("BEARER-ONLY"),
+// AccessType: pulumi.String("CONFIDENTIAL"),
+// ValidRedirectUris: pulumi.StringArray{
+// pulumi.String("http://localhost:8080/openid-callback"),
+// },
 // })
 // if err != nil {
 // return err
 // }
-// _, err = keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
+// clientRole, err := keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
 // RealmId: realm.ID(),
-// ClientId: pulumi.Any(clientKeycloakClient.Id),
+// ClientId: pulumi.Any(openidClientKeycloakClient.Id),
 // Name: pulumi.String("my-client-role"),
 // Description: pulumi.String("My Client Role"),
+// Attributes: pulumi.StringMap{
+// "key": pulumi.String("value"),
+// },
 // })
 // if err != nil {
 // return err
@@ -176,11 +203,14 @@ import (
 // RealmId: realm.ID(),
 // Name: pulumi.String("admin"),
 // CompositeRoles: pulumi.StringArray{
-// pulumi.String("{keycloak_role.create_role.id}"),
-// pulumi.String("{keycloak_role.read_role.id}"),
-// pulumi.String("{keycloak_role.update_role.id}"),
-// pulumi.String("{keycloak_role.delete_role.id}"),
-// pulumi.String("{keycloak_role.client_role.id}"),
+// createRole.ID(),
+// readRole.ID(),
+// updateRole.ID(),
+// deleteRole.ID(),
+// clientRole.ID(),
+// },
+// Attributes: pulumi.StringMap{
+// "key": pulumi.String("value"),
 // },
 // })
 // if err != nil {
@@ -192,36 +222,34 @@ import (
 //
 // ```
 //
-// ### Argument Reference
+// ## Import
 //
-// The following arguments are supported:
+// Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where `role_id` is the unique ID that Keycloak assigns
 //
-// - `realmId` - (Required) The realm this role exists within.
-// - `clientId` - (Optional) When specified, this role will be created as
-// a client role attached to the client with the provided ID
-// - `name` - (Required) The name of the role
-// - `description` - (Optional) The description of the role
-// - `compositeRoles` - (Optional) When specified, this role will be a
-// composite role, composed of all roles that have an ID present within
-// this list.
+// to the role. The ID is not easy to find in the GUI, but it appears in the URL when editing the role.
 //
-// ### Import
+// Example:
 //
-// Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where
-// `roleId` is the unique ID that Keycloak assigns to the role. The ID is
-// not easy to find in the GUI, but it appears in the URL when editing the
-// role.
+// bash
 //
-// Example:
+// ```sh
+// $ pulumi import keycloak:index/role:Role role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad
+// ```
 type Role struct {
 pulumi.CustomResourceState
- Attributes pulumi.StringMapOutput `pulumi:"attributes"`
- ClientId pulumi.StringPtrOutput `pulumi:"clientId"`
+ // A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ Attributes pulumi.StringMapOutput `pulumi:"attributes"`
+ // When specified, this role will be created as a client role attached to the client with the provided ID
+ ClientId pulumi.StringPtrOutput `pulumi:"clientId"`
+ // When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
 CompositeRoles pulumi.StringArrayOutput `pulumi:"compositeRoles"`
- Description pulumi.StringPtrOutput `pulumi:"description"`
- Name pulumi.StringOutput `pulumi:"name"`
- RealmId pulumi.StringOutput `pulumi:"realmId"`
+ // The description of the role
+ Description pulumi.StringPtrOutput `pulumi:"description"`
+ // The name of the role
+ Name pulumi.StringOutput `pulumi:"name"`
+ // The realm this role exists within.
+ RealmId pulumi.StringOutput `pulumi:"realmId"`
 }
 // NewRole registers a new resource with the given unique name, arguments, and options.
@@ -257,21 +285,33 @@ func GetRole(ctx *pulumi.Context,
 // Input properties used for looking up and filtering Role resources.
 type roleState struct {
- Attributes map[string]string `pulumi:"attributes"`
- ClientId *string `pulumi:"clientId"`
- CompositeRoles []string `pulumi:"compositeRoles"`
- Description *string `pulumi:"description"`
- Name *string `pulumi:"name"`
- RealmId *string `pulumi:"realmId"`
+ // A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ Attributes map[string]string `pulumi:"attributes"`
+ // When specified, this role will be created as a client role attached to the client with the provided ID
+ ClientId *string `pulumi:"clientId"`
+ // When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
+ CompositeRoles []string `pulumi:"compositeRoles"`
+ // The description of the role
+ Description *string `pulumi:"description"`
+ // The name of the role
+ Name *string `pulumi:"name"`
+ // The realm this role exists within.
+ RealmId *string `pulumi:"realmId"`
 }
 type RoleState struct {
- Attributes pulumi.StringMapInput
- ClientId pulumi.StringPtrInput
+ // A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ Attributes pulumi.StringMapInput
+ // When specified, this role will be created as a client role attached to the client with the provided ID
+ ClientId pulumi.StringPtrInput
+ // When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
 CompositeRoles pulumi.StringArrayInput
- Description pulumi.StringPtrInput
- Name pulumi.StringPtrInput
- RealmId pulumi.StringPtrInput
+ // The description of the role
+ Description pulumi.StringPtrInput
+ // The name of the role
+ Name pulumi.StringPtrInput
+ // The realm this role exists within.
+ RealmId pulumi.StringPtrInput
 }
 func (RoleState) ElementType() reflect.Type {
@@ -279,22 +319,34 @@ func (RoleState) ElementType() reflect.Type {
 }
 type roleArgs struct {
- Attributes map[string]string `pulumi:"attributes"`
- ClientId *string `pulumi:"clientId"`
- CompositeRoles []string `pulumi:"compositeRoles"`
- Description *string `pulumi:"description"`
- Name *string `pulumi:"name"`
- RealmId string `pulumi:"realmId"`
+ // A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ Attributes map[string]string `pulumi:"attributes"`
+ // When specified, this role will be created as a client role attached to the client with the provided ID
+ ClientId *string `pulumi:"clientId"`
+ // When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
+ CompositeRoles []string `pulumi:"compositeRoles"`
+ // The description of the role
+ Description *string `pulumi:"description"`
+ // The name of the role
+ Name *string `pulumi:"name"`
+ // The realm this role exists within.
+ RealmId string `pulumi:"realmId"`
 }
 // The set of arguments for constructing a Role resource.
 type RoleArgs struct {
- Attributes pulumi.StringMapInput
- ClientId pulumi.StringPtrInput
+ // A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ Attributes pulumi.StringMapInput
+ // When specified, this role will be created as a client role attached to the client with the provided ID
+ ClientId pulumi.StringPtrInput
+ // When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
 CompositeRoles pulumi.StringArrayInput
- Description pulumi.StringPtrInput
- Name pulumi.StringPtrInput
- RealmId pulumi.StringInput
+ // The description of the role
+ Description pulumi.StringPtrInput
+ // The name of the role
+ Name pulumi.StringPtrInput
+ // The realm this role exists within.
+ RealmId pulumi.StringInput
 }
 func (RoleArgs) ElementType() reflect.Type {
@@ -384,26 +436,32 @@ func (o RoleOutput) ToRoleOutputWithContext(ctx context.Context) RoleOutput {
 return o
 }
+// A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
 func (o RoleOutput) Attributes() pulumi.StringMapOutput {
 return o.ApplyT(func(v *Role) pulumi.StringMapOutput { return v.Attributes }).(pulumi.StringMapOutput)
 }
+// When specified, this role will be created as a client role attached to the client with the provided ID
 func (o RoleOutput) ClientId() pulumi.StringPtrOutput {
 return o.ApplyT(func(v *Role) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput)
 }
+// When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
 func (o RoleOutput) CompositeRoles() pulumi.StringArrayOutput {
 return o.ApplyT(func(v *Role) pulumi.StringArrayOutput { return v.CompositeRoles }).(pulumi.StringArrayOutput)
 }
+// The description of the role
 func (o RoleOutput) Description() pulumi.StringPtrOutput {
 return o.ApplyT(func(v *Role) pulumi.StringPtrOutput { return v.Description }).(pulumi.StringPtrOutput)
 }
+// The name of the role
 func (o RoleOutput) Name() pulumi.StringOutput {
 return o.ApplyT(func(v *Role) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput)
 }
+// The realm this role exists within.
 func (o RoleOutput) RealmId() pulumi.StringOutput {
 return o.ApplyT(func(v *Role) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput)
 }
diff --git a/sdk/go/keycloak/saml/client.go b/sdk/go/keycloak/saml/client.go
index 4972b3c7..012b1edb 100644
--- a/sdk/go/keycloak/saml/client.go
+++ b/sdk/go/keycloak/saml/client.go
@@ -12,60 +12,100 @@ import (
 "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
-// ## # saml.Client
-//
 // Allows for creating and managing Keycloak clients that use the SAML protocol.
 //
-// Clients are entities that can use Keycloak for user authentication. Typically,
-// clients are applications that redirect users to Keycloak for authentication
-// in order to take advantage of Keycloak's user sessions for SSO.
+// Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users
+// to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.
+//
+// ## Import
 //
-// ### Import
+// Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak
 //
-// Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `clientKeycloakId` is the unique ID that Keycloak
 // assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.
 //
 // Example:
+//
+// bash
+//
+// ```sh
+// $ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352
+// ```
 type Client struct {
 pulumi.CustomResourceState
- AssertionConsumerPostUrl pulumi.StringPtrOutput `pulumi:"assertionConsumerPostUrl"`
- AssertionConsumerRedirectUrl pulumi.StringPtrOutput `pulumi:"assertionConsumerRedirectUrl"`
+ // SAML POST Binding URL for the client's assertion consumer service (login responses).
+ AssertionConsumerPostUrl pulumi.StringPtrOutput `pulumi:"assertionConsumerPostUrl"`
+ // SAML Redirect Binding URL for the client's assertion consumer service (login responses).
+ AssertionConsumerRedirectUrl pulumi.StringPtrOutput `pulumi:"assertionConsumerRedirectUrl"`
+ // Override realm authentication flow bindings
 AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesPtrOutput `pulumi:"authenticationFlowBindingOverrides"`
- BaseUrl pulumi.StringPtrOutput `pulumi:"baseUrl"`
- CanonicalizationMethod pulumi.StringPtrOutput `pulumi:"canonicalizationMethod"`
- ClientId pulumi.StringOutput `pulumi:"clientId"`
- ClientSignatureRequired pulumi.BoolPtrOutput `pulumi:"clientSignatureRequired"`
- Description pulumi.StringPtrOutput `pulumi:"description"`
- Enabled pulumi.BoolPtrOutput `pulumi:"enabled"`
- EncryptAssertions pulumi.BoolPtrOutput `pulumi:"encryptAssertions"`
- EncryptionCertificate pulumi.StringOutput `pulumi:"encryptionCertificate"`
- EncryptionCertificateSha1 pulumi.StringOutput `pulumi:"encryptionCertificateSha1"`
- ExtraConfig pulumi.StringMapOutput `pulumi:"extraConfig"`
- ForceNameIdFormat pulumi.BoolPtrOutput `pulumi:"forceNameIdFormat"`
- ForcePostBinding pulumi.BoolPtrOutput `pulumi:"forcePostBinding"`
- FrontChannelLogout pulumi.BoolPtrOutput `pulumi:"frontChannelLogout"`
- FullScopeAllowed pulumi.BoolPtrOutput `pulumi:"fullScopeAllowed"`
- IdpInitiatedSsoRelayState pulumi.StringPtrOutput `pulumi:"idpInitiatedSsoRelayState"`
- IdpInitiatedSsoUrlName pulumi.StringPtrOutput `pulumi:"idpInitiatedSsoUrlName"`
- IncludeAuthnStatement pulumi.BoolPtrOutput `pulumi:"includeAuthnStatement"`
- LoginTheme pulumi.StringPtrOutput `pulumi:"loginTheme"`
- LogoutServicePostBindingUrl pulumi.StringPtrOutput `pulumi:"logoutServicePostBindingUrl"`
- LogoutServiceRedirectBindingUrl pulumi.StringPtrOutput `pulumi:"logoutServiceRedirectBindingUrl"`
- MasterSamlProcessingUrl pulumi.StringPtrOutput `pulumi:"masterSamlProcessingUrl"`
- Name pulumi.StringOutput `pulumi:"name"`
- NameIdFormat pulumi.StringOutput `pulumi:"nameIdFormat"`
- RealmId pulumi.StringOutput `pulumi:"realmId"`
- RootUrl pulumi.StringPtrOutput `pulumi:"rootUrl"`
- SignAssertions pulumi.BoolPtrOutput `pulumi:"signAssertions"`
- SignDocuments pulumi.BoolPtrOutput `pulumi:"signDocuments"`
- SignatureAlgorithm pulumi.StringPtrOutput `pulumi:"signatureAlgorithm"`
- SignatureKeyName pulumi.StringPtrOutput `pulumi:"signatureKeyName"`
- SigningCertificate pulumi.StringOutput `pulumi:"signingCertificate"`
- SigningCertificateSha1 pulumi.StringOutput `pulumi:"signingCertificateSha1"`
- SigningPrivateKey pulumi.StringOutput `pulumi:"signingPrivateKey"`
- SigningPrivateKeySha1 pulumi.StringOutput `pulumi:"signingPrivateKeySha1"`
- ValidRedirectUris pulumi.StringArrayOutput `pulumi:"validRedirectUris"`
+ // When specified, this URL will be used whenever Keycloak needs to link to this client.
+ BaseUrl pulumi.StringPtrOutput `pulumi:"baseUrl"`
+ // The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
+ CanonicalizationMethod pulumi.StringPtrOutput `pulumi:"canonicalizationMethod"`
+ // The unique ID of this client, referenced in the URI during authentication and in issued tokens.
+ ClientId pulumi.StringOutput `pulumi:"clientId"`
+ // When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. Defaults to `true`.
+ ClientSignatureRequired pulumi.BoolPtrOutput `pulumi:"clientSignatureRequired"`
+ // The description of this client in the GUI.
+ Description pulumi.StringPtrOutput `pulumi:"description"`
+ // When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
+ Enabled pulumi.BoolPtrOutput `pulumi:"enabled"`
+ // When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`.
+ EncryptAssertions pulumi.BoolPtrOutput `pulumi:"encryptAssertions"`
+ // If assertions for the client are encrypted, this certificate will be used for encryption.
+ EncryptionCertificate pulumi.StringOutput `pulumi:"encryptionCertificate"`
+ // (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
+ EncryptionCertificateSha1 pulumi.StringOutput `pulumi:"encryptionCertificateSha1"`
+ ExtraConfig pulumi.StringMapOutput `pulumi:"extraConfig"`
+ // Ignore requested NameID subject format and use the one defined in `nameIdFormat` instead. Defaults to `false`.
+ ForceNameIdFormat pulumi.BoolPtrOutput `pulumi:"forceNameIdFormat"`
+ // When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`.
+ ForcePostBinding pulumi.BoolPtrOutput `pulumi:"forcePostBinding"`
+ // When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`.
+ FrontChannelLogout pulumi.BoolPtrOutput `pulumi:"frontChannelLogout"`
+ // Allow to include all roles mappings in the access token
+ FullScopeAllowed pulumi.BoolPtrOutput `pulumi:"fullScopeAllowed"`
+ // Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
+ IdpInitiatedSsoRelayState pulumi.StringPtrOutput `pulumi:"idpInitiatedSsoRelayState"`
+ // URL fragment name to reference client when you want to do IDP Initiated SSO.
+ IdpInitiatedSsoUrlName pulumi.StringPtrOutput `pulumi:"idpInitiatedSsoUrlName"`
+ // When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`.
+ IncludeAuthnStatement pulumi.BoolPtrOutput `pulumi:"includeAuthnStatement"`
+ // The login theme of this client.
+ LoginTheme pulumi.StringPtrOutput `pulumi:"loginTheme"`
+ // SAML POST Binding URL for the client's single logout service.
+ LogoutServicePostBindingUrl pulumi.StringPtrOutput `pulumi:"logoutServicePostBindingUrl"`
+ // SAML Redirect Binding URL for the client's single logout service.
+ LogoutServiceRedirectBindingUrl pulumi.StringPtrOutput `pulumi:"logoutServiceRedirectBindingUrl"`
+ // When specified, this URL will be used for all SAML requests.
+ MasterSamlProcessingUrl pulumi.StringPtrOutput `pulumi:"masterSamlProcessingUrl"`
+ // The display name of this client in the GUI.
+ Name pulumi.StringOutput `pulumi:"name"`
+ // Sets the Name ID format for the subject.
+ NameIdFormat pulumi.StringOutput `pulumi:"nameIdFormat"`
+ // The realm this client is attached to.
+ RealmId pulumi.StringOutput `pulumi:"realmId"`
+ // When specified, this value is prepended to all relative URLs.
+ RootUrl pulumi.StringPtrOutput `pulumi:"rootUrl"`
+ // When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`.
+ SignAssertions pulumi.BoolPtrOutput `pulumi:"signAssertions"`
+ // When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`.
+ SignDocuments pulumi.BoolPtrOutput `pulumi:"signDocuments"`
+ // The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
+ SignatureAlgorithm pulumi.StringPtrOutput `pulumi:"signatureAlgorithm"`
+ // The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
+ SignatureKeyName pulumi.StringPtrOutput `pulumi:"signatureKeyName"`
+ // If documents or assertions from the client are signed, this certificate will be used to verify the signature.
+ SigningCertificate pulumi.StringOutput `pulumi:"signingCertificate"`
+ // (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
+ SigningCertificateSha1 pulumi.StringOutput `pulumi:"signingCertificateSha1"`
+ // If documents or assertions from the client are signed, this private key will be used to verify the signature.
+ SigningPrivateKey pulumi.StringOutput `pulumi:"signingPrivateKey"`
+ // (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
+ SigningPrivateKeySha1 pulumi.StringOutput `pulumi:"signingPrivateKeySha1"`
+ // When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.
+ ValidRedirectUris pulumi.StringArrayOutput `pulumi:"validRedirectUris"`
 }
 // NewClient registers a new resource with the given unique name, arguments, and options.
@@ -104,83 +144,155 @@ func GetClient(ctx *pulumi.Context,
 // Input properties used for looking up and filtering Client resources.
 type clientState struct {
- AssertionConsumerPostUrl *string `pulumi:"assertionConsumerPostUrl"`
- AssertionConsumerRedirectUrl *string `pulumi:"assertionConsumerRedirectUrl"`
+ // SAML POST Binding URL for the client's assertion consumer service (login responses).
+ AssertionConsumerPostUrl *string `pulumi:"assertionConsumerPostUrl"`
+ // SAML Redirect Binding URL for the client's assertion consumer service (login responses).
+ AssertionConsumerRedirectUrl *string `pulumi:"assertionConsumerRedirectUrl"`
+ // Override realm authentication flow bindings
 AuthenticationFlowBindingOverrides *ClientAuthenticationFlowBindingOverrides `pulumi:"authenticationFlowBindingOverrides"`
- BaseUrl *string `pulumi:"baseUrl"`
- CanonicalizationMethod *string `pulumi:"canonicalizationMethod"`
- ClientId *string `pulumi:"clientId"`
- ClientSignatureRequired *bool `pulumi:"clientSignatureRequired"`
- Description *string `pulumi:"description"`
- Enabled *bool `pulumi:"enabled"`
- EncryptAssertions *bool `pulumi:"encryptAssertions"`
- EncryptionCertificate *string `pulumi:"encryptionCertificate"`
- EncryptionCertificateSha1 *string `pulumi:"encryptionCertificateSha1"`
- ExtraConfig map[string]string `pulumi:"extraConfig"`
- ForceNameIdFormat *bool `pulumi:"forceNameIdFormat"`
- ForcePostBinding *bool `pulumi:"forcePostBinding"`
- FrontChannelLogout *bool `pulumi:"frontChannelLogout"`
- FullScopeAllowed *bool `pulumi:"fullScopeAllowed"`
- IdpInitiatedSsoRelayState *string `pulumi:"idpInitiatedSsoRelayState"`
- IdpInitiatedSsoUrlName *string `pulumi:"idpInitiatedSsoUrlName"`
- IncludeAuthnStatement *bool `pulumi:"includeAuthnStatement"`
- LoginTheme *string `pulumi:"loginTheme"`
- LogoutServicePostBindingUrl *string `pulumi:"logoutServicePostBindingUrl"`
- LogoutServiceRedirectBindingUrl *string `pulumi:"logoutServiceRedirectBindingUrl"`
- MasterSamlProcessingUrl *string `pulumi:"masterSamlProcessingUrl"`
- Name *string `pulumi:"name"`
- NameIdFormat *string `pulumi:"nameIdFormat"`
- RealmId *string `pulumi:"realmId"`
- RootUrl *string `pulumi:"rootUrl"`
- SignAssertions *bool `pulumi:"signAssertions"`
- SignDocuments *bool `pulumi:"signDocuments"`
- SignatureAlgorithm *string `pulumi:"signatureAlgorithm"`
- SignatureKeyName *string `pulumi:"signatureKeyName"`
- SigningCertificate *string `pulumi:"signingCertificate"`
- SigningCertificateSha1 *string `pulumi:"signingCertificateSha1"`
- SigningPrivateKey *string `pulumi:"signingPrivateKey"`
- SigningPrivateKeySha1 *string `pulumi:"signingPrivateKeySha1"`
- ValidRedirectUris []string `pulumi:"validRedirectUris"`
+ // When specified, this URL will be used whenever Keycloak needs to link to this client.
+ BaseUrl *string `pulumi:"baseUrl"`
+ // The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
+ CanonicalizationMethod *string `pulumi:"canonicalizationMethod"`
+ // The unique ID of this client, referenced in the URI during authentication and in issued tokens.
+ ClientId *string `pulumi:"clientId"`
+ // When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. Defaults to `true`.
+ ClientSignatureRequired *bool `pulumi:"clientSignatureRequired"`
+ // The description of this client in the GUI.
+ Description *string `pulumi:"description"`
+ // When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
+ Enabled *bool `pulumi:"enabled"`
+ // When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`.
+ EncryptAssertions *bool `pulumi:"encryptAssertions"`
+ // If assertions for the client are encrypted, this certificate will be used for encryption.
+ EncryptionCertificate *string `pulumi:"encryptionCertificate"`
+ // (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
+ EncryptionCertificateSha1 *string `pulumi:"encryptionCertificateSha1"`
+ ExtraConfig map[string]string `pulumi:"extraConfig"`
+ // Ignore requested NameID subject format and use the one defined in `nameIdFormat` instead. Defaults to `false`.
+ ForceNameIdFormat *bool `pulumi:"forceNameIdFormat"`
+ // When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`.
+ ForcePostBinding *bool `pulumi:"forcePostBinding"`
+ // When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`.
+ FrontChannelLogout *bool `pulumi:"frontChannelLogout"`
+ // Allow to include all roles mappings in the access token
+ FullScopeAllowed *bool `pulumi:"fullScopeAllowed"`
+ // Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
+ IdpInitiatedSsoRelayState *string `pulumi:"idpInitiatedSsoRelayState"`
+ // URL fragment name to reference client when you want to do IDP Initiated SSO.
+ IdpInitiatedSsoUrlName *string `pulumi:"idpInitiatedSsoUrlName"`
+ // When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`.
+ IncludeAuthnStatement *bool `pulumi:"includeAuthnStatement"`
+ // The login theme of this client.
+ LoginTheme *string `pulumi:"loginTheme"`
+ // SAML POST Binding URL for the client's single logout service.
+ LogoutServicePostBindingUrl *string `pulumi:"logoutServicePostBindingUrl"`
+ // SAML Redirect Binding URL for the client's single logout service.
+ LogoutServiceRedirectBindingUrl *string `pulumi:"logoutServiceRedirectBindingUrl"`
+ // When specified, this URL will be used for all SAML requests.
+ MasterSamlProcessingUrl *string `pulumi:"masterSamlProcessingUrl"`
+ // The display name of this client in the GUI.
+ Name *string `pulumi:"name"`
+ // Sets the Name ID format for the subject.
+ NameIdFormat *string `pulumi:"nameIdFormat"`
+ // The realm this client is attached to.
+ RealmId *string `pulumi:"realmId"`
+ // When specified, this value is prepended to all relative URLs.
+ RootUrl *string `pulumi:"rootUrl"`
+ // When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`.
+ SignAssertions *bool `pulumi:"signAssertions"`
+ // When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`.
+ SignDocuments *bool `pulumi:"signDocuments"`
+ // The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
+ SignatureAlgorithm *string `pulumi:"signatureAlgorithm"`
+ // The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
+ SignatureKeyName *string `pulumi:"signatureKeyName"`
+ // If documents or assertions from the client are signed, this certificate will be used to verify the signature.
+ SigningCertificate *string `pulumi:"signingCertificate"`
+ // (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
+ SigningCertificateSha1 *string `pulumi:"signingCertificateSha1"`
+ // If documents or assertions from the client are signed, this private key will be used to verify the signature.
+ SigningPrivateKey *string `pulumi:"signingPrivateKey"`
+ // (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
+ SigningPrivateKeySha1 *string `pulumi:"signingPrivateKeySha1"`
+ // When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.
+ ValidRedirectUris []string `pulumi:"validRedirectUris"`
 }
 type ClientState struct {
- AssertionConsumerPostUrl pulumi.StringPtrInput
- AssertionConsumerRedirectUrl pulumi.StringPtrInput
+ // SAML POST Binding URL for the client's assertion consumer service (login responses).
+ AssertionConsumerPostUrl pulumi.StringPtrInput
+ // SAML Redirect Binding URL for the client's assertion consumer service (login responses).
+ AssertionConsumerRedirectUrl pulumi.StringPtrInput
+ // Override realm authentication flow bindings
 AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesPtrInput
- BaseUrl pulumi.StringPtrInput
- CanonicalizationMethod pulumi.StringPtrInput
- ClientId pulumi.StringPtrInput
- ClientSignatureRequired pulumi.BoolPtrInput
- Description pulumi.StringPtrInput
- Enabled pulumi.BoolPtrInput
- EncryptAssertions pulumi.BoolPtrInput
- EncryptionCertificate pulumi.StringPtrInput
- EncryptionCertificateSha1 pulumi.StringPtrInput
- ExtraConfig pulumi.StringMapInput
- ForceNameIdFormat pulumi.BoolPtrInput
- ForcePostBinding pulumi.BoolPtrInput
- FrontChannelLogout pulumi.BoolPtrInput
- FullScopeAllowed pulumi.BoolPtrInput
- IdpInitiatedSsoRelayState pulumi.StringPtrInput
- IdpInitiatedSsoUrlName pulumi.StringPtrInput
- IncludeAuthnStatement pulumi.BoolPtrInput
- LoginTheme pulumi.StringPtrInput
- LogoutServicePostBindingUrl pulumi.StringPtrInput
- LogoutServiceRedirectBindingUrl pulumi.StringPtrInput
- MasterSamlProcessingUrl pulumi.StringPtrInput
- Name pulumi.StringPtrInput
- NameIdFormat pulumi.StringPtrInput
- RealmId pulumi.StringPtrInput
- RootUrl pulumi.StringPtrInput - SignAssertions pulumi.BoolPtrInput - SignDocuments pulumi.BoolPtrInput - SignatureAlgorithm pulumi.StringPtrInput - SignatureKeyName pulumi.StringPtrInput - SigningCertificate pulumi.StringPtrInput - SigningCertificateSha1 pulumi.StringPtrInput - SigningPrivateKey pulumi.StringPtrInput - SigningPrivateKeySha1 pulumi.StringPtrInput - ValidRedirectUris pulumi.StringArrayInput + // When specified, this URL will be used whenever Keycloak needs to link to this client. + BaseUrl pulumi.StringPtrInput + // The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + CanonicalizationMethod pulumi.StringPtrInput + // The unique ID of this client, referenced in the URI during authentication and in issued tokens. + ClientId pulumi.StringPtrInput + // When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. Defaults to `true`. + ClientSignatureRequired pulumi.BoolPtrInput + // The description of this client in the GUI. + Description pulumi.StringPtrInput + // When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + Enabled pulumi.BoolPtrInput + // When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + EncryptAssertions pulumi.BoolPtrInput + // If assertions for the client are encrypted, this certificate will be used for encryption. + EncryptionCertificate pulumi.StringPtrInput + // (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. 
+ EncryptionCertificateSha1 pulumi.StringPtrInput + ExtraConfig pulumi.StringMapInput + // Ignore requested NameID subject format and use the one defined in `nameIdFormat` instead. Defaults to `false`. + ForceNameIdFormat pulumi.BoolPtrInput + // When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + ForcePostBinding pulumi.BoolPtrInput + // When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + FrontChannelLogout pulumi.BoolPtrInput + // Allow to include all roles mappings in the access token + FullScopeAllowed pulumi.BoolPtrInput + // Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + IdpInitiatedSsoRelayState pulumi.StringPtrInput + // URL fragment name to reference client when you want to do IDP Initiated SSO. + IdpInitiatedSsoUrlName pulumi.StringPtrInput + // When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + IncludeAuthnStatement pulumi.BoolPtrInput + // The login theme of this client. + LoginTheme pulumi.StringPtrInput + // SAML POST Binding URL for the client's single logout service. + LogoutServicePostBindingUrl pulumi.StringPtrInput + // SAML Redirect Binding URL for the client's single logout service. + LogoutServiceRedirectBindingUrl pulumi.StringPtrInput + // When specified, this URL will be used for all SAML requests. + MasterSamlProcessingUrl pulumi.StringPtrInput + // The display name of this client in the GUI. + Name pulumi.StringPtrInput + // Sets the Name ID format for the subject. + NameIdFormat pulumi.StringPtrInput + // The realm this client is attached to. + RealmId pulumi.StringPtrInput + // When specified, this value is prepended to all relative URLs. + RootUrl pulumi.StringPtrInput + // When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. 
+ SignAssertions pulumi.BoolPtrInput + // When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + SignDocuments pulumi.BoolPtrInput + // The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + SignatureAlgorithm pulumi.StringPtrInput + // The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + SignatureKeyName pulumi.StringPtrInput + // If documents or assertions from the client are signed, this certificate will be used to verify the signature. + SigningCertificate pulumi.StringPtrInput + // (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + SigningCertificateSha1 pulumi.StringPtrInput + // If documents or assertions from the client are signed, this private key will be used to verify the signature. + SigningPrivateKey pulumi.StringPtrInput + // (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + SigningPrivateKeySha1 pulumi.StringPtrInput + // When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + ValidRedirectUris pulumi.StringArrayInput } func (ClientState) ElementType() reflect.Type { 
@@ -188,78 +300,144 @@ func (ClientState) ElementType() reflect.Type { } type clientArgs struct { - AssertionConsumerPostUrl *string `pulumi:"assertionConsumerPostUrl"` - AssertionConsumerRedirectUrl *string `pulumi:"assertionConsumerRedirectUrl"` + // SAML POST Binding URL for the client's assertion consumer service (login responses). + AssertionConsumerPostUrl *string `pulumi:"assertionConsumerPostUrl"` + // SAML Redirect Binding URL for the client's assertion consumer service (login responses). + AssertionConsumerRedirectUrl *string `pulumi:"assertionConsumerRedirectUrl"` + // Override realm authentication flow bindings AuthenticationFlowBindingOverrides *ClientAuthenticationFlowBindingOverrides `pulumi:"authenticationFlowBindingOverrides"` - BaseUrl *string `pulumi:"baseUrl"` - CanonicalizationMethod *string `pulumi:"canonicalizationMethod"` - ClientId string `pulumi:"clientId"` - ClientSignatureRequired *bool `pulumi:"clientSignatureRequired"` - Description *string `pulumi:"description"` - Enabled *bool `pulumi:"enabled"` - EncryptAssertions *bool `pulumi:"encryptAssertions"` - EncryptionCertificate *string `pulumi:"encryptionCertificate"` - ExtraConfig map[string]string `pulumi:"extraConfig"` - ForceNameIdFormat *bool `pulumi:"forceNameIdFormat"` - ForcePostBinding *bool `pulumi:"forcePostBinding"` - FrontChannelLogout *bool `pulumi:"frontChannelLogout"` - FullScopeAllowed *bool `pulumi:"fullScopeAllowed"` - IdpInitiatedSsoRelayState *string `pulumi:"idpInitiatedSsoRelayState"` - IdpInitiatedSsoUrlName *string `pulumi:"idpInitiatedSsoUrlName"` - IncludeAuthnStatement *bool `pulumi:"includeAuthnStatement"` - LoginTheme *string `pulumi:"loginTheme"` - LogoutServicePostBindingUrl *string `pulumi:"logoutServicePostBindingUrl"` - LogoutServiceRedirectBindingUrl *string `pulumi:"logoutServiceRedirectBindingUrl"` - MasterSamlProcessingUrl *string `pulumi:"masterSamlProcessingUrl"` - Name *string `pulumi:"name"` - NameIdFormat *string `pulumi:"nameIdFormat"` - 
RealmId string `pulumi:"realmId"` - RootUrl *string `pulumi:"rootUrl"` - SignAssertions *bool `pulumi:"signAssertions"` - SignDocuments *bool `pulumi:"signDocuments"` - SignatureAlgorithm *string `pulumi:"signatureAlgorithm"` - SignatureKeyName *string `pulumi:"signatureKeyName"` - SigningCertificate *string `pulumi:"signingCertificate"` - SigningPrivateKey *string `pulumi:"signingPrivateKey"` - ValidRedirectUris []string `pulumi:"validRedirectUris"` + // When specified, this URL will be used whenever Keycloak needs to link to this client. + BaseUrl *string `pulumi:"baseUrl"` + // The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + CanonicalizationMethod *string `pulumi:"canonicalizationMethod"` + // The unique ID of this client, referenced in the URI during authentication and in issued tokens. + ClientId string `pulumi:"clientId"` + // When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. Defaults to `true`. + ClientSignatureRequired *bool `pulumi:"clientSignatureRequired"` + // The description of this client in the GUI. + Description *string `pulumi:"description"` + // When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + Enabled *bool `pulumi:"enabled"` + // When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + EncryptAssertions *bool `pulumi:"encryptAssertions"` + // If assertions for the client are encrypted, this certificate will be used for encryption. + EncryptionCertificate *string `pulumi:"encryptionCertificate"` + ExtraConfig map[string]string `pulumi:"extraConfig"` + // Ignore requested NameID subject format and use the one defined in `nameIdFormat` instead. Defaults to `false`. 
+ ForceNameIdFormat *bool `pulumi:"forceNameIdFormat"` + // When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + ForcePostBinding *bool `pulumi:"forcePostBinding"` + // When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + FrontChannelLogout *bool `pulumi:"frontChannelLogout"` + // Allow to include all roles mappings in the access token + FullScopeAllowed *bool `pulumi:"fullScopeAllowed"` + // Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + IdpInitiatedSsoRelayState *string `pulumi:"idpInitiatedSsoRelayState"` + // URL fragment name to reference client when you want to do IDP Initiated SSO. + IdpInitiatedSsoUrlName *string `pulumi:"idpInitiatedSsoUrlName"` + // When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + IncludeAuthnStatement *bool `pulumi:"includeAuthnStatement"` + // The login theme of this client. + LoginTheme *string `pulumi:"loginTheme"` + // SAML POST Binding URL for the client's single logout service. + LogoutServicePostBindingUrl *string `pulumi:"logoutServicePostBindingUrl"` + // SAML Redirect Binding URL for the client's single logout service. + LogoutServiceRedirectBindingUrl *string `pulumi:"logoutServiceRedirectBindingUrl"` + // When specified, this URL will be used for all SAML requests. + MasterSamlProcessingUrl *string `pulumi:"masterSamlProcessingUrl"` + // The display name of this client in the GUI. + Name *string `pulumi:"name"` + // Sets the Name ID format for the subject. + NameIdFormat *string `pulumi:"nameIdFormat"` + // The realm this client is attached to. + RealmId string `pulumi:"realmId"` + // When specified, this value is prepended to all relative URLs. 
+ RootUrl *string `pulumi:"rootUrl"` + // When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + SignAssertions *bool `pulumi:"signAssertions"` + // When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + SignDocuments *bool `pulumi:"signDocuments"` + // The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + SignatureAlgorithm *string `pulumi:"signatureAlgorithm"` + // The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + SignatureKeyName *string `pulumi:"signatureKeyName"` + // If documents or assertions from the client are signed, this certificate will be used to verify the signature. + SigningCertificate *string `pulumi:"signingCertificate"` + // If documents or assertions from the client are signed, this private key will be used to verify the signature. + SigningPrivateKey *string `pulumi:"signingPrivateKey"` + // When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + ValidRedirectUris []string `pulumi:"validRedirectUris"` } // The set of arguments for constructing a Client resource. type ClientArgs struct { - AssertionConsumerPostUrl pulumi.StringPtrInput - AssertionConsumerRedirectUrl pulumi.StringPtrInput + // SAML POST Binding URL for the client's assertion consumer service (login responses). + AssertionConsumerPostUrl pulumi.StringPtrInput + // SAML Redirect Binding URL for the client's assertion consumer service (login responses). 
+ AssertionConsumerRedirectUrl pulumi.StringPtrInput + // Override realm authentication flow bindings AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesPtrInput - BaseUrl pulumi.StringPtrInput - CanonicalizationMethod pulumi.StringPtrInput - ClientId pulumi.StringInput - ClientSignatureRequired pulumi.BoolPtrInput - Description pulumi.StringPtrInput - Enabled pulumi.BoolPtrInput - EncryptAssertions pulumi.BoolPtrInput - EncryptionCertificate pulumi.StringPtrInput - ExtraConfig pulumi.StringMapInput - ForceNameIdFormat pulumi.BoolPtrInput - ForcePostBinding pulumi.BoolPtrInput - FrontChannelLogout pulumi.BoolPtrInput - FullScopeAllowed pulumi.BoolPtrInput - IdpInitiatedSsoRelayState pulumi.StringPtrInput - IdpInitiatedSsoUrlName pulumi.StringPtrInput - IncludeAuthnStatement pulumi.BoolPtrInput - LoginTheme pulumi.StringPtrInput - LogoutServicePostBindingUrl pulumi.StringPtrInput - LogoutServiceRedirectBindingUrl pulumi.StringPtrInput - MasterSamlProcessingUrl pulumi.StringPtrInput - Name pulumi.StringPtrInput - NameIdFormat pulumi.StringPtrInput - RealmId pulumi.StringInput - RootUrl pulumi.StringPtrInput - SignAssertions pulumi.BoolPtrInput - SignDocuments pulumi.BoolPtrInput - SignatureAlgorithm pulumi.StringPtrInput - SignatureKeyName pulumi.StringPtrInput - SigningCertificate pulumi.StringPtrInput - SigningPrivateKey pulumi.StringPtrInput - ValidRedirectUris pulumi.StringArrayInput + // When specified, this URL will be used whenever Keycloak needs to link to this client. + BaseUrl pulumi.StringPtrInput + // The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + CanonicalizationMethod pulumi.StringPtrInput + // The unique ID of this client, referenced in the URI during authentication and in issued tokens. 
+ ClientId pulumi.StringInput + // When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. Defaults to `true`. + ClientSignatureRequired pulumi.BoolPtrInput + // The description of this client in the GUI. + Description pulumi.StringPtrInput + // When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + Enabled pulumi.BoolPtrInput + // When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + EncryptAssertions pulumi.BoolPtrInput + // If assertions for the client are encrypted, this certificate will be used for encryption. + EncryptionCertificate pulumi.StringPtrInput + ExtraConfig pulumi.StringMapInput + // Ignore requested NameID subject format and use the one defined in `nameIdFormat` instead. Defaults to `false`. + ForceNameIdFormat pulumi.BoolPtrInput + // When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + ForcePostBinding pulumi.BoolPtrInput + // When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + FrontChannelLogout pulumi.BoolPtrInput + // Allow to include all roles mappings in the access token + FullScopeAllowed pulumi.BoolPtrInput + // Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + IdpInitiatedSsoRelayState pulumi.StringPtrInput + // URL fragment name to reference client when you want to do IDP Initiated SSO. + IdpInitiatedSsoUrlName pulumi.StringPtrInput + // When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + IncludeAuthnStatement pulumi.BoolPtrInput + // The login theme of this client. + LoginTheme pulumi.StringPtrInput + // SAML POST Binding URL for the client's single logout service. 
+ LogoutServicePostBindingUrl pulumi.StringPtrInput + // SAML Redirect Binding URL for the client's single logout service. + LogoutServiceRedirectBindingUrl pulumi.StringPtrInput + // When specified, this URL will be used for all SAML requests. + MasterSamlProcessingUrl pulumi.StringPtrInput + // The display name of this client in the GUI. + Name pulumi.StringPtrInput + // Sets the Name ID format for the subject. + NameIdFormat pulumi.StringPtrInput + // The realm this client is attached to. + RealmId pulumi.StringInput + // When specified, this value is prepended to all relative URLs. + RootUrl pulumi.StringPtrInput + // When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + SignAssertions pulumi.BoolPtrInput + // When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + SignDocuments pulumi.BoolPtrInput + // The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + SignatureAlgorithm pulumi.StringPtrInput + // The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + SignatureKeyName pulumi.StringPtrInput + // If documents or assertions from the client are signed, this certificate will be used to verify the signature. + SigningCertificate pulumi.StringPtrInput + // If documents or assertions from the client are signed, this private key will be used to verify the signature. + SigningPrivateKey pulumi.StringPtrInput + // When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + ValidRedirectUris pulumi.StringArrayInput } func (ClientArgs) ElementType() reflect.Type { 
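Review bot: The new doc comment on `SigningPrivateKey` in both `clientArgs` and `ClientArgs` says the private key "will be used to verify the signature", but a private key produces signatures; verification uses the certificate documented on `SigningCertificate` directly above it, so the comment misdescribes which credential does what. Suggest `// If documents or assertions from the client are signed, this private key is used to produce the signature; verification uses the certificate in `signingCertificate`.` The same wording appears in the `ClientOutput` getter hunk (@@ -403,98) and, judging by the matching field list, in the `ClientState` hunk above whose start is outside this view. Two smaller documentation defects in the same hunk: the `SignatureAlgorithm` comment is missing the closing quote after `"RSA_SHA256_MGF1`, and `ExtraConfig` is the only field left without a comment. Since this SDK file is generated, the correction belongs in the upstream schema/docs source rather than a hand edit here.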
@@ -349,52 +527,64 @@ func (o ClientOutput) ToClientOutputWithContext(ctx context.Context) ClientOutpu return o } +// SAML POST Binding URL for the client's assertion consumer service (login responses). func (o ClientOutput) AssertionConsumerPostUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.AssertionConsumerPostUrl }).(pulumi.StringPtrOutput) } +// SAML Redirect Binding URL for the client's assertion consumer service (login responses). func (o ClientOutput) AssertionConsumerRedirectUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.AssertionConsumerRedirectUrl }).(pulumi.StringPtrOutput) } +// Override realm authentication flow bindings func (o ClientOutput) AuthenticationFlowBindingOverrides() ClientAuthenticationFlowBindingOverridesPtrOutput { return o.ApplyT(func(v *Client) ClientAuthenticationFlowBindingOverridesPtrOutput { return v.AuthenticationFlowBindingOverrides }).(ClientAuthenticationFlowBindingOverridesPtrOutput) } +// When specified, this URL will be used whenever Keycloak needs to link to this client. func (o ClientOutput) BaseUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.BaseUrl }).(pulumi.StringPtrOutput) } +// The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". func (o ClientOutput) CanonicalizationMethod() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.CanonicalizationMethod }).(pulumi.StringPtrOutput) } +// The unique ID of this client, referenced in the URI during authentication and in issued tokens. 
func (o ClientOutput) ClientId() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.ClientId }).(pulumi.StringOutput) } +// When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. Defaults to `true`. func (o ClientOutput) ClientSignatureRequired() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.ClientSignatureRequired }).(pulumi.BoolPtrOutput) } +// The description of this client in the GUI. func (o ClientOutput) Description() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.Description }).(pulumi.StringPtrOutput) } +// When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. func (o ClientOutput) Enabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.Enabled }).(pulumi.BoolPtrOutput) } +// When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. func (o ClientOutput) EncryptAssertions() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.EncryptAssertions }).(pulumi.BoolPtrOutput) } +// If assertions for the client are encrypted, this certificate will be used for encryption. func (o ClientOutput) EncryptionCertificate() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.EncryptionCertificate }).(pulumi.StringOutput) } +// (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. func (o ClientOutput) EncryptionCertificateSha1() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.EncryptionCertificateSha1 }).(pulumi.StringOutput) } 
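Review bot: The comment added above `Enabled()` writes `When false, ...` without backticks while every other boolean getter in this hunk (`ClientSignatureRequired`, `EncryptAssertions`) formats the literal as `` `true` ``/`` `false` ``; suggest `// When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.` for consistency. The same inconsistency recurs on the `Enabled` fields in the `clientArgs`/`ClientArgs` hunk above.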
@@ -403,98 +593,122 @@ func (o ClientOutput) ExtraConfig() pulumi.StringMapOutput { return o.ApplyT(func(v *Client) pulumi.StringMapOutput { return v.ExtraConfig }).(pulumi.StringMapOutput) } +// Ignore requested NameID subject format and use the one defined in `nameIdFormat` instead. Defaults to `false`. func (o ClientOutput) ForceNameIdFormat() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.ForceNameIdFormat }).(pulumi.BoolPtrOutput) } +// When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. func (o ClientOutput) ForcePostBinding() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.ForcePostBinding }).(pulumi.BoolPtrOutput) } +// When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. func (o ClientOutput) FrontChannelLogout() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.FrontChannelLogout }).(pulumi.BoolPtrOutput) } +// Allow to include all roles mappings in the access token func (o ClientOutput) FullScopeAllowed() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.FullScopeAllowed }).(pulumi.BoolPtrOutput) } +// Relay state you want to send with SAML request when you want to do IDP Initiated SSO. func (o ClientOutput) IdpInitiatedSsoRelayState() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.IdpInitiatedSsoRelayState }).(pulumi.StringPtrOutput) } +// URL fragment name to reference client when you want to do IDP Initiated SSO. func (o ClientOutput) IdpInitiatedSsoUrlName() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.IdpInitiatedSsoUrlName }).(pulumi.StringPtrOutput) } +// When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. 
func (o ClientOutput) IncludeAuthnStatement() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.IncludeAuthnStatement }).(pulumi.BoolPtrOutput) } +// The login theme of this client. func (o ClientOutput) LoginTheme() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.LoginTheme }).(pulumi.StringPtrOutput) } +// SAML POST Binding URL for the client's single logout service. func (o ClientOutput) LogoutServicePostBindingUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.LogoutServicePostBindingUrl }).(pulumi.StringPtrOutput) } +// SAML Redirect Binding URL for the client's single logout service. func (o ClientOutput) LogoutServiceRedirectBindingUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.LogoutServiceRedirectBindingUrl }).(pulumi.StringPtrOutput) } +// When specified, this URL will be used for all SAML requests. func (o ClientOutput) MasterSamlProcessingUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.MasterSamlProcessingUrl }).(pulumi.StringPtrOutput) } +// The display name of this client in the GUI. func (o ClientOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } +// Sets the Name ID format for the subject. func (o ClientOutput) NameIdFormat() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.NameIdFormat }).(pulumi.StringOutput) } +// The realm this client is attached to. func (o ClientOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// When specified, this value is prepended to all relative URLs. 
func (o ClientOutput) RootUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.RootUrl }).(pulumi.StringPtrOutput) } +// When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. func (o ClientOutput) SignAssertions() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.SignAssertions }).(pulumi.BoolPtrOutput) } +// When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. func (o ClientOutput) SignDocuments() pulumi.BoolPtrOutput { return o.ApplyT(func(v *Client) pulumi.BoolPtrOutput { return v.SignDocuments }).(pulumi.BoolPtrOutput) } +// The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". func (o ClientOutput) SignatureAlgorithm() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.SignatureAlgorithm }).(pulumi.StringPtrOutput) } +// The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". func (o ClientOutput) SignatureKeyName() pulumi.StringPtrOutput { return o.ApplyT(func(v *Client) pulumi.StringPtrOutput { return v.SignatureKeyName }).(pulumi.StringPtrOutput) } +// If documents or assertions from the client are signed, this certificate will be used to verify the signature. func (o ClientOutput) SigningCertificate() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.SigningCertificate }).(pulumi.StringOutput) } +// (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. 
func (o ClientOutput) SigningCertificateSha1() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.SigningCertificateSha1 }).(pulumi.StringOutput) } +// If documents or assertions from the client are signed, this private key will be used to verify the signature. func (o ClientOutput) SigningPrivateKey() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.SigningPrivateKey }).(pulumi.StringOutput) } +// (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. func (o ClientOutput) SigningPrivateKeySha1() pulumi.StringOutput { return o.ApplyT(func(v *Client) pulumi.StringOutput { return v.SigningPrivateKeySha1 }).(pulumi.StringOutput) } +// When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. func (o ClientOutput) ValidRedirectUris() pulumi.StringArrayOutput { return o.ApplyT(func(v *Client) pulumi.StringArrayOutput { return v.ValidRedirectUris }).(pulumi.StringArrayOutput) } diff --git a/sdk/go/keycloak/saml/identityProvider.go b/sdk/go/keycloak/saml/identityProvider.go index 3a8b5662..e97401ba 100644 --- a/sdk/go/keycloak/saml/identityProvider.go +++ b/sdk/go/keycloak/saml/identityProvider.go 
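Review bot: The comment added above `SignatureAlgorithm()` lists `"RSA_SHA1"` and `"DSA_SHA1"` alongside the SHA-256/512 options with no indication that SHA-1-based XML signatures are legacy, so a reader picking a value has no steer toward a safe choice; suggest appending `// "RSA_SHA1" and "DSA_SHA1" are legacy values kept for compatibility and should not be used for new clients.` Separately, `SigningPrivateKey()` is exposed as a plain `pulumi.StringOutput`; whether the provider schema marks this property as secret is not visible in this hunk, and it is worth confirming so the key is stored encrypted in state rather than in clear text.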
@@ -12,19 +12,18 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # saml.IdentityProvider +// Allows for creating and managing SAML Identity Providers within Keycloak. // -// Allows to create and manage SAML Identity Providers within Keycloak. +// SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol. // -// SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard. -// -// ### Example Usage +// ## Example Usage // // ```go // package main // // import ( // +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" // "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml" // "github.com/pulumi/pulumi/sdk/v3/go/pulumi" // @@ -32,9 +31,17 @@ import ( // // func main() { // pulumi.Run(func(ctx *pulumi.Context) error { -// _, err := saml.NewIdentityProvider(ctx, "realm_identity_provider", &saml.IdentityProviderArgs{ -// Realm: pulumi.String("my-realm"), -// Alias: pulumi.String("my-idp"), +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// _, err = saml.NewIdentityProvider(ctx, "realm_saml_identity_provider", &saml.IdentityProviderArgs{ +// Realm: realm.ID(), +// Alias: pulumi.String("my-saml-idp"), +// EntityId: pulumi.String("https://domain.com/entity_id"), // SingleSignOnServiceUrl: pulumi.String("https://domain.com/adfs/ls/"), // SingleLogoutServiceUrl: pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"), // BackchannelSupported: pulumi.Bool(true), 
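Review bot: The rewritten summary line in the first hunk, `identity providers allows users to authenticate`, has a number-agreement error; suggest `// SAML (Security Assertion Markup Language) identity providers allow users to authenticate through a third-party system using the SAML protocol.` In the example hunk that follows, the newly added `EntityId` (and the surrounding `SingleSignOnServiceUrl`/`SingleLogoutServiceUrl` context lines) point at `https://domain.com/...`, a real third-party domain; documentation examples should use a reserved name such as `https://example.com/...` so a copy-pasted configuration never sends SAML requests or logout calls to an unrelated host. The example is also inconsistent with the wording of the hunk below, which still documents the old argument list.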
@@ -54,127 +61,94 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: +// ## Import // -// - `realm` - (Required) The name of the realm. This is unique across Keycloak. -// - `alias` - (Optional) The uniq name of identity provider. -// - `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. -// - `displayName` - (Optional) The display name for the realm that is shown when logging in to the admin console. -// - `storeToken` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`. -// - `addReadTokenRoleOnCreate` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`. -// - `trustEmail` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`. -// - `linkOnly` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`. -// - `hideOnLoginPage` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. -// - `firstBrokerLoginFlowAlias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. -// - `postBrokerLoginFlowAlias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). 
Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. -// - `authenticateByDefault` - (Optional) Authenticate users by default. Defaults to `false`. +// Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. // -// #### SAML Configuration -// -// - `singleSignOnServiceUrl` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest). -// - `singleLogoutServiceUrl` - (Optional) The Url that must be used to send logout requests. -// - `backchannelSupported` - (Optional) Does the external IDP support back-channel logout ?. -// - `nameIdPolicyFormat` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. -// - `postBindingResponse` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. -// - `postBindingAuthnRequest` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. -// - `postBindingLogout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. -// - `wantAssertionsSigned` - (Optional) Indicates whether this service provider expects a signed Assertion. -// - `wantAssertionsEncrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. -// - `forceAuthn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. -// - `validateSignature` - (Optional) Enable/disable signature validation of SAML responses. -// - `signingCertificate` - (Optional) Signing Certificate. 
-// - `signatureAlgorithm` - (Optional) Signing Algorithm. Defaults to empty. -// - `xmlSignKeyInfoKeyNameTransformer` - (Optional) Sign Key Transformer. Defaults to empty. -// -// ### Import +// Example: // -// Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idpAlias` is the identity provider alias. +// bash // -// Example: +// ```sh +// $ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp +// ``` type IdentityProvider struct { pulumi.CustomResourceState - // Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + // When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. AddReadTokenRoleOnCreate pulumi.BoolPtrOutput `pulumi:"addReadTokenRoleOnCreate"` - // The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + // The unique name of identity provider. Alias pulumi.StringOutput `pulumi:"alias"` - // Enable/disable authenticate users by default. + // Authenticate users by default. Defaults to `false`. AuthenticateByDefault pulumi.BoolPtrOutput `pulumi:"authenticateByDefault"` - // AuthnContext ClassRefs + // Ordered list of requested AuthnContext ClassRefs. AuthnContextClassRefs pulumi.StringArrayOutput `pulumi:"authnContextClassRefs"` - // AuthnContext Comparison + // Specifies the comparison method used to evaluate the requested context classes or statements. AuthnContextComparisonType pulumi.StringPtrOutput `pulumi:"authnContextComparisonType"` - // AuthnContext DeclRefs + // Ordered list of requested AuthnContext DeclRefs. AuthnContextDeclRefs pulumi.StringArrayOutput `pulumi:"authnContextDeclRefs"` - // Does the external IDP support backchannel logout? + // Does the external IDP support backchannel logout?. Defaults to `false`. 
BackchannelSupported pulumi.BoolPtrOutput `pulumi:"backchannelSupported"` - // Friendly name for Identity Providers. + // The display name for the realm that is shown when logging in to the admin console. DisplayName pulumi.StringPtrOutput `pulumi:"displayName"` - // Enable/disable this identity provider. + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` // The Entity ID that will be used to uniquely identify this SAML Service Provider. EntityId pulumi.StringOutput `pulumi:"entityId"` ExtraConfig pulumi.StringMapOutput `pulumi:"extraConfig"` - // Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - // that there is not yet existing Keycloak account linked with the authenticated identity provider account. + // Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. FirstBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"firstBrokerLoginFlowAlias"` - // Require Force Authn. + // Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. ForceAuthn pulumi.BoolPtrOutput `pulumi:"forceAuthn"` - // GUI Order + // A number defining the order of this identity provider in the GUI. GuiOrder pulumi.StringPtrOutput `pulumi:"guiOrder"` - // Hide On Login Page. + // If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. HideOnLoginPage pulumi.BoolPtrOutput `pulumi:"hideOnLoginPage"` // Internal Identity Provider Id InternalId pulumi.StringOutput `pulumi:"internalId"` - // If true, users cannot log in through this provider. They can only link to this provider. 
This is useful if you don't - // want to allow login from the provider, but want to integrate with a provider + // When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. LinkOnly pulumi.BoolPtrOutput `pulumi:"linkOnly"` // Login Hint. LoginHint pulumi.StringPtrOutput `pulumi:"loginHint"` - // Name ID Policy Format. + // Specifies the URI reference corresponding to a name identifier format. Defaults to empty. NameIdPolicyFormat pulumi.StringPtrOutput `pulumi:"nameIdPolicyFormat"` - // Post Binding Authn Request. + // Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. PostBindingAuthnRequest pulumi.BoolPtrOutput `pulumi:"postBindingAuthnRequest"` - // Post Binding Logout. + // Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. PostBindingLogout pulumi.BoolPtrOutput `pulumi:"postBindingLogout"` - // Post Binding Response. + // Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. PostBindingResponse pulumi.BoolPtrOutput `pulumi:"postBindingResponse"` - // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - // additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - // you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - // authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). 
Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. PostBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"postBrokerLoginFlowAlias"` - // Principal Attribute + // The principal attribute. PrincipalAttribute pulumi.StringPtrOutput `pulumi:"principalAttribute"` - // Principal Type + // The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. PrincipalType pulumi.StringPtrOutput `pulumi:"principalType"` - // provider id, is always saml, unless you have a custom implementation + // The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. ProviderId pulumi.StringPtrOutput `pulumi:"providerId"` - // Realm Name + // The name of the realm. This is unique across Keycloak. Realm pulumi.StringOutput `pulumi:"realm"` - // Signing Algorithm. + // Signing Algorithm. Defaults to empty. SignatureAlgorithm pulumi.StringPtrOutput `pulumi:"signatureAlgorithm"` // Signing Certificate. SigningCertificate pulumi.StringPtrOutput `pulumi:"signingCertificate"` - // Logout URL. + // The Url that must be used to send logout requests. SingleLogoutServiceUrl pulumi.StringPtrOutput `pulumi:"singleLogoutServiceUrl"` - // SSO Logout URL. + // The Url that must be used to send authentication requests (SAML AuthnRequest). SingleSignOnServiceUrl pulumi.StringOutput `pulumi:"singleSignOnServiceUrl"` - // Enable/disable if tokens must be stored after authenticating users. + // When `true`, tokens will be stored after authenticating users. Defaults to `true`. StoreToken pulumi.BoolPtrOutput `pulumi:"storeToken"` - // Sync Mode + // The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. 
SyncMode pulumi.StringPtrOutput `pulumi:"syncMode"` - // If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + // When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. TrustEmail pulumi.BoolPtrOutput `pulumi:"trustEmail"` // Enable/disable signature validation of SAML responses. ValidateSignature pulumi.BoolPtrOutput `pulumi:"validateSignature"` - // Want Assertions Encrypted. + // Indicates whether this service provider expects an encrypted Assertion. WantAssertionsEncrypted pulumi.BoolPtrOutput `pulumi:"wantAssertionsEncrypted"` - // Want Assertions Signed. + // Indicates whether this service provider expects a signed Assertion. WantAssertionsSigned pulumi.BoolPtrOutput `pulumi:"wantAssertionsSigned"` - // Sign Key Transformer. + // The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. XmlSignKeyInfoKeyNameTransformer pulumi.StringPtrOutput `pulumi:"xmlSignKeyInfoKeyNameTransformer"` } 
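Review bot: The new comments on `DisplayName` and `Enabled` in the `IdentityProvider` struct describe the realm, not the identity provider ("The display name for the realm that is shown when logging in to the admin console." and "When `false`, users and clients will not be able to access this realm."), replacing the old comments "Friendly name for Identity Providers." and "Enable/disable this identity provider.", which were correct; they look copied from the realm resource. I would restore them as `// Friendly display name for this identity provider.` and `// When `false`, this identity provider is disabled and cannot be used for login. Defaults to `true`.`. The same two wrong comments are repeated in the `identityProviderState`/`IdentityProviderState` hunk and in the `identityProviderArgs` hunk that follows, so the fix applies there too. `ValidateSignature` keeps "Enable/disable signature validation of SAML responses." with no default, while most other flags now state one; since this is the setting that decides whether responses from the external IdP are checked at all, its default (a `<VALUE-FROM-PROVIDER>` placeholder until confirmed against the provider) should be documented as well. Minor punctuation: `PostBindingResponse` ends with "used.." and `BackchannelSupported` with "logout?. Defaults".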
@@ -220,168 +194,158 @@ func GetIdentityProvider(ctx *pulumi.Context, // Input properties used for looking up and filtering IdentityProvider resources. type identityProviderState struct { - // Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + // When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. AddReadTokenRoleOnCreate *bool `pulumi:"addReadTokenRoleOnCreate"` - // The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + // The unique name of identity provider. Alias *string `pulumi:"alias"` - // Enable/disable authenticate users by default. + // Authenticate users by default. Defaults to `false`. AuthenticateByDefault *bool `pulumi:"authenticateByDefault"` - // AuthnContext ClassRefs + // Ordered list of requested AuthnContext ClassRefs. AuthnContextClassRefs []string `pulumi:"authnContextClassRefs"` - // AuthnContext Comparison + // Specifies the comparison method used to evaluate the requested context classes or statements. AuthnContextComparisonType *string `pulumi:"authnContextComparisonType"` - // AuthnContext DeclRefs + // Ordered list of requested AuthnContext DeclRefs. AuthnContextDeclRefs []string `pulumi:"authnContextDeclRefs"` - // Does the external IDP support backchannel logout? + // Does the external IDP support backchannel logout?. Defaults to `false`. BackchannelSupported *bool `pulumi:"backchannelSupported"` - // Friendly name for Identity Providers. + // The display name for the realm that is shown when logging in to the admin console. DisplayName *string `pulumi:"displayName"` - // Enable/disable this identity provider. + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. Enabled *bool `pulumi:"enabled"` // The Entity ID that will be used to uniquely identify this SAML Service Provider. 
EntityId *string `pulumi:"entityId"` ExtraConfig map[string]string `pulumi:"extraConfig"` - // Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - // that there is not yet existing Keycloak account linked with the authenticated identity provider account. + // Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. FirstBrokerLoginFlowAlias *string `pulumi:"firstBrokerLoginFlowAlias"` - // Require Force Authn. + // Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. ForceAuthn *bool `pulumi:"forceAuthn"` - // GUI Order + // A number defining the order of this identity provider in the GUI. GuiOrder *string `pulumi:"guiOrder"` - // Hide On Login Page. + // If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. HideOnLoginPage *bool `pulumi:"hideOnLoginPage"` // Internal Identity Provider Id InternalId *string `pulumi:"internalId"` - // If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - // want to allow login from the provider, but want to integrate with a provider + // When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. LinkOnly *bool `pulumi:"linkOnly"` // Login Hint. LoginHint *string `pulumi:"loginHint"` - // Name ID Policy Format. + // Specifies the URI reference corresponding to a name identifier format. Defaults to empty. NameIdPolicyFormat *string `pulumi:"nameIdPolicyFormat"` - // Post Binding Authn Request. + // Indicates whether the AuthnRequest must be sent using HTTP-POST binding. 
If false, HTTP-REDIRECT binding will be used. PostBindingAuthnRequest *bool `pulumi:"postBindingAuthnRequest"` - // Post Binding Logout. + // Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. PostBindingLogout *bool `pulumi:"postBindingLogout"` - // Post Binding Response. + // Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. PostBindingResponse *bool `pulumi:"postBindingResponse"` - // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - // additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - // you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - // authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. PostBrokerLoginFlowAlias *string `pulumi:"postBrokerLoginFlowAlias"` - // Principal Attribute + // The principal attribute. PrincipalAttribute *string `pulumi:"principalAttribute"` - // Principal Type + // The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. PrincipalType *string `pulumi:"principalType"` - // provider id, is always saml, unless you have a custom implementation + // The ID of the identity provider to use. 
Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. ProviderId *string `pulumi:"providerId"` - // Realm Name + // The name of the realm. This is unique across Keycloak. Realm *string `pulumi:"realm"` - // Signing Algorithm. + // Signing Algorithm. Defaults to empty. SignatureAlgorithm *string `pulumi:"signatureAlgorithm"` // Signing Certificate. SigningCertificate *string `pulumi:"signingCertificate"` - // Logout URL. + // The Url that must be used to send logout requests. SingleLogoutServiceUrl *string `pulumi:"singleLogoutServiceUrl"` - // SSO Logout URL. + // The Url that must be used to send authentication requests (SAML AuthnRequest). SingleSignOnServiceUrl *string `pulumi:"singleSignOnServiceUrl"` - // Enable/disable if tokens must be stored after authenticating users. + // When `true`, tokens will be stored after authenticating users. Defaults to `true`. StoreToken *bool `pulumi:"storeToken"` - // Sync Mode + // The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. SyncMode *string `pulumi:"syncMode"` - // If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + // When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. TrustEmail *bool `pulumi:"trustEmail"` // Enable/disable signature validation of SAML responses. ValidateSignature *bool `pulumi:"validateSignature"` - // Want Assertions Encrypted. + // Indicates whether this service provider expects an encrypted Assertion. WantAssertionsEncrypted *bool `pulumi:"wantAssertionsEncrypted"` - // Want Assertions Signed. + // Indicates whether this service provider expects a signed Assertion. WantAssertionsSigned *bool `pulumi:"wantAssertionsSigned"` - // Sign Key Transformer. + // The SAML signature key name. 
Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. XmlSignKeyInfoKeyNameTransformer *string `pulumi:"xmlSignKeyInfoKeyNameTransformer"` } type IdentityProviderState struct { - // Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + // When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. AddReadTokenRoleOnCreate pulumi.BoolPtrInput - // The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + // The unique name of identity provider. Alias pulumi.StringPtrInput - // Enable/disable authenticate users by default. + // Authenticate users by default. Defaults to `false`. AuthenticateByDefault pulumi.BoolPtrInput - // AuthnContext ClassRefs + // Ordered list of requested AuthnContext ClassRefs. AuthnContextClassRefs pulumi.StringArrayInput - // AuthnContext Comparison + // Specifies the comparison method used to evaluate the requested context classes or statements. AuthnContextComparisonType pulumi.StringPtrInput - // AuthnContext DeclRefs + // Ordered list of requested AuthnContext DeclRefs. AuthnContextDeclRefs pulumi.StringArrayInput - // Does the external IDP support backchannel logout? + // Does the external IDP support backchannel logout?. Defaults to `false`. BackchannelSupported pulumi.BoolPtrInput - // Friendly name for Identity Providers. + // The display name for the realm that is shown when logging in to the admin console. DisplayName pulumi.StringPtrInput - // Enable/disable this identity provider. + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. Enabled pulumi.BoolPtrInput // The Entity ID that will be used to uniquely identify this SAML Service Provider. EntityId pulumi.StringPtrInput ExtraConfig pulumi.StringMapInput - // Alias of authentication flow, which is triggered after first login with this identity provider. 
Term 'First Login' means - // that there is not yet existing Keycloak account linked with the authenticated identity provider account. + // Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. FirstBrokerLoginFlowAlias pulumi.StringPtrInput - // Require Force Authn. + // Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. ForceAuthn pulumi.BoolPtrInput - // GUI Order + // A number defining the order of this identity provider in the GUI. GuiOrder pulumi.StringPtrInput - // Hide On Login Page. + // If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. HideOnLoginPage pulumi.BoolPtrInput // Internal Identity Provider Id InternalId pulumi.StringPtrInput - // If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - // want to allow login from the provider, but want to integrate with a provider + // When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. LinkOnly pulumi.BoolPtrInput // Login Hint. LoginHint pulumi.StringPtrInput - // Name ID Policy Format. + // Specifies the URI reference corresponding to a name identifier format. Defaults to empty. NameIdPolicyFormat pulumi.StringPtrInput - // Post Binding Authn Request. + // Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. PostBindingAuthnRequest pulumi.BoolPtrInput - // Post Binding Logout. + // Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. 
PostBindingLogout pulumi.BoolPtrInput - // Post Binding Response. + // Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. PostBindingResponse pulumi.BoolPtrInput - // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - // additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - // you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - // authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. PostBrokerLoginFlowAlias pulumi.StringPtrInput - // Principal Attribute + // The principal attribute. PrincipalAttribute pulumi.StringPtrInput - // Principal Type + // The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. PrincipalType pulumi.StringPtrInput - // provider id, is always saml, unless you have a custom implementation + // The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. ProviderId pulumi.StringPtrInput - // Realm Name + // The name of the realm. This is unique across Keycloak. Realm pulumi.StringPtrInput - // Signing Algorithm. + // Signing Algorithm. Defaults to empty. SignatureAlgorithm pulumi.StringPtrInput // Signing Certificate. 
SigningCertificate pulumi.StringPtrInput - // Logout URL. + // The Url that must be used to send logout requests. SingleLogoutServiceUrl pulumi.StringPtrInput - // SSO Logout URL. + // The Url that must be used to send authentication requests (SAML AuthnRequest). SingleSignOnServiceUrl pulumi.StringPtrInput - // Enable/disable if tokens must be stored after authenticating users. + // When `true`, tokens will be stored after authenticating users. Defaults to `true`. StoreToken pulumi.BoolPtrInput - // Sync Mode + // The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. SyncMode pulumi.StringPtrInput - // If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + // When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. TrustEmail pulumi.BoolPtrInput // Enable/disable signature validation of SAML responses. ValidateSignature pulumi.BoolPtrInput - // Want Assertions Encrypted. + // Indicates whether this service provider expects an encrypted Assertion. WantAssertionsEncrypted pulumi.BoolPtrInput - // Want Assertions Signed. + // Indicates whether this service provider expects a signed Assertion. WantAssertionsSigned pulumi.BoolPtrInput - // Sign Key Transformer. + // The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. XmlSignKeyInfoKeyNameTransformer pulumi.StringPtrInput } 
@@ -390,165 +354,155 @@ func (IdentityProviderState) ElementType() reflect.Type { } type identityProviderArgs struct { - // Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + // When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. AddReadTokenRoleOnCreate *bool `pulumi:"addReadTokenRoleOnCreate"` - // The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + // The unique name of identity provider. Alias string `pulumi:"alias"` - // Enable/disable authenticate users by default. + // Authenticate users by default. Defaults to `false`. AuthenticateByDefault *bool `pulumi:"authenticateByDefault"` - // AuthnContext ClassRefs + // Ordered list of requested AuthnContext ClassRefs. AuthnContextClassRefs []string `pulumi:"authnContextClassRefs"` - // AuthnContext Comparison + // Specifies the comparison method used to evaluate the requested context classes or statements. AuthnContextComparisonType *string `pulumi:"authnContextComparisonType"` - // AuthnContext DeclRefs + // Ordered list of requested AuthnContext DeclRefs. AuthnContextDeclRefs []string `pulumi:"authnContextDeclRefs"` - // Does the external IDP support backchannel logout? + // Does the external IDP support backchannel logout?. Defaults to `false`. BackchannelSupported *bool `pulumi:"backchannelSupported"` - // Friendly name for Identity Providers. + // The display name for the realm that is shown when logging in to the admin console. DisplayName *string `pulumi:"displayName"` - // Enable/disable this identity provider. + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. Enabled *bool `pulumi:"enabled"` // The Entity ID that will be used to uniquely identify this SAML Service Provider. 
EntityId string `pulumi:"entityId"` ExtraConfig map[string]string `pulumi:"extraConfig"` - // Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - // that there is not yet existing Keycloak account linked with the authenticated identity provider account. + // Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. FirstBrokerLoginFlowAlias *string `pulumi:"firstBrokerLoginFlowAlias"` - // Require Force Authn. + // Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. ForceAuthn *bool `pulumi:"forceAuthn"` - // GUI Order + // A number defining the order of this identity provider in the GUI. GuiOrder *string `pulumi:"guiOrder"` - // Hide On Login Page. + // If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. HideOnLoginPage *bool `pulumi:"hideOnLoginPage"` - // If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - // want to allow login from the provider, but want to integrate with a provider + // When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. LinkOnly *bool `pulumi:"linkOnly"` // Login Hint. LoginHint *string `pulumi:"loginHint"` - // Name ID Policy Format. + // Specifies the URI reference corresponding to a name identifier format. Defaults to empty. NameIdPolicyFormat *string `pulumi:"nameIdPolicyFormat"` - // Post Binding Authn Request. + // Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. 
PostBindingAuthnRequest *bool `pulumi:"postBindingAuthnRequest"` - // Post Binding Logout. + // Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. PostBindingLogout *bool `pulumi:"postBindingLogout"` - // Post Binding Response. + // Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. PostBindingResponse *bool `pulumi:"postBindingResponse"` - // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - // additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - // you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - // authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. PostBrokerLoginFlowAlias *string `pulumi:"postBrokerLoginFlowAlias"` - // Principal Attribute + // The principal attribute. PrincipalAttribute *string `pulumi:"principalAttribute"` - // Principal Type + // The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. PrincipalType *string `pulumi:"principalType"` - // provider id, is always saml, unless you have a custom implementation + // The ID of the identity provider to use. 
Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. ProviderId *string `pulumi:"providerId"` - // Realm Name + // The name of the realm. This is unique across Keycloak. Realm string `pulumi:"realm"` - // Signing Algorithm. + // Signing Algorithm. Defaults to empty. SignatureAlgorithm *string `pulumi:"signatureAlgorithm"` // Signing Certificate. SigningCertificate *string `pulumi:"signingCertificate"` - // Logout URL. + // The Url that must be used to send logout requests. SingleLogoutServiceUrl *string `pulumi:"singleLogoutServiceUrl"` - // SSO Logout URL. + // The Url that must be used to send authentication requests (SAML AuthnRequest). SingleSignOnServiceUrl string `pulumi:"singleSignOnServiceUrl"` - // Enable/disable if tokens must be stored after authenticating users. + // When `true`, tokens will be stored after authenticating users. Defaults to `true`. StoreToken *bool `pulumi:"storeToken"` - // Sync Mode + // The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. SyncMode *string `pulumi:"syncMode"` - // If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + // When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. TrustEmail *bool `pulumi:"trustEmail"` // Enable/disable signature validation of SAML responses. ValidateSignature *bool `pulumi:"validateSignature"` - // Want Assertions Encrypted. + // Indicates whether this service provider expects an encrypted Assertion. WantAssertionsEncrypted *bool `pulumi:"wantAssertionsEncrypted"` - // Want Assertions Signed. + // Indicates whether this service provider expects a signed Assertion. WantAssertionsSigned *bool `pulumi:"wantAssertionsSigned"` - // Sign Key Transformer. + // The SAML signature key name. 
Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. XmlSignKeyInfoKeyNameTransformer *string `pulumi:"xmlSignKeyInfoKeyNameTransformer"` } // The set of arguments for constructing a IdentityProvider resource. type IdentityProviderArgs struct { - // Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + // When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. AddReadTokenRoleOnCreate pulumi.BoolPtrInput - // The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + // The unique name of identity provider. Alias pulumi.StringInput - // Enable/disable authenticate users by default. + // Authenticate users by default. Defaults to `false`. AuthenticateByDefault pulumi.BoolPtrInput - // AuthnContext ClassRefs + // Ordered list of requested AuthnContext ClassRefs. AuthnContextClassRefs pulumi.StringArrayInput - // AuthnContext Comparison + // Specifies the comparison method used to evaluate the requested context classes or statements. AuthnContextComparisonType pulumi.StringPtrInput - // AuthnContext DeclRefs + // Ordered list of requested AuthnContext DeclRefs. AuthnContextDeclRefs pulumi.StringArrayInput - // Does the external IDP support backchannel logout? + // Does the external IDP support backchannel logout?. Defaults to `false`. BackchannelSupported pulumi.BoolPtrInput - // Friendly name for Identity Providers. + // The display name for the realm that is shown when logging in to the admin console. DisplayName pulumi.StringPtrInput - // Enable/disable this identity provider. + // When `false`, users and clients will not be able to access this realm. Defaults to `true`. Enabled pulumi.BoolPtrInput // The Entity ID that will be used to uniquely identify this SAML Service Provider. 
EntityId pulumi.StringInput ExtraConfig pulumi.StringMapInput - // Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - // that there is not yet existing Keycloak account linked with the authenticated identity provider account. + // Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. FirstBrokerLoginFlowAlias pulumi.StringPtrInput - // Require Force Authn. + // Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. ForceAuthn pulumi.BoolPtrInput - // GUI Order + // A number defining the order of this identity provider in the GUI. GuiOrder pulumi.StringPtrInput - // Hide On Login Page. + // If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. HideOnLoginPage pulumi.BoolPtrInput - // If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - // want to allow login from the provider, but want to integrate with a provider + // When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. LinkOnly pulumi.BoolPtrInput // Login Hint. LoginHint pulumi.StringPtrInput - // Name ID Policy Format. + // Specifies the URI reference corresponding to a name identifier format. Defaults to empty. NameIdPolicyFormat pulumi.StringPtrInput - // Post Binding Authn Request. + // Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. PostBindingAuthnRequest pulumi.BoolPtrInput - // Post Binding Logout. + // Indicates whether to respond to requests using HTTP-POST binding. 
If false, HTTP-REDIRECT binding will be used. PostBindingLogout pulumi.BoolPtrInput - // Post Binding Response. + // Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. PostBindingResponse pulumi.BoolPtrInput - // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - // additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - // you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - // authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + // Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. PostBrokerLoginFlowAlias pulumi.StringPtrInput - // Principal Attribute + // The principal attribute. PrincipalAttribute pulumi.StringPtrInput - // Principal Type + // The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. PrincipalType pulumi.StringPtrInput - // provider id, is always saml, unless you have a custom implementation + // The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. ProviderId pulumi.StringPtrInput - // Realm Name + // The name of the realm. This is unique across Keycloak. Realm pulumi.StringInput - // Signing Algorithm. + // Signing Algorithm. Defaults to empty. 
SignatureAlgorithm pulumi.StringPtrInput // Signing Certificate. SigningCertificate pulumi.StringPtrInput - // Logout URL. + // The Url that must be used to send logout requests. SingleLogoutServiceUrl pulumi.StringPtrInput - // SSO Logout URL. + // The Url that must be used to send authentication requests (SAML AuthnRequest). SingleSignOnServiceUrl pulumi.StringInput - // Enable/disable if tokens must be stored after authenticating users. + // When `true`, tokens will be stored after authenticating users. Defaults to `true`. StoreToken pulumi.BoolPtrInput - // Sync Mode + // The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. SyncMode pulumi.StringPtrInput - // If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + // When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. TrustEmail pulumi.BoolPtrInput // Enable/disable signature validation of SAML responses. ValidateSignature pulumi.BoolPtrInput - // Want Assertions Encrypted. + // Indicates whether this service provider expects an encrypted Assertion. WantAssertionsEncrypted pulumi.BoolPtrInput - // Want Assertions Signed. + // Indicates whether this service provider expects a signed Assertion. WantAssertionsSigned pulumi.BoolPtrInput - // Sign Key Transformer. + // The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. XmlSignKeyInfoKeyNameTransformer pulumi.StringPtrInput } 
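Review bot: The new doc comments on `DisplayName` and `Enabled` in `identityProviderArgs` and `IdentityProviderArgs` describe a realm, not this SAML identity provider — "When `false`, users and clients will not be able to access this realm" is wrong for an identity provider's `Enabled` flag, and "The display name for the realm that is shown when logging in to the admin console" likewise names the wrong object, whereas the removed comments (`// Enable/disable this identity provider.`, `// Friendly name for Identity Providers.`) were accurate; the same text recurs on the `DisplayName()` and `Enabled()` getters in the next hunk. Because this file is generated, the wording should be corrected where the schema docs come from (the upstream resource documentation or the provider's doc overrides) rather than hand-edited here, e.g. `// Friendly display name for this identity provider.` and `// When false, this identity provider cannot be used to log in. Defaults to true.` Also in this hunk, `PostBindingLogout` reuses the `PostBindingResponse` wording (the old text distinguished logout from response binding), `PostBindingResponse` ends with a double period, and `BackchannelSupported` has "?." — the same cosmetic issues repeat in the state struct above and the getters below.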
@@ -639,47 +593,47 @@ func (o IdentityProviderOutput) ToIdentityProviderOutputWithContext(ctx context. return o } -// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. +// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. func (o IdentityProviderOutput) AddReadTokenRoleOnCreate() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.AddReadTokenRoleOnCreate }).(pulumi.BoolPtrOutput) } -// The alias uniquely identifies an identity provider and it is also used to build the redirect uri. +// The unique name of identity provider. func (o IdentityProviderOutput) Alias() pulumi.StringOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringOutput { return v.Alias }).(pulumi.StringOutput) } -// Enable/disable authenticate users by default. +// Authenticate users by default. Defaults to `false`. func (o IdentityProviderOutput) AuthenticateByDefault() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.AuthenticateByDefault }).(pulumi.BoolPtrOutput) } -// AuthnContext ClassRefs +// Ordered list of requested AuthnContext ClassRefs. func (o IdentityProviderOutput) AuthnContextClassRefs() pulumi.StringArrayOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringArrayOutput { return v.AuthnContextClassRefs }).(pulumi.StringArrayOutput) } -// AuthnContext Comparison +// Specifies the comparison method used to evaluate the requested context classes or statements. func (o IdentityProviderOutput) AuthnContextComparisonType() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.AuthnContextComparisonType }).(pulumi.StringPtrOutput) } -// AuthnContext DeclRefs +// Ordered list of requested AuthnContext DeclRefs. 
func (o IdentityProviderOutput) AuthnContextDeclRefs() pulumi.StringArrayOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringArrayOutput { return v.AuthnContextDeclRefs }).(pulumi.StringArrayOutput) } -// Does the external IDP support backchannel logout? +// Does the external IDP support backchannel logout?. Defaults to `false`. func (o IdentityProviderOutput) BackchannelSupported() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.BackchannelSupported }).(pulumi.BoolPtrOutput) } -// Friendly name for Identity Providers. +// The display name for the realm that is shown when logging in to the admin console. func (o IdentityProviderOutput) DisplayName() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.DisplayName }).(pulumi.StringPtrOutput) } -// Enable/disable this identity provider. +// When `false`, users and clients will not be able to access this realm. Defaults to `true`. func (o IdentityProviderOutput) Enabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.Enabled }).(pulumi.BoolPtrOutput) } 
@@ -693,23 +647,22 @@ func (o IdentityProviderOutput) ExtraConfig() pulumi.StringMapOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringMapOutput { return v.ExtraConfig }).(pulumi.StringMapOutput) } -// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means -// that there is not yet existing Keycloak account linked with the authenticated identity provider account. +// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. func (o IdentityProviderOutput) FirstBrokerLoginFlowAlias() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.FirstBrokerLoginFlowAlias }).(pulumi.StringPtrOutput) } -// Require Force Authn. +// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. func (o IdentityProviderOutput) ForceAuthn() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.ForceAuthn }).(pulumi.BoolPtrOutput) } -// GUI Order +// A number defining the order of this identity provider in the GUI. func (o IdentityProviderOutput) GuiOrder() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.GuiOrder }).(pulumi.StringPtrOutput) } -// Hide On Login Page. +// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. func (o IdentityProviderOutput) HideOnLoginPage() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.HideOnLoginPage }).(pulumi.BoolPtrOutput) } 
@@ -719,8 +672,7 @@ func (o IdentityProviderOutput) InternalId() pulumi.StringOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringOutput { return v.InternalId }).(pulumi.StringOutput) } -// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't -// want to allow login from the provider, but want to integrate with a provider +// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. func (o IdentityProviderOutput) LinkOnly() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.LinkOnly }).(pulumi.BoolPtrOutput) } 
@@ -730,55 +682,52 @@ func (o IdentityProviderOutput) LoginHint() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.LoginHint }).(pulumi.StringPtrOutput) } -// Name ID Policy Format. +// Specifies the URI reference corresponding to a name identifier format. Defaults to empty. func (o IdentityProviderOutput) NameIdPolicyFormat() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.NameIdPolicyFormat }).(pulumi.StringPtrOutput) } -// Post Binding Authn Request. +// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. func (o IdentityProviderOutput) PostBindingAuthnRequest() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.PostBindingAuthnRequest }).(pulumi.BoolPtrOutput) } -// Post Binding Logout. +// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. func (o IdentityProviderOutput) PostBindingLogout() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.PostBindingLogout }).(pulumi.BoolPtrOutput) } -// Post Binding Response. +// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. func (o IdentityProviderOutput) PostBindingResponse() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.PostBindingResponse }).(pulumi.BoolPtrOutput) } -// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want -// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if -// you don't want any additional authenticators to be triggered after login with this identity provider. 
Also note, that -// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. +// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. func (o IdentityProviderOutput) PostBrokerLoginFlowAlias() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.PostBrokerLoginFlowAlias }).(pulumi.StringPtrOutput) } -// Principal Attribute +// The principal attribute. func (o IdentityProviderOutput) PrincipalAttribute() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.PrincipalAttribute }).(pulumi.StringPtrOutput) } -// Principal Type +// The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. func (o IdentityProviderOutput) PrincipalType() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.PrincipalType }).(pulumi.StringPtrOutput) } -// provider id, is always saml, unless you have a custom implementation +// The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. func (o IdentityProviderOutput) ProviderId() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.ProviderId }).(pulumi.StringPtrOutput) } -// Realm Name +// The name of the realm. This is unique across Keycloak. 
func (o IdentityProviderOutput) Realm() pulumi.StringOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringOutput { return v.Realm }).(pulumi.StringOutput) } -// Signing Algorithm. +// Signing Algorithm. Defaults to empty. func (o IdentityProviderOutput) SignatureAlgorithm() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.SignatureAlgorithm }).(pulumi.StringPtrOutput) } 
@@ -788,27 +737,27 @@ func (o IdentityProviderOutput) SigningCertificate() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.SigningCertificate }).(pulumi.StringPtrOutput) } -// Logout URL. +// The Url that must be used to send logout requests. func (o IdentityProviderOutput) SingleLogoutServiceUrl() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.SingleLogoutServiceUrl }).(pulumi.StringPtrOutput) } -// SSO Logout URL. +// The Url that must be used to send authentication requests (SAML AuthnRequest). func (o IdentityProviderOutput) SingleSignOnServiceUrl() pulumi.StringOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringOutput { return v.SingleSignOnServiceUrl }).(pulumi.StringOutput) } -// Enable/disable if tokens must be stored after authenticating users. +// When `true`, tokens will be stored after authenticating users. Defaults to `true`. func (o IdentityProviderOutput) StoreToken() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.StoreToken }).(pulumi.BoolPtrOutput) } -// Sync Mode +// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. func (o IdentityProviderOutput) SyncMode() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.SyncMode }).(pulumi.StringPtrOutput) } -// If enabled then email provided by this provider is not verified even if verification is enabled for the realm. +// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. func (o IdentityProviderOutput) TrustEmail() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.TrustEmail }).(pulumi.BoolPtrOutput) } 
@@ -818,17 +767,17 @@ func (o IdentityProviderOutput) ValidateSignature() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.ValidateSignature }).(pulumi.BoolPtrOutput) } -// Want Assertions Encrypted. +// Indicates whether this service provider expects an encrypted Assertion. func (o IdentityProviderOutput) WantAssertionsEncrypted() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.WantAssertionsEncrypted }).(pulumi.BoolPtrOutput) } -// Want Assertions Signed. +// Indicates whether this service provider expects a signed Assertion. func (o IdentityProviderOutput) WantAssertionsSigned() pulumi.BoolPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.BoolPtrOutput { return v.WantAssertionsSigned }).(pulumi.BoolPtrOutput) } -// Sign Key Transformer. +// The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. func (o IdentityProviderOutput) XmlSignKeyInfoKeyNameTransformer() pulumi.StringPtrOutput { return o.ApplyT(func(v *IdentityProvider) pulumi.StringPtrOutput { return v.XmlSignKeyInfoKeyNameTransformer }).(pulumi.StringPtrOutput) } diff --git a/sdk/go/keycloak/saml/pulumiTypes.go b/sdk/go/keycloak/saml/pulumiTypes.go index dea98e85..a0592f2f 100644 --- a/sdk/go/keycloak/saml/pulumiTypes.go +++ b/sdk/go/keycloak/saml/pulumiTypes.go @@ -14,7 +14,9 @@ import ( var _ = internal.GetEnvOrDefault type ClientAuthenticationFlowBindingOverrides struct { - BrowserId *string `pulumi:"browserId"` + // Browser flow id, (flow needs to exist) + BrowserId *string `pulumi:"browserId"` + // Direct grant flow id (flow needs to exist) DirectGrantId *string `pulumi:"directGrantId"` } 
@@ -30,7 +32,9 @@ type ClientAuthenticationFlowBindingOverridesInput interface { } type ClientAuthenticationFlowBindingOverridesArgs struct { - BrowserId pulumi.StringPtrInput `pulumi:"browserId"` + // Browser flow id, (flow needs to exist) + BrowserId pulumi.StringPtrInput `pulumi:"browserId"` + // Direct grant flow id (flow needs to exist) DirectGrantId pulumi.StringPtrInput `pulumi:"directGrantId"` } @@ -111,10 +115,12 @@ func (o ClientAuthenticationFlowBindingOverridesOutput) ToClientAuthenticationFl }).(ClientAuthenticationFlowBindingOverridesPtrOutput) } +// Browser flow id, (flow needs to exist) func (o ClientAuthenticationFlowBindingOverridesOutput) BrowserId() pulumi.StringPtrOutput { return o.ApplyT(func(v ClientAuthenticationFlowBindingOverrides) *string { return v.BrowserId }).(pulumi.StringPtrOutput) } +// Direct grant flow id (flow needs to exist) func (o ClientAuthenticationFlowBindingOverridesOutput) DirectGrantId() pulumi.StringPtrOutput { return o.ApplyT(func(v ClientAuthenticationFlowBindingOverrides) *string { return v.DirectGrantId }).(pulumi.StringPtrOutput) } @@ -143,6 +149,7 @@ func (o ClientAuthenticationFlowBindingOverridesPtrOutput) Elem() ClientAuthenti }).(ClientAuthenticationFlowBindingOverridesOutput) } +// Browser flow id, (flow needs to exist) func (o ClientAuthenticationFlowBindingOverridesPtrOutput) BrowserId() pulumi.StringPtrOutput { return o.ApplyT(func(v *ClientAuthenticationFlowBindingOverrides) *string { if v == nil { @@ -152,6 +159,7 @@ func (o ClientAuthenticationFlowBindingOverridesPtrOutput) BrowserId() pulumi.St }).(pulumi.StringPtrOutput) } +// Direct grant flow id (flow needs to exist) func (o ClientAuthenticationFlowBindingOverridesPtrOutput) DirectGrantId() pulumi.StringPtrOutput { return o.ApplyT(func(v *ClientAuthenticationFlowBindingOverrides) *string { if v == nil { 
diff --git a/sdk/go/keycloak/saml/userAttributeProtocolMapper.go b/sdk/go/keycloak/saml/userAttributeProtocolMapper.go index 11be4de1..a8149aac 100644 --- a/sdk/go/keycloak/saml/userAttributeProtocolMapper.go +++ b/sdk/go/keycloak/saml/userAttributeProtocolMapper.go @@ -12,17 +12,15 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # saml.UserAttributeProtocolMapper +// Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak. // -// Allows for creating and managing user attribute protocol mappers for -// SAML clients within Keycloak. +// SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute +// in a SAML assertion. // -// SAML user attribute protocol mappers allow you to map custom attributes defined -// for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers -// can be defined for a single client, or they can be defined for a client scope which -// can be shared between multiple different clients. +// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +// multiple different clients. // -// ### Example Usage (Client) +// ## Example Usage // // ```go // package main @@ -37,7 +35,7 @@ import ( // // func main() { // pulumi.Run(func(ctx *pulumi.Context) error { -// _, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ // Realm: pulumi.String("my-realm"), // Enabled: pulumi.Bool(true), // }) 
@@ -45,15 +43,15 @@ import ( // return err // } // samlClient, err := saml.NewClient(ctx, "saml_client", &saml.ClientArgs{ -// RealmId: pulumi.Any(test.Id), -// ClientId: pulumi.String("test-saml-client"), -// Name: pulumi.String("test-saml-client"), +// RealmId: realm.ID(), +// ClientId: pulumi.String("saml-client"), +// Name: pulumi.String("saml-client"), // }) // if err != nil { // return err // } // _, err = saml.NewUserAttributeProtocolMapper(ctx, "saml_user_attribute_mapper", &saml.UserAttributeProtocolMapperArgs{ -// RealmId: pulumi.Any(test.Id), +// RealmId: realm.ID(), // ClientId: samlClient.ID(), // Name: pulumi.String("displayname-user-attribute-mapper"), // UserAttribute: pulumi.String("displayName"), 
@@ -69,37 +67,44 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The SAML client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The SAML client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `userAttribute` - (Required) The custom user attribute to map. -// - `friendlyName` - (Optional) An optional human-friendly name for this attribute. -// - `samlAttributeName` - (Required) The name of the SAML attribute. -// - `samlAttributeNameFormat` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. -// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type UserAttributeProtocolMapper struct { pulumi.CustomResourceState - ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - FriendlyName pulumi.StringPtrOutput `pulumi:"friendlyName"` - Name pulumi.StringOutput `pulumi:"name"` - RealmId pulumi.StringOutput 
`pulumi:"realmId"` - SamlAttributeName pulumi.StringOutput `pulumi:"samlAttributeName"` - SamlAttributeNameFormat pulumi.StringOutput `pulumi:"samlAttributeNameFormat"` - UserAttribute pulumi.StringOutput `pulumi:"userAttribute"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId pulumi.StringPtrOutput `pulumi:"clientId"` + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` + // An optional human-friendly name for this attribute. + FriendlyName pulumi.StringPtrOutput `pulumi:"friendlyName"` + // The display name of this protocol mapper in the GUI. + Name pulumi.StringOutput `pulumi:"name"` + // The realm this protocol mapper exists within. + RealmId pulumi.StringOutput `pulumi:"realmId"` + // The name of the SAML attribute. + SamlAttributeName pulumi.StringOutput `pulumi:"samlAttributeName"` + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + SamlAttributeNameFormat pulumi.StringOutput `pulumi:"samlAttributeNameFormat"` + // The custom user attribute to map. + UserAttribute pulumi.StringOutput `pulumi:"userAttribute"` } // NewUserAttributeProtocolMapper registers a new resource with the given unique name, arguments, and options. 
@@ -144,25 +149,41 @@ func GetUserAttributeProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering UserAttributeProtocolMapper resources. type userAttributeProtocolMapperState struct { - ClientId *string `pulumi:"clientId"` - ClientScopeId *string `pulumi:"clientScopeId"` - FriendlyName *string `pulumi:"friendlyName"` - Name *string `pulumi:"name"` - RealmId *string `pulumi:"realmId"` - SamlAttributeName *string `pulumi:"samlAttributeName"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId *string `pulumi:"clientId"` + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId *string `pulumi:"clientScopeId"` + // An optional human-friendly name for this attribute. + FriendlyName *string `pulumi:"friendlyName"` + // The display name of this protocol mapper in the GUI. + Name *string `pulumi:"name"` + // The realm this protocol mapper exists within. + RealmId *string `pulumi:"realmId"` + // The name of the SAML attribute. + SamlAttributeName *string `pulumi:"samlAttributeName"` + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. SamlAttributeNameFormat *string `pulumi:"samlAttributeNameFormat"` - UserAttribute *string `pulumi:"userAttribute"` + // The custom user attribute to map. + UserAttribute *string `pulumi:"userAttribute"` } type UserAttributeProtocolMapperState struct { - ClientId pulumi.StringPtrInput - ClientScopeId pulumi.StringPtrInput - FriendlyName pulumi.StringPtrInput - Name pulumi.StringPtrInput - RealmId pulumi.StringPtrInput - SamlAttributeName pulumi.StringPtrInput + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. 
+ ClientId pulumi.StringPtrInput + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId pulumi.StringPtrInput + // An optional human-friendly name for this attribute. + FriendlyName pulumi.StringPtrInput + // The display name of this protocol mapper in the GUI. + Name pulumi.StringPtrInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringPtrInput + // The name of the SAML attribute. + SamlAttributeName pulumi.StringPtrInput + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. SamlAttributeNameFormat pulumi.StringPtrInput - UserAttribute pulumi.StringPtrInput + // The custom user attribute to map. + UserAttribute pulumi.StringPtrInput } func (UserAttributeProtocolMapperState) ElementType() reflect.Type { 
@@ -170,26 +191,42 @@ func (UserAttributeProtocolMapperState) ElementType() reflect.Type { } type userAttributeProtocolMapperArgs struct { - ClientId *string `pulumi:"clientId"` - ClientScopeId *string `pulumi:"clientScopeId"` - FriendlyName *string `pulumi:"friendlyName"` - Name *string `pulumi:"name"` - RealmId string `pulumi:"realmId"` - SamlAttributeName string `pulumi:"samlAttributeName"` - SamlAttributeNameFormat string `pulumi:"samlAttributeNameFormat"` - UserAttribute string `pulumi:"userAttribute"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId *string `pulumi:"clientId"` + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId *string `pulumi:"clientScopeId"` + // An optional human-friendly name for this attribute. + FriendlyName *string `pulumi:"friendlyName"` + // The display name of this protocol mapper in the GUI. + Name *string `pulumi:"name"` + // The realm this protocol mapper exists within. + RealmId string `pulumi:"realmId"` + // The name of the SAML attribute. + SamlAttributeName string `pulumi:"samlAttributeName"` + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + SamlAttributeNameFormat string `pulumi:"samlAttributeNameFormat"` + // The custom user attribute to map. + UserAttribute string `pulumi:"userAttribute"` } // The set of arguments for constructing a UserAttributeProtocolMapper resource. type UserAttributeProtocolMapperArgs struct { - ClientId pulumi.StringPtrInput - ClientScopeId pulumi.StringPtrInput - FriendlyName pulumi.StringPtrInput - Name pulumi.StringPtrInput - RealmId pulumi.StringInput - SamlAttributeName pulumi.StringInput + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. 
One of `clientId` or `clientScopeId` must be specified. + ClientId pulumi.StringPtrInput + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId pulumi.StringPtrInput + // An optional human-friendly name for this attribute. + FriendlyName pulumi.StringPtrInput + // The display name of this protocol mapper in the GUI. + Name pulumi.StringPtrInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringInput + // The name of the SAML attribute. + SamlAttributeName pulumi.StringInput + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. SamlAttributeNameFormat pulumi.StringInput - UserAttribute pulumi.StringInput + // The custom user attribute to map. + UserAttribute pulumi.StringInput } func (UserAttributeProtocolMapperArgs) ElementType() reflect.Type { 
@@ -279,34 +316,42 @@ func (o UserAttributeProtocolMapperOutput) ToUserAttributeProtocolMapperOutputWi return o } +// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o UserAttributeProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. func (o UserAttributeProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } +// An optional human-friendly name for this attribute. func (o UserAttributeProtocolMapperOutput) FriendlyName() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringPtrOutput { return v.FriendlyName }).(pulumi.StringPtrOutput) } +// The display name of this protocol mapper in the GUI. func (o UserAttributeProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } +// The realm this protocol mapper exists within. func (o UserAttributeProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// The name of the SAML attribute. func (o UserAttributeProtocolMapperOutput) SamlAttributeName() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringOutput { return v.SamlAttributeName }).(pulumi.StringOutput) } +// The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. 
func (o UserAttributeProtocolMapperOutput) SamlAttributeNameFormat() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringOutput { return v.SamlAttributeNameFormat }).(pulumi.StringOutput) } +// The custom user attribute to map. func (o UserAttributeProtocolMapperOutput) UserAttribute() pulumi.StringOutput { return o.ApplyT(func(v *UserAttributeProtocolMapper) pulumi.StringOutput { return v.UserAttribute }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/saml/userPropertyProtocolMapper.go b/sdk/go/keycloak/saml/userPropertyProtocolMapper.go index dde7d686..19aab52b 100644 --- a/sdk/go/keycloak/saml/userPropertyProtocolMapper.go +++ b/sdk/go/keycloak/saml/userPropertyProtocolMapper.go @@ -12,17 +12,15 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # saml.UserPropertyProtocolMapper -// -// Allows for creating and managing user property protocol mappers for -// SAML clients within Keycloak. +// Allows for creating and managing user property protocol mappers for SAML clients within Keycloak. // // SAML user property protocol mappers allow you to map properties of the Keycloak -// user model to an attribute in a SAML assertion. Protocol mappers -// can be defined for a single client, or they can be defined for a client scope which -// can be shared between multiple different clients. +// user model to an attribute in a SAML assertion. +// +// Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +// multiple different clients. // -// ### Example Usage (Client) +// ## Example Usage // // ```go // package main @@ -37,7 +35,7 @@ import ( // // func main() { // pulumi.Run(func(ctx *pulumi.Context) error { -// _, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ // Realm: pulumi.String("my-realm"), // Enabled: pulumi.Bool(true), // }) 
@@ -45,15 +43,15 @@ import ( // return err // } // samlClient, err := saml.NewClient(ctx, "saml_client", &saml.ClientArgs{ -// RealmId: pulumi.Any(test.Id), -// ClientId: pulumi.String("test-saml-client"), -// Name: pulumi.String("test-saml-client"), +// RealmId: realm.ID(), +// ClientId: pulumi.String("saml-client"), +// Name: pulumi.String("saml-client"), // }) // if err != nil { // return err // } // _, err = saml.NewUserPropertyProtocolMapper(ctx, "saml_user_property_mapper", &saml.UserPropertyProtocolMapperArgs{ -// RealmId: pulumi.Any(test.Id), +// RealmId: realm.ID(), // ClientId: samlClient.ID(), // Name: pulumi.String("email-user-property-mapper"), // UserProperty: pulumi.String("email"), 
@@ -69,37 +67,44 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this protocol mapper exists within. -// - `clientId` - (Required if `clientScopeId` is not specified) The SAML client this protocol mapper is attached to. -// - `clientScopeId` - (Required if `clientId` is not specified) The SAML client scope this protocol mapper is attached to. -// - `name` - (Required) The display name of this protocol mapper in the GUI. -// - `userProperty` - (Required) The property of the Keycloak user model to map. -// - `friendlyName` - (Optional) An optional human-friendly name for this attribute. -// - `samlAttributeName` - (Required) The name of the SAML attribute. -// - `samlAttributeNameFormat` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. -// -// ### Import +// ## Import // // Protocol mappers can be imported using one of the following formats: +// // - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +// // - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` +// +// ```sh +// $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// ``` type UserPropertyProtocolMapper struct { pulumi.CustomResourceState - ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - FriendlyName pulumi.StringPtrOutput `pulumi:"friendlyName"` - Name pulumi.StringOutput `pulumi:"name"` - RealmId pulumi.StringOutput 
`pulumi:"realmId"` - SamlAttributeName pulumi.StringOutput `pulumi:"samlAttributeName"` - SamlAttributeNameFormat pulumi.StringOutput `pulumi:"samlAttributeNameFormat"` - UserProperty pulumi.StringOutput `pulumi:"userProperty"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId pulumi.StringPtrOutput `pulumi:"clientId"` + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` + // An optional human-friendly name for this attribute. + FriendlyName pulumi.StringPtrOutput `pulumi:"friendlyName"` + // The display name of this protocol mapper in the GUI. + Name pulumi.StringOutput `pulumi:"name"` + // The realm this protocol mapper exists within. + RealmId pulumi.StringOutput `pulumi:"realmId"` + // The name of the SAML attribute. + SamlAttributeName pulumi.StringOutput `pulumi:"samlAttributeName"` + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + SamlAttributeNameFormat pulumi.StringOutput `pulumi:"samlAttributeNameFormat"` + // The property of the Keycloak user model to map. + UserProperty pulumi.StringOutput `pulumi:"userProperty"` } // NewUserPropertyProtocolMapper registers a new resource with the given unique name, arguments, and options. 
@@ -144,25 +149,41 @@ func GetUserPropertyProtocolMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering UserPropertyProtocolMapper resources. type userPropertyProtocolMapperState struct { - ClientId *string `pulumi:"clientId"` - ClientScopeId *string `pulumi:"clientScopeId"` - FriendlyName *string `pulumi:"friendlyName"` - Name *string `pulumi:"name"` - RealmId *string `pulumi:"realmId"` - SamlAttributeName *string `pulumi:"samlAttributeName"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId *string `pulumi:"clientId"` + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId *string `pulumi:"clientScopeId"` + // An optional human-friendly name for this attribute. + FriendlyName *string `pulumi:"friendlyName"` + // The display name of this protocol mapper in the GUI. + Name *string `pulumi:"name"` + // The realm this protocol mapper exists within. + RealmId *string `pulumi:"realmId"` + // The name of the SAML attribute. + SamlAttributeName *string `pulumi:"samlAttributeName"` + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. SamlAttributeNameFormat *string `pulumi:"samlAttributeNameFormat"` - UserProperty *string `pulumi:"userProperty"` + // The property of the Keycloak user model to map. + UserProperty *string `pulumi:"userProperty"` } type UserPropertyProtocolMapperState struct { - ClientId pulumi.StringPtrInput - ClientScopeId pulumi.StringPtrInput - FriendlyName pulumi.StringPtrInput - Name pulumi.StringPtrInput - RealmId pulumi.StringPtrInput - SamlAttributeName pulumi.StringPtrInput + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. 
+ ClientId pulumi.StringPtrInput + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId pulumi.StringPtrInput + // An optional human-friendly name for this attribute. + FriendlyName pulumi.StringPtrInput + // The display name of this protocol mapper in the GUI. + Name pulumi.StringPtrInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringPtrInput + // The name of the SAML attribute. + SamlAttributeName pulumi.StringPtrInput + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. SamlAttributeNameFormat pulumi.StringPtrInput - UserProperty pulumi.StringPtrInput + // The property of the Keycloak user model to map. + UserProperty pulumi.StringPtrInput } func (UserPropertyProtocolMapperState) ElementType() reflect.Type { 
@@ -170,26 +191,42 @@ func (UserPropertyProtocolMapperState) ElementType() reflect.Type { } type userPropertyProtocolMapperArgs struct { - ClientId *string `pulumi:"clientId"` - ClientScopeId *string `pulumi:"clientScopeId"` - FriendlyName *string `pulumi:"friendlyName"` - Name *string `pulumi:"name"` - RealmId string `pulumi:"realmId"` - SamlAttributeName string `pulumi:"samlAttributeName"` - SamlAttributeNameFormat string `pulumi:"samlAttributeNameFormat"` - UserProperty string `pulumi:"userProperty"` + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId *string `pulumi:"clientId"` + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId *string `pulumi:"clientScopeId"` + // An optional human-friendly name for this attribute. + FriendlyName *string `pulumi:"friendlyName"` + // The display name of this protocol mapper in the GUI. + Name *string `pulumi:"name"` + // The realm this protocol mapper exists within. + RealmId string `pulumi:"realmId"` + // The name of the SAML attribute. + SamlAttributeName string `pulumi:"samlAttributeName"` + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + SamlAttributeNameFormat string `pulumi:"samlAttributeNameFormat"` + // The property of the Keycloak user model to map. + UserProperty string `pulumi:"userProperty"` } // The set of arguments for constructing a UserPropertyProtocolMapper resource. type UserPropertyProtocolMapperArgs struct { - ClientId pulumi.StringPtrInput - ClientScopeId pulumi.StringPtrInput - FriendlyName pulumi.StringPtrInput - Name pulumi.StringPtrInput - RealmId pulumi.StringInput - SamlAttributeName pulumi.StringInput + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. 
One of `clientId` or `clientScopeId` must be specified. + ClientId pulumi.StringPtrInput + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId pulumi.StringPtrInput + // An optional human-friendly name for this attribute. + FriendlyName pulumi.StringPtrInput + // The display name of this protocol mapper in the GUI. + Name pulumi.StringPtrInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringInput + // The name of the SAML attribute. + SamlAttributeName pulumi.StringInput + // The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. SamlAttributeNameFormat pulumi.StringInput - UserProperty pulumi.StringInput + // The property of the Keycloak user model to map. + UserProperty pulumi.StringInput } func (UserPropertyProtocolMapperArgs) ElementType() reflect.Type { 
@@ -279,34 +316,42 @@ func (o UserPropertyProtocolMapperOutput) ToUserPropertyProtocolMapperOutputWith return o } +// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. func (o UserPropertyProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. func (o UserPropertyProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } +// An optional human-friendly name for this attribute. func (o UserPropertyProtocolMapperOutput) FriendlyName() pulumi.StringPtrOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringPtrOutput { return v.FriendlyName }).(pulumi.StringPtrOutput) } +// The display name of this protocol mapper in the GUI. func (o UserPropertyProtocolMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } +// The realm this protocol mapper exists within. func (o UserPropertyProtocolMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// The name of the SAML attribute. func (o UserPropertyProtocolMapperOutput) SamlAttributeName() pulumi.StringOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringOutput { return v.SamlAttributeName }).(pulumi.StringOutput) } +// The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. 
func (o UserPropertyProtocolMapperOutput) SamlAttributeNameFormat() pulumi.StringOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringOutput { return v.SamlAttributeNameFormat }).(pulumi.StringOutput) } +// The property of the Keycloak user model to map. func (o UserPropertyProtocolMapperOutput) UserProperty() pulumi.StringOutput { return o.ApplyT(func(v *UserPropertyProtocolMapper) pulumi.StringOutput { return v.UserProperty }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/user.go b/sdk/go/keycloak/user.go index 0009c27d..ce746bda 100644 --- a/sdk/go/keycloak/user.go +++ b/sdk/go/keycloak/user.go @@ -12,15 +12,13 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// ## # User -// // Allows for creating and managing Users within Keycloak. // -// This resource was created primarily to enable the acceptance tests for the `Group` resource. -// Creating users within Keycloak is not recommended. Instead, users should be federated from external sources -// by configuring user federation providers or identity providers. +// This resource was created primarily to enable the acceptance tests for the `Group` resource. Creating users within +// Keycloak is not recommended. Instead, users should be federated from external sources by configuring user federation providers +// or identity providers. // -// ### Example Usage +// ## Example Usage // // ```go // package main @@ -59,6 +57,10 @@ import ( // Email: pulumi.String("alice@domain.com"), // FirstName: pulumi.String("Alice"), // LastName: pulumi.String("Aliceberg"), +// Attributes: pulumi.StringMap{ +// "foo": pulumi.String("bar"), +// "multivalue": pulumi.String("value1##value2"), +// }, // InitialPassword: &keycloak.UserInitialPasswordArgs{ // Value: pulumi.String("some password"), // Temporary: pulumi.Bool(true), 
@@ -73,41 +75,44 @@ import ( // // ``` // -// ### Argument Reference -// -// The following arguments are supported: -// -// - `realmId` - (Required) The realm this user belongs to. -// - `username` - (Required) The unique username of this user. -// - `initialPassword` (Optional) When given, the user's initial password will be set. -// This attribute is only respected during initial user creation. -// - `value` (Required) The initial password. -// - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. -// - `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. -// - `email` - (Optional) The user's email. -// - `firstName` - (Optional) The user's first name. -// - `lastName` - (Optional) The user's last name. +// ## Import // -// ### Import +// Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak // -// Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `userId` is the unique ID that Keycloak // assigns to the user upon creation. This value can be found in the GUI when editing the user. // // Example: +// +// bash +// +// ```sh +// $ pulumi import keycloak:index/user:User user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 +// ``` type User struct { pulumi.CustomResourceState - Attributes pulumi.StringMapOutput `pulumi:"attributes"` - Email pulumi.StringPtrOutput `pulumi:"email"` - EmailVerified pulumi.BoolPtrOutput `pulumi:"emailVerified"` - Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` + // A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + Attributes pulumi.StringMapOutput `pulumi:"attributes"` + // The user's email. + Email pulumi.StringPtrOutput `pulumi:"email"` + // Whether the email address was validated or not. Default to `false`. 
+ EmailVerified pulumi.BoolPtrOutput `pulumi:"emailVerified"` + // When false, this user cannot log in. Defaults to `true`. + Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` + // When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. FederatedIdentities UserFederatedIdentityArrayOutput `pulumi:"federatedIdentities"` - FirstName pulumi.StringPtrOutput `pulumi:"firstName"` - InitialPassword UserInitialPasswordPtrOutput `pulumi:"initialPassword"` - LastName pulumi.StringPtrOutput `pulumi:"lastName"` - RealmId pulumi.StringOutput `pulumi:"realmId"` - RequiredActions pulumi.StringArrayOutput `pulumi:"requiredActions"` - Username pulumi.StringOutput `pulumi:"username"` + // The user's first name. + FirstName pulumi.StringPtrOutput `pulumi:"firstName"` + // When given, the user's initial password will be set. This attribute is only respected during initial user creation. + InitialPassword UserInitialPasswordPtrOutput `pulumi:"initialPassword"` + // The user's last name. + LastName pulumi.StringPtrOutput `pulumi:"lastName"` + // The realm this user belongs to. + RealmId pulumi.StringOutput `pulumi:"realmId"` + // A list of required user actions. + RequiredActions pulumi.StringArrayOutput `pulumi:"requiredActions"` + // The unique username of this user. + Username pulumi.StringOutput `pulumi:"username"` } // NewUser registers a new resource with the given unique name, arguments, and options. 
@@ -146,31 +151,53 @@ func GetUser(ctx *pulumi.Context, // Input properties used for looking up and filtering User resources. type userState struct { - Attributes map[string]string `pulumi:"attributes"` - Email *string `pulumi:"email"` - EmailVerified *bool `pulumi:"emailVerified"` - Enabled *bool `pulumi:"enabled"` + // A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + Attributes map[string]string `pulumi:"attributes"` + // The user's email. + Email *string `pulumi:"email"` + // Whether the email address was validated or not. Default to `false`. + EmailVerified *bool `pulumi:"emailVerified"` + // When false, this user cannot log in. Defaults to `true`. + Enabled *bool `pulumi:"enabled"` + // When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. FederatedIdentities []UserFederatedIdentity `pulumi:"federatedIdentities"` - FirstName *string `pulumi:"firstName"` - InitialPassword *UserInitialPassword `pulumi:"initialPassword"` - LastName *string `pulumi:"lastName"` - RealmId *string `pulumi:"realmId"` - RequiredActions []string `pulumi:"requiredActions"` - Username *string `pulumi:"username"` + // The user's first name. + FirstName *string `pulumi:"firstName"` + // When given, the user's initial password will be set. This attribute is only respected during initial user creation. + InitialPassword *UserInitialPassword `pulumi:"initialPassword"` + // The user's last name. + LastName *string `pulumi:"lastName"` + // The realm this user belongs to. + RealmId *string `pulumi:"realmId"` + // A list of required user actions. + RequiredActions []string `pulumi:"requiredActions"` + // The unique username of this user. 
+ Username *string `pulumi:"username"` } type UserState struct { - Attributes pulumi.StringMapInput - Email pulumi.StringPtrInput - EmailVerified pulumi.BoolPtrInput - Enabled pulumi.BoolPtrInput + // A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + Attributes pulumi.StringMapInput + // The user's email. + Email pulumi.StringPtrInput + // Whether the email address was validated or not. Default to `false`. + EmailVerified pulumi.BoolPtrInput + // When false, this user cannot log in. Defaults to `true`. + Enabled pulumi.BoolPtrInput + // When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. FederatedIdentities UserFederatedIdentityArrayInput - FirstName pulumi.StringPtrInput - InitialPassword UserInitialPasswordPtrInput - LastName pulumi.StringPtrInput - RealmId pulumi.StringPtrInput - RequiredActions pulumi.StringArrayInput - Username pulumi.StringPtrInput + // The user's first name. + FirstName pulumi.StringPtrInput + // When given, the user's initial password will be set. This attribute is only respected during initial user creation. + InitialPassword UserInitialPasswordPtrInput + // The user's last name. + LastName pulumi.StringPtrInput + // The realm this user belongs to. + RealmId pulumi.StringPtrInput + // A list of required user actions. + RequiredActions pulumi.StringArrayInput + // The unique username of this user. + Username pulumi.StringPtrInput } func (UserState) ElementType() reflect.Type { 
@@ -178,32 +205,54 @@ func (UserState) ElementType() reflect.Type { } type userArgs struct { - Attributes map[string]string `pulumi:"attributes"` - Email *string `pulumi:"email"` - EmailVerified *bool `pulumi:"emailVerified"` - Enabled *bool `pulumi:"enabled"` + // A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + Attributes map[string]string `pulumi:"attributes"` + // The user's email. + Email *string `pulumi:"email"` + // Whether the email address was validated or not. Default to `false`. + EmailVerified *bool `pulumi:"emailVerified"` + // When false, this user cannot log in. Defaults to `true`. + Enabled *bool `pulumi:"enabled"` + // When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. FederatedIdentities []UserFederatedIdentity `pulumi:"federatedIdentities"` - FirstName *string `pulumi:"firstName"` - InitialPassword *UserInitialPassword `pulumi:"initialPassword"` - LastName *string `pulumi:"lastName"` - RealmId string `pulumi:"realmId"` - RequiredActions []string `pulumi:"requiredActions"` - Username string `pulumi:"username"` + // The user's first name. + FirstName *string `pulumi:"firstName"` + // When given, the user's initial password will be set. This attribute is only respected during initial user creation. + InitialPassword *UserInitialPassword `pulumi:"initialPassword"` + // The user's last name. + LastName *string `pulumi:"lastName"` + // The realm this user belongs to. + RealmId string `pulumi:"realmId"` + // A list of required user actions. + RequiredActions []string `pulumi:"requiredActions"` + // The unique username of this user. + Username string `pulumi:"username"` } // The set of arguments for constructing a User resource. 
type UserArgs struct { - Attributes pulumi.StringMapInput - Email pulumi.StringPtrInput - EmailVerified pulumi.BoolPtrInput - Enabled pulumi.BoolPtrInput + // A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + Attributes pulumi.StringMapInput + // The user's email. + Email pulumi.StringPtrInput + // Whether the email address was validated or not. Default to `false`. + EmailVerified pulumi.BoolPtrInput + // When false, this user cannot log in. Defaults to `true`. + Enabled pulumi.BoolPtrInput + // When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. FederatedIdentities UserFederatedIdentityArrayInput - FirstName pulumi.StringPtrInput - InitialPassword UserInitialPasswordPtrInput - LastName pulumi.StringPtrInput - RealmId pulumi.StringInput - RequiredActions pulumi.StringArrayInput - Username pulumi.StringInput + // The user's first name. + FirstName pulumi.StringPtrInput + // When given, the user's initial password will be set. This attribute is only respected during initial user creation. + InitialPassword UserInitialPasswordPtrInput + // The user's last name. + LastName pulumi.StringPtrInput + // The realm this user belongs to. + RealmId pulumi.StringInput + // A list of required user actions. + RequiredActions pulumi.StringArrayInput + // The unique username of this user. + Username pulumi.StringInput } func (UserArgs) ElementType() reflect.Type { 
@@ -293,46 +342,57 @@ func (o UserOutput) ToUserOutputWithContext(ctx context.Context) UserOutput { return o } +// A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars func (o UserOutput) Attributes() pulumi.StringMapOutput { return o.ApplyT(func(v *User) pulumi.StringMapOutput { return v.Attributes }).(pulumi.StringMapOutput) } +// The user's email. func (o UserOutput) Email() pulumi.StringPtrOutput { return o.ApplyT(func(v *User) pulumi.StringPtrOutput { return v.Email }).(pulumi.StringPtrOutput) } +// Whether the email address was validated or not. Default to `false`. func (o UserOutput) EmailVerified() pulumi.BoolPtrOutput { return o.ApplyT(func(v *User) pulumi.BoolPtrOutput { return v.EmailVerified }).(pulumi.BoolPtrOutput) } +// When false, this user cannot log in. Defaults to `true`. func (o UserOutput) Enabled() pulumi.BoolPtrOutput { return o.ApplyT(func(v *User) pulumi.BoolPtrOutput { return v.Enabled }).(pulumi.BoolPtrOutput) } +// When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. func (o UserOutput) FederatedIdentities() UserFederatedIdentityArrayOutput { return o.ApplyT(func(v *User) UserFederatedIdentityArrayOutput { return v.FederatedIdentities }).(UserFederatedIdentityArrayOutput) } +// The user's first name. func (o UserOutput) FirstName() pulumi.StringPtrOutput { return o.ApplyT(func(v *User) pulumi.StringPtrOutput { return v.FirstName }).(pulumi.StringPtrOutput) } +// When given, the user's initial password will be set. This attribute is only respected during initial user creation. func (o UserOutput) InitialPassword() UserInitialPasswordPtrOutput { return o.ApplyT(func(v *User) UserInitialPasswordPtrOutput { return v.InitialPassword }).(UserInitialPasswordPtrOutput) } +// The user's last name. 
func (o UserOutput) LastName() pulumi.StringPtrOutput { return o.ApplyT(func(v *User) pulumi.StringPtrOutput { return v.LastName }).(pulumi.StringPtrOutput) } +// The realm this user belongs to. func (o UserOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *User) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } +// A list of required user actions. func (o UserOutput) RequiredActions() pulumi.StringArrayOutput { return o.ApplyT(func(v *User) pulumi.StringArrayOutput { return v.RequiredActions }).(pulumi.StringArrayOutput) } +// The unique username of this user. func (o UserOutput) Username() pulumi.StringOutput { return o.ApplyT(func(v *User) pulumi.StringOutput { return v.Username }).(pulumi.StringOutput) } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/AttributeImporterIdentityProviderMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/AttributeImporterIdentityProviderMapper.java index 3ae291c6..6eff1338 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/AttributeImporterIdentityProviderMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/AttributeImporterIdentityProviderMapper.java 
@@ -16,11 +16,16 @@ import javax.annotation.Nullable; /** - * ## # keycloak.AttributeImporterIdentityProviderMapper + * Allows for creating and managing an attribute importer identity provider mapper within Keycloak. * - * Allows to create and manage identity provider mappers within Keycloak. + * The attribute importer mapper can be used to map attributes from externally defined users to attributes or properties of the imported Keycloak user: + * - For the OIDC identity provider, this will map a claim on the ID or access token to an attribute for the imported Keycloak user. + * - For the SAML identity provider, this will map a SAML attribute found within the assertion to an attribute for the imported Keycloak user. + * - For social identity providers, this will map a JSON field from the user profile to an attribute for the imported Keycloak user. * - * ### Example Usage + * > If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper. + * + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -30,6 +35,10 @@
  * import com.pulumi.Context;
  * import com.pulumi.Pulumi;
  * import com.pulumi.core.Output;
+ * import com.pulumi.keycloak.Realm;
+ * import com.pulumi.keycloak.RealmArgs;
+ * import com.pulumi.keycloak.oidc.IdentityProvider;
+ * import com.pulumi.keycloak.oidc.IdentityProviderArgs;
  * import com.pulumi.keycloak.AttributeImporterIdentityProviderMapper;
  * import com.pulumi.keycloak.AttributeImporterIdentityProviderMapperArgs;
  * import java.util.List;
@@ -45,12 +54,28 @@
  *     }
  * 
  *     public static void stack(Context ctx) {
- *         var testMapper = new AttributeImporterIdentityProviderMapper("testMapper", AttributeImporterIdentityProviderMapperArgs.builder()
+ *         var realm = new Realm("realm", RealmArgs.builder()
  *             .realm("my-realm")
- *             .name("my-mapper")
- *             .identityProviderAlias("idp_alias")
- *             .attributeName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname")
- *             .userAttribute("lastName")
+ *             .enabled(true)
+ *             .build());
+ * 
+ *         var oidc = new IdentityProvider("oidc", IdentityProviderArgs.builder()
+ *             .realm(realm.id())
+ *             .alias("oidc")
+ *             .authorizationUrl("https://example.com/auth")
+ *             .tokenUrl("https://example.com/token")
+ *             .clientId("example_id")
+ *             .clientSecret("example_token")
+ *             .defaultScopes("openid random profile")
+ *             .build());
+ * 
+ *         var oidcAttributeImporterIdentityProviderMapper = new AttributeImporterIdentityProviderMapper("oidcAttributeImporterIdentityProviderMapper", AttributeImporterIdentityProviderMapperArgs.builder()
+ *             .realm(realm.id())
+ *             .name("email-attribute-importer")
+ *             .claimName("my-email-claim")
+ *             .identityProviderAlias(oidc.alias())
+ *             .userAttribute("email")
+ *             .extraConfig(Map.of("syncMode", "INHERIT"))
  *             .build());
  * 
  *     }
@@ -59,127 +84,130 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: + * ## Import * - * - `realm` - (Required) The name of the realm. - * - `name` - (Required) The name of the mapper. - * - `identity_provider_alias` - (Required) The alias of the associated identity provider. - * - `user_attribute` - (Required) The user attribute name to store SAML attribute. - * - `attribute_name` - (Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. - * - `attribute_friendly_name` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead. - * - `claim_name` - (Optional) The claim name. + * Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak * - * ### Import - * - * Identity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak * assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + * ``` + * */ @ResourceType(type="keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper") public class AttributeImporterIdentityProviderMapper extends com.pulumi.resources.CustomResource { /** - * Attribute Friendly Name + * For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. 
* */ @Export(name="attributeFriendlyName", refs={String.class}, tree="[0]") private Output attributeFriendlyName; /** - * @return Attribute Friendly Name + * @return For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. * */ public Output> attributeFriendlyName() { return Codegen.optional(this.attributeFriendlyName); } /** - * Attribute Name + * For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * */ @Export(name="attributeName", refs={String.class}, tree="[0]") private Output attributeName; /** - * @return Attribute Name + * @return For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * */ public Output> attributeName() { return Codegen.optional(this.attributeName); } /** - * Claim Name + * For OIDC based providers, this is the name of the claim to use. * */ @Export(name="claimName", refs={String.class}, tree="[0]") private Output claimName; /** - * @return Claim Name + * @return For OIDC based providers, this is the name of the claim to use. * */ public Output> claimName() { return Codegen.optional(this.claimName); } + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ @Export(name="extraConfig", refs={Map.class,String.class}, tree="[0,1,1]") private Output> extraConfig; + /** + * @return Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ public Output>> extraConfig() { return Codegen.optional(this.extraConfig); } /** - * IDP Alias + * The alias of the associated identity provider. 
* */ @Export(name="identityProviderAlias", refs={String.class}, tree="[0]") private Output identityProviderAlias; /** - * @return IDP Alias + * @return The alias of the associated identity provider. * */ public Output identityProviderAlias() { return this.identityProviderAlias; } /** - * IDP Mapper Name + * The name of the mapper. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return IDP Mapper Name + * @return The name of the mapper. * */ public Output name() { return this.name; } /** - * Realm Name + * The name of the realm. * */ @Export(name="realm", refs={String.class}, tree="[0]") private Output realm; /** - * @return Realm Name + * @return The name of the realm. * */ public Output realm() { return this.realm; } /** - * User Attribute + * The user attribute or property name to store the mapped result. * */ @Export(name="userAttribute", refs={String.class}, tree="[0]") private Output userAttribute; /** - * @return User Attribute + * @return The user attribute or property name to store the mapped result. * */ public Output userAttribute() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/AttributeImporterIdentityProviderMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/AttributeImporterIdentityProviderMapperArgs.java index 00d4662b..8722617e 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/AttributeImporterIdentityProviderMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/AttributeImporterIdentityProviderMapperArgs.java 
@@ -18,14 +18,14 @@ public final class AttributeImporterIdentityProviderMapperArgs extends com.pulum public static final AttributeImporterIdentityProviderMapperArgs Empty = new AttributeImporterIdentityProviderMapperArgs(); /** - * Attribute Friendly Name + * For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. * */ @Import(name="attributeFriendlyName") private @Nullable Output attributeFriendlyName; /** - * @return Attribute Friendly Name + * @return For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. * */ public Optional> attributeFriendlyName() { @@ -33,14 +33,14 @@ public Optional> attributeFriendlyName() { } /** - * Attribute Name + * For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * */ @Import(name="attributeName") private @Nullable Output attributeName; /** - * @return Attribute Name + * @return For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * */ public Optional> attributeName() { 
@@ -48,36 +48,44 @@ public Optional> attributeName() { } /** - * Claim Name + * For OIDC based providers, this is the name of the claim to use. * */ @Import(name="claimName") private @Nullable Output claimName; /** - * @return Claim Name + * @return For OIDC based providers, this is the name of the claim to use. * */ public Optional> claimName() { return Optional.ofNullable(this.claimName); } + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ @Import(name="extraConfig") private @Nullable Output> extraConfig; + /** + * @return Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ public Optional>> extraConfig() { return Optional.ofNullable(this.extraConfig); } /** - * IDP Alias + * The alias of the associated identity provider. * */ @Import(name="identityProviderAlias", required=true) private Output identityProviderAlias; /** - * @return IDP Alias + * @return The alias of the associated identity provider. * */ public Output identityProviderAlias() { @@ -85,14 +93,14 @@ public Output identityProviderAlias() { } /** - * IDP Mapper Name + * The name of the mapper. * */ @Import(name="name") private @Nullable Output name; /** - * @return IDP Mapper Name + * @return The name of the mapper. * */ public Optional> name() { @@ -100,14 +108,14 @@ public Optional> name() { } /** - * Realm Name + * The name of the realm. * */ @Import(name="realm", required=true) private Output realm; /** - * @return Realm Name + * @return The name of the realm. * */ public Output realm() { 
@@ -115,14 +123,14 @@ public Output realm() { } /** - * User Attribute + * The user attribute or property name to store the mapped result. * */ @Import(name="userAttribute", required=true) private Output userAttribute; /** - * @return User Attribute + * @return The user attribute or property name to store the mapped result. * */ public Output userAttribute() { @@ -161,7 +169,7 @@ public Builder(AttributeImporterIdentityProviderMapperArgs defaults) { } /** - * @param attributeFriendlyName Attribute Friendly Name + * @param attributeFriendlyName For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. * * @return builder * @@ -172,7 +180,7 @@ public Builder attributeFriendlyName(@Nullable Output attributeFriendlyN } /** - * @param attributeFriendlyName Attribute Friendly Name + * @param attributeFriendlyName For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. * * @return builder * @@ -182,7 +190,7 @@ public Builder attributeFriendlyName(String attributeFriendlyName) { } /** - * @param attributeName Attribute Name + * @param attributeName For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * * @return builder * @@ -193,7 +201,7 @@ public Builder attributeName(@Nullable Output attributeName) { } /** - * @param attributeName Attribute Name + * @param attributeName For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * * @return builder * @@ -203,7 +211,7 @@ public Builder attributeName(String attributeName) { } /** - * @param claimName Claim Name + * @param claimName For OIDC based providers, this is the name of the claim to use. * * @return builder * 
@@ -214,7 +222,7 @@ public Builder claimName(@Nullable Output claimName) { } /** - * @param claimName Claim Name + * @param claimName For OIDC based providers, this is the name of the claim to use. * * @return builder * @@ -223,17 +231,29 @@ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } + /** + * @param extraConfig Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + * @return builder + * + */ public Builder extraConfig(@Nullable Output> extraConfig) { $.extraConfig = extraConfig; return this; } + /** + * @param extraConfig Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + * @return builder + * + */ public Builder extraConfig(Map extraConfig) { return extraConfig(Output.of(extraConfig)); } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The alias of the associated identity provider. * * @return builder * @@ -244,7 +264,7 @@ public Builder identityProviderAlias(Output identityProviderAlias) { } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The alias of the associated identity provider. * * @return builder * @@ -254,7 +274,7 @@ public Builder identityProviderAlias(String identityProviderAlias) { } /** - * @param name IDP Mapper Name + * @param name The name of the mapper. * * @return builder * @@ -265,7 +285,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name IDP Mapper Name + * @param name The name of the mapper. * * @return builder * @@ -275,7 +295,7 @@ public Builder name(String name) { } /** - * @param realm Realm Name + * @param realm The name of the realm. * * @return builder * 
@@ -286,7 +306,7 @@ public Builder realm(Output realm) { } /** - * @param realm Realm Name + * @param realm The name of the realm. * * @return builder * @@ -296,7 +316,7 @@ public Builder realm(String realm) { } /** - * @param userAttribute User Attribute + * @param userAttribute The user attribute or property name to store the mapped result. * * @return builder * @@ -307,7 +327,7 @@ public Builder userAttribute(Output userAttribute) { } /** - * @param userAttribute User Attribute + * @param userAttribute The user attribute or property name to store the mapped result. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/CustomUserFederation.java b/sdk/java/src/main/java/com/pulumi/keycloak/CustomUserFederation.java index 5f42a3a2..b93cdef7 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/CustomUserFederation.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/CustomUserFederation.java @@ -18,15 +18,12 @@ import javax.annotation.Nullable; /** - * ## # keycloak.CustomUserFederation - * * Allows for creating and managing custom user federation providers within Keycloak. * - * A custom user federation provider is an implementation of Keycloak's - * [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). + * A custom user federation provider is an implementation of Keycloak's [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). * An example of this implementation can be found here. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -63,6 +60,11 @@
  *             .realmId(realm.id())
  *             .providerId("custom")
  *             .enabled(true)
+ *             .config(Map.ofEntries(
+ *                 Map.entry("dummyString", "foobar"),
+ *                 Map.entry("dummyBool", true),
+ *                 Map.entry("multivalue", "value1##value2")
+ *             ))
  *             .build());
  * 
  *     }
@@ -71,62 +73,72 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. * - * - `realm_id` - (Required) The realm that this provider will provide user federation for. - * - `name` - (Required) Display name of the provider when displayed in the console. - * - `provider_id` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. - * - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. - * - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. - * - `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: * - * ### Import + * bash * - * Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. - * The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: + * ```sh + * $ pulumi import keycloak:index/customUserFederation:CustomUserFederation custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 + * ``` * */ @ResourceType(type="keycloak:index/customUserFederation:CustomUserFederation") public class CustomUserFederation extends com.pulumi.resources.CustomResource { + /** + * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + */ @Export(name="cachePolicy", refs={String.class}, tree="[0]") private Output cachePolicy; + /** + * @return Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. 
Defaults to `DEFAULT`. + * + */ public Output> cachePolicy() { return Codegen.optional(this.cachePolicy); } /** - * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * */ @Export(name="changedSyncPeriod", refs={Integer.class}, tree="[0]") private Output changedSyncPeriod; /** - * @return How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * @return How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * */ public Output> changedSyncPeriod() { return Codegen.optional(this.changedSyncPeriod); } + /** + * The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + */ @Export(name="config", refs={Map.class,String.class}, tree="[0,1,1]") private Output> config; + /** + * @return The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + */ public Output>> config() { return Codegen.optional(this.config); } /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * */ @Export(name="enabled", refs={Boolean.class}, tree="[0]") private Output enabled; /** - * @return When false, this provider will not be used when performing queries for users. + * @return When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * */ public Output> enabled() { 
@@ -161,58 +173,56 @@ public Output name() { return this.name; } /** - * The parent_id of the generated component. will use realm_id if not specified. + * Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * */ @Export(name="parentId", refs={String.class}, tree="[0]") private Output parentId; /** - * @return The parent_id of the generated component. will use realm_id if not specified. + * @return Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * */ public Output parentId() { return this.parentId; } /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ @Export(name="priority", refs={Integer.class}, tree="[0]") private Output priority; /** - * @return Priority of this provider when looking up users. Lower values are first. + * @return Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ public Output> priority() { return Codegen.optional(this.priority); } /** - * The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * */ @Export(name="providerId", refs={String.class}, tree="[0]") private Output providerId; /** - * @return The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * @return The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * */ public Output providerId() { return this.providerId; } /** - * The realm (name) this provider will provide user federation for. 
+ * The realm that this provider will provide user federation for. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm (name) this provider will provide user federation for. + * @return The realm that this provider will provide user federation for. * */ public Output realmId() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/CustomUserFederationArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/CustomUserFederationArgs.java index f590f4cb..6892059d 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/CustomUserFederationArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/CustomUserFederationArgs.java 
@@ -19,46 +19,60 @@ public final class CustomUserFederationArgs extends com.pulumi.resources.Resourc public static final CustomUserFederationArgs Empty = new CustomUserFederationArgs(); + /** + * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + */ @Import(name="cachePolicy") private @Nullable Output cachePolicy; + /** + * @return Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + */ public Optional> cachePolicy() { return Optional.ofNullable(this.cachePolicy); } /** - * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * */ @Import(name="changedSyncPeriod") private @Nullable Output changedSyncPeriod; /** - * @return How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * @return How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * */ public Optional> changedSyncPeriod() { return Optional.ofNullable(this.changedSyncPeriod); } + /** + * The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + */ @Import(name="config") private @Nullable Output> config; + /** + * @return The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + */ public Optional>> config() { return Optional.ofNullable(this.config); } /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. 
* */ @Import(name="enabled") private @Nullable Output enabled; /** - * @return When false, this provider will not be used when performing queries for users. + * @return When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * */ public Optional> enabled() { @@ -96,14 +110,14 @@ public Optional> name() { } /** - * The parent_id of the generated component. will use realm_id if not specified. + * Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * */ @Import(name="parentId") private @Nullable Output parentId; /** - * @return The parent_id of the generated component. will use realm_id if not specified. + * @return Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * */ public Optional> parentId() { @@ -111,14 +125,14 @@ public Optional> parentId() { } /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ @Import(name="priority") private @Nullable Output priority; /** - * @return Priority of this provider when looking up users. Lower values are first. + * @return Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ public Optional> priority() { 
@@ -126,16 +140,14 @@ public Optional> priority() { } /** - * The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * */ @Import(name="providerId", required=true) private Output providerId; /** - * @return The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * @return The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * */ public Output providerId() { @@ -143,14 +155,14 @@ public Output providerId() { } /** - * The realm (name) this provider will provide user federation for. + * The realm that this provider will provide user federation for. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm (name) this provider will provide user federation for. + * @return The realm that this provider will provide user federation for. * */ public Output realmId() { 
@@ -190,18 +202,29 @@ public Builder(CustomUserFederationArgs defaults) { $ = new CustomUserFederationArgs(Objects.requireNonNull(defaults)); } + /** + * @param cachePolicy Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + * @return builder + * + */ public Builder cachePolicy(@Nullable Output cachePolicy) { $.cachePolicy = cachePolicy; return this; } + /** + * @param cachePolicy Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + * @return builder + * + */ public Builder cachePolicy(String cachePolicy) { return cachePolicy(Output.of(cachePolicy)); } /** - * @param changedSyncPeriod How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * @param changedSyncPeriod How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * * @return builder * @@ -212,8 +235,7 @@ public Builder changedSyncPeriod(@Nullable Output changedSyncPeriod) { } /** - * @param changedSyncPeriod How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * @param changedSyncPeriod How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * * @return builder * 
@@ -222,17 +244,29 @@ public Builder changedSyncPeriod(Integer changedSyncPeriod) { return changedSyncPeriod(Output.of(changedSyncPeriod)); } + /** + * @param config The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + * @return builder + * + */ public Builder config(@Nullable Output> config) { $.config = config; return this; } + /** + * @param config The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + * @return builder + * + */ public Builder config(Map config) { return config(Output.of(config)); } /** - * @param enabled When false, this provider will not be used when performing queries for users. + * @param enabled When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * * @return builder * @@ -243,7 +277,7 @@ public Builder enabled(@Nullable Output enabled) { } /** - * @param enabled When false, this provider will not be used when performing queries for users. + * @param enabled When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * * @return builder * @@ -295,7 +329,7 @@ public Builder name(String name) { } /** - * @param parentId The parent_id of the generated component. will use realm_id if not specified. + * @param parentId Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * * @return builder * @@ -306,7 +340,7 @@ public Builder parentId(@Nullable Output parentId) { } /** - * @param parentId The parent_id of the generated component. will use realm_id if not specified. + * @param parentId Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * * @return builder * 
@@ -316,7 +350,7 @@ public Builder parentId(String parentId) { } /** - * @param priority Priority of this provider when looking up users. Lower values are first. + * @param priority Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * * @return builder * @@ -327,7 +361,7 @@ public Builder priority(@Nullable Output priority) { } /** - * @param priority Priority of this provider when looking up users. Lower values are first. + * @param priority Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * * @return builder * @@ -337,8 +371,7 @@ public Builder priority(Integer priority) { } /** - * @param providerId The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * @param providerId The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * * @return builder * @@ -349,8 +382,7 @@ public Builder providerId(Output providerId) { } /** - * @param providerId The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * @param providerId The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * * @return builder * @@ -360,7 +392,7 @@ public Builder providerId(String providerId) { } /** - * @param realmId The realm (name) this provider will provide user federation for. + * @param realmId The realm that this provider will provide user federation for. * * @return builder * @@ -371,7 +403,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm (name) this provider will provide user federation for. + * @param realmId The realm that this provider will provide user federation for. * * @return builder * 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/DefaultGroups.java b/sdk/java/src/main/java/com/pulumi/keycloak/DefaultGroups.java index f6103b5b..013e4486 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/DefaultGroups.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/DefaultGroups.java @@ -15,14 +15,11 @@ import javax.annotation.Nullable; /** - * ## # keycloak.DefaultGroups - * * Allows for managing a realm's default groups. * - * Note that you should not use `keycloak.DefaultGroups` with a group with memberships managed - * by `keycloak.GroupMemberships`. + * > You should not use `keycloak.DefaultGroups` with a group whose members are managed by `keycloak.GroupMemberships`. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -72,31 +69,46 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: + * ## Import * - * - `realm_id` - (Required) The realm this group exists in. - * - `group_ids` - (Required) A set of group ids that should be default groups on the realm referenced by `realm_id`. + * Default groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in. * - * ### Import + * Example: * - * Groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in. + * bash * - * Example: + * ```sh + * $ pulumi import keycloak:index/defaultGroups:DefaultGroups default my-realm + * ``` * */ @ResourceType(type="keycloak:index/defaultGroups:DefaultGroups") public class DefaultGroups extends com.pulumi.resources.CustomResource { + /** + * A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + */ @Export(name="groupIds", refs={List.class,String.class}, tree="[0,1]") private Output> groupIds; + /** + * @return A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + */ public Output> groupIds() { return this.groupIds; } + /** + * The realm this group exists in. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this group exists in. + * + */ public Output realmId() { return this.realmId; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/DefaultGroupsArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/DefaultGroupsArgs.java index c8580170..cb37547b 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/DefaultGroupsArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/DefaultGroupsArgs.java 
@@ -15,16 +15,32 @@ public final class DefaultGroupsArgs extends com.pulumi.resources.ResourceArgs { public static final DefaultGroupsArgs Empty = new DefaultGroupsArgs(); + /** + * A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + */ @Import(name="groupIds", required=true) private Output> groupIds; + /** + * @return A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + */ public Output> groupIds() { return this.groupIds; } + /** + * The realm this group exists in. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this group exists in. + * + */ public Output realmId() { return this.realmId; } @@ -54,24 +70,54 @@ public Builder(DefaultGroupsArgs defaults) { $ = new DefaultGroupsArgs(Objects.requireNonNull(defaults)); } + /** + * @param groupIds A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + * @return builder + * + */ public Builder groupIds(Output> groupIds) { $.groupIds = groupIds; return this; } + /** + * @param groupIds A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + * @return builder + * + */ public Builder groupIds(List groupIds) { return groupIds(Output.of(groupIds)); } + /** + * @param groupIds A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + * @return builder + * + */ public Builder groupIds(String... groupIds) { return groupIds(List.of(groupIds)); } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/GenericClientProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/GenericClientProtocolMapper.java index 336d4331..96680d43 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/GenericClientProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/GenericClientProtocolMapper.java @@ -16,9 +16,9 @@ import javax.annotation.Nullable; /** - * ## # keycloak.GenericClientProtocolMapper + * !> **WARNING:** This resource is deprecated and will be removed in the next major version. Please use `keycloak.GenericProtocolMapper` instead. * - * Allows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak. + * Allows for creating and managing protocol mappers for both types of clients (openid-connect and saml) within Keycloak. * * There are two uses cases for using this resource: * * If you implemented a custom protocol mapper, this resource can be used to configure it @@ -27,7 +27,7 @@ * Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors. * Therefore, if possible, a specific mapper should be used. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -69,7 +69,7 @@
  *         var samlHardcodeAttributeMapper = new GenericClientProtocolMapper("samlHardcodeAttributeMapper", GenericClientProtocolMapperArgs.builder()
  *             .realmId(realm.id())
  *             .clientId(samlClient.id())
- *             .name("tes-mapper")
+ *             .name("test-mapper")
  *             .protocol("saml")
  *             .protocolMapper("saml-hardcode-attribute-mapper")
  *             .config(Map.ofEntries(
@@ -86,36 +86,30 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required) The client this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client. - * - `protocol_mapper` - (Required) The name of the protocol mapper. The protocol mapper must be - * compatible with the specified client. - * - `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. - * - * ### Import + * ## Import * * Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper") public class GenericClientProtocolMapper extends com.pulumi.resources.CustomResource { /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper is attached to. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper is attached to. * */ public Output> clientId() { 
@@ -135,63 +129,71 @@ public Output> clientId() { public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } + /** + * A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + */ @Export(name="config", refs={Map.class,String.class}, tree="[0,1,1]") private Output> config; + /** + * @return A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + */ public Output> config() { return this.config; } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Output name() { return this.name; } /** - * The protocol of the client (openid-connect / saml). + * The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * */ @Export(name="protocol", refs={String.class}, tree="[0]") private Output protocol; /** - * @return The protocol of the client (openid-connect / saml). + * @return The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * */ public Output protocol() { return this.protocol; } /** - * The type of the protocol mapper. + * The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * */ @Export(name="protocolMapper", refs={String.class}, tree="[0]") private Output protocolMapper; /** - * @return The type of the protocol mapper. + * @return The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * */ public Output protocolMapper() { return this.protocolMapper; } /** - * The realm id where the associated client or client scope exists. 
+ * The realm this protocol mapper exists within. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/GenericClientProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/GenericClientProtocolMapperArgs.java index 41c37092..a0873613 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/GenericClientProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/GenericClientProtocolMapperArgs.java @@ -18,14 +18,14 @@ public final class GenericClientProtocolMapperArgs extends com.pulumi.resources. public static final GenericClientProtocolMapperArgs Empty = new GenericClientProtocolMapperArgs(); /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper is attached to. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper is attached to. * */ public Optional> clientId() { 
@@ -47,22 +47,30 @@ public Optional> clientScopeId() { return Optional.ofNullable(this.clientScopeId); } + /** + * A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + */ @Import(name="config", required=true) private Output> config; + /** + * @return A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + */ public Output> config() { return this.config; } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -70,14 +78,14 @@ public Optional> name() { } /** - * The protocol of the client (openid-connect / saml). + * The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * */ @Import(name="protocol", required=true) private Output protocol; /** - * @return The protocol of the client (openid-connect / saml). + * @return The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * */ public Output protocol() { @@ -85,14 +93,14 @@ public Output protocol() { } /** - * The type of the protocol mapper. + * The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * */ @Import(name="protocolMapper", required=true) private Output protocolMapper; /** - * @return The type of the protocol mapper. + * @return The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * */ public Output protocolMapper() { 
@@ -100,14 +108,14 @@ public Output protocolMapper() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { @@ -145,7 +153,7 @@ public Builder(GenericClientProtocolMapperArgs defaults) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper is attached to. * * @return builder * @@ -156,7 +164,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper is attached to. * * @return builder * @@ -186,17 +194,29 @@ public Builder clientScopeId(String clientScopeId) { return clientScopeId(Output.of(clientScopeId)); } + /** + * @param config A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + * @return builder + * + */ public Builder config(Output> config) { $.config = config; return this; } + /** + * @param config A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + * @return builder + * + */ public Builder config(Map config) { return config(Output.of(config)); } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * 
@@ -207,7 +227,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -217,7 +237,7 @@ public Builder name(String name) { } /** - * @param protocol The protocol of the client (openid-connect / saml). + * @param protocol The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * * @return builder * @@ -228,7 +248,7 @@ public Builder protocol(Output protocol) { } /** - * @param protocol The protocol of the client (openid-connect / saml). + * @param protocol The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * * @return builder * @@ -238,7 +258,7 @@ public Builder protocol(String protocol) { } /** - * @param protocolMapper The type of the protocol mapper. + * @param protocolMapper The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * * @return builder * @@ -249,7 +269,7 @@ public Builder protocolMapper(Output protocolMapper) { } /** - * @param protocolMapper The type of the protocol mapper. + * @param protocolMapper The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * * @return builder * @@ -259,7 +279,7 @@ public Builder protocolMapper(String protocolMapper) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -270,7 +290,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/Group.java b/sdk/java/src/main/java/com/pulumi/keycloak/Group.java index 792275c8..ef38c15d 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/Group.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/Group.java @@ -16,20 +16,17 @@ import javax.annotation.Nullable; /** - * ## # keycloak.Group - * * Allows for creating and managing Groups within Keycloak. * - * Groups provide a logical wrapping for users within Keycloak. Users within a - * group can share attributes and roles, and group membership can be mapped - * to a claim. + * Groups provide a logical wrapping for users within Keycloak. Users within a group can share attributes and roles, and + * group membership can be mapped to a claim. * * Attributes can also be defined on Groups. * - * Groups can also be federated from external data sources, such as LDAP or Active Directory. - * This resource **should not** be used to manage groups that were created this way. + * Groups can also be federated from external data sources, such as LDAP or Active Directory. This resource **should not** + * be used to manage groups that were created this way. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -77,8 +74,8 @@
  *             .parentId(parentGroup.id())
  *             .name("child-group-with-optional-attributes")
  *             .attributes(Map.ofEntries(
- *                 Map.entry("key1", "value1"),
- *                 Map.entry("key2", "value2")
+ *                 Map.entry("foo", "bar"),
+ *                 Map.entry("multivalue", "value1##value2")
  *             ))
  *             .build());
  * 
@@ -88,58 +85,90 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this group exists in. - * - `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level. - * - `name` - (Required) The name of the group. - * - `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group. - * - * ### Attributes Reference - * - * In addition to the arguments listed above, the following computed attributes are exported: - * - * - `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. - * - * ### Import + * ## Import * * Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak + * * assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID. * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:index/group:Group child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd + * ``` + * */ @ResourceType(type="keycloak:index/group:Group") public class Group extends com.pulumi.resources.CustomResource { + /** + * A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ @Export(name="attributes", refs={Map.class,String.class}, tree="[0,1,1]") private Output> attributes; + /** + * @return A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ public Output>> attributes() { return Codegen.optional(this.attributes); } + /** + * The name of the group. + * + */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; + /** + * @return The name of the group. 
+ * + */ public Output name() { return this.name; } + /** + * The ID of this group's parent. If omitted, this group will be defined at the root level. + * + */ @Export(name="parentId", refs={String.class}, tree="[0]") private Output parentId; + /** + * @return The ID of this group's parent. If omitted, this group will be defined at the root level. + * + */ public Output> parentId() { return Codegen.optional(this.parentId); } + /** + * (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + * + */ @Export(name="path", refs={String.class}, tree="[0]") private Output path; + /** + * @return (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + * + */ public Output path() { return this.path; } + /** + * The realm this group exists in. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this group exists in. + * + */ public Output realmId() { return this.realmId; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/GroupArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/GroupArgs.java index 14aad7a6..6e737df3 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/GroupArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/GroupArgs.java 
@@ -17,30 +17,62 @@ public final class GroupArgs extends com.pulumi.resources.ResourceArgs { public static final GroupArgs Empty = new GroupArgs(); + /** + * A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ @Import(name="attributes") private @Nullable Output> attributes; + /** + * @return A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ public Optional>> attributes() { return Optional.ofNullable(this.attributes); } + /** + * The name of the group. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The name of the group. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The ID of this group's parent. If omitted, this group will be defined at the root level. + * + */ @Import(name="parentId") private @Nullable Output parentId; + /** + * @return The ID of this group's parent. If omitted, this group will be defined at the root level. + * + */ public Optional> parentId() { return Optional.ofNullable(this.parentId); } + /** + * The realm this group exists in. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this group exists in. + * + */ public Output realmId() { return this.realmId; } 
@@ -72,38 +104,86 @@ public Builder(GroupArgs defaults) { $ = new GroupArgs(Objects.requireNonNull(defaults)); } + /** + * @param attributes A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(@Nullable Output> attributes) { $.attributes = attributes; return this; } + /** + * @param attributes A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(Map attributes) { return attributes(Output.of(attributes)); } + /** + * @param name The name of the group. + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The name of the group. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param parentId The ID of this group's parent. If omitted, this group will be defined at the root level. + * + * @return builder + * + */ public Builder parentId(@Nullable Output parentId) { $.parentId = parentId; return this; } + /** + * @param parentId The ID of this group's parent. If omitted, this group will be defined at the root level. + * + * @return builder + * + */ public Builder parentId(String parentId) { return parentId(Output.of(parentId)); } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/GroupMemberships.java b/sdk/java/src/main/java/com/pulumi/keycloak/GroupMemberships.java index 8d65488f..93c7945b 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/GroupMemberships.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/GroupMemberships.java 
@@ -16,23 +16,23 @@ import javax.annotation.Nullable; /** - * ## # keycloak.GroupMemberships - * * Allows for managing a Keycloak group's members. * - * Note that this resource attempts to be an **authoritative** source over group members. - * When this resource takes control over a group's members, users that are manually added - * to the group will be removed, and users that are manually removed from the group will - * be added upon the next run of `pulumi up`. Eventually, a non-authoritative resource - * for group membership will be added to this provider. + * Note that this resource attempts to be an **authoritative** source over group members. When this resource takes control + * over a group's members, users that are manually added to the group will be removed, and users that are manually removed + * from the group will be added upon the next run of `pulumi up`. + * + * Also note that you should not use `keycloak.GroupMemberships` with a group has been assigned as a default group via + * `keycloak.DefaultGroups`. + * + * This resource **should not** be used to control membership of a group that has its members federated from an external + * source via group mapping. * - * Also note that you should not use `keycloak.GroupMemberships` with a group has been assigned - * as a default group via `keycloak.DefaultGroups`. + * To non-exclusively manage the group's of a user, see the [`keycloak.UserGroups` resource][1] * - * This resource **should not** be used to control membership of a group that has its members - * federated from an external source via group mapping. + * This resource paginates its data loading on refresh by 50 items. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -90,37 +90,56 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this group exists in. - * - `group_id` - (Required) The ID of the group this resource should manage memberships for. - * - `members` - (Required) An array of usernames that belong to this group. - * - * ### Import + * ## Import * * This resource does not support import. Instead of importing, feel free to create this resource + * * as if it did not already exist on the server. * + * [1]: providers/mrparkers/keycloak/latest/docs/resources/group_memberships + * */ @ResourceType(type="keycloak:index/groupMemberships:GroupMemberships") public class GroupMemberships extends com.pulumi.resources.CustomResource { + /** + * The ID of the group this resource should manage memberships for. + * + */ @Export(name="groupId", refs={String.class}, tree="[0]") private Output groupId; + /** + * @return The ID of the group this resource should manage memberships for. + * + */ public Output> groupId() { return Codegen.optional(this.groupId); } + /** + * A list of usernames that belong to this group. + * + */ @Export(name="members", refs={List.class,String.class}, tree="[0,1]") private Output> members; + /** + * @return A list of usernames that belong to this group. + * + */ public Output> members() { return this.members; } + /** + * The realm this group exists in. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this group exists in. + * + */ public Output realmId() { return this.realmId; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/GroupMembershipsArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/GroupMembershipsArgs.java index 2c51c18a..9ae256f4 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/GroupMembershipsArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/GroupMembershipsArgs.java 
@@ -17,23 +17,47 @@ public final class GroupMembershipsArgs extends com.pulumi.resources.ResourceArg public static final GroupMembershipsArgs Empty = new GroupMembershipsArgs(); + /** + * The ID of the group this resource should manage memberships for. + * + */ @Import(name="groupId") private @Nullable Output groupId; + /** + * @return The ID of the group this resource should manage memberships for. + * + */ public Optional> groupId() { return Optional.ofNullable(this.groupId); } + /** + * A list of usernames that belong to this group. + * + */ @Import(name="members", required=true) private Output> members; + /** + * @return A list of usernames that belong to this group. + * + */ public Output> members() { return this.members; } + /** + * The realm this group exists in. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this group exists in. + * + */ public Output realmId() { return this.realmId; } 
@@ -64,33 +88,75 @@ public Builder(GroupMembershipsArgs defaults) { $ = new GroupMembershipsArgs(Objects.requireNonNull(defaults)); } + /** + * @param groupId The ID of the group this resource should manage memberships for. + * + * @return builder + * + */ public Builder groupId(@Nullable Output groupId) { $.groupId = groupId; return this; } + /** + * @param groupId The ID of the group this resource should manage memberships for. + * + * @return builder + * + */ public Builder groupId(String groupId) { return groupId(Output.of(groupId)); } + /** + * @param members A list of usernames that belong to this group. + * + * @return builder + * + */ public Builder members(Output> members) { $.members = members; return this; } + /** + * @param members A list of usernames that belong to this group. + * + * @return builder + * + */ public Builder members(List members) { return members(Output.of(members)); } + /** + * @param members A list of usernames that belong to this group. + * + * @return builder + * + */ public Builder members(String... members) { return members(List.of(members)); } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/GroupRoles.java b/sdk/java/src/main/java/com/pulumi/keycloak/GroupRoles.java index 86e078b0..a606df75 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/GroupRoles.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/GroupRoles.java 
@@ -17,21 +17,18 @@ import javax.annotation.Nullable; /** - * ## # keycloak.GroupRoles - * * Allows you to manage roles assigned to a Keycloak group. * - * Note that this resource attempts to be an **authoritative** source over - * group roles. When this resource takes control over a group's roles, - * roles that are manually added to the group will be removed, and roles - * that are manually removed from the group will be added upon the next run - * of `pulumi up`. + * If `exhaustive` is true, this resource attempts to be an **authoritative** source over group roles: roles that are manually added to the group will be removed, and roles that are manually removed from the + * group will be added upon the next run of `pulumi up`. + * If `exhaustive` is false, this resource is a partial assignation of roles to a group. As a result, you can get multiple `keycloak.GroupRoles` for the same `group_id`. + * + * Note that when assigning composite roles to a group, you may see a non-empty plan following a `pulumi up` if you + * assign a role and a composite that includes that role to the same group. * - * Note that when assigning composite roles to a group, you may see a - * non-empty plan following a `pulumi up` if you assign a role and a - * composite that includes that role to the same group. + * ## Example Usage * - * ### Example Usage + * ### Exhaustive Roles) * * <!--Start PulumiCodeChooser --> *
@@ -109,48 +106,162 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference + * ### Non Exhaustive Roles) + * + * <!--Start PulumiCodeChooser --> + *
+ * {@code
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.keycloak.Realm;
+ * import com.pulumi.keycloak.RealmArgs;
+ * import com.pulumi.keycloak.Role;
+ * import com.pulumi.keycloak.RoleArgs;
+ * import com.pulumi.keycloak.openid.Client;
+ * import com.pulumi.keycloak.openid.ClientArgs;
+ * import com.pulumi.keycloak.Group;
+ * import com.pulumi.keycloak.GroupArgs;
+ * import com.pulumi.keycloak.GroupRoles;
+ * import com.pulumi.keycloak.GroupRolesArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App {
+ *     public static void main(String[] args) {
+ *         Pulumi.run(App::stack);
+ *     }
+ * 
+ *     public static void stack(Context ctx) {
+ *         var realm = new Realm("realm", RealmArgs.builder()
+ *             .realm("my-realm")
+ *             .enabled(true)
+ *             .build());
+ * 
+ *         var realmRole = new Role("realmRole", RoleArgs.builder()
+ *             .realmId(realm.id())
+ *             .name("my-realm-role")
+ *             .description("My Realm Role")
+ *             .build());
+ * 
+ *         var client = new Client("client", ClientArgs.builder()
+ *             .realmId(realm.id())
+ *             .clientId("client")
+ *             .name("client")
+ *             .enabled(true)
+ *             .accessType("BEARER-ONLY")
+ *             .build());
+ * 
+ *         var clientRole = new Role("clientRole", RoleArgs.builder()
+ *             .realmId(realm.id())
+ *             .clientId(clientKeycloakClient.id())
+ *             .name("my-client-role")
+ *             .description("My Client Role")
+ *             .build());
+ * 
+ *         var group = new Group("group", GroupArgs.builder()
+ *             .realmId(realm.id())
+ *             .name("my-group")
+ *             .build());
+ * 
+ *         var groupRoleAssociation1 = new GroupRoles("groupRoleAssociation1", GroupRolesArgs.builder()
+ *             .realmId(realm.id())
+ *             .groupId(group.id())
+ *             .exhaustive(false)
+ *             .roleIds(realmRole.id())
+ *             .build());
+ * 
+ *         var groupRoleAssociation2 = new GroupRoles("groupRoleAssociation2", GroupRolesArgs.builder()
+ *             .realmId(realm.id())
+ *             .groupId(group.id())
+ *             .exhaustive(false)
+ *             .roleIds(clientRole.id())
+ *             .build());
+ * 
+ *     }
+ * }
+ * }
+ * 
+ * <!--End PulumiCodeChooser --> * - * The following arguments are supported: + * ## Import * - * - `realm_id` - (Required) The realm this group exists in. - * - `group_id` - (Required) The ID of the group this resource should - * manage roles for. - * - `role_ids` - (Required) A list of role IDs to map to the group + * This resource can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak * - * ### Import + * assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically * - * This resource can be imported using the format - * `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that - * Keycloak assigns to the group upon creation. This value can be found in - * the URI when editing this group in the GUI, and is typically a GUID. + * a GUID. * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:index/groupRoles:GroupRoles group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94 + * ``` + * */ @ResourceType(type="keycloak:index/groupRoles:GroupRoles") public class GroupRoles extends com.pulumi.resources.CustomResource { + /** + * Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + */ @Export(name="exhaustive", refs={Boolean.class}, tree="[0]") private Output exhaustive; + /** + * @return Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + */ public Output> exhaustive() { return Codegen.optional(this.exhaustive); } + /** + * The ID of the group this resource should manage roles for. + * + */ @Export(name="groupId", refs={String.class}, tree="[0]") private Output groupId; + /** + * @return The ID of the group this resource should manage roles for. + * + */ public Output groupId() { return this.groupId; } + /** + * The realm this group exists in. 
+ * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this group exists in. + * + */ public Output realmId() { return this.realmId; } + /** + * A list of role IDs to map to the group. + * + */ @Export(name="roleIds", refs={List.class,String.class}, tree="[0,1]") private Output> roleIds; + /** + * @return A list of role IDs to map to the group. + * + */ public Output> roleIds() { return this.roleIds; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/GroupRolesArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/GroupRolesArgs.java index 5446f261..c3e7a925 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/GroupRolesArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/GroupRolesArgs.java 
@@ -18,30 +18,62 @@ public final class GroupRolesArgs extends com.pulumi.resources.ResourceArgs { public static final GroupRolesArgs Empty = new GroupRolesArgs(); + /** + * Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + */ @Import(name="exhaustive") private @Nullable Output exhaustive; + /** + * @return Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + */ public Optional> exhaustive() { return Optional.ofNullable(this.exhaustive); } + /** + * The ID of the group this resource should manage roles for. + * + */ @Import(name="groupId", required=true) private Output groupId; + /** + * @return The ID of the group this resource should manage roles for. + * + */ public Output groupId() { return this.groupId; } + /** + * The realm this group exists in. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this group exists in. + * + */ public Output realmId() { return this.realmId; } + /** + * A list of role IDs to map to the group. + * + */ @Import(name="roleIds", required=true) private Output> roleIds; + /** + * @return A list of role IDs to map to the group. + * + */ public Output> roleIds() { return this.roleIds; } 
@@ -73,42 +105,96 @@ public Builder(GroupRolesArgs defaults) { $ = new GroupRolesArgs(Objects.requireNonNull(defaults)); } + /** + * @param exhaustive Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + * @return builder + * + */ public Builder exhaustive(@Nullable Output exhaustive) { $.exhaustive = exhaustive; return this; } + /** + * @param exhaustive Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + * @return builder + * + */ public Builder exhaustive(Boolean exhaustive) { return exhaustive(Output.of(exhaustive)); } + /** + * @param groupId The ID of the group this resource should manage roles for. + * + * @return builder + * + */ public Builder groupId(Output groupId) { $.groupId = groupId; return this; } + /** + * @param groupId The ID of the group this resource should manage roles for. + * + * @return builder + * + */ public Builder groupId(String groupId) { return groupId(Output.of(groupId)); } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param roleIds A list of role IDs to map to the group. + * + * @return builder + * + */ public Builder roleIds(Output> roleIds) { $.roleIds = roleIds; return this; } + /** + * @param roleIds A list of role IDs to map to the group. + * + * @return builder + * + */ public Builder roleIds(List roleIds) { return roleIds(Output.of(roleIds)); } + /** + * @param roleIds A list of role IDs to map to the group. + * + * @return builder + * + */ public Builder roleIds(String... roleIds) { return roleIds(List.of(roleIds)); } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/KeycloakFunctions.java b/sdk/java/src/main/java/com/pulumi/keycloak/KeycloakFunctions.java index 45aab622..c89957df 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/KeycloakFunctions.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/KeycloakFunctions.java @@ -787,128 +787,270 @@ public static CompletableFuture getClientDe return Deployment.getInstance().invokeAsync("keycloak:index/getClientDescriptionConverter:getClientDescriptionConverter", TypeShape.of(GetClientDescriptionConverterResult.class), args, Utilities.withVersion(options)); } /** - * ## # keycloak.Group data source - * * This data source can be used to fetch properties of a Keycloak group for * usage with other resources, such as `keycloak.GroupRoles`. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> - * <!--End PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
      * 
-     * ### Argument Reference
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.keycloak.Realm;
+     * import com.pulumi.keycloak.RealmArgs;
+     * import com.pulumi.keycloak.KeycloakFunctions;
+     * import com.pulumi.keycloak.inputs.GetRoleArgs;
+     * import com.pulumi.keycloak.inputs.GetGroupArgs;
+     * import com.pulumi.keycloak.GroupRoles;
+     * import com.pulumi.keycloak.GroupRolesArgs;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
      * 
-     * The following arguments are supported:
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
      * 
-     * - `realm_id` - (Required) The realm this group exists within.
-     * - `name` - (Required) The name of the group
+     *     public static void stack(Context ctx) {
+     *         var realm = new Realm("realm", RealmArgs.builder()
+     *             .realm("my-realm")
+     *             .enabled(true)
+     *             .build());
      * 
-     * ### Attributes Reference
+     *         final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("offline_access")
+     *             .build());
      * 
-     * In addition to the arguments listed above, the following computed attributes are exported:
+     *         final var group = KeycloakFunctions.getGroup(GetGroupArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("group")
+     *             .build());
+     * 
+     *         var groupRoles = new GroupRoles("groupRoles", GroupRolesArgs.builder()
+     *             .realmId(realm.id())
+     *             .groupId(group.applyValue(getGroupResult -> getGroupResult).applyValue(group -> group.applyValue(getGroupResult -> getGroupResult.id())))
+     *             .roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))
+     *             .build());
      * 
-     * - `id` - The unique ID of the group, which can be used as an argument to
-     *   other resources supported by this provider.
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> * */ public static Output getGroup(GetGroupArgs args) { return getGroup(args, InvokeOptions.Empty); } /** - * ## # keycloak.Group data source - * * This data source can be used to fetch properties of a Keycloak group for * usage with other resources, such as `keycloak.GroupRoles`. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> - * <!--End PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
+     * 
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.keycloak.Realm;
+     * import com.pulumi.keycloak.RealmArgs;
+     * import com.pulumi.keycloak.KeycloakFunctions;
+     * import com.pulumi.keycloak.inputs.GetRoleArgs;
+     * import com.pulumi.keycloak.inputs.GetGroupArgs;
+     * import com.pulumi.keycloak.GroupRoles;
+     * import com.pulumi.keycloak.GroupRolesArgs;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
      * 
-     * ### Argument Reference
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
      * 
-     * The following arguments are supported:
+     *     public static void stack(Context ctx) {
+     *         var realm = new Realm("realm", RealmArgs.builder()
+     *             .realm("my-realm")
+     *             .enabled(true)
+     *             .build());
      * 
-     * - `realm_id` - (Required) The realm this group exists within.
-     * - `name` - (Required) The name of the group
+     *         final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("offline_access")
+     *             .build());
      * 
-     * ### Attributes Reference
+     *         final var group = KeycloakFunctions.getGroup(GetGroupArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("group")
+     *             .build());
      * 
-     * In addition to the arguments listed above, the following computed attributes are exported:
+     *         var groupRoles = new GroupRoles("groupRoles", GroupRolesArgs.builder()
+     *             .realmId(realm.id())
+     *             .groupId(group.applyValue(getGroupResult -> getGroupResult).applyValue(group -> group.applyValue(getGroupResult -> getGroupResult.id())))
+     *             .roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))
+     *             .build());
      * 
-     * - `id` - The unique ID of the group, which can be used as an argument to
-     *   other resources supported by this provider.
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> * */ public static CompletableFuture getGroupPlain(GetGroupPlainArgs args) { return getGroupPlain(args, InvokeOptions.Empty); } /** - * ## # keycloak.Group data source - * * This data source can be used to fetch properties of a Keycloak group for * usage with other resources, such as `keycloak.GroupRoles`. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> - * <!--End PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
+     * 
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.keycloak.Realm;
+     * import com.pulumi.keycloak.RealmArgs;
+     * import com.pulumi.keycloak.KeycloakFunctions;
+     * import com.pulumi.keycloak.inputs.GetRoleArgs;
+     * import com.pulumi.keycloak.inputs.GetGroupArgs;
+     * import com.pulumi.keycloak.GroupRoles;
+     * import com.pulumi.keycloak.GroupRolesArgs;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
      * 
-     * ### Argument Reference
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
      * 
-     * The following arguments are supported:
+     *     public static void stack(Context ctx) {
+     *         var realm = new Realm("realm", RealmArgs.builder()
+     *             .realm("my-realm")
+     *             .enabled(true)
+     *             .build());
      * 
-     * - `realm_id` - (Required) The realm this group exists within.
-     * - `name` - (Required) The name of the group
+     *         final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("offline_access")
+     *             .build());
      * 
-     * ### Attributes Reference
+     *         final var group = KeycloakFunctions.getGroup(GetGroupArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("group")
+     *             .build());
      * 
-     * In addition to the arguments listed above, the following computed attributes are exported:
+     *         var groupRoles = new GroupRoles("groupRoles", GroupRolesArgs.builder()
+     *             .realmId(realm.id())
+     *             .groupId(group.applyValue(getGroupResult -> getGroupResult).applyValue(group -> group.applyValue(getGroupResult -> getGroupResult.id())))
+     *             .roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))
+     *             .build());
      * 
-     * - `id` - The unique ID of the group, which can be used as an argument to
-     *   other resources supported by this provider.
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> * */ public static Output getGroup(GetGroupArgs args, InvokeOptions options) { return Deployment.getInstance().invoke("keycloak:index/getGroup:getGroup", TypeShape.of(GetGroupResult.class), args, Utilities.withVersion(options)); } /** - * ## # keycloak.Group data source - * * This data source can be used to fetch properties of a Keycloak group for * usage with other resources, such as `keycloak.GroupRoles`. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> - * <!--End PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
      * 
-     * ### Argument Reference
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.keycloak.Realm;
+     * import com.pulumi.keycloak.RealmArgs;
+     * import com.pulumi.keycloak.KeycloakFunctions;
+     * import com.pulumi.keycloak.inputs.GetRoleArgs;
+     * import com.pulumi.keycloak.inputs.GetGroupArgs;
+     * import com.pulumi.keycloak.GroupRoles;
+     * import com.pulumi.keycloak.GroupRolesArgs;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
      * 
-     * The following arguments are supported:
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
+     * 
+     *     public static void stack(Context ctx) {
+     *         var realm = new Realm("realm", RealmArgs.builder()
+     *             .realm("my-realm")
+     *             .enabled(true)
+     *             .build());
      * 
-     * - `realm_id` - (Required) The realm this group exists within.
-     * - `name` - (Required) The name of the group
+     *         final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("offline_access")
+     *             .build());
      * 
-     * ### Attributes Reference
+     *         final var group = KeycloakFunctions.getGroup(GetGroupArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("group")
+     *             .build());
      * 
-     * In addition to the arguments listed above, the following computed attributes are exported:
+     *         var groupRoles = new GroupRoles("groupRoles", GroupRolesArgs.builder()
+     *             .realmId(realm.id())
+     *             .groupId(group.applyValue(getGroupResult -> getGroupResult).applyValue(group -> group.applyValue(getGroupResult -> getGroupResult.id())))
+     *             .roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))
+     *             .build());
      * 
-     * - `id` - The unique ID of the group, which can be used as an argument to
-     *   other resources supported by this provider.
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> * */ public static CompletableFuture getGroupPlain(GetGroupPlainArgs args, InvokeOptions options) { return Deployment.getInstance().invokeAsync("keycloak:index/getGroup:getGroup", TypeShape.of(GetGroupResult.class), args, Utilities.withVersion(options)); } /** - * ## # keycloak.Realm data source - * * This data source can be used to fetch properties of a Keycloak realm for * usage with other resources. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -941,7 +1083,7 @@ public static CompletableFuture getGroupPlain(GetGroupPlainArgs
      * 
      *         // use the data source
      *         var group = new Role("group", RoleArgs.builder()
-     *             .realmId(id)
+     *             .realmId(realm.applyValue(getRealmResult -> getRealmResult.id()))
      *             .name("group")
      *             .build());
      * 
@@ -951,27 +1093,15 @@ public static CompletableFuture getGroupPlain(GetGroupPlainArgs
      * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm` - (Required) The realm name. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.Realm` resource for details on the exported attributes. - * */ public static Output getRealm(GetRealmArgs args) { return getRealm(args, InvokeOptions.Empty); } /** - * ## # keycloak.Realm data source - * * This data source can be used to fetch properties of a Keycloak realm for * usage with other resources. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -1004,7 +1134,7 @@ public static Output getRealm(GetRealmArgs args) {
      * 
      *         // use the data source
      *         var group = new Role("group", RoleArgs.builder()
-     *             .realmId(id)
+     *             .realmId(realm.applyValue(getRealmResult -> getRealmResult.id()))
      *             .name("group")
      *             .build());
      * 
@@ -1014,27 +1144,15 @@ public static Output getRealm(GetRealmArgs args) {
      * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm` - (Required) The realm name. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.Realm` resource for details on the exported attributes. - * */ public static CompletableFuture getRealmPlain(GetRealmPlainArgs args) { return getRealmPlain(args, InvokeOptions.Empty); } /** - * ## # keycloak.Realm data source - * * This data source can be used to fetch properties of a Keycloak realm for * usage with other resources. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -1067,7 +1185,7 @@ public static CompletableFuture getRealmPlain(GetRealmPlainArgs
      * 
      *         // use the data source
      *         var group = new Role("group", RoleArgs.builder()
-     *             .realmId(id)
+     *             .realmId(realm.applyValue(getRealmResult -> getRealmResult.id()))
      *             .name("group")
      *             .build());
      * 
@@ -1077,27 +1195,15 @@ public static CompletableFuture getRealmPlain(GetRealmPlainArgs
      * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm` - (Required) The realm name. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.Realm` resource for details on the exported attributes. - * */ public static Output getRealm(GetRealmArgs args, InvokeOptions options) { return Deployment.getInstance().invoke("keycloak:index/getRealm:getRealm", TypeShape.of(GetRealmResult.class), args, Utilities.withVersion(options)); } /** - * ## # keycloak.Realm data source - * * This data source can be used to fetch properties of a Keycloak realm for * usage with other resources. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -1130,7 +1236,7 @@ public static Output getRealm(GetRealmArgs args, InvokeOptions o
      * 
      *         // use the data source
      *         var group = new Role("group", RoleArgs.builder()
-     *             .realmId(id)
+     *             .realmId(realm.applyValue(getRealmResult -> getRealmResult.id()))
      *             .name("group")
      *             .build());
      * 
@@ -1140,203 +1246,325 @@ public static Output getRealm(GetRealmArgs args, InvokeOptions o
      * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm` - (Required) The realm name. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.Realm` resource for details on the exported attributes. - * */ public static CompletableFuture getRealmPlain(GetRealmPlainArgs args, InvokeOptions options) { return Deployment.getInstance().invokeAsync("keycloak:index/getRealm:getRealm", TypeShape.of(GetRealmResult.class), args, Utilities.withVersion(options)); } /** - * ## # keycloak.getRealmKeys data source - * * Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. * * Remarks: * * - A key must meet all filter criteria - * - This datasource may return more than one value. - * - If no key matches the filter criteria, then an error is returned. + * - This data source may return more than one value. + * - If no key matches the filter criteria, then an error will be returned. * */ public static Output getRealmKeys(GetRealmKeysArgs args) { return getRealmKeys(args, InvokeOptions.Empty); } /** - * ## # keycloak.getRealmKeys data source - * * Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. * * Remarks: * * - A key must meet all filter criteria - * - This datasource may return more than one value. - * - If no key matches the filter criteria, then an error is returned. + * - This data source may return more than one value. + * - If no key matches the filter criteria, then an error will be returned. * */ public static CompletableFuture getRealmKeysPlain(GetRealmKeysPlainArgs args) { return getRealmKeysPlain(args, InvokeOptions.Empty); } /** - * ## # keycloak.getRealmKeys data source - * * Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. * * Remarks: * * - A key must meet all filter criteria - * - This datasource may return more than one value. 
- * - If no key matches the filter criteria, then an error is returned. + * - This data source may return more than one value. + * - If no key matches the filter criteria, then an error will be returned. * */ public static Output getRealmKeys(GetRealmKeysArgs args, InvokeOptions options) { return Deployment.getInstance().invoke("keycloak:index/getRealmKeys:getRealmKeys", TypeShape.of(GetRealmKeysResult.class), args, Utilities.withVersion(options)); } /** - * ## # keycloak.getRealmKeys data source - * * Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. * * Remarks: * * - A key must meet all filter criteria - * - This datasource may return more than one value. - * - If no key matches the filter criteria, then an error is returned. + * - This data source may return more than one value. + * - If no key matches the filter criteria, then an error will be returned. * */ public static CompletableFuture getRealmKeysPlain(GetRealmKeysPlainArgs args, InvokeOptions options) { return Deployment.getInstance().invokeAsync("keycloak:index/getRealmKeys:getRealmKeys", TypeShape.of(GetRealmKeysResult.class), args, Utilities.withVersion(options)); } /** - * ## # keycloak.Role data source - * * This data source can be used to fetch properties of a Keycloak role for * usage with other resources, such as `keycloak.GroupRoles`. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> - * <!--End PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
      * 
-     * ### Argument Reference
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.keycloak.Realm;
+     * import com.pulumi.keycloak.RealmArgs;
+     * import com.pulumi.keycloak.KeycloakFunctions;
+     * import com.pulumi.keycloak.inputs.GetRoleArgs;
+     * import com.pulumi.keycloak.Group;
+     * import com.pulumi.keycloak.GroupArgs;
+     * import com.pulumi.keycloak.GroupRoles;
+     * import com.pulumi.keycloak.GroupRolesArgs;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
      * 
-     * The following arguments are supported:
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
      * 
-     * - `realm_id` - (Required) The realm this role exists within.
-     * - `client_id` - (Optional) When specified, this role is assumed to be a
-     *   client role belonging to the client with the provided ID
-     * - `name` - (Required) The name of the role
+     *     public static void stack(Context ctx) {
+     *         var realm = new Realm("realm", RealmArgs.builder()
+     *             .realm("my-realm")
+     *             .enabled(true)
+     *             .build());
      * 
-     * ### Attributes Reference
+     *         final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("offline_access")
+     *             .build());
      * 
-     * In addition to the arguments listed above, the following computed attributes are exported:
+     *         // use the data source
+     *         var group = new Group("group", GroupArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("group")
+     *             .build());
      * 
-     * - `id` - The unique ID of the role, which can be used as an argument to
-     *   other resources supported by this provider.
-     * - `description` - The description of the role.
+     *         var groupRoles = new GroupRoles("groupRoles", GroupRolesArgs.builder()
+     *             .realmId(realm.id())
+     *             .groupId(group.id())
+     *             .roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))
+     *             .build());
+     * 
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> * */ public static Output getRole(GetRoleArgs args) { return getRole(args, InvokeOptions.Empty); } /** - * ## # keycloak.Role data source - * * This data source can be used to fetch properties of a Keycloak role for * usage with other resources, such as `keycloak.GroupRoles`. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> - * <!--End PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
+     * 
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.keycloak.Realm;
+     * import com.pulumi.keycloak.RealmArgs;
+     * import com.pulumi.keycloak.KeycloakFunctions;
+     * import com.pulumi.keycloak.inputs.GetRoleArgs;
+     * import com.pulumi.keycloak.Group;
+     * import com.pulumi.keycloak.GroupArgs;
+     * import com.pulumi.keycloak.GroupRoles;
+     * import com.pulumi.keycloak.GroupRolesArgs;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
      * 
-     * ### Argument Reference
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
      * 
-     * The following arguments are supported:
+     *     public static void stack(Context ctx) {
+     *         var realm = new Realm("realm", RealmArgs.builder()
+     *             .realm("my-realm")
+     *             .enabled(true)
+     *             .build());
      * 
-     * - `realm_id` - (Required) The realm this role exists within.
-     * - `client_id` - (Optional) When specified, this role is assumed to be a
-     *   client role belonging to the client with the provided ID
-     * - `name` - (Required) The name of the role
+     *         final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("offline_access")
+     *             .build());
      * 
-     * ### Attributes Reference
+     *         // use the data source
+     *         var group = new Group("group", GroupArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("group")
+     *             .build());
      * 
-     * In addition to the arguments listed above, the following computed attributes are exported:
+     *         var groupRoles = new GroupRoles("groupRoles", GroupRolesArgs.builder()
+     *             .realmId(realm.id())
+     *             .groupId(group.id())
+     *             .roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))
+     *             .build());
      * 
-     * - `id` - The unique ID of the role, which can be used as an argument to
-     *   other resources supported by this provider.
-     * - `description` - The description of the role.
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> * */ public static CompletableFuture getRolePlain(GetRolePlainArgs args) { return getRolePlain(args, InvokeOptions.Empty); } /** - * ## # keycloak.Role data source - * * This data source can be used to fetch properties of a Keycloak role for * usage with other resources, such as `keycloak.GroupRoles`. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> - * <!--End PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
      * 
-     * ### Argument Reference
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.keycloak.Realm;
+     * import com.pulumi.keycloak.RealmArgs;
+     * import com.pulumi.keycloak.KeycloakFunctions;
+     * import com.pulumi.keycloak.inputs.GetRoleArgs;
+     * import com.pulumi.keycloak.Group;
+     * import com.pulumi.keycloak.GroupArgs;
+     * import com.pulumi.keycloak.GroupRoles;
+     * import com.pulumi.keycloak.GroupRolesArgs;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
      * 
-     * The following arguments are supported:
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
      * 
-     * - `realm_id` - (Required) The realm this role exists within.
-     * - `client_id` - (Optional) When specified, this role is assumed to be a
-     *   client role belonging to the client with the provided ID
-     * - `name` - (Required) The name of the role
+     *     public static void stack(Context ctx) {
+     *         var realm = new Realm("realm", RealmArgs.builder()
+     *             .realm("my-realm")
+     *             .enabled(true)
+     *             .build());
      * 
-     * ### Attributes Reference
+     *         final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("offline_access")
+     *             .build());
      * 
-     * In addition to the arguments listed above, the following computed attributes are exported:
+     *         // use the data source
+     *         var group = new Group("group", GroupArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("group")
+     *             .build());
      * 
-     * - `id` - The unique ID of the role, which can be used as an argument to
-     *   other resources supported by this provider.
-     * - `description` - The description of the role.
+     *         var groupRoles = new GroupRoles("groupRoles", GroupRolesArgs.builder()
+     *             .realmId(realm.id())
+     *             .groupId(group.id())
+     *             .roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))
+     *             .build());
+     * 
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> * */ public static Output getRole(GetRoleArgs args, InvokeOptions options) { return Deployment.getInstance().invoke("keycloak:index/getRole:getRole", TypeShape.of(GetRoleResult.class), args, Utilities.withVersion(options)); } /** - * ## # keycloak.Role data source - * * This data source can be used to fetch properties of a Keycloak role for * usage with other resources, such as `keycloak.GroupRoles`. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> - * <!--End PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
+     * 
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.keycloak.Realm;
+     * import com.pulumi.keycloak.RealmArgs;
+     * import com.pulumi.keycloak.KeycloakFunctions;
+     * import com.pulumi.keycloak.inputs.GetRoleArgs;
+     * import com.pulumi.keycloak.Group;
+     * import com.pulumi.keycloak.GroupArgs;
+     * import com.pulumi.keycloak.GroupRoles;
+     * import com.pulumi.keycloak.GroupRolesArgs;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
      * 
-     * ### Argument Reference
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
      * 
-     * The following arguments are supported:
+     *     public static void stack(Context ctx) {
+     *         var realm = new Realm("realm", RealmArgs.builder()
+     *             .realm("my-realm")
+     *             .enabled(true)
+     *             .build());
      * 
-     * - `realm_id` - (Required) The realm this role exists within.
-     * - `client_id` - (Optional) When specified, this role is assumed to be a
-     *   client role belonging to the client with the provided ID
-     * - `name` - (Required) The name of the role
+     *         final var offlineAccess = KeycloakFunctions.getRole(GetRoleArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("offline_access")
+     *             .build());
      * 
-     * ### Attributes Reference
+     *         // use the data source
+     *         var group = new Group("group", GroupArgs.builder()
+     *             .realmId(realm.id())
+     *             .name("group")
+     *             .build());
      * 
-     * In addition to the arguments listed above, the following computed attributes are exported:
+     *         var groupRoles = new GroupRoles("groupRoles", GroupRolesArgs.builder()
+     *             .realmId(realm.id())
+     *             .groupId(group.id())
+     *             .roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))
+     *             .build());
      * 
-     * - `id` - The unique ID of the role, which can be used as an argument to
-     *   other resources supported by this provider.
-     * - `description` - The description of the role.
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser -->
 *
 */
 public static CompletableFuture getRolePlain(GetRolePlainArgs args, InvokeOptions options) {
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/Realm.java b/sdk/java/src/main/java/com/pulumi/keycloak/Realm.java
index 91684e47..e79090c1 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/Realm.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/Realm.java
@@ -24,6 +24,122 @@
 import java.util.Optional;
 import javax.annotation.Nullable;
+/**
+ * Allows for creating and managing Realms within Keycloak.
+ *
+ * A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated
+ * from multiple sources.
+ *
+ * ## Example Usage
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
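Review bot: The Java example added for the getRole overloads does not compile as written: in `.roleIds(offlineAccess.applyValue(getRoleResult -> getRoleResult).applyValue(offlineAccess -> offlineAccess.applyValue(getRoleResult -> getRoleResult.id())))` the inner lambda parameter reuses the name of the `offlineAccess` local declared a few lines above, which Java rejects as a redefinition, and it then calls `applyValue` on a plain `GetRoleResult` rather than on an `Output`. The same generated projection appears in all four getRole overloads of this hunk and, for `.groupId(...)` and `.roleIds(...)`, in the getGroup examples of the hunk preceding it, so the fix belongs in the upstream docs example or the code generator rather than in each copy. A single `offlineAccess.applyValue(getRoleResult -> getRoleResult.id())` expresses the intent; if `roleIds` expects a list (inferred from the name, not visible here), wrap the id in `List.of(...)` inside that lambda.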
+ * {@code
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.keycloak.Realm;
+ * import com.pulumi.keycloak.RealmArgs;
+ * import com.pulumi.keycloak.inputs.RealmSmtpServerArgs;
+ * import com.pulumi.keycloak.inputs.RealmSmtpServerAuthArgs;
+ * import com.pulumi.keycloak.inputs.RealmInternationalizationArgs;
+ * import com.pulumi.keycloak.inputs.RealmSecurityDefensesArgs;
+ * import com.pulumi.keycloak.inputs.RealmSecurityDefensesHeadersArgs;
+ * import com.pulumi.keycloak.inputs.RealmSecurityDefensesBruteForceDetectionArgs;
+ * import com.pulumi.keycloak.inputs.RealmWebAuthnPolicyArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App }{{@code
+ *     public static void main(String[] args) }{{@code
+ *         Pulumi.run(App::stack);
+ *     }}{@code
+ * 
+ *     public static void stack(Context ctx) }{{@code
+ *         var realm = new Realm("realm", RealmArgs.builder()
+ *             .realm("my-realm")
+ *             .enabled(true)
+ *             .displayName("my realm")
+ *             .displayNameHtml("my realm")
+ *             .loginTheme("base")
+ *             .accessCodeLifespan("1h")
+ *             .sslRequired("external")
+ *             .passwordPolicy("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername")
+ *             .attributes(Map.of("mycustomAttribute", "myCustomValue"))
+ *             .smtpServer(RealmSmtpServerArgs.builder()
+ *                 .host("smtp.example.com")
+ *                 .from("example}{@literal @}{@code example.com")
+ *                 .auth(RealmSmtpServerAuthArgs.builder()
+ *                     .username("tom")
+ *                     .password("password")
+ *                     .build())
+ *                 .build())
+ *             .internationalization(RealmInternationalizationArgs.builder()
+ *                 .supportedLocales(                
+ *                     "en",
+ *                     "de",
+ *                     "es")
+ *                 .defaultLocale("en")
+ *                 .build())
+ *             .securityDefenses(RealmSecurityDefensesArgs.builder()
+ *                 .headers(RealmSecurityDefensesHeadersArgs.builder()
+ *                     .xFrameOptions("DENY")
+ *                     .contentSecurityPolicy("frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
+ *                     .contentSecurityPolicyReportOnly("")
+ *                     .xContentTypeOptions("nosniff")
+ *                     .xRobotsTag("none")
+ *                     .xXssProtection("1; mode=block")
+ *                     .strictTransportSecurity("max-age=31536000; includeSubDomains")
+ *                     .build())
+ *                 .bruteForceDetection(RealmSecurityDefensesBruteForceDetectionArgs.builder()
+ *                     .permanentLockout(false)
+ *                     .maxLoginFailures(30)
+ *                     .waitIncrementSeconds(60)
+ *                     .quickLoginCheckMilliSeconds(1000)
+ *                     .minimumQuickLoginWaitSeconds(60)
+ *                     .maxFailureWaitSeconds(900)
+ *                     .failureResetTimeSeconds(43200)
+ *                     .build())
+ *                 .build())
+ *             .webAuthnPolicy(RealmWebAuthnPolicyArgs.builder()
+ *                 .relyingPartyEntityName("Example")
+ *                 .relyingPartyId("keycloak.example.com")
+ *                 .signatureAlgorithms(                
+ *                     "ES256",
+ *                     "RS256")
+ *                 .build())
+ *             .build());
+ * 
+ *     }}{@code
+ * }}{@code
+ * }
+ * 
+ * <!--End PulumiCodeChooser -->
+ *
+ * ## Default Client Scopes
+ *
+ * - `default_default_client_scopes` - (Optional) A list of default default client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default default client-scopes.
+ * - `default_optional_client_scopes` - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default optional client-scopes.
+ *
+ * ## Import
+ *
+ * Realms can be imported using their name.
+ *
+ * Example:
+ *
+ * bash
+ *
+ * ```sh
+ * $ pulumi import keycloak:index/realm:Realm realm my-realm
+ * ```
+ *
+ */
 @ResourceType(type="keycloak:index/realm:Realm")
 public class Realm extends com.pulumi.resources.CustomResource {
 @Export(name="accessCodeLifespan", refs={String.class}, tree="[0]")
@@ -80,9 +196,17 @@ public Output actionTokenGeneratedByUserLifespan() {
 public Output> adminTheme() {
 return Codegen.optional(this.adminTheme);
 }
+ /**
+ * A map of custom attributes to add to the realm.
+ *
+ */
 @Export(name="attributes", refs={Map.class,String.class}, tree="[0,1,1]")
 private Output> attributes;
+ /**
+ * @return A map of custom attributes to add to the realm.
+ *
+ */
 public Output>> attributes() {
 return Codegen.optional(this.attributes);
 }
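Review bot: The Realm example in the new class Javadoc hard-codes the SMTP mailbox credential, `.password("password")`, and nothing around the snippet tells readers that an input supplied as a literal is recorded unencrypted in the stack state. Since this example is what users copy, reading it from secret config, `.password(ctx.config().requireSecret("smtpPassword"))`, keeps the value out of source and marks it secret in state; if the generator cannot change the snippet, a one-line note below it saying to supply `smtpServer.auth.password` from a secret would do. The Javadoc is generated from the provider's website docs, so the change presumably belongs there rather than in this file.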
@@ -158,15 +282,31 @@ public Output> defaultSignatureAlgorithm() {
 public Output directGrantFlow() {
 return this.directGrantFlow;
 }
+ /**
+ * The display name for the realm that is shown when logging in to the admin console.
+ *
+ */
 @Export(name="displayName", refs={String.class}, tree="[0]")
 private Output displayName;
+ /**
+ * @return The display name for the realm that is shown when logging in to the admin console.
+ *
+ */
 public Output> displayName() {
 return Codegen.optional(this.displayName);
 }
+ /**
+ * The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+ *
+ */
 @Export(name="displayNameHtml", refs={String.class}, tree="[0]")
 private Output displayNameHtml;
+ /**
+ * @return The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+ *
+ */
 public Output> displayNameHtml() {
 return Codegen.optional(this.displayNameHtml);
 }
@@ -202,15 +342,31 @@ public Output editUsernameAllowed() {
 public Output> emailTheme() {
 return Codegen.optional(this.emailTheme);
 }
+ /**
+ * When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ *
+ */
 @Export(name="enabled", refs={Boolean.class}, tree="[0]")
 private Output enabled;
+ /**
+ * @return When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ *
+ */
 public Output> enabled() {
 return Codegen.optional(this.enabled);
 }
+ /**
+ * When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
+ *
+ */
 @Export(name="internalId", refs={String.class}, tree="[0]")
 private Output internalId;
+ /**
+ * @return When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
+ *
+ */
 public Output internalId() {
 return this.internalId;
 }
@@ -286,9 +442,17 @@ public Output otpPolicy() {
 public Output> passwordPolicy() {
 return Codegen.optional(this.passwordPolicy);
 }
+ /**
+ * The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
+ *
+ */
 @Export(name="realm", refs={String.class}, tree="[0]")
 private Output realm;
+ /**
+ * @return The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
+ *
+ */
 public Output realm() {
 return this.realm;
 }
@@ -406,9 +570,17 @@ public Output ssoSessionMaxLifespan() {
 public Output ssoSessionMaxLifespanRememberMe() {
 return this.ssoSessionMaxLifespanRememberMe;
 }
+ /**
+ * When `true`, users are allowed to manage their own resources. Defaults to `false`.
+ *
+ */
 @Export(name="userManagedAccess", refs={Boolean.class}, tree="[0]")
 private Output userManagedAccess;
+ /**
+ * @return When `true`, users are allowed to manage their own resources. Defaults to `false`.
+ *
+ */
 public Output> userManagedAccess() {
 return Codegen.optional(this.userManagedAccess);
 }
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/RealmArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/RealmArgs.java
index cec472a3..22176443 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/RealmArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/RealmArgs.java
@@ -89,9 +89,17 @@ public Optional> adminTheme() {
 return Optional.ofNullable(this.adminTheme);
 }
+ /**
+ * A map of custom attributes to add to the realm.
+ *
+ */
 @Import(name="attributes")
 private @Nullable Output> attributes;
+ /**
+ * @return A map of custom attributes to add to the realm.
+ *
+ */
 public Optional>> attributes() {
 return Optional.ofNullable(this.attributes);
 }
@@ -176,16 +184,32 @@ public Optional> directGrantFlow() {
 return Optional.ofNullable(this.directGrantFlow);
 }
+ /**
+ * The display name for the realm that is shown when logging in to the admin console.
+ *
+ */
 @Import(name="displayName")
 private @Nullable Output displayName;
+ /**
+ * @return The display name for the realm that is shown when logging in to the admin console.
+ *
+ */
 public Optional> displayName() {
 return Optional.ofNullable(this.displayName);
 }
+ /**
+ * The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+ *
+ */
 @Import(name="displayNameHtml")
 private @Nullable Output displayNameHtml;
+ /**
+ * @return The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+ *
+ */
 public Optional> displayNameHtml() {
 return Optional.ofNullable(this.displayNameHtml);
 }
@@ -226,16 +250,32 @@ public Optional> emailTheme() {
 return Optional.ofNullable(this.emailTheme);
 }
+ /**
+ * When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ *
+ */
 @Import(name="enabled")
 private @Nullable Output enabled;
+ /**
+ * @return When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ *
+ */
 public Optional> enabled() {
 return Optional.ofNullable(this.enabled);
 }
+ /**
+ * When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
+ *
+ */
 @Import(name="internalId")
 private @Nullable Output internalId;
+ /**
+ * @return When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
+ *
+ */
 public Optional> internalId() {
 return Optional.ofNullable(this.internalId);
 }
@@ -322,9 +362,17 @@ public Optional> passwordPolicy() { return Optional.ofNullable(this.passwordPolicy); } + /** + * The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + * + */ @Import(name="realm", required=true) private Output realm; + /** + * @return The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + * + */ public Output realm() { return this.realm; } @@ -458,9 +506,17 @@ public Optional> ssoSessionMaxLifespanRememberMe() { return Optional.ofNullable(this.ssoSessionMaxLifespanRememberMe); } + /** + * When `true`, users are allowed to manage their own resources. Defaults to `false`. + * + */ @Import(name="userManagedAccess") private @Nullable Output userManagedAccess; + /** + * @return When `true`, users are allowed to manage their own resources. Defaults to `false`. + * + */ public Optional> userManagedAccess() { return Optional.ofNullable(this.userManagedAccess); } @@ -646,11 +702,23 @@ public Builder adminTheme(String adminTheme) { return adminTheme(Output.of(adminTheme)); } + /** + * @param attributes A map of custom attributes to add to the realm. + * + * @return builder + * + */ public Builder attributes(@Nullable Output> attributes) { $.attributes = attributes; return this; } + /** + * @param attributes A map of custom attributes to add to the realm. + * + * @return builder + * + */ public Builder attributes(Map attributes) { return attributes(Output.of(attributes)); } 
@@ -771,20 +839,44 @@ public Builder directGrantFlow(String directGrantFlow) { return directGrantFlow(Output.of(directGrantFlow)); } + /** + * @param displayName The display name for the realm that is shown when logging in to the admin console. + * + * @return builder + * + */ public Builder displayName(@Nullable Output displayName) { $.displayName = displayName; return this; } + /** + * @param displayName The display name for the realm that is shown when logging in to the admin console. + * + * @return builder + * + */ public Builder displayName(String displayName) { return displayName(Output.of(displayName)); } + /** + * @param displayNameHtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + * + * @return builder + * + */ public Builder displayNameHtml(@Nullable Output displayNameHtml) { $.displayNameHtml = displayNameHtml; return this; } + /** + * @param displayNameHtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + * + * @return builder + * + */ public Builder displayNameHtml(String displayNameHtml) { return displayNameHtml(Output.of(displayNameHtml)); } 
@@ -837,20 +929,44 @@ public Builder emailTheme(String emailTheme) { return emailTheme(Output.of(emailTheme)); } + /** + * @param enabled When `false`, users and clients will not be able to access this realm. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(@Nullable Output enabled) { $.enabled = enabled; return this; } + /** + * @param enabled When `false`, users and clients will not be able to access this realm. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(Boolean enabled) { return enabled(Output.of(enabled)); } + /** + * @param internalId When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + * + * @return builder + * + */ public Builder internalId(@Nullable Output internalId) { $.internalId = internalId; return this; } + /** + * @param internalId When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + * + * @return builder + * + */ public Builder internalId(String internalId) { return internalId(Output.of(internalId)); } @@ -961,11 +1077,23 @@ public Builder passwordPolicy(String passwordPolicy) { return passwordPolicy(Output.of(passwordPolicy)); } + /** + * @param realm The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + * + * @return builder + * + */ public Builder realm(Output realm) { $.realm = realm; return this; } + /** + * @param realm The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + * + * @return builder + * + */ public Builder realm(String realm) { return realm(Output.of(realm)); } 
@@ -1141,11 +1269,23 @@ public Builder ssoSessionMaxLifespanRememberMe(String ssoSessionMaxLifespanRemem return ssoSessionMaxLifespanRememberMe(Output.of(ssoSessionMaxLifespanRememberMe)); } + /** + * @param userManagedAccess When `true`, users are allowed to manage their own resources. Defaults to `false`. + * + * @return builder + * + */ public Builder userManagedAccess(@Nullable Output userManagedAccess) { $.userManagedAccess = userManagedAccess; return this; } + /** + * @param userManagedAccess When `true`, users are allowed to manage their own resources. Defaults to `false`. + * + * @return builder + * + */ public Builder userManagedAccess(Boolean userManagedAccess) { return userManagedAccess(Output.of(userManagedAccess)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/RealmEvents.java b/sdk/java/src/main/java/com/pulumi/keycloak/RealmEvents.java index 107afab3..b632ba92 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/RealmEvents.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/RealmEvents.java @@ -18,11 +18,9 @@ import javax.annotation.Nullable; /** - * ## # keycloak.RealmEvents - * * Allows for managing Realm Events settings within Keycloak. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -50,7 +48,8 @@
  * 
  *     public static void stack(Context ctx) {
  *         var realm = new Realm("realm", RealmArgs.builder()
- *             .realm("test")
+ *             .realm("my-realm")
+ *             .enabled(true)
  *             .build());
  * 
  *         var realmEvents = new RealmEvents("realmEvents", RealmEventsArgs.builder()
@@ -71,60 +70,108 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: + * ## Import * - * - `realm_id` - (Required) The name of the realm the event settings apply to. - * - `admin_events_enabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`. - * - `admin_events_details_enabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`. - * - `events_enabled` - (Optional) When true, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. - * - `events_expiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never. - * - `enabled_event_types` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. - * - `events_listeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * This resource currently does not support importing. * */ @ResourceType(type="keycloak:index/realmEvents:RealmEvents") public class RealmEvents extends com.pulumi.resources.CustomResource { + /** + * When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + * + */ @Export(name="adminEventsDetailsEnabled", refs={Boolean.class}, tree="[0]") private Output adminEventsDetailsEnabled; + /** + * @return When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. 
+ * + */ public Output> adminEventsDetailsEnabled() { return Codegen.optional(this.adminEventsDetailsEnabled); } + /** + * When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ @Export(name="adminEventsEnabled", refs={Boolean.class}, tree="[0]") private Output adminEventsEnabled; + /** + * @return When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ public Output> adminEventsEnabled() { return Codegen.optional(this.adminEventsEnabled); } + /** + * The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + */ @Export(name="enabledEventTypes", refs={List.class,String.class}, tree="[0,1]") private Output> enabledEventTypes; + /** + * @return The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + */ public Output>> enabledEventTypes() { return Codegen.optional(this.enabledEventTypes); } + /** + * When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ @Export(name="eventsEnabled", refs={Boolean.class}, tree="[0]") private Output eventsEnabled; + /** + * @return When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ public Output> eventsEnabled() { return Codegen.optional(this.eventsEnabled); } + /** + * The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + * + */ @Export(name="eventsExpiration", refs={Integer.class}, tree="[0]") private Output eventsExpiration; + /** + * @return The amount of time in seconds events will be saved in the database. Defaults to `0` or never. 
+ * + */ public Output> eventsExpiration() { return Codegen.optional(this.eventsExpiration); } + /** + * The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + */ @Export(name="eventsListeners", refs={List.class,String.class}, tree="[0,1]") private Output> eventsListeners; + /** + * @return The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + */ public Output>> eventsListeners() { return Codegen.optional(this.eventsListeners); } + /** + * The name of the realm the event settings apply to. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The name of the realm the event settings apply to. + * + */ public Output realmId() { return this.realmId; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/RealmEventsArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/RealmEventsArgs.java index 7094f69d..d9fec2f3 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/RealmEventsArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/RealmEventsArgs.java 
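Review bot: The Javadoc added for `adminEventsDetailsEnabled` reads `saved admin events will included detailed information`, which should be `will include`. The `eventsExpiration` text `Defaults to \`0\` or never` is ambiguous; clearer is `Defaults to \`0\`, meaning stored events are never expired.` The `eventsListeners` sentence about `jboss-logging` being removed is the one that matters for audit logging, and I would make the remedy explicit: `To keep the default audit log output, list \`jboss-logging\` explicitly, e.g. \`.eventsListeners("jboss-logging")\`.` The same wording is duplicated on the `RealmEventsArgs` Javadoc in the following hunks, so the fixes apply there too.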
@@ -19,51 +19,107 @@ public final class RealmEventsArgs extends com.pulumi.resources.ResourceArgs { public static final RealmEventsArgs Empty = new RealmEventsArgs(); + /** + * When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + * + */ @Import(name="adminEventsDetailsEnabled") private @Nullable Output adminEventsDetailsEnabled; + /** + * @return When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + * + */ public Optional> adminEventsDetailsEnabled() { return Optional.ofNullable(this.adminEventsDetailsEnabled); } + /** + * When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ @Import(name="adminEventsEnabled") private @Nullable Output adminEventsEnabled; + /** + * @return When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ public Optional> adminEventsEnabled() { return Optional.ofNullable(this.adminEventsEnabled); } + /** + * The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + */ @Import(name="enabledEventTypes") private @Nullable Output> enabledEventTypes; + /** + * @return The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + */ public Optional>> enabledEventTypes() { return Optional.ofNullable(this.enabledEventTypes); } + /** + * When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ @Import(name="eventsEnabled") private @Nullable Output eventsEnabled; + /** + * @return When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. 
+ * + */ public Optional> eventsEnabled() { return Optional.ofNullable(this.eventsEnabled); } + /** + * The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + * + */ @Import(name="eventsExpiration") private @Nullable Output eventsExpiration; + /** + * @return The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + * + */ public Optional> eventsExpiration() { return Optional.ofNullable(this.eventsExpiration); } + /** + * The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + */ @Import(name="eventsListeners") private @Nullable Output> eventsListeners; + /** + * @return The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + */ public Optional>> eventsListeners() { return Optional.ofNullable(this.eventsListeners); } + /** + * The name of the realm the event settings apply to. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The name of the realm the event settings apply to. + * + */ public Output realmId() { return this.realmId; } 
@@ -98,73 +154,169 @@ public Builder(RealmEventsArgs defaults) { $ = new RealmEventsArgs(Objects.requireNonNull(defaults)); } + /** + * @param adminEventsDetailsEnabled When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + * + * @return builder + * + */ public Builder adminEventsDetailsEnabled(@Nullable Output adminEventsDetailsEnabled) { $.adminEventsDetailsEnabled = adminEventsDetailsEnabled; return this; } + /** + * @param adminEventsDetailsEnabled When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + * + * @return builder + * + */ public Builder adminEventsDetailsEnabled(Boolean adminEventsDetailsEnabled) { return adminEventsDetailsEnabled(Output.of(adminEventsDetailsEnabled)); } + /** + * @param adminEventsEnabled When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + * @return builder + * + */ public Builder adminEventsEnabled(@Nullable Output adminEventsEnabled) { $.adminEventsEnabled = adminEventsEnabled; return this; } + /** + * @param adminEventsEnabled When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + * @return builder + * + */ public Builder adminEventsEnabled(Boolean adminEventsEnabled) { return adminEventsEnabled(Output.of(adminEventsEnabled)); } + /** + * @param enabledEventTypes The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + * @return builder + * + */ public Builder enabledEventTypes(@Nullable Output> enabledEventTypes) { $.enabledEventTypes = enabledEventTypes; return this; } + /** + * @param enabledEventTypes The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. 
+ * + * @return builder + * + */ public Builder enabledEventTypes(List enabledEventTypes) { return enabledEventTypes(Output.of(enabledEventTypes)); } + /** + * @param enabledEventTypes The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + * @return builder + * + */ public Builder enabledEventTypes(String... enabledEventTypes) { return enabledEventTypes(List.of(enabledEventTypes)); } + /** + * @param eventsEnabled When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + * + * @return builder + * + */ public Builder eventsEnabled(@Nullable Output eventsEnabled) { $.eventsEnabled = eventsEnabled; return this; } + /** + * @param eventsEnabled When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + * + * @return builder + * + */ public Builder eventsEnabled(Boolean eventsEnabled) { return eventsEnabled(Output.of(eventsEnabled)); } + /** + * @param eventsExpiration The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + * + * @return builder + * + */ public Builder eventsExpiration(@Nullable Output eventsExpiration) { $.eventsExpiration = eventsExpiration; return this; } + /** + * @param eventsExpiration The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + * + * @return builder + * + */ public Builder eventsExpiration(Integer eventsExpiration) { return eventsExpiration(Output.of(eventsExpiration)); } + /** + * @param eventsListeners The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. 
+ * + * @return builder + * + */ public Builder eventsListeners(@Nullable Output> eventsListeners) { $.eventsListeners = eventsListeners; return this; } + /** + * @param eventsListeners The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + * @return builder + * + */ public Builder eventsListeners(List eventsListeners) { return eventsListeners(Output.of(eventsListeners)); } + /** + * @param eventsListeners The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + * @return builder + * + */ public Builder eventsListeners(String... eventsListeners) { return eventsListeners(List.of(eventsListeners)); } + /** + * @param realmId The name of the realm the event settings apply to. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The name of the realm the event settings apply to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/Role.java b/sdk/java/src/main/java/com/pulumi/keycloak/Role.java index 20d6b1ee..386a7491 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/Role.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/Role.java 
@@ -17,14 +17,13 @@ import javax.annotation.Nullable; /** - * ## # keycloak.Role - * * Allows for creating and managing roles within Keycloak. * - * Roles allow you define privileges within Keycloak and map them to users - * and groups. + * Roles allow you define privileges within Keycloak and map them to users and groups. + * + * ## Example Usage * - * ### Example Usage (Realm role) + * ### Realm Role) * * <!--Start PulumiCodeChooser --> *
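Review bot: The new heading `### Realm Role)` keeps a stray closing parenthesis from the old `### Example Usage (Realm role)` title; it should be `### Realm Role`, and the same leftover appears in the `### Client Role)` and `### Composite Role)` headings later in this file. The retained sentence `Roles allow you define privileges` is also missing a word and should read `Roles allow you to define privileges`.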
@@ -60,6 +59,10 @@
  *             .realmId(realm.id())
  *             .name("my-realm-role")
  *             .description("My Realm Role")
+ *             .attributes(Map.ofEntries(
+ *                 Map.entry("key", "value"),
+ *                 Map.entry("multivalue", "value1##value2")
+ *             ))
  *             .build());
  * 
  *     }
@@ -68,7 +71,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Client role) + * ### Client Role) * * <!--Start PulumiCodeChooser --> *
@@ -102,19 +105,21 @@
  *             .enabled(true)
  *             .build());
  * 
- *         var client = new Client("client", ClientArgs.builder()
+ *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
  *             .clientId("client")
  *             .name("client")
  *             .enabled(true)
- *             .accessType("BEARER-ONLY")
+ *             .accessType("CONFIDENTIAL")
+ *             .validRedirectUris("http://localhost:8080/openid-callback")
  *             .build());
  * 
  *         var clientRole = new Role("clientRole", RoleArgs.builder()
  *             .realmId(realm.id())
- *             .clientId(clientKeycloakClient.id())
+ *             .clientId(openidClientKeycloakClient.id())
  *             .name("my-client-role")
  *             .description("My Client Role")
+ *             .attributes(Map.of("key", "value"))
  *             .build());
  * 
  *     }
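Review bot: The client-role example now declares the client as `openidClient`, but the role still references `openidClientKeycloakClient.id()`, which is not declared anywhere in the visible snippet and will not compile if copied; it should read `.clientId(openidClient.id())`. The switch to `accessType("CONFIDENTIAL")` with a plain `http://localhost` redirect URI is acceptable for a local demo, but a one-line comment such as `// use https:// redirect URIs outside local development` would stop readers from carrying the `http://` form into real realms.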
@@ -123,7 +128,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Composite role) + * ### Composite Role) * * <!--Start PulumiCodeChooser --> *
@@ -161,48 +166,55 @@
  *         var createRole = new Role("createRole", RoleArgs.builder()
  *             .realmId(realm.id())
  *             .name("create")
+ *             .attributes(Map.of("key", "value"))
  *             .build());
  * 
  *         var readRole = new Role("readRole", RoleArgs.builder()
  *             .realmId(realm.id())
  *             .name("read")
+ *             .attributes(Map.of("key", "value"))
  *             .build());
  * 
  *         var updateRole = new Role("updateRole", RoleArgs.builder()
  *             .realmId(realm.id())
  *             .name("update")
+ *             .attributes(Map.of("key", "value"))
  *             .build());
  * 
  *         var deleteRole = new Role("deleteRole", RoleArgs.builder()
  *             .realmId(realm.id())
  *             .name("delete")
+ *             .attributes(Map.of("key", "value"))
  *             .build());
  * 
  *         // client role
- *         var client = new Client("client", ClientArgs.builder()
+ *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
  *             .clientId("client")
  *             .name("client")
  *             .enabled(true)
- *             .accessType("BEARER-ONLY")
+ *             .accessType("CONFIDENTIAL")
+ *             .validRedirectUris("http://localhost:8080/openid-callback")
  *             .build());
  * 
  *         var clientRole = new Role("clientRole", RoleArgs.builder()
  *             .realmId(realm.id())
- *             .clientId(clientKeycloakClient.id())
+ *             .clientId(openidClientKeycloakClient.id())
  *             .name("my-client-role")
  *             .description("My Client Role")
+ *             .attributes(Map.of("key", "value"))
  *             .build());
  * 
  *         var adminRole = new Role("adminRole", RoleArgs.builder()
  *             .realmId(realm.id())
  *             .name("admin")
  *             .compositeRoles(            
- *                 "{keycloak_role.create_role.id}",
- *                 "{keycloak_role.read_role.id}",
- *                 "{keycloak_role.update_role.id}",
- *                 "{keycloak_role.delete_role.id}",
- *                 "{keycloak_role.client_role.id}")
+ *                 createRole.id(),
+ *                 readRole.id(),
+ *                 updateRole.id(),
+ *                 deleteRole.id(),
+ *                 clientRole.id())
+ *             .attributes(Map.of("key", "value"))
  *             .build());
  * 
  *     }
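Review bot: Same unresolved reference as in the client-role example: the client is declared as `openidClient` near the top of this hunk, yet `clientRole` uses `.clientId(openidClientKeycloakClient.id())`, which does not resolve in the snippet; it should be `.clientId(openidClient.id())`. Replacing the literal `"{keycloak_role.create_role.id}"` strings with `createRole.id()` and friends in `compositeRoles` is the right fix, since the old placeholders were presumably being passed to Keycloak verbatim as role IDs.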
@@ -211,64 +223,104 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where `role_id` is the unique ID that Keycloak assigns * - * - `realm_id` - (Required) The realm this role exists within. - * - `client_id` - (Optional) When specified, this role will be created as - * a client role attached to the client with the provided ID - * - `name` - (Required) The name of the role - * - `description` - (Optional) The description of the role - * - `composite_roles` - (Optional) When specified, this role will be a - * composite role, composed of all roles that have an ID present within - * this list. + * to the role. The ID is not easy to find in the GUI, but it appears in the URL when editing the role. * - * ### Import + * Example: * - * Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where - * `role_id` is the unique ID that Keycloak assigns to the role. The ID is - * not easy to find in the GUI, but it appears in the URL when editing the - * role. + * bash * - * Example: + * ```sh + * $ pulumi import keycloak:index/role:Role role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad + * ``` * */ @ResourceType(type="keycloak:index/role:Role") public class Role extends com.pulumi.resources.CustomResource { + /** + * A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ @Export(name="attributes", refs={Map.class,String.class}, tree="[0,1,1]") private Output> attributes; + /** + * @return A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. 
Max length for each value is 255 chars + * + */ public Output>> attributes() { return Codegen.optional(this.attributes); } + /** + * When specified, this role will be created as a client role attached to the client with the provided ID + * + */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; + /** + * @return When specified, this role will be created as a client role attached to the client with the provided ID + * + */ public Output> clientId() { return Codegen.optional(this.clientId); } + /** + * When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + */ @Export(name="compositeRoles", refs={List.class,String.class}, tree="[0,1]") private Output> compositeRoles; + /** + * @return When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + */ public Output>> compositeRoles() { return Codegen.optional(this.compositeRoles); } + /** + * The description of the role + * + */ @Export(name="description", refs={String.class}, tree="[0]") private Output description; + /** + * @return The description of the role + * + */ public Output> description() { return Codegen.optional(this.description); } + /** + * The name of the role + * + */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; + /** + * @return The name of the role + * + */ public Output name() { return this.name; } + /** + * The realm this role exists within. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this role exists within. + * + */ public Output realmId() { return this.realmId; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/RoleArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/RoleArgs.java index f80db2ca..47fabfb5 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/RoleArgs.java 
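Review bot: The new `attributes` Javadoc spells `seperate` and should read `separate`, and in the Import section the bare line `bash` is a leftover fenced-code language tag that should be dropped. The `##` convention also deserves a stated consequence, because any single value containing `##` is split into several values; add `A value that itself contains \`##\` cannot be stored as one value.` Both Javadoc copies in this hunk (field and getter) carry the same text, as does `RoleArgs` in the next file.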
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/RoleArgs.java 
@@ -18,44 +18,92 @@ public final class RoleArgs extends com.pulumi.resources.ResourceArgs { public static final RoleArgs Empty = new RoleArgs(); + /** + * A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ @Import(name="attributes") private @Nullable Output> attributes; + /** + * @return A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ public Optional>> attributes() { return Optional.ofNullable(this.attributes); } + /** + * When specified, this role will be created as a client role attached to the client with the provided ID + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return When specified, this role will be created as a client role attached to the client with the provided ID + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + */ @Import(name="compositeRoles") private @Nullable Output> compositeRoles; + /** + * @return When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + */ public Optional>> compositeRoles() { return Optional.ofNullable(this.compositeRoles); } + /** + * The description of the role + * + */ @Import(name="description") private @Nullable Output description; + /** + * @return The description of the role + * + */ public Optional> description() { return Optional.ofNullable(this.description); } + /** + * The name of the role + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The name of the role + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The realm this role exists within. 
+ * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this role exists within. + * + */ public Output realmId() { return this.realmId; } 
@@ -89,60 +137,138 @@ public Builder(RoleArgs defaults) { $ = new RoleArgs(Objects.requireNonNull(defaults)); } + /** + * @param attributes A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(@Nullable Output> attributes) { $.attributes = attributes; return this; } + /** + * @param attributes A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(Map attributes) { return attributes(Output.of(attributes)); } + /** + * @param clientId When specified, this role will be created as a client role attached to the client with the provided ID + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId When specified, this role will be created as a client role attached to the client with the provided ID + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param compositeRoles When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + * @return builder + * + */ public Builder compositeRoles(@Nullable Output> compositeRoles) { $.compositeRoles = compositeRoles; return this; } + /** + * @param compositeRoles When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + * @return builder + * + */ public Builder compositeRoles(List compositeRoles) { return compositeRoles(Output.of(compositeRoles)); } + /** + * @param compositeRoles When specified, this role will be a composite role, composed of all roles that have an ID present within this list. 
+ * + * @return builder + * + */ public Builder compositeRoles(String... compositeRoles) { return compositeRoles(List.of(compositeRoles)); } + /** + * @param description The description of the role + * + * @return builder + * + */ public Builder description(@Nullable Output description) { $.description = description; return this; } + /** + * @param description The description of the role + * + * @return builder + * + */ public Builder description(String description) { return description(Output.of(description)); } + /** + * @param name The name of the role + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The name of the role + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this role exists within. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this role exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/User.java b/sdk/java/src/main/java/com/pulumi/keycloak/User.java index bea876db..1e016284 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/User.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/User.java 
@@ -20,15 +20,13 @@ import javax.annotation.Nullable; /** - * ## # keycloak.User - * * Allows for creating and managing Users within Keycloak. * - * This resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource. - * Creating users within Keycloak is not recommended. Instead, users should be federated from external sources - * by configuring user federation providers or identity providers. + * This resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource. Creating users within + * Keycloak is not recommended. Instead, users should be federated from external sources by configuring user federation providers + * or identity providers. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -77,6 +75,10 @@
  *             .email("alice}{@literal @}{@code domain.com")
  *             .firstName("Alice")
  *             .lastName("Aliceberg")
+ *             .attributes(Map.ofEntries(
+ *                 Map.entry("foo", "bar"),
+ *                 Map.entry("multivalue", "value1##value2")
+ *             ))
  *             .initialPassword(UserInitialPasswordArgs.builder()
  *                 .value("some password")
  *                 .temporary(true)
@@ -89,94 +91,174 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this user belongs to. - * - `username` - (Required) The unique username of this user. - * - `initial_password` (Optional) When given, the user's initial password will be set. - * This attribute is only respected during initial user creation. - * - `value` (Required) The initial password. - * - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. - * - `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. - * - `email` - (Optional) The user's email. - * - `first_name` - (Optional) The user's first name. - * - `last_name` - (Optional) The user's last name. - * - * ### Import + * ## Import * * Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak + * * assigns to the user upon creation. This value can be found in the GUI when editing the user. * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:index/user:User user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 + * ``` + * */ @ResourceType(type="keycloak:index/user:User") public class User extends com.pulumi.resources.CustomResource { + /** + * A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ @Export(name="attributes", refs={Map.class,String.class}, tree="[0,1,1]") private Output> attributes; + /** + * @return A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ public Output>> attributes() { return Codegen.optional(this.attributes); } + /** + * The user's email. + * + */ @Export(name="email", refs={String.class}, tree="[0]") private Output email; + /** + * @return The user's email. 
+ * + */ public Output> email() { return Codegen.optional(this.email); } + /** + * Whether the email address was validated or not. Default to `false`. + * + */ @Export(name="emailVerified", refs={Boolean.class}, tree="[0]") private Output emailVerified; + /** + * @return Whether the email address was validated or not. Default to `false`. + * + */ public Output> emailVerified() { return Codegen.optional(this.emailVerified); } + /** + * When false, this user cannot log in. Defaults to `true`. + * + */ @Export(name="enabled", refs={Boolean.class}, tree="[0]") private Output enabled; + /** + * @return When false, this user cannot log in. Defaults to `true`. + * + */ public Output> enabled() { return Codegen.optional(this.enabled); } + /** + * When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + */ @Export(name="federatedIdentities", refs={List.class,UserFederatedIdentity.class}, tree="[0,1]") private Output> federatedIdentities; + /** + * @return When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + */ public Output>> federatedIdentities() { return Codegen.optional(this.federatedIdentities); } + /** + * The user's first name. + * + */ @Export(name="firstName", refs={String.class}, tree="[0]") private Output firstName; + /** + * @return The user's first name. + * + */ public Output> firstName() { return Codegen.optional(this.firstName); } + /** + * When given, the user's initial password will be set. This attribute is only respected during initial user creation. + * + */ @Export(name="initialPassword", refs={UserInitialPassword.class}, tree="[0]") private Output initialPassword; + /** + * @return When given, the user's initial password will be set. This attribute is only respected during initial user creation. 
+ * + */ public Output> initialPassword() { return Codegen.optional(this.initialPassword); } + /** + * The user's last name. + * + */ @Export(name="lastName", refs={String.class}, tree="[0]") private Output lastName; + /** + * @return The user's last name. + * + */ public Output> lastName() { return Codegen.optional(this.lastName); } + /** + * The realm this user belongs to. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this user belongs to. + * + */ public Output realmId() { return this.realmId; } + /** + * A list of required user actions. + * + */ @Export(name="requiredActions", refs={List.class,String.class}, tree="[0,1]") private Output> requiredActions; + /** + * @return A list of required user actions. + * + */ public Output>> requiredActions() { return Codegen.optional(this.requiredActions); } + /** + * The unique username of this user. + * + */ @Export(name="username", refs={String.class}, tree="[0]") private Output username; + /** + * @return The unique username of this user. + * + */ public Output username() { return this.username; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/UserArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/UserArgs.java index da4e0ed2..17d99279 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/UserArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/UserArgs.java 
@@ -21,79 +21,167 @@ public final class UserArgs extends com.pulumi.resources.ResourceArgs { public static final UserArgs Empty = new UserArgs(); + /** + * A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ @Import(name="attributes") private @Nullable Output> attributes; + /** + * @return A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ public Optional>> attributes() { return Optional.ofNullable(this.attributes); } + /** + * The user's email. + * + */ @Import(name="email") private @Nullable Output email; + /** + * @return The user's email. + * + */ public Optional> email() { return Optional.ofNullable(this.email); } + /** + * Whether the email address was validated or not. Default to `false`. + * + */ @Import(name="emailVerified") private @Nullable Output emailVerified; + /** + * @return Whether the email address was validated or not. Default to `false`. + * + */ public Optional> emailVerified() { return Optional.ofNullable(this.emailVerified); } + /** + * When false, this user cannot log in. Defaults to `true`. + * + */ @Import(name="enabled") private @Nullable Output enabled; + /** + * @return When false, this user cannot log in. Defaults to `true`. + * + */ public Optional> enabled() { return Optional.ofNullable(this.enabled); } + /** + * When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + */ @Import(name="federatedIdentities") private @Nullable Output> federatedIdentities; + /** + * @return When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + */ public Optional>> federatedIdentities() { return Optional.ofNullable(this.federatedIdentities); } + /** + * The user's first name. 
+ * + */ @Import(name="firstName") private @Nullable Output firstName; + /** + * @return The user's first name. + * + */ public Optional> firstName() { return Optional.ofNullable(this.firstName); } + /** + * When given, the user's initial password will be set. This attribute is only respected during initial user creation. + * + */ @Import(name="initialPassword") private @Nullable Output initialPassword; + /** + * @return When given, the user's initial password will be set. This attribute is only respected during initial user creation. + * + */ public Optional> initialPassword() { return Optional.ofNullable(this.initialPassword); } + /** + * The user's last name. + * + */ @Import(name="lastName") private @Nullable Output lastName; + /** + * @return The user's last name. + * + */ public Optional> lastName() { return Optional.ofNullable(this.lastName); } + /** + * The realm this user belongs to. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this user belongs to. + * + */ public Output realmId() { return this.realmId; } + /** + * A list of required user actions. + * + */ @Import(name="requiredActions") private @Nullable Output> requiredActions; + /** + * @return A list of required user actions. + * + */ public Optional>> requiredActions() { return Optional.ofNullable(this.requiredActions); } + /** + * The unique username of this user. + * + */ @Import(name="username", required=true) private Output username; + /** + * @return The unique username of this user. + * + */ public Output username() { return this.username; } 
@@ -132,109 +220,253 @@ public Builder(UserArgs defaults) { $ = new UserArgs(Objects.requireNonNull(defaults)); } + /** + * @param attributes A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(@Nullable Output> attributes) { $.attributes = attributes; return this; } + /** + * @param attributes A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(Map attributes) { return attributes(Output.of(attributes)); } + /** + * @param email The user's email. + * + * @return builder + * + */ public Builder email(@Nullable Output email) { $.email = email; return this; } + /** + * @param email The user's email. + * + * @return builder + * + */ public Builder email(String email) { return email(Output.of(email)); } + /** + * @param emailVerified Whether the email address was validated or not. Default to `false`. + * + * @return builder + * + */ public Builder emailVerified(@Nullable Output emailVerified) { $.emailVerified = emailVerified; return this; } + /** + * @param emailVerified Whether the email address was validated or not. Default to `false`. + * + * @return builder + * + */ public Builder emailVerified(Boolean emailVerified) { return emailVerified(Output.of(emailVerified)); } + /** + * @param enabled When false, this user cannot log in. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(@Nullable Output enabled) { $.enabled = enabled; return this; } + /** + * @param enabled When false, this user cannot log in. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder enabled(Boolean enabled) { return enabled(Output.of(enabled)); } + /** + * @param federatedIdentities When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + * @return builder + * + */ public Builder federatedIdentities(@Nullable Output> federatedIdentities) { $.federatedIdentities = federatedIdentities; return this; } + /** + * @param federatedIdentities When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + * @return builder + * + */ public Builder federatedIdentities(List federatedIdentities) { return federatedIdentities(Output.of(federatedIdentities)); } + /** + * @param federatedIdentities When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + * @return builder + * + */ public Builder federatedIdentities(UserFederatedIdentityArgs... federatedIdentities) { return federatedIdentities(List.of(federatedIdentities)); } + /** + * @param firstName The user's first name. + * + * @return builder + * + */ public Builder firstName(@Nullable Output firstName) { $.firstName = firstName; return this; } + /** + * @param firstName The user's first name. + * + * @return builder + * + */ public Builder firstName(String firstName) { return firstName(Output.of(firstName)); } + /** + * @param initialPassword When given, the user's initial password will be set. This attribute is only respected during initial user creation. + * + * @return builder + * + */ public Builder initialPassword(@Nullable Output initialPassword) { $.initialPassword = initialPassword; return this; } + /** + * @param initialPassword When given, the user's initial password will be set. This attribute is only respected during initial user creation. 
+ * + * @return builder + * + */ public Builder initialPassword(UserInitialPasswordArgs initialPassword) { return initialPassword(Output.of(initialPassword)); } + /** + * @param lastName The user's last name. + * + * @return builder + * + */ public Builder lastName(@Nullable Output lastName) { $.lastName = lastName; return this; } + /** + * @param lastName The user's last name. + * + * @return builder + * + */ public Builder lastName(String lastName) { return lastName(Output.of(lastName)); } + /** + * @param realmId The realm this user belongs to. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this user belongs to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param requiredActions A list of required user actions. + * + * @return builder + * + */ public Builder requiredActions(@Nullable Output> requiredActions) { $.requiredActions = requiredActions; return this; } + /** + * @param requiredActions A list of required user actions. + * + * @return builder + * + */ public Builder requiredActions(List requiredActions) { return requiredActions(Output.of(requiredActions)); } + /** + * @param requiredActions A list of required user actions. + * + * @return builder + * + */ public Builder requiredActions(String... requiredActions) { return requiredActions(List.of(requiredActions)); } + /** + * @param username The unique username of this user. + * + * @return builder + * + */ public Builder username(Output username) { $.username = username; return this; } + /** + * @param username The unique username of this user. + * + * @return builder + * + */ public Builder username(String username) { return username(Output.of(username)); } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/AttributeImporterIdentityProviderMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/AttributeImporterIdentityProviderMapperState.java index 124ad882..e5413531 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/AttributeImporterIdentityProviderMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/AttributeImporterIdentityProviderMapperState.java @@ -17,14 +17,14 @@ public final class AttributeImporterIdentityProviderMapperState extends com.pulu public static final AttributeImporterIdentityProviderMapperState Empty = new AttributeImporterIdentityProviderMapperState(); /** - * Attribute Friendly Name + * For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. * */ @Import(name="attributeFriendlyName") private @Nullable Output attributeFriendlyName; /** - * @return Attribute Friendly Name + * @return For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. * */ public Optional> attributeFriendlyName() { @@ -32,14 +32,14 @@ public Optional> attributeFriendlyName() { } /** - * Attribute Name + * For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * */ @Import(name="attributeName") private @Nullable Output attributeName; /** - * @return Attribute Name + * @return For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * */ public Optional> attributeName() { 
@@ -47,36 +47,44 @@ public Optional> attributeName() { } /** - * Claim Name + * For OIDC based providers, this is the name of the claim to use. * */ @Import(name="claimName") private @Nullable Output claimName; /** - * @return Claim Name + * @return For OIDC based providers, this is the name of the claim to use. * */ public Optional> claimName() { return Optional.ofNullable(this.claimName); } + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ @Import(name="extraConfig") private @Nullable Output> extraConfig; + /** + * @return Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ public Optional>> extraConfig() { return Optional.ofNullable(this.extraConfig); } /** - * IDP Alias + * The alias of the associated identity provider. * */ @Import(name="identityProviderAlias") private @Nullable Output identityProviderAlias; /** - * @return IDP Alias + * @return The alias of the associated identity provider. * */ public Optional> identityProviderAlias() { @@ -84,14 +92,14 @@ public Optional> identityProviderAlias() { } /** - * IDP Mapper Name + * The name of the mapper. * */ @Import(name="name") private @Nullable Output name; /** - * @return IDP Mapper Name + * @return The name of the mapper. * */ public Optional> name() { @@ -99,14 +107,14 @@ public Optional> name() { } /** - * Realm Name + * The name of the realm. * */ @Import(name="realm") private @Nullable Output realm; /** - * @return Realm Name + * @return The name of the realm. * */ public Optional> realm() { 
@@ -114,14 +122,14 @@ public Optional> realm() { } /** - * User Attribute + * The user attribute or property name to store the mapped result. * */ @Import(name="userAttribute") private @Nullable Output userAttribute; /** - * @return User Attribute + * @return The user attribute or property name to store the mapped result. * */ public Optional> userAttribute() { @@ -160,7 +168,7 @@ public Builder(AttributeImporterIdentityProviderMapperState defaults) { } /** - * @param attributeFriendlyName Attribute Friendly Name + * @param attributeFriendlyName For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. * * @return builder * @@ -171,7 +179,7 @@ public Builder attributeFriendlyName(@Nullable Output attributeFriendlyN } /** - * @param attributeFriendlyName Attribute Friendly Name + * @param attributeFriendlyName For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. * * @return builder * @@ -181,7 +189,7 @@ public Builder attributeFriendlyName(String attributeFriendlyName) { } /** - * @param attributeName Attribute Name + * @param attributeName For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * * @return builder * @@ -192,7 +200,7 @@ public Builder attributeName(@Nullable Output attributeName) { } /** - * @param attributeName Attribute Name + * @param attributeName For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. * * @return builder * @@ -202,7 +210,7 @@ public Builder attributeName(String attributeName) { } /** - * @param claimName Claim Name + * @param claimName For OIDC based providers, this is the name of the claim to use. * * @return builder * 
@@ -213,7 +221,7 @@ public Builder claimName(@Nullable Output claimName) { } /** - * @param claimName Claim Name + * @param claimName For OIDC based providers, this is the name of the claim to use. * * @return builder * @@ -222,17 +230,29 @@ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } + /** + * @param extraConfig Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + * @return builder + * + */ public Builder extraConfig(@Nullable Output> extraConfig) { $.extraConfig = extraConfig; return this; } + /** + * @param extraConfig Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + * @return builder + * + */ public Builder extraConfig(Map extraConfig) { return extraConfig(Output.of(extraConfig)); } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The alias of the associated identity provider. * * @return builder * @@ -243,7 +263,7 @@ public Builder identityProviderAlias(@Nullable Output identityProviderAl } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The alias of the associated identity provider. * * @return builder * @@ -253,7 +273,7 @@ public Builder identityProviderAlias(String identityProviderAlias) { } /** - * @param name IDP Mapper Name + * @param name The name of the mapper. * * @return builder * @@ -264,7 +284,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name IDP Mapper Name + * @param name The name of the mapper. * * @return builder * @@ -274,7 +294,7 @@ public Builder name(String name) { } /** - * @param realm Realm Name + * @param realm The name of the realm. * * @return builder * 
@@ -285,7 +305,7 @@ public Builder realm(@Nullable Output realm) { } /** - * @param realm Realm Name + * @param realm The name of the realm. * * @return builder * @@ -295,7 +315,7 @@ public Builder realm(String realm) { } /** - * @param userAttribute User Attribute + * @param userAttribute The user attribute or property name to store the mapped result. * * @return builder * @@ -306,7 +326,7 @@ public Builder userAttribute(@Nullable Output userAttribute) { } /** - * @param userAttribute User Attribute + * @param userAttribute The user attribute or property name to store the mapped result. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/CustomUserFederationState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/CustomUserFederationState.java index edd82fea..a71ff83b 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/CustomUserFederationState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/CustomUserFederationState.java 
@@ -18,46 +18,60 @@ public final class CustomUserFederationState extends com.pulumi.resources.Resour public static final CustomUserFederationState Empty = new CustomUserFederationState(); + /** + * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + */ @Import(name="cachePolicy") private @Nullable Output cachePolicy; + /** + * @return Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + */ public Optional> cachePolicy() { return Optional.ofNullable(this.cachePolicy); } /** - * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * */ @Import(name="changedSyncPeriod") private @Nullable Output changedSyncPeriod; /** - * @return How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * @return How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * */ public Optional> changedSyncPeriod() { return Optional.ofNullable(this.changedSyncPeriod); } + /** + * The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + */ @Import(name="config") private @Nullable Output> config; + /** + * @return The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + */ public Optional>> config() { return Optional.ofNullable(this.config); } /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. 
* */ @Import(name="enabled") private @Nullable Output enabled; /** - * @return When false, this provider will not be used when performing queries for users. + * @return When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * */ public Optional> enabled() { @@ -95,14 +109,14 @@ public Optional> name() { } /** - * The parent_id of the generated component. will use realm_id if not specified. + * Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * */ @Import(name="parentId") private @Nullable Output parentId; /** - * @return The parent_id of the generated component. will use realm_id if not specified. + * @return Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * */ public Optional> parentId() { @@ -110,14 +124,14 @@ public Optional> parentId() { } /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ @Import(name="priority") private @Nullable Output priority; /** - * @return Priority of this provider when looking up users. Lower values are first. + * @return Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ public Optional> priority() { 
@@ -125,16 +139,14 @@ public Optional> priority() { } /** - * The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * */ @Import(name="providerId") private @Nullable Output providerId; /** - * @return The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * @return The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * */ public Optional> providerId() { @@ -142,14 +154,14 @@ public Optional> providerId() { } /** - * The realm (name) this provider will provide user federation for. + * The realm that this provider will provide user federation for. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm (name) this provider will provide user federation for. + * @return The realm that this provider will provide user federation for. * */ public Optional> realmId() { 
@@ -189,18 +201,29 @@ public Builder(CustomUserFederationState defaults) { $ = new CustomUserFederationState(Objects.requireNonNull(defaults)); } + /** + * @param cachePolicy Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + * @return builder + * + */ public Builder cachePolicy(@Nullable Output cachePolicy) { $.cachePolicy = cachePolicy; return this; } + /** + * @param cachePolicy Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + * @return builder + * + */ public Builder cachePolicy(String cachePolicy) { return cachePolicy(Output.of(cachePolicy)); } /** - * @param changedSyncPeriod How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * @param changedSyncPeriod How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * * @return builder * @@ -211,8 +234,7 @@ public Builder changedSyncPeriod(@Nullable Output changedSyncPeriod) { } /** - * @param changedSyncPeriod How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * @param changedSyncPeriod How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. * * @return builder * 
@@ -221,17 +243,29 @@ public Builder changedSyncPeriod(Integer changedSyncPeriod) { return changedSyncPeriod(Output.of(changedSyncPeriod)); } + /** + * @param config The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + * @return builder + * + */ public Builder config(@Nullable Output> config) { $.config = config; return this; } + /** + * @param config The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + * + * @return builder + * + */ public Builder config(Map config) { return config(Output.of(config)); } /** - * @param enabled When false, this provider will not be used when performing queries for users. + * @param enabled When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * * @return builder * @@ -242,7 +276,7 @@ public Builder enabled(@Nullable Output enabled) { } /** - * @param enabled When false, this provider will not be used when performing queries for users. + * @param enabled When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * * @return builder * @@ -294,7 +328,7 @@ public Builder name(String name) { } /** - * @param parentId The parent_id of the generated component. will use realm_id if not specified. + * @param parentId Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * * @return builder * @@ -305,7 +339,7 @@ public Builder parentId(@Nullable Output parentId) { } /** - * @param parentId The parent_id of the generated component. will use realm_id if not specified. + * @param parentId Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. * * @return builder * 
@@ -315,7 +349,7 @@ public Builder parentId(String parentId) { } /** - * @param priority Priority of this provider when looking up users. Lower values are first. + * @param priority Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * * @return builder * @@ -326,7 +360,7 @@ public Builder priority(@Nullable Output priority) { } /** - * @param priority Priority of this provider when looking up users. Lower values are first. + * @param priority Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * * @return builder * @@ -336,8 +370,7 @@ public Builder priority(Integer priority) { } /** - * @param providerId The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * @param providerId The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * * @return builder * @@ -348,8 +381,7 @@ public Builder providerId(@Nullable Output providerId) { } /** - * @param providerId The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * @param providerId The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. * * @return builder * @@ -359,7 +391,7 @@ public Builder providerId(String providerId) { } /** - * @param realmId The realm (name) this provider will provide user federation for. + * @param realmId The realm that this provider will provide user federation for. * * @return builder * @@ -370,7 +402,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm (name) this provider will provide user federation for. + * @param realmId The realm that this provider will provide user federation for. * * @return builder * 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/DefaultGroupsState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/DefaultGroupsState.java index 9f9c20e2..78d8f560 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/DefaultGroupsState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/DefaultGroupsState.java @@ -16,16 +16,32 @@ public final class DefaultGroupsState extends com.pulumi.resources.ResourceArgs public static final DefaultGroupsState Empty = new DefaultGroupsState(); + /** + * A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + */ @Import(name="groupIds") private @Nullable Output> groupIds; + /** + * @return A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + */ public Optional>> groupIds() { return Optional.ofNullable(this.groupIds); } + /** + * The realm this group exists in. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this group exists in. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } 
@@ -55,24 +71,54 @@ public Builder(DefaultGroupsState defaults) { $ = new DefaultGroupsState(Objects.requireNonNull(defaults)); } + /** + * @param groupIds A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + * @return builder + * + */ public Builder groupIds(@Nullable Output> groupIds) { $.groupIds = groupIds; return this; } + /** + * @param groupIds A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + * @return builder + * + */ public Builder groupIds(List groupIds) { return groupIds(Output.of(groupIds)); } + /** + * @param groupIds A set of group ids that should be default groups on the realm referenced by `realm_id`. + * + * @return builder + * + */ public Builder groupIds(String... groupIds) { return groupIds(List.of(groupIds)); } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GenericClientProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GenericClientProtocolMapperState.java index dff344e8..191ed1d2 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GenericClientProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GenericClientProtocolMapperState.java 
@@ -17,14 +17,14 @@ public final class GenericClientProtocolMapperState extends com.pulumi.resources public static final GenericClientProtocolMapperState Empty = new GenericClientProtocolMapperState(); /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper is attached to. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper is attached to. * */ public Optional> clientId() { @@ -46,22 +46,30 @@ public Optional> clientScopeId() { return Optional.ofNullable(this.clientScopeId); } + /** + * A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + */ @Import(name="config") private @Nullable Output> config; + /** + * @return A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + */ public Optional>> config() { return Optional.ofNullable(this.config); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -69,14 +77,14 @@ public Optional> name() { } /** - * The protocol of the client (openid-connect / saml). + * The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * */ @Import(name="protocol") private @Nullable Output protocol; /** - * @return The protocol of the client (openid-connect / saml). + * @return The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * */ public Optional> protocol() { 
@@ -84,14 +92,14 @@ public Optional> protocol() { } /** - * The type of the protocol mapper. + * The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * */ @Import(name="protocolMapper") private @Nullable Output protocolMapper; /** - * @return The type of the protocol mapper. + * @return The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * */ public Optional> protocolMapper() { @@ -99,14 +107,14 @@ public Optional> protocolMapper() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Optional> realmId() { @@ -144,7 +152,7 @@ public Builder(GenericClientProtocolMapperState defaults) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper is attached to. * * @return builder * @@ -155,7 +163,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper is attached to. * * @return builder * 
@@ -185,17 +193,29 @@ public Builder clientScopeId(String clientScopeId) { return clientScopeId(Output.of(clientScopeId)); } + /** + * @param config A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + * @return builder + * + */ public Builder config(@Nullable Output> config) { $.config = config; return this; } + /** + * @param config A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + * + * @return builder + * + */ public Builder config(Map config) { return config(Output.of(config)); } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -206,7 +226,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -216,7 +236,7 @@ public Builder name(String name) { } /** - * @param protocol The protocol of the client (openid-connect / saml). + * @param protocol The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * * @return builder * @@ -227,7 +247,7 @@ public Builder protocol(@Nullable Output protocol) { } /** - * @param protocol The protocol of the client (openid-connect / saml). + * @param protocol The type of client (either `openid-connect` or `saml`). The type must match the type of the client. * * @return builder * @@ -237,7 +257,7 @@ public Builder protocol(String protocol) { } /** - * @param protocolMapper The type of the protocol mapper. + * @param protocolMapper The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * * @return builder * 
@@ -248,7 +268,7 @@ public Builder protocolMapper(@Nullable Output protocolMapper) { } /** - * @param protocolMapper The type of the protocol mapper. + * @param protocolMapper The name of the protocol mapper. The protocol mapper must be compatible with the specified client. * * @return builder * @@ -258,7 +278,7 @@ public Builder protocolMapper(String protocolMapper) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -269,7 +289,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetGroupArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetGroupArgs.java index 15e8d330..0b55c6bf 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetGroupArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetGroupArgs.java @@ -14,16 +14,32 @@ public final class GetGroupArgs extends com.pulumi.resources.InvokeArgs { public static final GetGroupArgs Empty = new GetGroupArgs(); + /** + * The name of the group. If there are multiple groups match `name`, the first result will be returned. + * + */ @Import(name="name", required=true) private Output name; + /** + * @return The name of the group. If there are multiple groups match `name`, the first result will be returned. + * + */ public Output name() { return this.name; } + /** + * The realm this group exists within. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this group exists within. + * + */ public Output realmId() { return this.realmId; } 
@@ -53,20 +69,44 @@ public Builder(GetGroupArgs defaults) { $ = new GetGroupArgs(Objects.requireNonNull(defaults)); } + /** + * @param name The name of the group. If there are multiple groups match `name`, the first result will be returned. + * + * @return builder + * + */ public Builder name(Output name) { $.name = name; return this; } + /** + * @param name The name of the group. If there are multiple groups match `name`, the first result will be returned. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this group exists within. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this group exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetGroupPlainArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetGroupPlainArgs.java index a7d0d9d8..b8943274 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetGroupPlainArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetGroupPlainArgs.java 
@@ -13,16 +13,32 @@ public final class GetGroupPlainArgs extends com.pulumi.resources.InvokeArgs { public static final GetGroupPlainArgs Empty = new GetGroupPlainArgs(); + /** + * The name of the group. If there are multiple groups match `name`, the first result will be returned. + * + */ @Import(name="name", required=true) private String name; + /** + * @return The name of the group. If there are multiple groups match `name`, the first result will be returned. + * + */ public String name() { return this.name; } + /** + * The realm this group exists within. + * + */ @Import(name="realmId", required=true) private String realmId; + /** + * @return The realm this group exists within. + * + */ public String realmId() { return this.realmId; } @@ -52,11 +68,23 @@ public Builder(GetGroupPlainArgs defaults) { $ = new GetGroupPlainArgs(Objects.requireNonNull(defaults)); } + /** + * @param name The name of the group. If there are multiple groups match `name`, the first result will be returned. + * + * @return builder + * + */ public Builder name(String name) { $.name = name; return this; } + /** + * @param realmId The realm this group exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { $.realmId = realmId; return this; diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmArgs.java index f9418715..85c1d445 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmArgs.java @@ -66,9 +66,17 @@ public Optional> otpPolicy() { return Optional.ofNullable(this.otpPolicy); } + /** + * The realm name. + * + */ @Import(name="realm", required=true) private Output realm; + /** + * @return The realm name. + * + */ public Output realm() { return this.realm; } 
@@ -201,11 +209,23 @@ public Builder otpPolicy(GetRealmOtpPolicyArgs otpPolicy) { return otpPolicy(Output.of(otpPolicy)); } + /** + * @param realm The realm name. + * + * @return builder + * + */ public Builder realm(Output realm) { $.realm = realm; return this; } + /** + * @param realm The realm name. + * + * @return builder + * + */ public Builder realm(String realm) { return realm(Output.of(realm)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmKeysArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmKeysArgs.java index 593d6591..fbe17d52 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmKeysArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmKeysArgs.java @@ -17,23 +17,47 @@ public final class GetRealmKeysArgs extends com.pulumi.resources.InvokeArgs { public static final GetRealmKeysArgs Empty = new GetRealmKeysArgs(); + /** + * When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + * + */ @Import(name="algorithms") private @Nullable Output> algorithms; + /** + * @return When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + * + */ public Optional>> algorithms() { return Optional.ofNullable(this.algorithms); } + /** + * The realm from which the keys will be retrieved. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm from which the keys will be retrieved. + * + */ public Output realmId() { return this.realmId; } + /** + * When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + */ @Import(name="statuses") private @Nullable Output> statuses; + /** + * @return When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + */ public Optional>> statuses() { return Optional.ofNullable(this.statuses); } 
@@ -64,37 +88,85 @@ public Builder(GetRealmKeysArgs defaults) { $ = new GetRealmKeysArgs(Objects.requireNonNull(defaults)); } + /** + * @param algorithms When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + * + * @return builder + * + */ public Builder algorithms(@Nullable Output> algorithms) { $.algorithms = algorithms; return this; } + /** + * @param algorithms When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + * + * @return builder + * + */ public Builder algorithms(List algorithms) { return algorithms(Output.of(algorithms)); } + /** + * @param algorithms When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + * + * @return builder + * + */ public Builder algorithms(String... algorithms) { return algorithms(List.of(algorithms)); } + /** + * @param realmId The realm from which the keys will be retrieved. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm from which the keys will be retrieved. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param statuses When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + * @return builder + * + */ public Builder statuses(@Nullable Output> statuses) { $.statuses = statuses; return this; } + /** + * @param statuses When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + * @return builder + * + */ public Builder statuses(List statuses) { return statuses(Output.of(statuses)); } + /** + * @param statuses When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. 
+ * + * @return builder + * + */ public Builder statuses(String... statuses) { return statuses(List.of(statuses)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmKeysPlainArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmKeysPlainArgs.java index c2f38996..ea84af0b 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmKeysPlainArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmKeysPlainArgs.java @@ -16,23 +16,47 @@ public final class GetRealmKeysPlainArgs extends com.pulumi.resources.InvokeArgs public static final GetRealmKeysPlainArgs Empty = new GetRealmKeysPlainArgs(); + /** + * When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + * + */ @Import(name="algorithms") private @Nullable List algorithms; + /** + * @return When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + * + */ public Optional> algorithms() { return Optional.ofNullable(this.algorithms); } + /** + * The realm from which the keys will be retrieved. + * + */ @Import(name="realmId", required=true) private String realmId; + /** + * @return The realm from which the keys will be retrieved. + * + */ public String realmId() { return this.realmId; } + /** + * When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + */ @Import(name="statuses") private @Nullable List statuses; + /** + * @return When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + */ public Optional> statuses() { return Optional.ofNullable(this.statuses); } 
@@ -63,25 +87,55 @@ public Builder(GetRealmKeysPlainArgs defaults) { $ = new GetRealmKeysPlainArgs(Objects.requireNonNull(defaults)); } + /** + * @param algorithms When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + * + * @return builder + * + */ public Builder algorithms(@Nullable List algorithms) { $.algorithms = algorithms; return this; } + /** + * @param algorithms When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + * + * @return builder + * + */ public Builder algorithms(String... algorithms) { return algorithms(List.of(algorithms)); } + /** + * @param realmId The realm from which the keys will be retrieved. + * + * @return builder + * + */ public Builder realmId(String realmId) { $.realmId = realmId; return this; } + /** + * @param statuses When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + * @return builder + * + */ public Builder statuses(@Nullable List statuses) { $.statuses = statuses; return this; } + /** + * @param statuses When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + * @return builder + * + */ public Builder statuses(String... statuses) { return statuses(List.of(statuses)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmPlainArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmPlainArgs.java index 744f776f..5072d983 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmPlainArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRealmPlainArgs.java @@ -65,9 +65,17 @@ public Optional otpPolicy() { return Optional.ofNullable(this.otpPolicy); } + /** + * The realm name. + * + */ @Import(name="realm", required=true) private String realm; + /** + * @return The realm name. + * + */ public String realm() { return this.realm; } 
@@ -176,6 +184,12 @@ public Builder otpPolicy(@Nullable GetRealmOtpPolicy otpPolicy) { return this; } + /** + * @param realm The realm name. + * + * @return builder + * + */ public Builder realm(String realm) { $.realm = realm; return this; diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRoleArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRoleArgs.java index fa1b070b..df2d8c63 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRoleArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRoleArgs.java @@ -16,23 +16,47 @@ public final class GetRoleArgs extends com.pulumi.resources.InvokeArgs { public static final GetRoleArgs Empty = new GetRoleArgs(); + /** + * When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here. + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here. + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * The name of the role. + * + */ @Import(name="name", required=true) private Output name; + /** + * @return The name of the role. + * + */ public Output name() { return this.name; } + /** + * The realm this role exists within. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this role exists within. + * + */ public Output realmId() { return this.realmId; } 
@@ -63,29 +87,65 @@ public Builder(GetRoleArgs defaults) { $ = new GetRoleArgs(Objects.requireNonNull(defaults)); } + /** + * @param clientId When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here. + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param name The name of the role. + * + * @return builder + * + */ public Builder name(Output name) { $.name = name; return this; } + /** + * @param name The name of the role. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this role exists within. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this role exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRolePlainArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRolePlainArgs.java index 064580ed..c5545d8f 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRolePlainArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GetRolePlainArgs.java 
@@ -15,23 +15,47 @@ public final class GetRolePlainArgs extends com.pulumi.resources.InvokeArgs { public static final GetRolePlainArgs Empty = new GetRolePlainArgs(); + /** + * When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here. + * + */ @Import(name="clientId") private @Nullable String clientId; + /** + * @return When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here. + * + */ public Optional clientId() { return Optional.ofNullable(this.clientId); } + /** + * The name of the role. + * + */ @Import(name="name", required=true) private String name; + /** + * @return The name of the role. + * + */ public String name() { return this.name; } + /** + * The realm this role exists within. + * + */ @Import(name="realmId", required=true) private String realmId; + /** + * @return The realm this role exists within. + * + */ public String realmId() { return this.realmId; } @@ -62,16 +86,34 @@ public Builder(GetRolePlainArgs defaults) { $ = new GetRolePlainArgs(Objects.requireNonNull(defaults)); } + /** + * @param clientId When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here. + * + * @return builder + * + */ public Builder clientId(@Nullable String clientId) { $.clientId = clientId; return this; } + /** + * @param name The name of the role. + * + * @return builder + * + */ public Builder name(String name) { $.name = name; return this; } + /** + * @param realmId The realm this role exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { $.realmId = realmId; return this; 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupMembershipsState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupMembershipsState.java index 4d960cc2..d5615252 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupMembershipsState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupMembershipsState.java @@ -16,23 +16,47 @@ public final class GroupMembershipsState extends com.pulumi.resources.ResourceAr public static final GroupMembershipsState Empty = new GroupMembershipsState(); + /** + * The ID of the group this resource should manage memberships for. + * + */ @Import(name="groupId") private @Nullable Output groupId; + /** + * @return The ID of the group this resource should manage memberships for. + * + */ public Optional> groupId() { return Optional.ofNullable(this.groupId); } + /** + * A list of usernames that belong to this group. + * + */ @Import(name="members") private @Nullable Output> members; + /** + * @return A list of usernames that belong to this group. + * + */ public Optional>> members() { return Optional.ofNullable(this.members); } + /** + * The realm this group exists in. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this group exists in. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } 
@@ -63,33 +87,75 @@ public Builder(GroupMembershipsState defaults) { $ = new GroupMembershipsState(Objects.requireNonNull(defaults)); } + /** + * @param groupId The ID of the group this resource should manage memberships for. + * + * @return builder + * + */ public Builder groupId(@Nullable Output groupId) { $.groupId = groupId; return this; } + /** + * @param groupId The ID of the group this resource should manage memberships for. + * + * @return builder + * + */ public Builder groupId(String groupId) { return groupId(Output.of(groupId)); } + /** + * @param members A list of usernames that belong to this group. + * + * @return builder + * + */ public Builder members(@Nullable Output> members) { $.members = members; return this; } + /** + * @param members A list of usernames that belong to this group. + * + * @return builder + * + */ public Builder members(List members) { return members(Output.of(members)); } + /** + * @param members A list of usernames that belong to this group. + * + * @return builder + * + */ public Builder members(String... members) { return members(List.of(members)); } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupRolesState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupRolesState.java index c9336378..be9327bd 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupRolesState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupRolesState.java 
@@ -17,30 +17,62 @@ public final class GroupRolesState extends com.pulumi.resources.ResourceArgs { public static final GroupRolesState Empty = new GroupRolesState(); + /** + * Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + */ @Import(name="exhaustive") private @Nullable Output exhaustive; + /** + * @return Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + */ public Optional> exhaustive() { return Optional.ofNullable(this.exhaustive); } + /** + * The ID of the group this resource should manage roles for. + * + */ @Import(name="groupId") private @Nullable Output groupId; + /** + * @return The ID of the group this resource should manage roles for. + * + */ public Optional> groupId() { return Optional.ofNullable(this.groupId); } + /** + * The realm this group exists in. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this group exists in. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * A list of role IDs to map to the group. + * + */ @Import(name="roleIds") private @Nullable Output> roleIds; + /** + * @return A list of role IDs to map to the group. + * + */ public Optional>> roleIds() { return Optional.ofNullable(this.roleIds); } 
@@ -72,42 +104,96 @@ public Builder(GroupRolesState defaults) { $ = new GroupRolesState(Objects.requireNonNull(defaults)); } + /** + * @param exhaustive Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + * @return builder + * + */ public Builder exhaustive(@Nullable Output exhaustive) { $.exhaustive = exhaustive; return this; } + /** + * @param exhaustive Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + * + * @return builder + * + */ public Builder exhaustive(Boolean exhaustive) { return exhaustive(Output.of(exhaustive)); } + /** + * @param groupId The ID of the group this resource should manage roles for. + * + * @return builder + * + */ public Builder groupId(@Nullable Output groupId) { $.groupId = groupId; return this; } + /** + * @param groupId The ID of the group this resource should manage roles for. + * + * @return builder + * + */ public Builder groupId(String groupId) { return groupId(Output.of(groupId)); } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param roleIds A list of role IDs to map to the group. + * + * @return builder + * + */ public Builder roleIds(@Nullable Output> roleIds) { $.roleIds = roleIds; return this; } + /** + * @param roleIds A list of role IDs to map to the group. + * + * @return builder + * + */ public Builder roleIds(List roleIds) { return roleIds(Output.of(roleIds)); } + /** + * @param roleIds A list of role IDs to map to the group. + * + * @return builder + * + */ public Builder roleIds(String... 
roleIds) { return roleIds(List.of(roleIds)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupState.java index f1beb46f..4aabc0fc 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/GroupState.java 
@@ -16,37 +16,77 @@ public final class GroupState extends com.pulumi.resources.ResourceArgs { public static final GroupState Empty = new GroupState(); + /** + * A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ @Import(name="attributes") private @Nullable Output> attributes; + /** + * @return A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ public Optional>> attributes() { return Optional.ofNullable(this.attributes); } + /** + * The name of the group. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The name of the group. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The ID of this group's parent. If omitted, this group will be defined at the root level. + * + */ @Import(name="parentId") private @Nullable Output parentId; + /** + * @return The ID of this group's parent. If omitted, this group will be defined at the root level. + * + */ public Optional> parentId() { return Optional.ofNullable(this.parentId); } + /** + * (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + * + */ @Import(name="path") private @Nullable Output path; + /** + * @return (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + * + */ public Optional> path() { return Optional.ofNullable(this.path); } + /** + * The realm this group exists in. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this group exists in. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } 
@@ -79,47 +119,107 @@ public Builder(GroupState defaults) { $ = new GroupState(Objects.requireNonNull(defaults)); } + /** + * @param attributes A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(@Nullable Output> attributes) { $.attributes = attributes; return this; } + /** + * @param attributes A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(Map attributes) { return attributes(Output.of(attributes)); } + /** + * @param name The name of the group. + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The name of the group. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param parentId The ID of this group's parent. If omitted, this group will be defined at the root level. + * + * @return builder + * + */ public Builder parentId(@Nullable Output parentId) { $.parentId = parentId; return this; } + /** + * @param parentId The ID of this group's parent. If omitted, this group will be defined at the root level. + * + * @return builder + * + */ public Builder parentId(String parentId) { return parentId(Output.of(parentId)); } + /** + * @param path (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + * + * @return builder + * + */ public Builder path(@Nullable Output path) { $.path = path; return this; } + /** + * @param path (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. 
+ * + * @return builder + * + */ public Builder path(String path) { return path(Output.of(path)); } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this group exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmEventsState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmEventsState.java index efc76ebc..039265f9 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmEventsState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmEventsState.java 
@@ -18,51 +18,107 @@ public final class RealmEventsState extends com.pulumi.resources.ResourceArgs { public static final RealmEventsState Empty = new RealmEventsState(); + /** + * When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + * + */ @Import(name="adminEventsDetailsEnabled") private @Nullable Output adminEventsDetailsEnabled; + /** + * @return When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + * + */ public Optional> adminEventsDetailsEnabled() { return Optional.ofNullable(this.adminEventsDetailsEnabled); } + /** + * When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ @Import(name="adminEventsEnabled") private @Nullable Output adminEventsEnabled; + /** + * @return When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ public Optional> adminEventsEnabled() { return Optional.ofNullable(this.adminEventsEnabled); } + /** + * The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + */ @Import(name="enabledEventTypes") private @Nullable Output> enabledEventTypes; + /** + * @return The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + */ public Optional>> enabledEventTypes() { return Optional.ofNullable(this.enabledEventTypes); } + /** + * When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + * + */ @Import(name="eventsEnabled") private @Nullable Output eventsEnabled; + /** + * @return When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. 
+ * + */ public Optional> eventsEnabled() { return Optional.ofNullable(this.eventsEnabled); } + /** + * The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + * + */ @Import(name="eventsExpiration") private @Nullable Output eventsExpiration; + /** + * @return The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + * + */ public Optional> eventsExpiration() { return Optional.ofNullable(this.eventsExpiration); } + /** + * The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + */ @Import(name="eventsListeners") private @Nullable Output> eventsListeners; + /** + * @return The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + */ public Optional>> eventsListeners() { return Optional.ofNullable(this.eventsListeners); } + /** + * The name of the realm the event settings apply to. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The name of the realm the event settings apply to. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } 
@@ -97,73 +153,169 @@ public Builder(RealmEventsState defaults) { $ = new RealmEventsState(Objects.requireNonNull(defaults)); } + /** + * @param adminEventsDetailsEnabled When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + * + * @return builder + * + */ public Builder adminEventsDetailsEnabled(@Nullable Output adminEventsDetailsEnabled) { $.adminEventsDetailsEnabled = adminEventsDetailsEnabled; return this; } + /** + * @param adminEventsDetailsEnabled When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + * + * @return builder + * + */ public Builder adminEventsDetailsEnabled(Boolean adminEventsDetailsEnabled) { return adminEventsDetailsEnabled(Output.of(adminEventsDetailsEnabled)); } + /** + * @param adminEventsEnabled When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + * @return builder + * + */ public Builder adminEventsEnabled(@Nullable Output adminEventsEnabled) { $.adminEventsEnabled = adminEventsEnabled; return this; } + /** + * @param adminEventsEnabled When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + * + * @return builder + * + */ public Builder adminEventsEnabled(Boolean adminEventsEnabled) { return adminEventsEnabled(Output.of(adminEventsEnabled)); } + /** + * @param enabledEventTypes The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + * @return builder + * + */ public Builder enabledEventTypes(@Nullable Output> enabledEventTypes) { $.enabledEventTypes = enabledEventTypes; return this; } + /** + * @param enabledEventTypes The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. 
+ * + * @return builder + * + */ public Builder enabledEventTypes(List enabledEventTypes) { return enabledEventTypes(Output.of(enabledEventTypes)); } + /** + * @param enabledEventTypes The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + * + * @return builder + * + */ public Builder enabledEventTypes(String... enabledEventTypes) { return enabledEventTypes(List.of(enabledEventTypes)); } + /** + * @param eventsEnabled When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + * + * @return builder + * + */ public Builder eventsEnabled(@Nullable Output eventsEnabled) { $.eventsEnabled = eventsEnabled; return this; } + /** + * @param eventsEnabled When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. + * + * @return builder + * + */ public Builder eventsEnabled(Boolean eventsEnabled) { return eventsEnabled(Output.of(eventsEnabled)); } + /** + * @param eventsExpiration The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + * + * @return builder + * + */ public Builder eventsExpiration(@Nullable Output eventsExpiration) { $.eventsExpiration = eventsExpiration; return this; } + /** + * @param eventsExpiration The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + * + * @return builder + * + */ public Builder eventsExpiration(Integer eventsExpiration) { return eventsExpiration(Output.of(eventsExpiration)); } + /** + * @param eventsListeners The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. 
+ * + * @return builder + * + */ public Builder eventsListeners(@Nullable Output> eventsListeners) { $.eventsListeners = eventsListeners; return this; } + /** + * @param eventsListeners The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + * @return builder + * + */ public Builder eventsListeners(List eventsListeners) { return eventsListeners(Output.of(eventsListeners)); } + /** + * @param eventsListeners The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * + * @return builder + * + */ public Builder eventsListeners(String... eventsListeners) { return eventsListeners(List.of(eventsListeners)); } + /** + * @param realmId The name of the realm the event settings apply to. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The name of the realm the event settings apply to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmInternationalizationArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmInternationalizationArgs.java index b38128e1..bca484a7 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmInternationalizationArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmInternationalizationArgs.java 
@@ -15,16 +15,32 @@ public final class RealmInternationalizationArgs extends com.pulumi.resources.Re public static final RealmInternationalizationArgs Empty = new RealmInternationalizationArgs(); + /** + * The locale to use by default. This locale code must be present within the `supported_locales` list. + * + */ @Import(name="defaultLocale", required=true) private Output defaultLocale; + /** + * @return The locale to use by default. This locale code must be present within the `supported_locales` list. + * + */ public Output defaultLocale() { return this.defaultLocale; } + /** + * A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + * + */ @Import(name="supportedLocales", required=true) private Output> supportedLocales; + /** + * @return A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + * + */ public Output> supportedLocales() { return this.supportedLocales; } 
@@ -54,24 +70,54 @@ public Builder(RealmInternationalizationArgs defaults) { $ = new RealmInternationalizationArgs(Objects.requireNonNull(defaults)); } + /** + * @param defaultLocale The locale to use by default. This locale code must be present within the `supported_locales` list. + * + * @return builder + * + */ public Builder defaultLocale(Output defaultLocale) { $.defaultLocale = defaultLocale; return this; } + /** + * @param defaultLocale The locale to use by default. This locale code must be present within the `supported_locales` list. + * + * @return builder + * + */ public Builder defaultLocale(String defaultLocale) { return defaultLocale(Output.of(defaultLocale)); } + /** + * @param supportedLocales A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + * + * @return builder + * + */ public Builder supportedLocales(Output> supportedLocales) { $.supportedLocales = supportedLocales; return this; } + /** + * @param supportedLocales A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + * + * @return builder + * + */ public Builder supportedLocales(List supportedLocales) { return supportedLocales(Output.of(supportedLocales)); } + /** + * @param supportedLocales A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + * + * @return builder + * + */ public Builder supportedLocales(String... supportedLocales) { return supportedLocales(List.of(supportedLocales)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmOtpPolicyArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmOtpPolicyArgs.java index 06f57f8a..4458ab56 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmOtpPolicyArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmOtpPolicyArgs.java 
@@ -17,57 +17,89 @@ public final class RealmOtpPolicyArgs extends com.pulumi.resources.ResourceArgs public static final RealmOtpPolicyArgs Empty = new RealmOtpPolicyArgs(); /** - * What hashing algorithm should be used to generate the OTP. + * What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. * */ @Import(name="algorithm") private @Nullable Output algorithm; /** - * @return What hashing algorithm should be used to generate the OTP. + * @return What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. * */ public Optional> algorithm() { return Optional.ofNullable(this.algorithm); } + /** + * How many digits the OTP have. Defaults to `6`. + * + */ @Import(name="digits") private @Nullable Output digits; + /** + * @return How many digits the OTP have. Defaults to `6`. + * + */ public Optional> digits() { return Optional.ofNullable(this.digits); } + /** + * What should the initial counter value be. Defaults to `2`. + * + */ @Import(name="initialCounter") private @Nullable Output initialCounter; + /** + * @return What should the initial counter value be. Defaults to `2`. + * + */ public Optional> initialCounter() { return Optional.ofNullable(this.initialCounter); } + /** + * How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + * + */ @Import(name="lookAheadWindow") private @Nullable Output lookAheadWindow; + /** + * @return How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + * + */ public Optional> lookAheadWindow() { return Optional.ofNullable(this.lookAheadWindow); } + /** + * How many seconds should an OTP token be valid. Defaults to `30`. 
+ * + */ @Import(name="period") private @Nullable Output period; + /** + * @return How many seconds should an OTP token be valid. Defaults to `30`. + * + */ public Optional> period() { return Optional.ofNullable(this.period); } /** - * OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + * One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. * */ @Import(name="type") private @Nullable Output type; /** - * @return OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + * @return One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. * */ public Optional> type() { @@ -104,7 +136,7 @@ public Builder(RealmOtpPolicyArgs defaults) { } /** - * @param algorithm What hashing algorithm should be used to generate the OTP. + * @param algorithm What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. * * @return builder * @@ -115,7 +147,7 @@ public Builder algorithm(@Nullable Output algorithm) { } /** - * @param algorithm What hashing algorithm should be used to generate the OTP. + * @param algorithm What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. * * @return builder * 
@@ -124,44 +156,92 @@ public Builder algorithm(String algorithm) { return algorithm(Output.of(algorithm)); } + /** + * @param digits How many digits the OTP have. Defaults to `6`. + * + * @return builder + * + */ public Builder digits(@Nullable Output digits) { $.digits = digits; return this; } + /** + * @param digits How many digits the OTP have. Defaults to `6`. + * + * @return builder + * + */ public Builder digits(Integer digits) { return digits(Output.of(digits)); } + /** + * @param initialCounter What should the initial counter value be. Defaults to `2`. + * + * @return builder + * + */ public Builder initialCounter(@Nullable Output initialCounter) { $.initialCounter = initialCounter; return this; } + /** + * @param initialCounter What should the initial counter value be. Defaults to `2`. + * + * @return builder + * + */ public Builder initialCounter(Integer initialCounter) { return initialCounter(Output.of(initialCounter)); } + /** + * @param lookAheadWindow How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + * + * @return builder + * + */ public Builder lookAheadWindow(@Nullable Output lookAheadWindow) { $.lookAheadWindow = lookAheadWindow; return this; } + /** + * @param lookAheadWindow How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + * + * @return builder + * + */ public Builder lookAheadWindow(Integer lookAheadWindow) { return lookAheadWindow(Output.of(lookAheadWindow)); } + /** + * @param period How many seconds should an OTP token be valid. Defaults to `30`. + * + * @return builder + * + */ public Builder period(@Nullable Output period) { $.period = period; return this; } + /** + * @param period How many seconds should an OTP token be valid. Defaults to `30`. 
+ * + * @return builder + * + */ public Builder period(Integer period) { return period(Output.of(period)); } /** - * @param type OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + * @param type One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. * * @return builder * @@ -172,7 +252,7 @@ public Builder type(@Nullable Output type) { } /** - * @param type OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + * @param type One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSecurityDefensesBruteForceDetectionArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSecurityDefensesBruteForceDetectionArgs.java index 87a132f0..8373b987 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSecurityDefensesBruteForceDetectionArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSecurityDefensesBruteForceDetectionArgs.java @@ -16,9 +16,17 @@ public final class RealmSecurityDefensesBruteForceDetectionArgs extends com.pulu public static final RealmSecurityDefensesBruteForceDetectionArgs Empty = new RealmSecurityDefensesBruteForceDetectionArgs(); + /** + * When will failure count be reset? + * + */ @Import(name="failureResetTimeSeconds") private @Nullable Output failureResetTimeSeconds; + /** + * @return When will failure count be reset? + * + */ public Optional> failureResetTimeSeconds() { return Optional.ofNullable(this.failureResetTimeSeconds); } 
@@ -30,37 +38,79 @@ public Optional> maxFailureWaitSeconds() { return Optional.ofNullable(this.maxFailureWaitSeconds); } + /** + * How many failures before wait is triggered. + * + */ @Import(name="maxLoginFailures") private @Nullable Output maxLoginFailures; + /** + * @return How many failures before wait is triggered. + * + */ public Optional> maxLoginFailures() { return Optional.ofNullable(this.maxLoginFailures); } + /** + * How long to wait after a quick login failure. + * - ` max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + * + */ @Import(name="minimumQuickLoginWaitSeconds") private @Nullable Output minimumQuickLoginWaitSeconds; + /** + * @return How long to wait after a quick login failure. + * - ` max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + * + */ public Optional> minimumQuickLoginWaitSeconds() { return Optional.ofNullable(this.minimumQuickLoginWaitSeconds); } + /** + * When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + * + */ @Import(name="permanentLockout") private @Nullable Output permanentLockout; + /** + * @return When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + * + */ public Optional> permanentLockout() { return Optional.ofNullable(this.permanentLockout); } + /** + * Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + * + */ @Import(name="quickLoginCheckMilliSeconds") private @Nullable Output quickLoginCheckMilliSeconds; + /** + * @return Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + * + */ public Optional> quickLoginCheckMilliSeconds() { return Optional.ofNullable(this.quickLoginCheckMilliSeconds); } + /** + * This represents the amount of time a user should be locked out when the login failure threshold has been met. 
+ * + */ @Import(name="waitIncrementSeconds") private @Nullable Output waitIncrementSeconds; + /** + * @return This represents the amount of time a user should be locked out when the login failure threshold has been met. + * + */ public Optional> waitIncrementSeconds() { return Optional.ofNullable(this.waitIncrementSeconds); } @@ -95,11 +145,23 @@ public Builder(RealmSecurityDefensesBruteForceDetectionArgs defaults) { $ = new RealmSecurityDefensesBruteForceDetectionArgs(Objects.requireNonNull(defaults)); } + /** + * @param failureResetTimeSeconds When will failure count be reset? + * + * @return builder + * + */ public Builder failureResetTimeSeconds(@Nullable Output failureResetTimeSeconds) { $.failureResetTimeSeconds = failureResetTimeSeconds; return this; } + /** + * @param failureResetTimeSeconds When will failure count be reset? + * + * @return builder + * + */ public Builder failureResetTimeSeconds(Integer failureResetTimeSeconds) { return failureResetTimeSeconds(Output.of(failureResetTimeSeconds)); } 
@@ -113,47 +175,109 @@ public Builder maxFailureWaitSeconds(Integer maxFailureWaitSeconds) {
 return maxFailureWaitSeconds(Output.of(maxFailureWaitSeconds));
 }
+ /**
+ * @param maxLoginFailures How many failures before wait is triggered.
+ *
+ * @return builder
+ *
+ */
 public Builder maxLoginFailures(@Nullable Output maxLoginFailures) {
 $.maxLoginFailures = maxLoginFailures;
 return this;
 }
+ /**
+ * @param maxLoginFailures How many failures before wait is triggered.
+ *
+ * @return builder
+ *
+ */
 public Builder maxLoginFailures(Integer maxLoginFailures) {
 return maxLoginFailures(Output.of(maxLoginFailures));
 }
+ /**
+ * @param minimumQuickLoginWaitSeconds How long to wait after a quick login failure.
+ * - ` max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out.
+ *
+ * @return builder
+ *
+ */
 public Builder minimumQuickLoginWaitSeconds(@Nullable Output minimumQuickLoginWaitSeconds) {
 $.minimumQuickLoginWaitSeconds = minimumQuickLoginWaitSeconds;
 return this;
 }
+ /**
+ * @param minimumQuickLoginWaitSeconds How long to wait after a quick login failure.
+ * - ` max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out.
+ *
+ * @return builder
+ *
+ */
 public Builder minimumQuickLoginWaitSeconds(Integer minimumQuickLoginWaitSeconds) {
 return minimumQuickLoginWaitSeconds(Output.of(minimumQuickLoginWaitSeconds));
 }
+ /**
+ * @param permanentLockout When `true`, this will lock the user permanently when the user exceeds the maximum login failures.
+ *
+ * @return builder
+ *
+ */
 public Builder permanentLockout(@Nullable Output permanentLockout) {
 $.permanentLockout = permanentLockout;
 return this;
 }
+ /**
+ * @param permanentLockout When `true`, this will lock the user permanently when the user exceeds the maximum login failures.
+ *
+ * @return builder
+ *
+ */
 public Builder permanentLockout(Boolean permanentLockout) {
 return permanentLockout(Output.of(permanentLockout));
 }
+ /**
+ * @param quickLoginCheckMilliSeconds Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
+ *
+ * @return builder
+ *
+ */
 public Builder quickLoginCheckMilliSeconds(@Nullable Output quickLoginCheckMilliSeconds) {
 $.quickLoginCheckMilliSeconds = quickLoginCheckMilliSeconds;
 return this;
 }
+ /**
+ * @param quickLoginCheckMilliSeconds Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
+ *
+ * @return builder
+ *
+ */
 public Builder quickLoginCheckMilliSeconds(Integer quickLoginCheckMilliSeconds) {
 return quickLoginCheckMilliSeconds(Output.of(quickLoginCheckMilliSeconds));
 }
+ /**
+ * @param waitIncrementSeconds This represents the amount of time a user should be locked out when the login failure threshold has been met.
+ *
+ * @return builder
+ *
+ */
 public Builder waitIncrementSeconds(@Nullable Output waitIncrementSeconds) {
 $.waitIncrementSeconds = waitIncrementSeconds;
 return this;
 }
+ /**
+ * @param waitIncrementSeconds This represents the amount of time a user should be locked out when the login failure threshold has been met.
+ *
+ * @return builder
+ *
+ */
 public Builder waitIncrementSeconds(Integer waitIncrementSeconds) {
 return waitIncrementSeconds(Output.of(waitIncrementSeconds));
 }
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSecurityDefensesHeadersArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSecurityDefensesHeadersArgs.java
index 4f03b42a..56878953 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSecurityDefensesHeadersArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSecurityDefensesHeadersArgs.java
@@ -15,58 +15,122 @@ public final class RealmSecurityDefensesHeadersArgs extends com.pulumi.resources
 public static final RealmSecurityDefensesHeadersArgs Empty = new RealmSecurityDefensesHeadersArgs();
+ /**
+ * Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract.
+ *
+ */
 @Import(name="contentSecurityPolicy")
 private @Nullable Output contentSecurityPolicy;
+ /**
+ * @return Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract.
+ *
+ */
 public Optional> contentSecurityPolicy() {
 return Optional.ofNullable(this.contentSecurityPolicy);
 }
+ /**
+ * Used for testing Content Security Policies.
+ *
+ */
 @Import(name="contentSecurityPolicyReportOnly")
 private @Nullable Output contentSecurityPolicyReportOnly;
+ /**
+ * @return Used for testing Content Security Policies.
+ *
+ */
 public Optional> contentSecurityPolicyReportOnly() {
 return Optional.ofNullable(this.contentSecurityPolicyReportOnly);
 }
+ /**
+ * The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests.
+ *
+ */
 @Import(name="referrerPolicy")
 private @Nullable Output referrerPolicy;
+ /**
+ * @return The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests.
+ *
+ */
 public Optional> referrerPolicy() {
 return Optional.ofNullable(this.referrerPolicy);
 }
+ /**
+ * The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
+ *
+ */
 @Import(name="strictTransportSecurity")
 private @Nullable Output strictTransportSecurity;
+ /**
+ * @return The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
+ *
+ */
 public Optional> strictTransportSecurity() {
 return Optional.ofNullable(this.strictTransportSecurity);
 }
+ /**
+ * Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
+ *
+ */
 @Import(name="xContentTypeOptions")
 private @Nullable Output xContentTypeOptions;
+ /**
+ * @return Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
+ *
+ */
 public Optional> xContentTypeOptions() {
 return Optional.ofNullable(this.xContentTypeOptions);
 }
+ /**
+ * Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034)
+ *
+ */
 @Import(name="xFrameOptions")
 private @Nullable Output xFrameOptions;
+ /**
+ * @return Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034)
+ *
+ */
 public Optional> xFrameOptions() {
 return Optional.ofNullable(this.xFrameOptions);
 }
+ /**
+ * Prevent pages from appearing in search engines.
+ *
+ */
 @Import(name="xRobotsTag")
 private @Nullable Output xRobotsTag;
+ /**
+ * @return Prevent pages from appearing in search engines.
+ *
+ */
 public Optional> xRobotsTag() {
 return Optional.ofNullable(this.xRobotsTag);
 }
+ /**
+ * This header configures the Cross-site scripting (XSS) filter in your browser.
+ *
+ */
 @Import(name="xXssProtection")
 private @Nullable Output xXssProtection;
+ /**
+ * @return This header configures the Cross-site scripting (XSS) filter in your browser.
+ *
+ */
 public Optional> xXssProtection() {
 return Optional.ofNullable(this.xXssProtection);
 }
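Review bot: The javadoc added for the `strictTransportSecurity` field and its getter names the header `Script-Transport-Security`; the HTTP header this field configures (and that the field is named after) is `Strict-Transport-Security`, and the wrong name will mislead anyone searching the generated docs for HSTS. The same wording is repeated on both `strictTransportSecurity` builder overloads in the hunk ending at L2379. I would change the sentence to `The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.` in all four places; if these files are generated from the provider schema, the correction belongs in the schema description so it is not overwritten on the next regeneration.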
@@ -102,74 +166,170 @@ public Builder(RealmSecurityDefensesHeadersArgs defaults) {
 $ = new RealmSecurityDefensesHeadersArgs(Objects.requireNonNull(defaults));
 }
+ /**
+ * @param contentSecurityPolicy Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract.
+ *
+ * @return builder
+ *
+ */
 public Builder contentSecurityPolicy(@Nullable Output contentSecurityPolicy) {
 $.contentSecurityPolicy = contentSecurityPolicy;
 return this;
 }
+ /**
+ * @param contentSecurityPolicy Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract.
+ *
+ * @return builder
+ *
+ */
 public Builder contentSecurityPolicy(String contentSecurityPolicy) {
 return contentSecurityPolicy(Output.of(contentSecurityPolicy));
 }
+ /**
+ * @param contentSecurityPolicyReportOnly Used for testing Content Security Policies.
+ *
+ * @return builder
+ *
+ */
 public Builder contentSecurityPolicyReportOnly(@Nullable Output contentSecurityPolicyReportOnly) {
 $.contentSecurityPolicyReportOnly = contentSecurityPolicyReportOnly;
 return this;
 }
+ /**
+ * @param contentSecurityPolicyReportOnly Used for testing Content Security Policies.
+ *
+ * @return builder
+ *
+ */
 public Builder contentSecurityPolicyReportOnly(String contentSecurityPolicyReportOnly) {
 return contentSecurityPolicyReportOnly(Output.of(contentSecurityPolicyReportOnly));
 }
+ /**
+ * @param referrerPolicy The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests.
+ *
+ * @return builder
+ *
+ */
 public Builder referrerPolicy(@Nullable Output referrerPolicy) {
 $.referrerPolicy = referrerPolicy;
 return this;
 }
+ /**
+ * @param referrerPolicy The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests.
+ *
+ * @return builder
+ *
+ */
 public Builder referrerPolicy(String referrerPolicy) {
 return referrerPolicy(Output.of(referrerPolicy));
 }
+ /**
+ * @param strictTransportSecurity The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
+ *
+ * @return builder
+ *
+ */
 public Builder strictTransportSecurity(@Nullable Output strictTransportSecurity) {
 $.strictTransportSecurity = strictTransportSecurity;
 return this;
 }
+ /**
+ * @param strictTransportSecurity The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
+ *
+ * @return builder
+ *
+ */
 public Builder strictTransportSecurity(String strictTransportSecurity) {
 return strictTransportSecurity(Output.of(strictTransportSecurity));
 }
+ /**
+ * @param xContentTypeOptions Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
+ *
+ * @return builder
+ *
+ */
 public Builder xContentTypeOptions(@Nullable Output xContentTypeOptions) {
 $.xContentTypeOptions = xContentTypeOptions;
 return this;
 }
+ /**
+ * @param xContentTypeOptions Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
+ *
+ * @return builder
+ *
+ */
 public Builder xContentTypeOptions(String xContentTypeOptions) {
 return xContentTypeOptions(Output.of(xContentTypeOptions));
 }
+ /**
+ * @param xFrameOptions Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes.
More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034)
+ *
+ * @return builder
+ *
+ */
 public Builder xFrameOptions(@Nullable Output xFrameOptions) {
 $.xFrameOptions = xFrameOptions;
 return this;
 }
+ /**
+ * @param xFrameOptions Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034)
+ *
+ * @return builder
+ *
+ */
 public Builder xFrameOptions(String xFrameOptions) {
 return xFrameOptions(Output.of(xFrameOptions));
 }
+ /**
+ * @param xRobotsTag Prevent pages from appearing in search engines.
+ *
+ * @return builder
+ *
+ */
 public Builder xRobotsTag(@Nullable Output xRobotsTag) {
 $.xRobotsTag = xRobotsTag;
 return this;
 }
+ /**
+ * @param xRobotsTag Prevent pages from appearing in search engines.
+ *
+ * @return builder
+ *
+ */
 public Builder xRobotsTag(String xRobotsTag) {
 return xRobotsTag(Output.of(xRobotsTag));
 }
+ /**
+ * @param xXssProtection This header configures the Cross-site scripting (XSS) filter in your browser.
+ *
+ * @return builder
+ *
+ */
 public Builder xXssProtection(@Nullable Output xXssProtection) {
 $.xXssProtection = xXssProtection;
 return this;
 }
+ /**
+ * @param xXssProtection This header configures the Cross-site scripting (XSS) filter in your browser.
+ *
+ * @return builder
+ *
+ */
 public Builder xXssProtection(String xXssProtection) {
 return xXssProtection(Output.of(xXssProtection));
 }
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSmtpServerArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSmtpServerArgs.java
index bb44617c..5b2b7968 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSmtpServerArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSmtpServerArgs.java
@@ -18,72 +18,152 @@ public final class RealmSmtpServerArgs extends com.pulumi.resources.ResourceArgs
 public static final RealmSmtpServerArgs Empty = new RealmSmtpServerArgs();
+ /**
+ * Enables authentication to the SMTP server. This block supports the following arguments:
+ *
+ */
 @Import(name="auth")
 private @Nullable Output auth;
+ /**
+ * @return Enables authentication to the SMTP server. This block supports the following arguments:
+ *
+ */
 public Optional> auth() {
 return Optional.ofNullable(this.auth);
 }
+ /**
+ * The email address uses for bounces.
+ *
+ */
 @Import(name="envelopeFrom")
 private @Nullable Output envelopeFrom;
+ /**
+ * @return The email address uses for bounces.
+ *
+ */
 public Optional> envelopeFrom() {
 return Optional.ofNullable(this.envelopeFrom);
 }
+ /**
+ * The email address for the sender.
+ *
+ */
 @Import(name="from", required=true)
 private Output from;
+ /**
+ * @return The email address for the sender.
+ *
+ */
 public Output from() {
 return this.from;
 }
+ /**
+ * The display name of the sender email address.
+ *
+ */
 @Import(name="fromDisplayName")
 private @Nullable Output fromDisplayName;
+ /**
+ * @return The display name of the sender email address.
+ *
+ */
 public Optional> fromDisplayName() {
 return Optional.ofNullable(this.fromDisplayName);
 }
+ /**
+ * The host of the SMTP server.
+ *
+ */
 @Import(name="host", required=true)
 private Output host;
+ /**
+ * @return The host of the SMTP server.
+ *
+ */
 public Output host() {
 return this.host;
 }
+ /**
+ * The port of the SMTP server (defaults to 25).
+ *
+ */
 @Import(name="port")
 private @Nullable Output port;
+ /**
+ * @return The port of the SMTP server (defaults to 25).
+ *
+ */
 public Optional> port() {
 return Optional.ofNullable(this.port);
 }
+ /**
+ * The "reply to" email address.
+ *
+ */
 @Import(name="replyTo")
 private @Nullable Output replyTo;
+ /**
+ * @return The "reply to" email address.
+ *
+ */
 public Optional> replyTo() {
 return Optional.ofNullable(this.replyTo);
 }
+ /**
+ * The display name of the "reply to" email address.
+ *
+ */
 @Import(name="replyToDisplayName")
 private @Nullable Output replyToDisplayName;
+ /**
+ * @return The display name of the "reply to" email address.
+ *
+ */
 public Optional> replyToDisplayName() {
 return Optional.ofNullable(this.replyToDisplayName);
 }
+ /**
+ * When `true`, enables SSL. Defaults to `false`.
+ *
+ */
 @Import(name="ssl")
 private @Nullable Output ssl;
+ /**
+ * @return When `true`, enables SSL. Defaults to `false`.
+ *
+ */
 public Optional> ssl() {
 return Optional.ofNullable(this.ssl);
 }
+ /**
+ * When `true`, enables StartTLS. Defaults to `false`.
+ *
+ */
 @Import(name="starttls")
 private @Nullable Output starttls;
+ /**
+ * @return When `true`, enables StartTLS. Defaults to `false`.
+ *
+ */
 public Optional> starttls() {
 return Optional.ofNullable(this.starttls);
 }
@@ -121,92 +201,212 @@ public Builder(RealmSmtpServerArgs defaults) {
 $ = new RealmSmtpServerArgs(Objects.requireNonNull(defaults));
 }
+ /**
+ * @param auth Enables authentication to the SMTP server. This block supports the following arguments:
+ *
+ * @return builder
+ *
+ */
 public Builder auth(@Nullable Output auth) {
 $.auth = auth;
 return this;
 }
+ /**
+ * @param auth Enables authentication to the SMTP server. This block supports the following arguments:
+ *
+ * @return builder
+ *
+ */
 public Builder auth(RealmSmtpServerAuthArgs auth) {
 return auth(Output.of(auth));
 }
+ /**
+ * @param envelopeFrom The email address uses for bounces.
+ *
+ * @return builder
+ *
+ */
 public Builder envelopeFrom(@Nullable Output envelopeFrom) {
 $.envelopeFrom = envelopeFrom;
 return this;
 }
+ /**
+ * @param envelopeFrom The email address uses for bounces.
+ *
+ * @return builder
+ *
+ */
 public Builder envelopeFrom(String envelopeFrom) {
 return envelopeFrom(Output.of(envelopeFrom));
 }
+ /**
+ * @param from The email address for the sender.
+ *
+ * @return builder
+ *
+ */
 public Builder from(Output from) {
 $.from = from;
 return this;
 }
+ /**
+ * @param from The email address for the sender.
+ *
+ * @return builder
+ *
+ */
 public Builder from(String from) {
 return from(Output.of(from));
 }
+ /**
+ * @param fromDisplayName The display name of the sender email address.
+ *
+ * @return builder
+ *
+ */
 public Builder fromDisplayName(@Nullable Output fromDisplayName) {
 $.fromDisplayName = fromDisplayName;
 return this;
 }
+ /**
+ * @param fromDisplayName The display name of the sender email address.
+ *
+ * @return builder
+ *
+ */
 public Builder fromDisplayName(String fromDisplayName) {
 return fromDisplayName(Output.of(fromDisplayName));
 }
+ /**
+ * @param host The host of the SMTP server.
+ *
+ * @return builder
+ *
+ */
 public Builder host(Output host) {
 $.host = host;
 return this;
 }
+ /**
+ * @param host The host of the SMTP server.
+ *
+ * @return builder
+ *
+ */
 public Builder host(String host) {
 return host(Output.of(host));
 }
+ /**
+ * @param port The port of the SMTP server (defaults to 25).
+ *
+ * @return builder
+ *
+ */
 public Builder port(@Nullable Output port) {
 $.port = port;
 return this;
 }
+ /**
+ * @param port The port of the SMTP server (defaults to 25).
+ *
+ * @return builder
+ *
+ */
 public Builder port(String port) {
 return port(Output.of(port));
 }
+ /**
+ * @param replyTo The "reply to" email address.
+ *
+ * @return builder
+ *
+ */
 public Builder replyTo(@Nullable Output replyTo) {
 $.replyTo = replyTo;
 return this;
 }
+ /**
+ * @param replyTo The "reply to" email address.
+ *
+ * @return builder
+ *
+ */
 public Builder replyTo(String replyTo) {
 return replyTo(Output.of(replyTo));
 }
+ /**
+ * @param replyToDisplayName The display name of the "reply to" email address.
+ *
+ * @return builder
+ *
+ */
 public Builder replyToDisplayName(@Nullable Output replyToDisplayName) {
 $.replyToDisplayName = replyToDisplayName;
 return this;
 }
+ /**
+ * @param replyToDisplayName The display name of the "reply to" email address.
+ *
+ * @return builder
+ *
+ */
 public Builder replyToDisplayName(String replyToDisplayName) {
 return replyToDisplayName(Output.of(replyToDisplayName));
 }
+ /**
+ * @param ssl When `true`, enables SSL. Defaults to `false`.
+ *
+ * @return builder
+ *
+ */
 public Builder ssl(@Nullable Output ssl) {
 $.ssl = ssl;
 return this;
 }
+ /**
+ * @param ssl When `true`, enables SSL. Defaults to `false`.
+ *
+ * @return builder
+ *
+ */
 public Builder ssl(Boolean ssl) {
 return ssl(Output.of(ssl));
 }
+ /**
+ * @param starttls When `true`, enables StartTLS. Defaults to `false`.
+ *
+ * @return builder
+ *
+ */
 public Builder starttls(@Nullable Output starttls) {
 $.starttls = starttls;
 return this;
 }
+ /**
+ * @param starttls When `true`, enables StartTLS. Defaults to `false`.
+ *
+ * @return builder
+ *
+ */
 public Builder starttls(Boolean starttls) {
 return starttls(Output.of(starttls));
 }
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSmtpServerAuthArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSmtpServerAuthArgs.java
index e4c84239..6d432991 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSmtpServerAuthArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmSmtpServerAuthArgs.java
@@ -14,16 +14,32 @@ public final class RealmSmtpServerAuthArgs extends com.pulumi.resources.Resource
 public static final RealmSmtpServerAuthArgs Empty = new RealmSmtpServerAuthArgs();
+ /**
+ * The SMTP server password.
+ *
+ */
 @Import(name="password", required=true)
 private Output password;
+ /**
+ * @return The SMTP server password.
+ *
+ */
 public Output password() {
 return this.password;
 }
+ /**
+ * The SMTP server username.
+ *
+ */
 @Import(name="username", required=true)
 private Output username;
+ /**
+ * @return The SMTP server username.
+ *
+ */
 public Output username() {
 return this.username;
 }
@@ -53,20 +69,44 @@ public Builder(RealmSmtpServerAuthArgs defaults) {
 $ = new RealmSmtpServerAuthArgs(Objects.requireNonNull(defaults));
 }
+ /**
+ * @param password The SMTP server password.
+ *
+ * @return builder
+ *
+ */
 public Builder password(Output password) {
 $.password = password;
 return this;
 }
+ /**
+ * @param password The SMTP server password.
+ *
+ * @return builder
+ *
+ */
 public Builder password(String password) {
 return password(Output.of(password));
 }
+ /**
+ * @param username The SMTP server username.
+ *
+ * @return builder
+ *
+ */
 public Builder username(Output username) {
 $.username = username;
 return this;
 }
+ /**
+ * @param username The SMTP server username.
+ *
+ * @return builder
+ *
+ */
 public Builder username(String username) {
 return username(Output.of(username));
 }
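Review bot: The javadoc added for `password` in RealmSmtpServerAuthArgs (field, getter, and both builder overloads) says only `The SMTP server password.` and does not tell callers that the value is a credential that ends up in Pulumi state, nor whether the provider schema marks it secret; nothing in this hunk shows either way. The `password(String)` overload wraps the value with plain `Output.of(password)`, so a caller who passes a literal gets a non-secret Output unless the schema itself marks the property secret. I would extend the `@param password` text with a sentence such as `This is a credential: supply it as a secret (for example via Output.ofSecret) so it is encrypted in state and redacted from previews.`, and, if these files are generated from the provider schema, confirm the schema carries the secret flag for this property so the generated SDK inherits it.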
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmState.java
index c42455af..9549cbc7 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmState.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmState.java
@@ -88,9 +88,17 @@ public Optional> adminTheme() {
 return Optional.ofNullable(this.adminTheme);
 }
+ /**
+ * A map of custom attributes to add to the realm.
+ *
+ */
 @Import(name="attributes")
 private @Nullable Output> attributes;
+ /**
+ * @return A map of custom attributes to add to the realm.
+ *
+ */
 public Optional>> attributes() {
 return Optional.ofNullable(this.attributes);
 }
@@ -175,16 +183,32 @@ public Optional> directGrantFlow() {
 return Optional.ofNullable(this.directGrantFlow);
 }
+ /**
+ * The display name for the realm that is shown when logging in to the admin console.
+ *
+ */
 @Import(name="displayName")
 private @Nullable Output displayName;
+ /**
+ * @return The display name for the realm that is shown when logging in to the admin console.
+ *
+ */
 public Optional> displayName() {
 return Optional.ofNullable(this.displayName);
 }
+ /**
+ * The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+ *
+ */
 @Import(name="displayNameHtml")
 private @Nullable Output displayNameHtml;
+ /**
+ * @return The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+ *
+ */
 public Optional> displayNameHtml() {
 return Optional.ofNullable(this.displayNameHtml);
 }
@@ -225,16 +249,32 @@ public Optional> emailTheme() {
 return Optional.ofNullable(this.emailTheme);
 }
+ /**
+ * When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ *
+ */
 @Import(name="enabled")
 private @Nullable Output enabled;
+ /**
+ * @return When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ *
+ */
 public Optional> enabled() {
 return Optional.ofNullable(this.enabled);
 }
+ /**
+ * When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
+ *
+ */
 @Import(name="internalId")
 private @Nullable Output internalId;
+ /**
+ * @return When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
+ *
+ */
 public Optional> internalId() {
 return Optional.ofNullable(this.internalId);
 }
@@ -321,9 +361,17 @@ public Optional> passwordPolicy() {
 return Optional.ofNullable(this.passwordPolicy);
 }
+ /**
+ * The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
+ *
+ */
 @Import(name="realm")
 private @Nullable Output realm;
+ /**
+ * @return The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
+ *
+ */
 public Optional> realm() {
 return Optional.ofNullable(this.realm);
 }
@@ -457,9 +505,17 @@ public Optional> ssoSessionMaxLifespanRememberMe() {
 return Optional.ofNullable(this.ssoSessionMaxLifespanRememberMe);
 }
+ /**
+ * When `true`, users are allowed to manage their own resources. Defaults to `false`.
+ *
+ */
 @Import(name="userManagedAccess")
 private @Nullable Output userManagedAccess;
+ /**
+ * @return When `true`, users are allowed to manage their own resources. Defaults to `false`.
+ *
+ */
 public Optional> userManagedAccess() {
 return Optional.ofNullable(this.userManagedAccess);
 }
@@ -645,11 +701,23 @@ public Builder adminTheme(String adminTheme) {
 return adminTheme(Output.of(adminTheme));
 }
+ /**
+ * @param attributes A map of custom attributes to add to the realm.
+ *
+ * @return builder
+ *
+ */
 public Builder attributes(@Nullable Output> attributes) {
 $.attributes = attributes;
 return this;
 }
+ /**
+ * @param attributes A map of custom attributes to add to the realm.
+ *
+ * @return builder
+ *
+ */
 public Builder attributes(Map attributes) {
 return attributes(Output.of(attributes));
 }
@@ -770,20 +838,44 @@ public Builder directGrantFlow(String directGrantFlow) {
 return directGrantFlow(Output.of(directGrantFlow));
 }
+ /**
+ * @param displayName The display name for the realm that is shown when logging in to the admin console.
+ *
+ * @return builder
+ *
+ */
 public Builder displayName(@Nullable Output displayName) {
 $.displayName = displayName;
 return this;
 }
+ /**
+ * @param displayName The display name for the realm that is shown when logging in to the admin console.
+ *
+ * @return builder
+ *
+ */
 public Builder displayName(String displayName) {
 return displayName(Output.of(displayName));
 }
+ /**
+ * @param displayNameHtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+ *
+ * @return builder
+ *
+ */
 public Builder displayNameHtml(@Nullable Output displayNameHtml) {
 $.displayNameHtml = displayNameHtml;
 return this;
 }
+ /**
+ * @param displayNameHtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+ *
+ * @return builder
+ *
+ */
 public Builder displayNameHtml(String displayNameHtml) {
 return displayNameHtml(Output.of(displayNameHtml));
 }
@@ -836,20 +928,44 @@ public Builder emailTheme(String emailTheme) {
 return emailTheme(Output.of(emailTheme));
 }
+ /**
+ * @param enabled When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ *
+ * @return builder
+ *
+ */
 public Builder enabled(@Nullable Output enabled) {
 $.enabled = enabled;
 return this;
 }
+ /**
+ * @param enabled When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ *
+ * @return builder
+ *
+ */
 public Builder enabled(Boolean enabled) {
 return enabled(Output.of(enabled));
 }
+ /**
+ * @param internalId When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
+ *
+ * @return builder
+ *
+ */
 public Builder internalId(@Nullable Output internalId) {
 $.internalId = internalId;
 return this;
 }
+ /**
+ * @param internalId When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
+ *
+ * @return builder
+ *
+ */
 public Builder internalId(String internalId) {
 return internalId(Output.of(internalId));
 }
@@ -960,11 +1076,23 @@ public Builder passwordPolicy(String passwordPolicy) {
 return passwordPolicy(Output.of(passwordPolicy));
 }
+ /**
+ * @param realm The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
+ *
+ * @return builder
+ *
+ */
 public Builder realm(@Nullable Output realm) {
 $.realm = realm;
 return this;
 }
+ /**
+ * @param realm The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
+ *
+ * @return builder
+ *
+ */
 public Builder realm(String realm) {
 return realm(Output.of(realm));
 }
@@ -1140,11 +1268,23 @@ public Builder ssoSessionMaxLifespanRememberMe(String ssoSessionMaxLifespanRemem
 return ssoSessionMaxLifespanRememberMe(Output.of(ssoSessionMaxLifespanRememberMe));
 }
+ /**
+ * @param userManagedAccess When `true`, users are allowed to manage their own resources. Defaults to `false`.
+ *
+ * @return builder
+ *
+ */
 public Builder userManagedAccess(@Nullable Output userManagedAccess) {
 $.userManagedAccess = userManagedAccess;
 return this;
 }
+ /**
+ * @param userManagedAccess When `true`, users are allowed to manage their own resources. Defaults to `false`.
+ *
+ * @return builder
+ *
+ */
 public Builder userManagedAccess(Boolean userManagedAccess) {
 return userManagedAccess(Output.of(userManagedAccess));
 }
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmWebAuthnPasswordlessPolicyArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmWebAuthnPasswordlessPolicyArgs.java
index 32d3753f..91fc9f28 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmWebAuthnPasswordlessPolicyArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmWebAuthnPasswordlessPolicyArgs.java
@@ -18,9 +18,17 @@ public final class RealmWebAuthnPasswordlessPolicyArgs extends com.pulumi.resour
 public static final RealmWebAuthnPasswordlessPolicyArgs Empty = new RealmWebAuthnPasswordlessPolicyArgs();
+ /**
+ * A set of AAGUIDs for which an authenticator can be registered.
+ *
+ */
 @Import(name="acceptableAaguids")
 private @Nullable Output> acceptableAaguids;
+ /**
+ * @return A set of AAGUIDs for which an authenticator can be registered.
+ *
+ */
 public Optional>> acceptableAaguids() {
 return Optional.ofNullable(this.acceptableAaguids);
 }
@@ -55,30 +63,62 @@ public Optional> authenticatorAttachment() {
 return Optional.ofNullable(this.authenticatorAttachment);
 }
+ /**
+ * When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`.
+ *
+ */
 @Import(name="avoidSameAuthenticatorRegister")
 private @Nullable Output avoidSameAuthenticatorRegister;
+ /**
+ * @return When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`.
+ *
+ */
 public Optional> avoidSameAuthenticatorRegister() {
 return Optional.ofNullable(this.avoidSameAuthenticatorRegister);
 }
+ /**
+ * The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`.
+ *
+ */
 @Import(name="createTimeout")
 private @Nullable Output createTimeout;
+ /**
+ * @return The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`.
+ *
+ */
 public Optional> createTimeout() {
 return Optional.ofNullable(this.createTimeout);
 }
+ /**
+ * A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`.
+ *
+ */
 @Import(name="relyingPartyEntityName")
 private @Nullable Output relyingPartyEntityName;
+ /**
+ * @return A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`.
+ *
+ */
 public Optional> relyingPartyEntityName() {
 return Optional.ofNullable(this.relyingPartyEntityName);
 }
+ /**
+ * The WebAuthn relying party ID.
+ *
+ */
 @Import(name="relyingPartyId")
 private @Nullable Output relyingPartyId;
+ /**
+ * @return The WebAuthn relying party ID.
+ *
+ */
 public Optional> relyingPartyId() {
 return Optional.ofNullable(this.relyingPartyId);
 }
@@ -161,15 +201,33 @@ public Builder(RealmWebAuthnPasswordlessPolicyArgs defaults) { $ = new RealmWebAuthnPasswordlessPolicyArgs(Objects.requireNonNull(defaults)); } + /** + * @param acceptableAaguids A set of AAGUIDs for which an authenticator can be registered. + * + * @return builder + * + */ public Builder acceptableAaguids(@Nullable Output> acceptableAaguids) { $.acceptableAaguids = acceptableAaguids; return this; } + /** + * @param acceptableAaguids A set of AAGUIDs for which an authenticator can be registered. + * + * @return builder + * + */ public Builder acceptableAaguids(List acceptableAaguids) { return acceptableAaguids(Output.of(acceptableAaguids)); } + /** + * @param acceptableAaguids A set of AAGUIDs for which an authenticator can be registered. + * + * @return builder + * + */ public Builder acceptableAaguids(String... acceptableAaguids) { return acceptableAaguids(List.of(acceptableAaguids)); } 
@@ -216,38 +274,86 @@ public Builder authenticatorAttachment(String authenticatorAttachment) { return authenticatorAttachment(Output.of(authenticatorAttachment)); } + /** + * @param avoidSameAuthenticatorRegister When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + * @return builder + * + */ public Builder avoidSameAuthenticatorRegister(@Nullable Output avoidSameAuthenticatorRegister) { $.avoidSameAuthenticatorRegister = avoidSameAuthenticatorRegister; return this; } + /** + * @param avoidSameAuthenticatorRegister When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + * @return builder + * + */ public Builder avoidSameAuthenticatorRegister(Boolean avoidSameAuthenticatorRegister) { return avoidSameAuthenticatorRegister(Output.of(avoidSameAuthenticatorRegister)); } + /** + * @param createTimeout The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + * @return builder + * + */ public Builder createTimeout(@Nullable Output createTimeout) { $.createTimeout = createTimeout; return this; } + /** + * @param createTimeout The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + * @return builder + * + */ public Builder createTimeout(Integer createTimeout) { return createTimeout(Output.of(createTimeout)); } + /** + * @param relyingPartyEntityName A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + * + * @return builder + * + */ public Builder relyingPartyEntityName(@Nullable Output relyingPartyEntityName) { $.relyingPartyEntityName = relyingPartyEntityName; return this; } + /** + * @param relyingPartyEntityName A human readable server name for the WebAuthn Relying Party. 
Defaults to `keycloak`. + * + * @return builder + * + */ public Builder relyingPartyEntityName(String relyingPartyEntityName) { return relyingPartyEntityName(Output.of(relyingPartyEntityName)); } + /** + * @param relyingPartyId The WebAuthn relying party ID. + * + * @return builder + * + */ public Builder relyingPartyId(@Nullable Output relyingPartyId) { $.relyingPartyId = relyingPartyId; return this; } + /** + * @param relyingPartyId The WebAuthn relying party ID. + * + * @return builder + * + */ public Builder relyingPartyId(String relyingPartyId) { return relyingPartyId(Output.of(relyingPartyId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmWebAuthnPolicyArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmWebAuthnPolicyArgs.java index c747d7bc..ac739506 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmWebAuthnPolicyArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RealmWebAuthnPolicyArgs.java @@ -18,9 +18,17 @@ public final class RealmWebAuthnPolicyArgs extends com.pulumi.resources.Resource public static final RealmWebAuthnPolicyArgs Empty = new RealmWebAuthnPolicyArgs(); + /** + * A set of AAGUIDs for which an authenticator can be registered. + * + */ @Import(name="acceptableAaguids") private @Nullable Output> acceptableAaguids; + /** + * @return A set of AAGUIDs for which an authenticator can be registered. + * + */ public Optional>> acceptableAaguids() { return Optional.ofNullable(this.acceptableAaguids); } 
@@ -55,30 +63,62 @@ public Optional> authenticatorAttachment() { return Optional.ofNullable(this.authenticatorAttachment); } + /** + * When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + */ @Import(name="avoidSameAuthenticatorRegister") private @Nullable Output avoidSameAuthenticatorRegister; + /** + * @return When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + */ public Optional> avoidSameAuthenticatorRegister() { return Optional.ofNullable(this.avoidSameAuthenticatorRegister); } + /** + * The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + */ @Import(name="createTimeout") private @Nullable Output createTimeout; + /** + * @return The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + */ public Optional> createTimeout() { return Optional.ofNullable(this.createTimeout); } + /** + * A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + * + */ @Import(name="relyingPartyEntityName") private @Nullable Output relyingPartyEntityName; + /** + * @return A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + * + */ public Optional> relyingPartyEntityName() { return Optional.ofNullable(this.relyingPartyEntityName); } + /** + * The WebAuthn relying party ID. + * + */ @Import(name="relyingPartyId") private @Nullable Output relyingPartyId; + /** + * @return The WebAuthn relying party ID. + * + */ public Optional> relyingPartyId() { return Optional.ofNullable(this.relyingPartyId); } 
@@ -161,15 +201,33 @@ public Builder(RealmWebAuthnPolicyArgs defaults) { $ = new RealmWebAuthnPolicyArgs(Objects.requireNonNull(defaults)); } + /** + * @param acceptableAaguids A set of AAGUIDs for which an authenticator can be registered. + * + * @return builder + * + */ public Builder acceptableAaguids(@Nullable Output> acceptableAaguids) { $.acceptableAaguids = acceptableAaguids; return this; } + /** + * @param acceptableAaguids A set of AAGUIDs for which an authenticator can be registered. + * + * @return builder + * + */ public Builder acceptableAaguids(List acceptableAaguids) { return acceptableAaguids(Output.of(acceptableAaguids)); } + /** + * @param acceptableAaguids A set of AAGUIDs for which an authenticator can be registered. + * + * @return builder + * + */ public Builder acceptableAaguids(String... acceptableAaguids) { return acceptableAaguids(List.of(acceptableAaguids)); } 
@@ -216,38 +274,86 @@ public Builder authenticatorAttachment(String authenticatorAttachment) { return authenticatorAttachment(Output.of(authenticatorAttachment)); } + /** + * @param avoidSameAuthenticatorRegister When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + * @return builder + * + */ public Builder avoidSameAuthenticatorRegister(@Nullable Output avoidSameAuthenticatorRegister) { $.avoidSameAuthenticatorRegister = avoidSameAuthenticatorRegister; return this; } + /** + * @param avoidSameAuthenticatorRegister When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + * @return builder + * + */ public Builder avoidSameAuthenticatorRegister(Boolean avoidSameAuthenticatorRegister) { return avoidSameAuthenticatorRegister(Output.of(avoidSameAuthenticatorRegister)); } + /** + * @param createTimeout The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + * @return builder + * + */ public Builder createTimeout(@Nullable Output createTimeout) { $.createTimeout = createTimeout; return this; } + /** + * @param createTimeout The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + * @return builder + * + */ public Builder createTimeout(Integer createTimeout) { return createTimeout(Output.of(createTimeout)); } + /** + * @param relyingPartyEntityName A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + * + * @return builder + * + */ public Builder relyingPartyEntityName(@Nullable Output relyingPartyEntityName) { $.relyingPartyEntityName = relyingPartyEntityName; return this; } + /** + * @param relyingPartyEntityName A human readable server name for the WebAuthn Relying Party. 
Defaults to `keycloak`. + * + * @return builder + * + */ public Builder relyingPartyEntityName(String relyingPartyEntityName) { return relyingPartyEntityName(Output.of(relyingPartyEntityName)); } + /** + * @param relyingPartyId The WebAuthn relying party ID. + * + * @return builder + * + */ public Builder relyingPartyId(@Nullable Output relyingPartyId) { $.relyingPartyId = relyingPartyId; return this; } + /** + * @param relyingPartyId The WebAuthn relying party ID. + * + * @return builder + * + */ public Builder relyingPartyId(String relyingPartyId) { return relyingPartyId(Output.of(relyingPartyId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RoleState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RoleState.java index 1a40c616..39837bd8 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RoleState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/RoleState.java 
@@ -17,44 +17,92 @@ public final class RoleState extends com.pulumi.resources.ResourceArgs { public static final RoleState Empty = new RoleState(); + /** + * A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ @Import(name="attributes") private @Nullable Output> attributes; + /** + * @return A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ public Optional>> attributes() { return Optional.ofNullable(this.attributes); } + /** + * When specified, this role will be created as a client role attached to the client with the provided ID + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return When specified, this role will be created as a client role attached to the client with the provided ID + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + */ @Import(name="compositeRoles") private @Nullable Output> compositeRoles; + /** + * @return When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + */ public Optional>> compositeRoles() { return Optional.ofNullable(this.compositeRoles); } + /** + * The description of the role + * + */ @Import(name="description") private @Nullable Output description; + /** + * @return The description of the role + * + */ public Optional> description() { return Optional.ofNullable(this.description); } + /** + * The name of the role + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The name of the role + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The realm this role exists within. 
+ * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this role exists within. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } 
@@ -88,60 +136,138 @@ public Builder(RoleState defaults) { $ = new RoleState(Objects.requireNonNull(defaults)); } + /** + * @param attributes A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(@Nullable Output> attributes) { $.attributes = attributes; return this; } + /** + * @param attributes A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(Map attributes) { return attributes(Output.of(attributes)); } + /** + * @param clientId When specified, this role will be created as a client role attached to the client with the provided ID + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId When specified, this role will be created as a client role attached to the client with the provided ID + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param compositeRoles When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + * @return builder + * + */ public Builder compositeRoles(@Nullable Output> compositeRoles) { $.compositeRoles = compositeRoles; return this; } + /** + * @param compositeRoles When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + * + * @return builder + * + */ public Builder compositeRoles(List compositeRoles) { return compositeRoles(Output.of(compositeRoles)); } + /** + * @param compositeRoles When specified, this role will be a composite role, composed of all roles that have an ID present within this list. 
+ * + * @return builder + * + */ public Builder compositeRoles(String... compositeRoles) { return compositeRoles(List.of(compositeRoles)); } + /** + * @param description The description of the role + * + * @return builder + * + */ public Builder description(@Nullable Output description) { $.description = description; return this; } + /** + * @param description The description of the role + * + * @return builder + * + */ public Builder description(String description) { return description(Output.of(description)); } + /** + * @param name The name of the role + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The name of the role + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this role exists within. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this role exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserFederatedIdentityArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserFederatedIdentityArgs.java index 90346415..659f006a 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserFederatedIdentityArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserFederatedIdentityArgs.java 
@@ -14,23 +14,47 @@ public final class UserFederatedIdentityArgs extends com.pulumi.resources.Resour public static final UserFederatedIdentityArgs Empty = new UserFederatedIdentityArgs(); + /** + * The name of the identity provider + * + */ @Import(name="identityProvider", required=true) private Output identityProvider; + /** + * @return The name of the identity provider + * + */ public Output identityProvider() { return this.identityProvider; } + /** + * The ID of the user defined in the identity provider + * + */ @Import(name="userId", required=true) private Output userId; + /** + * @return The ID of the user defined in the identity provider + * + */ public Output userId() { return this.userId; } + /** + * The user name of the user defined in the identity provider + * + */ @Import(name="userName", required=true) private Output userName; + /** + * @return The user name of the user defined in the identity provider + * + */ public Output userName() { return this.userName; } 
@@ -61,29 +85,65 @@ public Builder(UserFederatedIdentityArgs defaults) { $ = new UserFederatedIdentityArgs(Objects.requireNonNull(defaults)); } + /** + * @param identityProvider The name of the identity provider + * + * @return builder + * + */ public Builder identityProvider(Output identityProvider) { $.identityProvider = identityProvider; return this; } + /** + * @param identityProvider The name of the identity provider + * + * @return builder + * + */ public Builder identityProvider(String identityProvider) { return identityProvider(Output.of(identityProvider)); } + /** + * @param userId The ID of the user defined in the identity provider + * + * @return builder + * + */ public Builder userId(Output userId) { $.userId = userId; return this; } + /** + * @param userId The ID of the user defined in the identity provider + * + * @return builder + * + */ public Builder userId(String userId) { return userId(Output.of(userId)); } + /** + * @param userName The user name of the user defined in the identity provider + * + * @return builder + * + */ public Builder userName(Output userName) { $.userName = userName; return this; } + /** + * @param userName The user name of the user defined in the identity provider + * + * @return builder + * + */ public Builder userName(String userName) { return userName(Output.of(userName)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserInitialPasswordArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserInitialPasswordArgs.java index aaeae9dc..0e74f368 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserInitialPasswordArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserInitialPasswordArgs.java 
@@ -17,16 +17,32 @@ public final class UserInitialPasswordArgs extends com.pulumi.resources.Resource public static final UserInitialPasswordArgs Empty = new UserInitialPasswordArgs(); + /** + * If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + * + */ @Import(name="temporary") private @Nullable Output temporary; + /** + * @return If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + * + */ public Optional> temporary() { return Optional.ofNullable(this.temporary); } + /** + * The initial password. + * + */ @Import(name="value", required=true) private Output value; + /** + * @return The initial password. + * + */ public Output value() { return this.value; } @@ -56,20 +72,44 @@ public Builder(UserInitialPasswordArgs defaults) { $ = new UserInitialPasswordArgs(Objects.requireNonNull(defaults)); } + /** + * @param temporary If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + * + * @return builder + * + */ public Builder temporary(@Nullable Output temporary) { $.temporary = temporary; return this; } + /** + * @param temporary If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + * + * @return builder + * + */ public Builder temporary(Boolean temporary) { return temporary(Output.of(temporary)); } + /** + * @param value The initial password. + * + * @return builder + * + */ public Builder value(Output value) { $.value = value; return this; } + /** + * @param value The initial password. + * + * @return builder + * + */ public Builder value(String value) { return value(Output.of(value)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserState.java index 4610f033..23c5c95f 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserState.java 
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/UserState.java 
@@ -20,79 +20,167 @@ public final class UserState extends com.pulumi.resources.ResourceArgs { public static final UserState Empty = new UserState(); + /** + * A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ @Import(name="attributes") private @Nullable Output> attributes; + /** + * @return A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + */ public Optional>> attributes() { return Optional.ofNullable(this.attributes); } + /** + * The user's email. + * + */ @Import(name="email") private @Nullable Output email; + /** + * @return The user's email. + * + */ public Optional> email() { return Optional.ofNullable(this.email); } + /** + * Whether the email address was validated or not. Default to `false`. + * + */ @Import(name="emailVerified") private @Nullable Output emailVerified; + /** + * @return Whether the email address was validated or not. Default to `false`. + * + */ public Optional> emailVerified() { return Optional.ofNullable(this.emailVerified); } + /** + * When false, this user cannot log in. Defaults to `true`. + * + */ @Import(name="enabled") private @Nullable Output enabled; + /** + * @return When false, this user cannot log in. Defaults to `true`. + * + */ public Optional> enabled() { return Optional.ofNullable(this.enabled); } + /** + * When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + */ @Import(name="federatedIdentities") private @Nullable Output> federatedIdentities; + /** + * @return When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + */ public Optional>> federatedIdentities() { return Optional.ofNullable(this.federatedIdentities); } + /** + * The user's first name. 
+ * + */ @Import(name="firstName") private @Nullable Output firstName; + /** + * @return The user's first name. + * + */ public Optional> firstName() { return Optional.ofNullable(this.firstName); } + /** + * When given, the user's initial password will be set. This attribute is only respected during initial user creation. + * + */ @Import(name="initialPassword") private @Nullable Output initialPassword; + /** + * @return When given, the user's initial password will be set. This attribute is only respected during initial user creation. + * + */ public Optional> initialPassword() { return Optional.ofNullable(this.initialPassword); } + /** + * The user's last name. + * + */ @Import(name="lastName") private @Nullable Output lastName; + /** + * @return The user's last name. + * + */ public Optional> lastName() { return Optional.ofNullable(this.lastName); } + /** + * The realm this user belongs to. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this user belongs to. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * A list of required user actions. + * + */ @Import(name="requiredActions") private @Nullable Output> requiredActions; + /** + * @return A list of required user actions. + * + */ public Optional>> requiredActions() { return Optional.ofNullable(this.requiredActions); } + /** + * The unique username of this user. + * + */ @Import(name="username") private @Nullable Output username; + /** + * @return The unique username of this user. + * + */ public Optional> username() { return Optional.ofNullable(this.username); } 
@@ -131,109 +219,253 @@ public Builder(UserState defaults) { $ = new UserState(Objects.requireNonNull(defaults)); } + /** + * @param attributes A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(@Nullable Output> attributes) { $.attributes = attributes; return this; } + /** + * @param attributes A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + * + * @return builder + * + */ public Builder attributes(Map attributes) { return attributes(Output.of(attributes)); } + /** + * @param email The user's email. + * + * @return builder + * + */ public Builder email(@Nullable Output email) { $.email = email; return this; } + /** + * @param email The user's email. + * + * @return builder + * + */ public Builder email(String email) { return email(Output.of(email)); } + /** + * @param emailVerified Whether the email address was validated or not. Default to `false`. + * + * @return builder + * + */ public Builder emailVerified(@Nullable Output emailVerified) { $.emailVerified = emailVerified; return this; } + /** + * @param emailVerified Whether the email address was validated or not. Default to `false`. + * + * @return builder + * + */ public Builder emailVerified(Boolean emailVerified) { return emailVerified(Output.of(emailVerified)); } + /** + * @param enabled When false, this user cannot log in. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(@Nullable Output enabled) { $.enabled = enabled; return this; } + /** + * @param enabled When false, this user cannot log in. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder enabled(Boolean enabled) { return enabled(Output.of(enabled)); } + /** + * @param federatedIdentities When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + * @return builder + * + */ public Builder federatedIdentities(@Nullable Output> federatedIdentities) { $.federatedIdentities = federatedIdentities; return this; } + /** + * @param federatedIdentities When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + * @return builder + * + */ public Builder federatedIdentities(List federatedIdentities) { return federatedIdentities(Output.of(federatedIdentities)); } + /** + * @param federatedIdentities When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + * + * @return builder + * + */ public Builder federatedIdentities(UserFederatedIdentityArgs... federatedIdentities) { return federatedIdentities(List.of(federatedIdentities)); } + /** + * @param firstName The user's first name. + * + * @return builder + * + */ public Builder firstName(@Nullable Output firstName) { $.firstName = firstName; return this; } + /** + * @param firstName The user's first name. + * + * @return builder + * + */ public Builder firstName(String firstName) { return firstName(Output.of(firstName)); } + /** + * @param initialPassword When given, the user's initial password will be set. This attribute is only respected during initial user creation. + * + * @return builder + * + */ public Builder initialPassword(@Nullable Output initialPassword) { $.initialPassword = initialPassword; return this; } + /** + * @param initialPassword When given, the user's initial password will be set. This attribute is only respected during initial user creation. 
+ * + * @return builder + * + */ public Builder initialPassword(UserInitialPasswordArgs initialPassword) { return initialPassword(Output.of(initialPassword)); } + /** + * @param lastName The user's last name. + * + * @return builder + * + */ public Builder lastName(@Nullable Output lastName) { $.lastName = lastName; return this; } + /** + * @param lastName The user's last name. + * + * @return builder + * + */ public Builder lastName(String lastName) { return lastName(Output.of(lastName)); } + /** + * @param realmId The realm this user belongs to. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this user belongs to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param requiredActions A list of required user actions. + * + * @return builder + * + */ public Builder requiredActions(@Nullable Output> requiredActions) { $.requiredActions = requiredActions; return this; } + /** + * @param requiredActions A list of required user actions. + * + * @return builder + * + */ public Builder requiredActions(List requiredActions) { return requiredActions(Output.of(requiredActions)); } + /** + * @param requiredActions A list of required user actions. + * + * @return builder + * + */ public Builder requiredActions(String... requiredActions) { return requiredActions(List.of(requiredActions)); } + /** + * @param username The unique username of this user. + * + * @return builder + * + */ public Builder username(@Nullable Output username) { $.username = username; return this; } + /** + * @param username The unique username of this user. + * + * @return builder + * + */ public Builder username(String username) { return username(Output.of(username)); } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/FullNameMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/FullNameMapper.java index 8e0eaf6c..ad975169 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/FullNameMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/FullNameMapper.java @@ -16,15 +16,12 @@ import javax.annotation.Nullable; /** - * ## # keycloak.ldap.FullNameMapper + * Allows for creating and managing full name mappers for Keycloak users federated via LDAP. * - * Allows for creating and managing full name mappers for Keycloak users federated - * via LDAP. + * The LDAP full name mapper can map a user's full name from an LDAP attribute to the first and last name attributes of a + * Keycloak user. * - * The LDAP full name mapper can map a user's full name from an LDAP attribute - * to the first and last name attributes of a Keycloak user. - * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -54,7 +51,7 @@
  * 
  *     public static void stack(Context ctx) {
  *         var realm = new Realm("realm", RealmArgs.builder()
- *             .realm("test")
+ *             .realm("my-realm")
  *             .enabled(true)
  *             .build());
  * 
@@ -86,83 +83,104 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. * - * - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - * - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - * - `name` - (Required) Display name of this mapper when displayed in the console. - * - `ldap_full_name_attribute` - (Required) The name of the LDAP attribute containing the user's full name. - * - `read_only` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. - * - `write_only` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. * - * ### Import + * Example: * - * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - * The ID of the LDAP user federation provider and the mapper can be found within - * the Keycloak GUI, and they are typically GUIDs: + * bash + * + * ```sh + * $ pulumi import keycloak:ldap/fullNameMapper:FullNameMapper ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` * */ @ResourceType(type="keycloak:ldap/fullNameMapper:FullNameMapper") public class FullNameMapper extends com.pulumi.resources.CustomResource { + /** + * The name of the LDAP attribute containing the user's full name. + * + */ @Export(name="ldapFullNameAttribute", refs={String.class}, tree="[0]") private Output ldapFullNameAttribute; + /** + * @return The name of the LDAP attribute containing the user's full name. 
+ * + */ public Output ldapFullNameAttribute() { return this.ldapFullNameAttribute; } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Export(name="ldapUserFederationId", refs={String.class}, tree="[0]") private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { return this.ldapUserFederationId; } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Output name() { return this.name; } + /** + * When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + */ @Export(name="readOnly", refs={Boolean.class}, tree="[0]") private Output readOnly; + /** + * @return When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + */ public Output> readOnly() { return Codegen.optional(this.readOnly); } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { return this.realmId; } + /** + * When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. 
+ * + */ @Export(name="writeOnly", refs={Boolean.class}, tree="[0]") private Output writeOnly; + /** + * @return When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * + */ public Output> writeOnly() { return Codegen.optional(this.writeOnly); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/FullNameMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/FullNameMapperArgs.java index f7e00f1d..ea700ef2 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/FullNameMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/FullNameMapperArgs.java @@ -17,22 +17,30 @@ public final class FullNameMapperArgs extends com.pulumi.resources.ResourceArgs public static final FullNameMapperArgs Empty = new FullNameMapperArgs(); + /** + * The name of the LDAP attribute containing the user's full name. + * + */ @Import(name="ldapFullNameAttribute", required=true) private Output ldapFullNameAttribute; + /** + * @return The name of the LDAP attribute containing the user's full name. + * + */ public Output ldapFullNameAttribute() { return this.ldapFullNameAttribute; } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId", required=true) private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { 
@@ -40,45 +48,61 @@ public Output ldapUserFederationId() { } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + */ @Import(name="readOnly") private @Nullable Output readOnly; + /** + * @return When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + */ public Optional> readOnly() { return Optional.ofNullable(this.readOnly); } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { return this.realmId; } + /** + * When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * + */ @Import(name="writeOnly") private @Nullable Output writeOnly; + /** + * @return When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * + */ public Optional> writeOnly() { return Optional.ofNullable(this.writeOnly); } 
@@ -112,17 +136,29 @@ public Builder(FullNameMapperArgs defaults) { $ = new FullNameMapperArgs(Objects.requireNonNull(defaults)); } + /** + * @param ldapFullNameAttribute The name of the LDAP attribute containing the user's full name. + * + * @return builder + * + */ public Builder ldapFullNameAttribute(Output ldapFullNameAttribute) { $.ldapFullNameAttribute = ldapFullNameAttribute; return this; } + /** + * @param ldapFullNameAttribute The name of the LDAP attribute containing the user's full name. + * + * @return builder + * + */ public Builder ldapFullNameAttribute(String ldapFullNameAttribute) { return ldapFullNameAttribute(Output.of(ldapFullNameAttribute)); } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -133,7 +169,7 @@ public Builder ldapUserFederationId(Output ldapUserFederationId) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -143,7 +179,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -154,7 +190,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * 
@@ -163,17 +199,29 @@ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param readOnly When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + * @return builder + * + */ public Builder readOnly(@Nullable Output readOnly) { $.readOnly = readOnly; return this; } + /** + * @param readOnly When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + * @return builder + * + */ public Builder readOnly(Boolean readOnly) { return readOnly(Output.of(readOnly)); } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -184,7 +232,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -193,11 +241,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param writeOnly When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * + * @return builder + * + */ public Builder writeOnly(@Nullable Output writeOnly) { $.writeOnly = writeOnly; return this; } + /** + * @param writeOnly When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * + * @return builder + * + */ public Builder writeOnly(Boolean writeOnly) { return writeOnly(Output.of(writeOnly)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/GroupMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/GroupMapper.java index 3db4d4f3..d8700952 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/GroupMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/GroupMapper.java 
@@ -17,16 +17,12 @@ import javax.annotation.Nullable; /** - * ## # keycloak.ldap.GroupMapper + * Allows for creating and managing group mappers for Keycloak users federated via LDAP. * - * Allows for creating and managing group mappers for Keycloak users federated - * via LDAP. + * The LDAP group mapper can be used to map an LDAP user's groups from some DN to Keycloak groups. This group mapper will also + * create the groups within Keycloak if they do not already exist. * - * The LDAP group mapper can be used to map an LDAP user's groups from some DN - * to Keycloak groups. This group mapper will also create the groups within Keycloak - * if they do not already exist. - * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -56,7 +52,7 @@
  * 
  *     public static void stack(Context ctx) {
  *         var realm = new Realm("realm", RealmArgs.builder()
- *             .realm("test")
+ *             .realm("my-realm")
  *             .enabled(true)
  *             .build());
  * 
@@ -94,166 +90,272 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. * - * - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - * - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - * - `name` - (Required) Display name of this mapper when displayed in the console. - * - `ldap_groups_dn` - (Required) The LDAP DN where groups can be found. - * - `group_name_ldap_attribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. - * - `group_object_classes` - (Required) Array of strings representing the object classes for the group. Must contain at least one. - * - `preserve_group_inheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. - * - `ignore_missing_groups` - (Optional) When `true`, missing groups in the hierarchy will be ignored. - * - `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings. - * - `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`. - * - `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings. - * - `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. - * - `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. Defaults to `READ_ONLY`. - * - `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. 
Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. - * - `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. - * - `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. - * - `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. * - * ### Import + * Example: * - * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - * The ID of the LDAP user federation provider and the mapper can be found within - * the Keycloak GUI, and they are typically GUIDs: + * bash + * + * ```sh + * $ pulumi import keycloak:ldap/groupMapper:GroupMapper ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` * */ @ResourceType(type="keycloak:ldap/groupMapper:GroupMapper") public class GroupMapper extends com.pulumi.resources.CustomResource { + /** + * When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + */ @Export(name="dropNonExistingGroupsDuringSync", refs={Boolean.class}, tree="[0]") private Output dropNonExistingGroupsDuringSync; + /** + * @return When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + */ public Output> dropNonExistingGroupsDuringSync() { return Codegen.optional(this.dropNonExistingGroupsDuringSync); } + /** + * The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. 
+ * + */ @Export(name="groupNameLdapAttribute", refs={String.class}, tree="[0]") private Output groupNameLdapAttribute; + /** + * @return The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + * + */ public Output groupNameLdapAttribute() { return this.groupNameLdapAttribute; } + /** + * List of strings representing the object classes for the group. Must contain at least one. + * + */ @Export(name="groupObjectClasses", refs={List.class,String.class}, tree="[0,1]") private Output> groupObjectClasses; + /** + * @return List of strings representing the object classes for the group. Must contain at least one. + * + */ public Output> groupObjectClasses() { return this.groupObjectClasses; } + /** + * When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + * + */ @Export(name="groupsLdapFilter", refs={String.class}, tree="[0]") private Output groupsLdapFilter; + /** + * @return When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + * + */ public Output> groupsLdapFilter() { return Codegen.optional(this.groupsLdapFilter); } + /** + * Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + * + */ @Export(name="groupsPath", refs={String.class}, tree="[0]") private Output groupsPath; + /** + * @return Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. 
+ * + */ public Output groupsPath() { return this.groupsPath; } + /** + * When `true`, missing groups in the hierarchy will be ignored. + * + */ @Export(name="ignoreMissingGroups", refs={Boolean.class}, tree="[0]") private Output ignoreMissingGroups; + /** + * @return When `true`, missing groups in the hierarchy will be ignored. + * + */ public Output> ignoreMissingGroups() { return Codegen.optional(this.ignoreMissingGroups); } + /** + * The LDAP DN where groups can be found. + * + */ @Export(name="ldapGroupsDn", refs={String.class}, tree="[0]") private Output ldapGroupsDn; + /** + * @return The LDAP DN where groups can be found. + * + */ public Output ldapGroupsDn() { return this.ldapGroupsDn; } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Export(name="ldapUserFederationId", refs={String.class}, tree="[0]") private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { return this.ldapUserFederationId; } + /** + * Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + */ @Export(name="mappedGroupAttributes", refs={List.class,String.class}, tree="[0,1]") private Output> mappedGroupAttributes; + /** + * @return Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + */ public Output>> mappedGroupAttributes() { return Codegen.optional(this.mappedGroupAttributes); } + /** + * Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. 
+ * + */ @Export(name="memberofLdapAttribute", refs={String.class}, tree="[0]") private Output memberofLdapAttribute; + /** + * @return Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + * + */ public Output> memberofLdapAttribute() { return Codegen.optional(this.memberofLdapAttribute); } + /** + * Can be one of `DN` or `UID`. Defaults to `DN`. + * + */ @Export(name="membershipAttributeType", refs={String.class}, tree="[0]") private Output membershipAttributeType; + /** + * @return Can be one of `DN` or `UID`. Defaults to `DN`. + * + */ public Output> membershipAttributeType() { return Codegen.optional(this.membershipAttributeType); } + /** + * The name of the LDAP attribute that is used for membership mappings. + * + */ @Export(name="membershipLdapAttribute", refs={String.class}, tree="[0]") private Output membershipLdapAttribute; + /** + * @return The name of the LDAP attribute that is used for membership mappings. + * + */ public Output membershipLdapAttribute() { return this.membershipLdapAttribute; } + /** + * The name of the LDAP attribute on a user that is used for membership mappings. + * + */ @Export(name="membershipUserLdapAttribute", refs={String.class}, tree="[0]") private Output membershipUserLdapAttribute; + /** + * @return The name of the LDAP attribute on a user that is used for membership mappings. + * + */ public Output membershipUserLdapAttribute() { return this.membershipUserLdapAttribute; } + /** + * Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + * + */ @Export(name="mode", refs={String.class}, tree="[0]") private Output mode; + /** + * @return Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + * + */ public Output> mode() { return Codegen.optional(this.mode); } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. 
* */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Output name() { return this.name; } + /** + * When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + */ @Export(name="preserveGroupInheritance", refs={Boolean.class}, tree="[0]") private Output preserveGroupInheritance; + /** + * @return When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + */ public Output> preserveGroupInheritance() { return Codegen.optional(this.preserveGroupInheritance); } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { return this.realmId; } + /** + * Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + */ @Export(name="userRolesRetrieveStrategy", refs={String.class}, tree="[0]") private Output userRolesRetrieveStrategy; + /** + * @return Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + */ public Output> userRolesRetrieveStrategy() { return Codegen.optional(this.userRolesRetrieveStrategy); } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/GroupMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/GroupMapperArgs.java index a4d4a6a3..92736c04 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/GroupMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/GroupMapperArgs.java 
@@ -18,152 +18,272 @@ public final class GroupMapperArgs extends com.pulumi.resources.ResourceArgs { public static final GroupMapperArgs Empty = new GroupMapperArgs(); + /** + * When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + */ @Import(name="dropNonExistingGroupsDuringSync") private @Nullable Output dropNonExistingGroupsDuringSync; + /** + * @return When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + */ public Optional> dropNonExistingGroupsDuringSync() { return Optional.ofNullable(this.dropNonExistingGroupsDuringSync); } + /** + * The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + * + */ @Import(name="groupNameLdapAttribute", required=true) private Output groupNameLdapAttribute; + /** + * @return The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + * + */ public Output groupNameLdapAttribute() { return this.groupNameLdapAttribute; } + /** + * List of strings representing the object classes for the group. Must contain at least one. + * + */ @Import(name="groupObjectClasses", required=true) private Output> groupObjectClasses; + /** + * @return List of strings representing the object classes for the group. Must contain at least one. + * + */ public Output> groupObjectClasses() { return this.groupObjectClasses; } + /** + * When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + * + */ @Import(name="groupsLdapFilter") private @Nullable Output groupsLdapFilter; + /** + * @return When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. 
+ * + */ public Optional> groupsLdapFilter() { return Optional.ofNullable(this.groupsLdapFilter); } + /** + * Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + * + */ @Import(name="groupsPath") private @Nullable Output groupsPath; + /** + * @return Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + * + */ public Optional> groupsPath() { return Optional.ofNullable(this.groupsPath); } + /** + * When `true`, missing groups in the hierarchy will be ignored. + * + */ @Import(name="ignoreMissingGroups") private @Nullable Output ignoreMissingGroups; + /** + * @return When `true`, missing groups in the hierarchy will be ignored. + * + */ public Optional> ignoreMissingGroups() { return Optional.ofNullable(this.ignoreMissingGroups); } + /** + * The LDAP DN where groups can be found. + * + */ @Import(name="ldapGroupsDn", required=true) private Output ldapGroupsDn; + /** + * @return The LDAP DN where groups can be found. + * + */ public Output ldapGroupsDn() { return this.ldapGroupsDn; } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId", required=true) private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. 
* */ public Output ldapUserFederationId() { return this.ldapUserFederationId; } + /** + * Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + */ @Import(name="mappedGroupAttributes") private @Nullable Output> mappedGroupAttributes; + /** + * @return Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + */ public Optional>> mappedGroupAttributes() { return Optional.ofNullable(this.mappedGroupAttributes); } + /** + * Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + * + */ @Import(name="memberofLdapAttribute") private @Nullable Output memberofLdapAttribute; + /** + * @return Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + * + */ public Optional> memberofLdapAttribute() { return Optional.ofNullable(this.memberofLdapAttribute); } + /** + * Can be one of `DN` or `UID`. Defaults to `DN`. + * + */ @Import(name="membershipAttributeType") private @Nullable Output membershipAttributeType; + /** + * @return Can be one of `DN` or `UID`. Defaults to `DN`. + * + */ public Optional> membershipAttributeType() { return Optional.ofNullable(this.membershipAttributeType); } + /** + * The name of the LDAP attribute that is used for membership mappings. + * + */ @Import(name="membershipLdapAttribute", required=true) private Output membershipLdapAttribute; + /** + * @return The name of the LDAP attribute that is used for membership mappings. + * + */ public Output membershipLdapAttribute() { return this.membershipLdapAttribute; } + /** + * The name of the LDAP attribute on a user that is used for membership mappings. 
+ * + */ @Import(name="membershipUserLdapAttribute", required=true) private Output membershipUserLdapAttribute; + /** + * @return The name of the LDAP attribute on a user that is used for membership mappings. + * + */ public Output membershipUserLdapAttribute() { return this.membershipUserLdapAttribute; } + /** + * Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + * + */ @Import(name="mode") private @Nullable Output mode; + /** + * @return Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + * + */ public Optional> mode() { return Optional.ofNullable(this.mode); } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + */ @Import(name="preserveGroupInheritance") private @Nullable Output preserveGroupInheritance; + /** + * @return When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + */ public Optional> preserveGroupInheritance() { return Optional.ofNullable(this.preserveGroupInheritance); } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. 
* */ public Output realmId() { return this.realmId; } + /** + * Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + */ @Import(name="userRolesRetrieveStrategy") private @Nullable Output userRolesRetrieveStrategy; + /** + * @return Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + */ public Optional> userRolesRetrieveStrategy() { return Optional.ofNullable(this.userRolesRetrieveStrategy); } 
@@ -209,75 +329,165 @@ public Builder(GroupMapperArgs defaults) { $ = new GroupMapperArgs(Objects.requireNonNull(defaults)); } + /** + * @param dropNonExistingGroupsDuringSync When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + * @return builder + * + */ public Builder dropNonExistingGroupsDuringSync(@Nullable Output dropNonExistingGroupsDuringSync) { $.dropNonExistingGroupsDuringSync = dropNonExistingGroupsDuringSync; return this; } + /** + * @param dropNonExistingGroupsDuringSync When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + * @return builder + * + */ public Builder dropNonExistingGroupsDuringSync(Boolean dropNonExistingGroupsDuringSync) { return dropNonExistingGroupsDuringSync(Output.of(dropNonExistingGroupsDuringSync)); } + /** + * @param groupNameLdapAttribute The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + * + * @return builder + * + */ public Builder groupNameLdapAttribute(Output groupNameLdapAttribute) { $.groupNameLdapAttribute = groupNameLdapAttribute; return this; } + /** + * @param groupNameLdapAttribute The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + * + * @return builder + * + */ public Builder groupNameLdapAttribute(String groupNameLdapAttribute) { return groupNameLdapAttribute(Output.of(groupNameLdapAttribute)); } + /** + * @param groupObjectClasses List of strings representing the object classes for the group. Must contain at least one. + * + * @return builder + * + */ public Builder groupObjectClasses(Output> groupObjectClasses) { $.groupObjectClasses = groupObjectClasses; return this; } + /** + * @param groupObjectClasses List of strings representing the object classes for the group. Must contain at least one. 
+ * + * @return builder + * + */ public Builder groupObjectClasses(List groupObjectClasses) { return groupObjectClasses(Output.of(groupObjectClasses)); } + /** + * @param groupObjectClasses List of strings representing the object classes for the group. Must contain at least one. + * + * @return builder + * + */ public Builder groupObjectClasses(String... groupObjectClasses) { return groupObjectClasses(List.of(groupObjectClasses)); } + /** + * @param groupsLdapFilter When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + * + * @return builder + * + */ public Builder groupsLdapFilter(@Nullable Output groupsLdapFilter) { $.groupsLdapFilter = groupsLdapFilter; return this; } + /** + * @param groupsLdapFilter When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + * + * @return builder + * + */ public Builder groupsLdapFilter(String groupsLdapFilter) { return groupsLdapFilter(Output.of(groupsLdapFilter)); } + /** + * @param groupsPath Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + * + * @return builder + * + */ public Builder groupsPath(@Nullable Output groupsPath) { $.groupsPath = groupsPath; return this; } + /** + * @param groupsPath Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. 
+ * + * @return builder + * + */ public Builder groupsPath(String groupsPath) { return groupsPath(Output.of(groupsPath)); } + /** + * @param ignoreMissingGroups When `true`, missing groups in the hierarchy will be ignored. + * + * @return builder + * + */ public Builder ignoreMissingGroups(@Nullable Output ignoreMissingGroups) { $.ignoreMissingGroups = ignoreMissingGroups; return this; } + /** + * @param ignoreMissingGroups When `true`, missing groups in the hierarchy will be ignored. + * + * @return builder + * + */ public Builder ignoreMissingGroups(Boolean ignoreMissingGroups) { return ignoreMissingGroups(Output.of(ignoreMissingGroups)); } + /** + * @param ldapGroupsDn The LDAP DN where groups can be found. + * + * @return builder + * + */ public Builder ldapGroupsDn(Output ldapGroupsDn) { $.ldapGroupsDn = ldapGroupsDn; return this; } + /** + * @param ldapGroupsDn The LDAP DN where groups can be found. + * + * @return builder + * + */ public Builder ldapGroupsDn(String ldapGroupsDn) { return ldapGroupsDn(Output.of(ldapGroupsDn)); } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -288,7 +498,7 @@ public Builder ldapUserFederationId(Output ldapUserFederationId) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * 
@@ -297,66 +507,144 @@ public Builder ldapUserFederationId(String ldapUserFederationId) { return ldapUserFederationId(Output.of(ldapUserFederationId)); } + /** + * @param mappedGroupAttributes Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + * @return builder + * + */ public Builder mappedGroupAttributes(@Nullable Output> mappedGroupAttributes) { $.mappedGroupAttributes = mappedGroupAttributes; return this; } + /** + * @param mappedGroupAttributes Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + * @return builder + * + */ public Builder mappedGroupAttributes(List mappedGroupAttributes) { return mappedGroupAttributes(Output.of(mappedGroupAttributes)); } + /** + * @param mappedGroupAttributes Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + * @return builder + * + */ public Builder mappedGroupAttributes(String... mappedGroupAttributes) { return mappedGroupAttributes(List.of(mappedGroupAttributes)); } + /** + * @param memberofLdapAttribute Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + * + * @return builder + * + */ public Builder memberofLdapAttribute(@Nullable Output memberofLdapAttribute) { $.memberofLdapAttribute = memberofLdapAttribute; return this; } + /** + * @param memberofLdapAttribute Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + * + * @return builder + * + */ public Builder memberofLdapAttribute(String memberofLdapAttribute) { return memberofLdapAttribute(Output.of(memberofLdapAttribute)); } + /** + * @param membershipAttributeType Can be one of `DN` or `UID`. Defaults to `DN`. 
+ * + * @return builder + * + */ public Builder membershipAttributeType(@Nullable Output membershipAttributeType) { $.membershipAttributeType = membershipAttributeType; return this; } + /** + * @param membershipAttributeType Can be one of `DN` or `UID`. Defaults to `DN`. + * + * @return builder + * + */ public Builder membershipAttributeType(String membershipAttributeType) { return membershipAttributeType(Output.of(membershipAttributeType)); } + /** + * @param membershipLdapAttribute The name of the LDAP attribute that is used for membership mappings. + * + * @return builder + * + */ public Builder membershipLdapAttribute(Output membershipLdapAttribute) { $.membershipLdapAttribute = membershipLdapAttribute; return this; } + /** + * @param membershipLdapAttribute The name of the LDAP attribute that is used for membership mappings. + * + * @return builder + * + */ public Builder membershipLdapAttribute(String membershipLdapAttribute) { return membershipLdapAttribute(Output.of(membershipLdapAttribute)); } + /** + * @param membershipUserLdapAttribute The name of the LDAP attribute on a user that is used for membership mappings. + * + * @return builder + * + */ public Builder membershipUserLdapAttribute(Output membershipUserLdapAttribute) { $.membershipUserLdapAttribute = membershipUserLdapAttribute; return this; } + /** + * @param membershipUserLdapAttribute The name of the LDAP attribute on a user that is used for membership mappings. + * + * @return builder + * + */ public Builder membershipUserLdapAttribute(String membershipUserLdapAttribute) { return membershipUserLdapAttribute(Output.of(membershipUserLdapAttribute)); } + /** + * @param mode Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + * + * @return builder + * + */ public Builder mode(@Nullable Output mode) { $.mode = mode; return this; } + /** + * @param mode Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. 
+ * + * @return builder + * + */ public Builder mode(String mode) { return mode(Output.of(mode)); } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -367,7 +655,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -376,17 +664,29 @@ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param preserveGroupInheritance When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + * @return builder + * + */ public Builder preserveGroupInheritance(@Nullable Output preserveGroupInheritance) { $.preserveGroupInheritance = preserveGroupInheritance; return this; } + /** + * @param preserveGroupInheritance When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + * @return builder + * + */ public Builder preserveGroupInheritance(Boolean preserveGroupInheritance) { return preserveGroupInheritance(Output.of(preserveGroupInheritance)); } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -397,7 +697,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * 
@@ -406,11 +706,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param userRolesRetrieveStrategy Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + * @return builder + * + */ public Builder userRolesRetrieveStrategy(@Nullable Output userRolesRetrieveStrategy) { $.userRolesRetrieveStrategy = userRolesRetrieveStrategy; return this; } + /** + * @param userRolesRetrieveStrategy Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + * @return builder + * + */ public Builder userRolesRetrieveStrategy(String userRolesRetrieveStrategy) { return userRolesRetrieveStrategy(Output.of(userRolesRetrieveStrategy)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedRoleMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedRoleMapper.java index b84ed5c4..1f4d1c0e 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedRoleMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedRoleMapper.java @@ -14,11 +14,13 @@ import javax.annotation.Nullable; /** - * ## # keycloak.ldap.HardcodedRoleMapper + * Allows for creating and managing hardcoded role mappers for Keycloak users federated via LDAP. * - * This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. + * The LDAP hardcoded role mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. * - * ### Example Usage + * ## Example Usage + * + * ### Realm Role) * * <!--Start PulumiCodeChooser --> *
@@ -32,6 +34,8 @@
  * import com.pulumi.keycloak.RealmArgs;
  * import com.pulumi.keycloak.ldap.UserFederation;
  * import com.pulumi.keycloak.ldap.UserFederationArgs;
+ * import com.pulumi.keycloak.Role;
+ * import com.pulumi.keycloak.RoleArgs;
  * import com.pulumi.keycloak.ldap.HardcodedRoleMapper;
  * import com.pulumi.keycloak.ldap.HardcodedRoleMapperArgs;
  * import java.util.List;
@@ -48,7 +52,7 @@
  * 
  *     public static void stack(Context ctx) {
  *         var realm = new Realm("realm", RealmArgs.builder()
- *             .realm("test")
+ *             .realm("my-realm")
  *             .enabled(true)
  *             .build());
  * 
@@ -67,11 +71,17 @@
  *             .bindCredential("admin")
  *             .build());
  * 
+ *         var realmAdminRole = new Role("realmAdminRole", RoleArgs.builder()
+ *             .realmId(realm.id())
+ *             .name("my-admin-role")
+ *             .description("My Realm Role")
+ *             .build());
+ * 
  *         var assignAdminRoleToAllUsers = new HardcodedRoleMapper("assignAdminRoleToAllUsers", HardcodedRoleMapperArgs.builder()
  *             .realmId(realm.id())
  *             .ldapUserFederationId(ldapUserFederation.id())
  *             .name("assign-admin-role-to-all-users")
- *             .role("admin")
+ *             .role(realmAdminRole.name())
  *             .build());
  * 
  *     }
@@ -80,75 +90,156 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference + * ### Client Role) + * + * <!--Start PulumiCodeChooser --> + *
+ * {@code
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.keycloak.Realm;
+ * import com.pulumi.keycloak.RealmArgs;
+ * import com.pulumi.keycloak.ldap.UserFederation;
+ * import com.pulumi.keycloak.ldap.UserFederationArgs;
+ * import com.pulumi.keycloak.openid.OpenidFunctions;
+ * import com.pulumi.keycloak.openid.inputs.GetClientArgs;
+ * import com.pulumi.keycloak.KeycloakFunctions;
+ * import com.pulumi.keycloak.inputs.GetRoleArgs;
+ * import com.pulumi.keycloak.ldap.HardcodedRoleMapper;
+ * import com.pulumi.keycloak.ldap.HardcodedRoleMapperArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App {
+ *     public static void main(String[] args) {
+ *         Pulumi.run(App::stack);
+ *     }
+ * 
+ *     public static void stack(Context ctx) {
+ *         var realm = new Realm("realm", RealmArgs.builder()
+ *             .realm("my-realm")
+ *             .enabled(true)
+ *             .build());
+ * 
+ *         var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
+ *             .name("openldap")
+ *             .realmId(realm.id())
+ *             .usernameLdapAttribute("cn")
+ *             .rdnLdapAttribute("cn")
+ *             .uuidLdapAttribute("entryDN")
+ *             .userObjectClasses(            
+ *                 "simpleSecurityObject",
+ *                 "organizationalRole")
+ *             .connectionUrl("ldap://openldap")
+ *             .usersDn("dc=example,dc=org")
+ *             .bindDn("cn=admin,dc=example,dc=org")
+ *             .bindCredential("admin")
+ *             .build());
  * 
- * The following arguments are supported:
+ *         // data sources aren't technically necessary here, but they are helpful for demonstration purposes
+ *         final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()
+ *             .realmId(realm.id())
+ *             .clientId("realm-management")
+ *             .build());
  * 
- * - `realm_id` - (Required) The realm that this LDAP mapper will exist in.
- * - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
- * - `name` - (Required) Display name of this mapper when displayed in the console.
- * - `role` - (Required) The role which should be assigned to the users.
+ *         final var createClient = KeycloakFunctions.getRole(GetRoleArgs.builder()
+ *             .realmId(realm.id())
+ *             .clientId(realmManagement.applyValue(getClientResult -> getClientResult).applyValue(realmManagement -> realmManagement.applyValue(getClientResult -> getClientResult.id())))
+ *             .name("create-client")
+ *             .build());
  * 
- * ### Import
+ *         var assignAdminRoleToAllUsers = new HardcodedRoleMapper("assignAdminRoleToAllUsers", HardcodedRoleMapperArgs.builder()
+ *             .realmId(realm.id())
+ *             .ldapUserFederationId(ldapUserFederation.id())
+ *             .name("assign-admin-role-to-all-users")
+ *             .role(Output.tuple(realmManagement.applyValue(getClientResult -> getClientResult), createClient.applyValue(getRoleResult -> getRoleResult)).applyValue(values -> {
+ *                 var realmManagement = values.t1;
+ *                 var createClient = values.t2;
+ *                 return String.format("%s.%s", realmManagement.applyValue(getClientResult -> getClientResult.clientId()),createClient.applyValue(getRoleResult -> getRoleResult.name()));
+ *             }))
+ *             .build());
+ * 
+ *     }
+ * }
+ * }
+ * 
+ * <!--End PulumiCodeChooser --> + * + * ## Import * * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - * The ID of the LDAP user federation provider and the mapper can be found within - * the Keycloak GUI, and they are typically GUIDs: + * + * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. + * + * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper assign_admin_role_to_all_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` * */ @ResourceType(type="keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper") public class HardcodedRoleMapper extends com.pulumi.resources.CustomResource { /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Export(name="ldapUserFederationId", refs={String.class}, tree="[0]") private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { return this.ldapUserFederationId; } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Output name() { return this.name; } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. 
* */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { return this.realmId; } /** - * Role to grant to user. + * The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. * */ @Export(name="role", refs={String.class}, tree="[0]") private Output role; /** - * @return Role to grant to user. + * @return The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. * */ public Output role() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedRoleMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedRoleMapperArgs.java index 3e60e2e3..9c305379 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedRoleMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedRoleMapperArgs.java @@ -17,14 +17,14 @@ public final class HardcodedRoleMapperArgs extends com.pulumi.resources.Resource public static final HardcodedRoleMapperArgs Empty = new HardcodedRoleMapperArgs(); /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId", required=true) private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { 
@@ -32,14 +32,14 @@ public Output ldapUserFederationId() { } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { @@ -47,14 +47,14 @@ public Optional> name() { } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { @@ -62,14 +62,14 @@ public Output realmId() { } /** - * Role to grant to user. + * The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. * */ @Import(name="role", required=true) private Output role; /** - * @return Role to grant to user. + * @return The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. * */ public Output role() { @@ -104,7 +104,7 @@ public Builder(HardcodedRoleMapperArgs defaults) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -115,7 +115,7 @@ public Builder ldapUserFederationId(Output ldapUserFederationId) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * 
@@ -125,7 +125,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -136,7 +136,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -146,7 +146,7 @@ public Builder name(String name) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -157,7 +157,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -167,7 +167,7 @@ public Builder realmId(String realmId) { } /** - * @param role Role to grant to user. + * @param role The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. * * @return builder * @@ -178,7 +178,7 @@ public Builder role(Output role) { } /** - * @param role Role to grant to user. + * @param role The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/MsadUserAccountControlMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/MsadUserAccountControlMapper.java index c39bb3f4..48da3f5d 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/MsadUserAccountControlMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/MsadUserAccountControlMapper.java 
@@ -16,8 +16,6 @@ import javax.annotation.Nullable; /** - * ## # keycloak.ldap.MsadUserAccountControlMapper - * * Allows for creating and managing MSAD user account control mappers for Keycloak * users federated via LDAP. * @@ -26,7 +24,7 @@ * AD user state to Keycloak in order to enforce settings like expired passwords * or disabled accounts. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -56,7 +54,7 @@
  * 
  *     public static void stack(Context ctx) {
  *         var realm = new Realm("realm", RealmArgs.builder()
- *             .realm("test")
+ *             .realm("my-realm")
  *             .enabled(true)
  *             .build());
  * 
@@ -88,67 +86,74 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. * - * - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - * - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - * - `name` - (Required) Display name of this mapper when displayed in the console. - * - `ldap_password_policy_hints_enabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. * - * ### Import + * Example: * - * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - * The ID of the LDAP user federation provider and the mapper can be found within - * the Keycloak GUI, and they are typically GUIDs: + * bash + * + * ```sh + * $ pulumi import keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` * */ @ResourceType(type="keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper") public class MsadUserAccountControlMapper extends com.pulumi.resources.CustomResource { + /** + * When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. 
+ * + */ @Export(name="ldapPasswordPolicyHintsEnabled", refs={Boolean.class}, tree="[0]") private Output ldapPasswordPolicyHintsEnabled; + /** + * @return When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + * + */ public Output> ldapPasswordPolicyHintsEnabled() { return Codegen.optional(this.ldapPasswordPolicyHintsEnabled); } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Export(name="ldapUserFederationId", refs={String.class}, tree="[0]") private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { return this.ldapUserFederationId; } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Output name() { return this.name; } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/MsadUserAccountControlMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/MsadUserAccountControlMapperArgs.java index 02fed747..9533fc4f 100644 
--- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/MsadUserAccountControlMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/MsadUserAccountControlMapperArgs.java @@ -17,22 +17,30 @@ public final class MsadUserAccountControlMapperArgs extends com.pulumi.resources public static final MsadUserAccountControlMapperArgs Empty = new MsadUserAccountControlMapperArgs(); + /** + * When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + * + */ @Import(name="ldapPasswordPolicyHintsEnabled") private @Nullable Output ldapPasswordPolicyHintsEnabled; + /** + * @return When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + * + */ public Optional> ldapPasswordPolicyHintsEnabled() { return Optional.ofNullable(this.ldapPasswordPolicyHintsEnabled); } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId", required=true) private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { @@ -40,14 +48,14 @@ public Output ldapUserFederationId() { } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { 
@@ -55,14 +63,14 @@ public Optional> name() { } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { @@ -96,17 +104,29 @@ public Builder(MsadUserAccountControlMapperArgs defaults) { $ = new MsadUserAccountControlMapperArgs(Objects.requireNonNull(defaults)); } + /** + * @param ldapPasswordPolicyHintsEnabled When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + * + * @return builder + * + */ public Builder ldapPasswordPolicyHintsEnabled(@Nullable Output ldapPasswordPolicyHintsEnabled) { $.ldapPasswordPolicyHintsEnabled = ldapPasswordPolicyHintsEnabled; return this; } + /** + * @param ldapPasswordPolicyHintsEnabled When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + * + * @return builder + * + */ public Builder ldapPasswordPolicyHintsEnabled(Boolean ldapPasswordPolicyHintsEnabled) { return ldapPasswordPolicyHintsEnabled(Output.of(ldapPasswordPolicyHintsEnabled)); } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -117,7 +137,7 @@ public Builder ldapUserFederationId(Output ldapUserFederationId) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * 
@@ -127,7 +147,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -138,7 +158,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -148,7 +168,7 @@ public Builder name(String name) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -159,7 +179,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserAttributeMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserAttributeMapper.java index f8dbd185..936772cf 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserAttributeMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserAttributeMapper.java @@ -16,15 +16,13 @@ import javax.annotation.Nullable; /** - * ## # keycloak.ldap.UserAttributeMapper - * * Allows for creating and managing user attribute mappers for Keycloak users * federated via LDAP. * * The LDAP user attribute mapper can be used to map a single LDAP attribute * to an attribute on the Keycloak user model. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -54,7 +52,7 @@
  * 
  *     public static void stack(Context ctx) {
  *         var realm = new Realm("realm", RealmArgs.builder()
- *             .realm("test")
+ *             .realm("my-realm")
  *             .enabled(true)
  *             .build());
  * 
@@ -87,163 +85,158 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference + * ## Import + * + * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. * - * The following arguments are supported: + * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. * - * - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - * - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - * - `name` - (Required) Display name of this mapper when displayed in the console. - * - `user_model_attribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into. - * - `ldap_attribute` - (Required) Name of the mapped attribute on the LDAP object. - * - `read_only` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. - * - `always_read_value_from_ldap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. - * - `is_mandatory_in_ldap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`. + * Example: * - * ### Import + * bash * - * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. 
- * The ID of the LDAP user federation provider and the mapper can be found within - * the Keycloak GUI, and they are typically GUIDs: + * ```sh + * $ pulumi import keycloak:ldap/userAttributeMapper:UserAttributeMapper ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` * */ @ResourceType(type="keycloak:ldap/userAttributeMapper:UserAttributeMapper") public class UserAttributeMapper extends com.pulumi.resources.CustomResource { /** - * When true, the value fetched from LDAP will override the value stored in Keycloak. + * When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. * */ @Export(name="alwaysReadValueFromLdap", refs={Boolean.class}, tree="[0]") private Output alwaysReadValueFromLdap; /** - * @return When true, the value fetched from LDAP will override the value stored in Keycloak. + * @return When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. * */ public Output> alwaysReadValueFromLdap() { return Codegen.optional(this.alwaysReadValueFromLdap); } /** - * Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + * Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. * */ @Export(name="attributeDefaultValue", refs={String.class}, tree="[0]") private Output attributeDefaultValue; /** - * @return Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + * @return Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. * */ public Output> attributeDefaultValue() { return Codegen.optional(this.attributeDefaultValue); } /** - * Should be true for binary LDAP attributes + * Should be true for binary LDAP attributes. 
* */ @Export(name="isBinaryAttribute", refs={Boolean.class}, tree="[0]") private Output isBinaryAttribute; /** - * @return Should be true for binary LDAP attributes + * @return Should be true for binary LDAP attributes. * */ public Output> isBinaryAttribute() { return Codegen.optional(this.isBinaryAttribute); } /** - * When true, this attribute must exist in LDAP. + * When `true`, this attribute must exist in LDAP. Defaults to `false`. * */ @Export(name="isMandatoryInLdap", refs={Boolean.class}, tree="[0]") private Output isMandatoryInLdap; /** - * @return When true, this attribute must exist in LDAP. + * @return When `true`, this attribute must exist in LDAP. Defaults to `false`. * */ public Output> isMandatoryInLdap() { return Codegen.optional(this.isMandatoryInLdap); } /** - * Name of the mapped attribute on LDAP object. + * Name of the mapped attribute on the LDAP object. * */ @Export(name="ldapAttribute", refs={String.class}, tree="[0]") private Output ldapAttribute; /** - * @return Name of the mapped attribute on LDAP object. + * @return Name of the mapped attribute on the LDAP object. * */ public Output ldapAttribute() { return this.ldapAttribute; } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Export(name="ldapUserFederationId", refs={String.class}, tree="[0]") private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { return this.ldapUserFederationId; } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return Display name of the mapper when displayed in the console. 
+ * @return Display name of this mapper when displayed in the console. * */ public Output name() { return this.name; } /** - * When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + * When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. * */ @Export(name="readOnly", refs={Boolean.class}, tree="[0]") private Output readOnly; /** - * @return When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + * @return When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. * */ public Output> readOnly() { return Codegen.optional(this.readOnly); } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { return this.realmId; } /** - * Name of the UserModel property or attribute you want to map the LDAP attribute into. + * Name of the user property or attribute you want to map the LDAP attribute into. * */ @Export(name="userModelAttribute", refs={String.class}, tree="[0]") private Output userModelAttribute; /** - * @return Name of the UserModel property or attribute you want to map the LDAP attribute into. + * @return Name of the user property or attribute you want to map the LDAP attribute into. * */ public Output userModelAttribute() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserAttributeMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserAttributeMapperArgs.java index 6d802629..c23f9ad5 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserAttributeMapperArgs.java 
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserAttributeMapperArgs.java @@ -18,14 +18,14 @@ public final class UserAttributeMapperArgs extends com.pulumi.resources.Resource public static final UserAttributeMapperArgs Empty = new UserAttributeMapperArgs(); /** - * When true, the value fetched from LDAP will override the value stored in Keycloak. + * When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. * */ @Import(name="alwaysReadValueFromLdap") private @Nullable Output alwaysReadValueFromLdap; /** - * @return When true, the value fetched from LDAP will override the value stored in Keycloak. + * @return When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. * */ public Optional> alwaysReadValueFromLdap() { @@ -33,14 +33,14 @@ public Optional> alwaysReadValueFromLdap() { } /** - * Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + * Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. * */ @Import(name="attributeDefaultValue") private @Nullable Output attributeDefaultValue; /** - * @return Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + * @return Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. * */ public Optional> attributeDefaultValue() { @@ -48,14 +48,14 @@ public Optional> attributeDefaultValue() { } /** - * Should be true for binary LDAP attributes + * Should be true for binary LDAP attributes. * */ @Import(name="isBinaryAttribute") private @Nullable Output isBinaryAttribute; /** - * @return Should be true for binary LDAP attributes + * @return Should be true for binary LDAP attributes. * */ public Optional> isBinaryAttribute() { 
@@ -63,14 +63,14 @@ public Optional> isBinaryAttribute() { } /** - * When true, this attribute must exist in LDAP. + * When `true`, this attribute must exist in LDAP. Defaults to `false`. * */ @Import(name="isMandatoryInLdap") private @Nullable Output isMandatoryInLdap; /** - * @return When true, this attribute must exist in LDAP. + * @return When `true`, this attribute must exist in LDAP. Defaults to `false`. * */ public Optional> isMandatoryInLdap() { @@ -78,14 +78,14 @@ public Optional> isMandatoryInLdap() { } /** - * Name of the mapped attribute on LDAP object. + * Name of the mapped attribute on the LDAP object. * */ @Import(name="ldapAttribute", required=true) private Output ldapAttribute; /** - * @return Name of the mapped attribute on LDAP object. + * @return Name of the mapped attribute on the LDAP object. * */ public Output ldapAttribute() { @@ -93,14 +93,14 @@ public Output ldapAttribute() { } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId", required=true) private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { @@ -108,14 +108,14 @@ public Output ldapUserFederationId() { } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { 
@@ -123,14 +123,14 @@ public Optional> name() { } /** - * When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + * When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. * */ @Import(name="readOnly") private @Nullable Output readOnly; /** - * @return When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + * @return When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. * */ public Optional> readOnly() { @@ -138,14 +138,14 @@ public Optional> readOnly() { } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { @@ -153,14 +153,14 @@ public Output realmId() { } /** - * Name of the UserModel property or attribute you want to map the LDAP attribute into. + * Name of the user property or attribute you want to map the LDAP attribute into. * */ @Import(name="userModelAttribute", required=true) private Output userModelAttribute; /** - * @return Name of the UserModel property or attribute you want to map the LDAP attribute into. + * @return Name of the user property or attribute you want to map the LDAP attribute into. * */ public Output userModelAttribute() { @@ -201,7 +201,7 @@ public Builder(UserAttributeMapperArgs defaults) { } /** - * @param alwaysReadValueFromLdap When true, the value fetched from LDAP will override the value stored in Keycloak. + * @param alwaysReadValueFromLdap When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. * * @return builder * 
@@ -212,7 +212,7 @@ public Builder alwaysReadValueFromLdap(@Nullable Output alwaysReadValue } /** - * @param alwaysReadValueFromLdap When true, the value fetched from LDAP will override the value stored in Keycloak. + * @param alwaysReadValueFromLdap When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. * * @return builder * @@ -222,7 +222,7 @@ public Builder alwaysReadValueFromLdap(Boolean alwaysReadValueFromLdap) { } /** - * @param attributeDefaultValue Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + * @param attributeDefaultValue Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. * * @return builder * @@ -233,7 +233,7 @@ public Builder attributeDefaultValue(@Nullable Output attributeDefaultVa } /** - * @param attributeDefaultValue Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + * @param attributeDefaultValue Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. * * @return builder * @@ -243,7 +243,7 @@ public Builder attributeDefaultValue(String attributeDefaultValue) { } /** - * @param isBinaryAttribute Should be true for binary LDAP attributes + * @param isBinaryAttribute Should be true for binary LDAP attributes. * * @return builder * @@ -254,7 +254,7 @@ public Builder isBinaryAttribute(@Nullable Output isBinaryAttribute) { } /** - * @param isBinaryAttribute Should be true for binary LDAP attributes + * @param isBinaryAttribute Should be true for binary LDAP attributes. * * @return builder * @@ -264,7 +264,7 @@ public Builder isBinaryAttribute(Boolean isBinaryAttribute) { } /** - * @param isMandatoryInLdap When true, this attribute must exist in LDAP. + * @param isMandatoryInLdap When `true`, this attribute must exist in LDAP. Defaults to `false`. * * @return builder * 
@@ -275,7 +275,7 @@ public Builder isMandatoryInLdap(@Nullable Output isMandatoryInLdap) { } /** - * @param isMandatoryInLdap When true, this attribute must exist in LDAP. + * @param isMandatoryInLdap When `true`, this attribute must exist in LDAP. Defaults to `false`. * * @return builder * @@ -285,7 +285,7 @@ public Builder isMandatoryInLdap(Boolean isMandatoryInLdap) { } /** - * @param ldapAttribute Name of the mapped attribute on LDAP object. + * @param ldapAttribute Name of the mapped attribute on the LDAP object. * * @return builder * @@ -296,7 +296,7 @@ public Builder ldapAttribute(Output ldapAttribute) { } /** - * @param ldapAttribute Name of the mapped attribute on LDAP object. + * @param ldapAttribute Name of the mapped attribute on the LDAP object. * * @return builder * @@ -306,7 +306,7 @@ public Builder ldapAttribute(String ldapAttribute) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -317,7 +317,7 @@ public Builder ldapUserFederationId(Output ldapUserFederationId) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -327,7 +327,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -338,7 +338,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * 
@@ -348,7 +348,7 @@ public Builder name(String name) { } /** - * @param readOnly When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + * @param readOnly When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. * * @return builder * @@ -359,7 +359,7 @@ public Builder readOnly(@Nullable Output readOnly) { } /** - * @param readOnly When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + * @param readOnly When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. * * @return builder * @@ -369,7 +369,7 @@ public Builder readOnly(Boolean readOnly) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -380,7 +380,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -390,7 +390,7 @@ public Builder realmId(String realmId) { } /** - * @param userModelAttribute Name of the UserModel property or attribute you want to map the LDAP attribute into. + * @param userModelAttribute Name of the user property or attribute you want to map the LDAP attribute into. * * @return builder * @@ -401,7 +401,7 @@ public Builder userModelAttribute(Output userModelAttribute) { } /** - * @param userModelAttribute Name of the UserModel property or attribute you want to map the LDAP attribute into. + * @param userModelAttribute Name of the user property or attribute you want to map the LDAP attribute into. * * @return builder * 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserFederation.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserFederation.java index 1bba495c..77e306ae 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserFederation.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserFederation.java @@ -20,8 +20,6 @@ import javax.annotation.Nullable; /** - * ## # keycloak.ldap.UserFederation - * * Allows for creating and managing LDAP user federation providers within Keycloak. * * Keycloak can use an LDAP user federation provider to federate users to Keycloak @@ -29,7 +27,7 @@ * will exist within the realm and will be able to log in to clients. Federated * users can have their attributes defined using mappers. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -43,6 +41,7 @@
  * import com.pulumi.keycloak.RealmArgs;
  * import com.pulumi.keycloak.ldap.UserFederation;
  * import com.pulumi.keycloak.ldap.UserFederationArgs;
+ * import com.pulumi.keycloak.ldap.inputs.UserFederationKerberosArgs;
  * import java.util.List;
  * import java.util.ArrayList;
  * import java.util.Map;
@@ -50,14 +49,14 @@
  * import java.nio.file.Files;
  * import java.nio.file.Paths;
  * 
- * public class App {
- *     public static void main(String[] args) {
+ * public class App }{{@code
+ *     public static void main(String[] args) }{{@code
  *         Pulumi.run(App::stack);
- *     }
+ *     }}{@code
  * 
- *     public static void stack(Context ctx) {
+ *     public static void stack(Context ctx) }{{@code
  *         var realm = new Realm("realm", RealmArgs.builder()
- *             .realm("test")
+ *             .realm("my-realm")
  *             .enabled(true)
  *             .build());
  * 
@@ -77,140 +76,113 @@
  *             .bindCredential("admin")
  *             .connectionTimeout("5s")
  *             .readTimeout("10s")
+ *             .kerberos(UserFederationKerberosArgs.builder()
+ *                 .kerberosRealm("FOO.LOCAL")
+ *                 .serverPrincipal("HTTP/host.foo.com}{@literal @}{@code FOO.LOCAL")
+ *                 .keyTab("/etc/host.keytab")
+ *                 .build())
  *             .build());
  * 
- *     }
- * }
+ *     }}{@code
+ * }}{@code
  * }
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. * - * - `realm_id` - (Required) The realm that this provider will provide user federation for. - * - `name` - (Required) Display name of the provider when displayed in the console. - * - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. - * - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. - * - `import_enabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. - * - `edit_mode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. - * - `sync_registrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`. - * - `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OPTIONAL`. - * - `username_ldap_attribute` - (Required) Name of the LDAP attribute to use as the Keycloak username. - * - `rdn_ldap_attribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name. - * - `uuid_ldap_attribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. - * - `user_object_classes` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. - * - `connection_url` - (Required) Connection URL to the LDAP server. - * - `users_dn` - (Required) Full DN of LDAP tree where your users are. 
- * - `bind_dn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. - * - `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set. - * - `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. - * - `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`: - * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. - * - `SUBTREE`: Search entire LDAP subtree. - * - `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it. - * - `use_truststore_spi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: - * - `ALWAYS` - Always use the truststore SPI for LDAP connections. - * - `NEVER` - Never use the truststore SPI for LDAP connections. - * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. - * - `connection_timeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). - * - `read_timeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). - * - `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. - * - `batch_size_for_sync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`. - * - `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. - * - `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. 
- * - `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: * - * ### Import + * bash * - * LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. - * The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: + * ```sh + * $ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 + * ``` * */ @ResourceType(type="keycloak:ldap/userFederation:UserFederation") public class UserFederation extends com.pulumi.resources.CustomResource { /** - * The number of users to sync within a single transaction. + * The number of users to sync within a single transaction. Defaults to `1000`. * */ @Export(name="batchSizeForSync", refs={Integer.class}, tree="[0]") private Output batchSizeForSync; /** - * @return The number of users to sync within a single transaction. + * @return The number of users to sync within a single transaction. Defaults to `1000`. * */ public Output> batchSizeForSync() { return Codegen.optional(this.batchSizeForSync); } /** - * Password of LDAP admin. + * Password of LDAP admin. This attribute must be set if `bind_dn` is set. * */ @Export(name="bindCredential", refs={String.class}, tree="[0]") private Output bindCredential; /** - * @return Password of LDAP admin. + * @return Password of LDAP admin. This attribute must be set if `bind_dn` is set. * */ public Output> bindCredential() { return Codegen.optional(this.bindCredential); } /** - * DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. 
* */ @Export(name="bindDn", refs={String.class}, tree="[0]") private Output bindDn; /** - * @return DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * @return DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. * */ public Output> bindDn() { return Codegen.optional(this.bindDn); } /** - * Settings regarding cache policy for this realm. + * A block containing the cache settings. * */ @Export(name="cache", refs={UserFederationCache.class}, tree="[0]") private Output cache; /** - * @return Settings regarding cache policy for this realm. + * @return A block containing the cache settings. * */ public Output> cache() { return Codegen.optional(this.cache); } /** - * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. * */ @Export(name="changedSyncPeriod", refs={Integer.class}, tree="[0]") private Output changedSyncPeriod; /** - * @return How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * @return How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. * */ public Output> changedSyncPeriod() { return Codegen.optional(this.changedSyncPeriod); } /** - * LDAP connection timeout (duration string) + * LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * */ @Export(name="connectionTimeout", refs={String.class}, tree="[0]") private Output connectionTimeout; /** - * @return LDAP connection timeout (duration string) + * @return LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). 
* */ public Output> connectionTimeout() { 
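Review bot: The example in the UserFederation class Javadoc hands the LDAP bind password to the builder as a plain string literal, `.bindCredential("admin")`, and the new field Javadoc for `bindCredential` later in the same hunk only says "Password of LDAP admin. This attribute must be set if `bind_dn` is set." — nothing tells the reader that this value is sensitive. In practice it is written into the Keycloak user-federation component config and into the Pulumi state, so a user copying the example will commit a service-account password in clear text. I would extend the field comment to `Password of LDAP admin. This attribute must be set if `bind_dn` is set. Treat it as a secret (read it from a secret config value or wrap it in Output.secret()); it is persisted in the Keycloak realm configuration and in the Pulumi state.` and, in the example, replace the literal with a secret config lookup such as `.bindCredential(config.requireSecret("ldapBindPassword"))`. This file looks Pulumi-generated from the upstream provider docs, so the wording change presumably belongs in the upstream resource documentation that the codegen consumes rather than in a hand edit here.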
@@ -231,58 +203,56 @@ public Output connectionUrl() { return this.connectionUrl; } /** - * Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. * */ @Export(name="customUserSearchFilter", refs={String.class}, tree="[0]") private Output customUserSearchFilter; /** - * @return Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * @return Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. * */ public Output> customUserSearchFilter() { return Codegen.optional(this.customUserSearchFilter); } /** - * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. * */ @Export(name="deleteDefaultMappers", refs={Boolean.class}, tree="[0]") private Output deleteDefaultMappers; /** - * @return When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * @return When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. * */ public Output> deleteDefaultMappers() { return Codegen.optional(this.deleteDefaultMappers); } /** - * READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. 
* */ @Export(name="editMode", refs={String.class}, tree="[0]") private Output editMode; /** - * @return READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * @return Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. * */ public Output> editMode() { return Codegen.optional(this.editMode); } /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * */ @Export(name="enabled", refs={Boolean.class}, tree="[0]") private Output enabled; /** - * @return When false, this provider will not be used when performing queries for users. + * @return When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * */ public Output> enabled() { @@ -303,28 +273,28 @@ public Output> fullSyncPeriod() { return Codegen.optional(this.fullSyncPeriod); } /** - * When true, LDAP users will be imported into the Keycloak database. + * When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. * */ @Export(name="importEnabled", refs={Boolean.class}, tree="[0]") private Output importEnabled; /** - * @return When true, LDAP users will be imported into the Keycloak database. + * @return When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. * */ public Output> importEnabled() { return Codegen.optional(this.importEnabled); } /** - * Settings regarding kerberos authentication for this realm. + * A block containing the kerberos settings. * */ @Export(name="kerberos", refs={UserFederationKerberos.class}, tree="[0]") private Output kerberos; /** - * @return Settings regarding kerberos authentication for this realm. + * @return A block containing the kerberos settings. * */ public Output> kerberos() { 
@@ -345,28 +315,28 @@ public Output name() { return this.name; } /** - * When true, Keycloak assumes the LDAP server supports pagination. + * When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. * */ @Export(name="pagination", refs={Boolean.class}, tree="[0]") private Output pagination; /** - * @return When true, Keycloak assumes the LDAP server supports pagination. + * @return When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. * */ public Output> pagination() { return Codegen.optional(this.pagination); } /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ @Export(name="priority", refs={Integer.class}, tree="[0]") private Output priority; /** - * @return Priority of this provider when looking up users. Lower values are first. + * @return Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ public Output> priority() { 
@@ -387,70 +357,74 @@ public Output rdnLdapAttribute() { return this.rdnLdapAttribute; } /** - * LDAP read timeout (duration string) + * LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * */ @Export(name="readTimeout", refs={String.class}, tree="[0]") private Output readTimeout; /** - * @return LDAP read timeout (duration string) + * @return LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * */ public Output> readTimeout() { return Codegen.optional(this.readTimeout); } /** - * The realm this provider will provide user federation for. + * The realm that this provider will provide user federation for. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm this provider will provide user federation for. + * @return The realm that this provider will provide user federation for. * */ public Output realmId() { return this.realmId; } /** - * ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + * - `SUBTREE`: Search entire LDAP subtree. * */ @Export(name="searchScope", refs={String.class}, tree="[0]") private Output searchScope; /** - * @return ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * @return Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + * - `SUBTREE`: Search entire LDAP subtree. * */ public Output> searchScope() { return Codegen.optional(this.searchScope); } /** - * When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. 
* */ @Export(name="startTls", refs={Boolean.class}, tree="[0]") private Output startTls; /** - * @return When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * @return When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. * */ public Output> startTls() { return Codegen.optional(this.startTls); } /** - * When true, newly created users will be synced back to LDAP. + * When `true`, newly created users will be synced back to LDAP. Defaults to `false`. * */ @Export(name="syncRegistrations", refs={Boolean.class}, tree="[0]") private Output syncRegistrations; /** - * @return When true, newly created users will be synced back to LDAP. + * @return When `true`, newly created users will be synced back to LDAP. Defaults to `false`. * */ public Output> syncRegistrations() { 
@@ -484,21 +458,35 @@ public Output> trustEmail() { public Output> usePasswordModifyExtendedOp() { return Codegen.optional(this.usePasswordModifyExtendedOp); } + /** + * Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + */ @Export(name="useTruststoreSpi", refs={String.class}, tree="[0]") private Output useTruststoreSpi; + /** + * @return Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + */ public Output> useTruststoreSpi() { return Codegen.optional(this.useTruststoreSpi); } /** - * All values of LDAP objectClass attribute for users in LDAP. + * Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * */ @Export(name="userObjectClasses", refs={List.class,String.class}, tree="[0,1]") private Output> userObjectClasses; /** - * @return All values of LDAP objectClass attribute for users in LDAP. + * @return Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * */ public Output> userObjectClasses() { 
@@ -547,28 +535,28 @@ public Output uuidLdapAttribute() { return this.uuidLdapAttribute; } /** - * When true, Keycloak will validate passwords using the realm policy before updating it. + * When `true`, Keycloak will validate passwords using the realm policy before updating it. * */ @Export(name="validatePasswordPolicy", refs={Boolean.class}, tree="[0]") private Output validatePasswordPolicy; /** - * @return When true, Keycloak will validate passwords using the realm policy before updating it. + * @return When `true`, Keycloak will validate passwords using the realm policy before updating it. * */ public Output> validatePasswordPolicy() { return Codegen.optional(this.validatePasswordPolicy); } /** - * LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * */ @Export(name="vendor", refs={String.class}, tree="[0]") private Output vendor; /** - * @return LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * @return Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * */ public Output> vendor() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserFederationArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserFederationArgs.java index 7003b8c2..a571e144 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserFederationArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/UserFederationArgs.java 
@@ -22,14 +22,14 @@ public final class UserFederationArgs extends com.pulumi.resources.ResourceArgs public static final UserFederationArgs Empty = new UserFederationArgs(); /** - * The number of users to sync within a single transaction. + * The number of users to sync within a single transaction. Defaults to `1000`. * */ @Import(name="batchSizeForSync") private @Nullable Output batchSizeForSync; /** - * @return The number of users to sync within a single transaction. + * @return The number of users to sync within a single transaction. Defaults to `1000`. * */ public Optional> batchSizeForSync() { @@ -37,14 +37,14 @@ public Optional> batchSizeForSync() { } /** - * Password of LDAP admin. + * Password of LDAP admin. This attribute must be set if `bind_dn` is set. * */ @Import(name="bindCredential") private @Nullable Output bindCredential; /** - * @return Password of LDAP admin. + * @return Password of LDAP admin. This attribute must be set if `bind_dn` is set. * */ public Optional> bindCredential() { @@ -52,14 +52,14 @@ public Optional> bindCredential() { } /** - * DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. * */ @Import(name="bindDn") private @Nullable Output bindDn; /** - * @return DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * @return DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. * */ public Optional> bindDn() { @@ -67,14 +67,14 @@ public Optional> bindDn() { } /** - * Settings regarding cache policy for this realm. + * A block containing the cache settings. * */ @Import(name="cache") private @Nullable Output cache; /** - * @return Settings regarding cache policy for this realm. + * @return A block containing the cache settings. * */ public Optional> cache() { 
@@ -82,16 +82,14 @@ public Optional> cache() { } /** - * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. * */ @Import(name="changedSyncPeriod") private @Nullable Output changedSyncPeriod; /** - * @return How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * @return How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. * */ public Optional> changedSyncPeriod() { @@ -99,14 +97,14 @@ public Optional> changedSyncPeriod() { } /** - * LDAP connection timeout (duration string) + * LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * */ @Import(name="connectionTimeout") private @Nullable Output connectionTimeout; /** - * @return LDAP connection timeout (duration string) + * @return LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * */ public Optional> connectionTimeout() { @@ -129,14 +127,14 @@ public Output connectionUrl() { } /** - * Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. * */ @Import(name="customUserSearchFilter") private @Nullable Output customUserSearchFilter; /** - * @return Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * @return Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. * */ public Optional> customUserSearchFilter() { 
@@ -144,16 +142,14 @@ public Optional> customUserSearchFilter() { } /** - * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. * */ @Import(name="deleteDefaultMappers") private @Nullable Output deleteDefaultMappers; /** - * @return When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * @return When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. * */ public Optional> deleteDefaultMappers() { @@ -161,14 +157,14 @@ public Optional> deleteDefaultMappers() { } /** - * READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. * */ @Import(name="editMode") private @Nullable Output editMode; /** - * @return READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * @return Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. * */ public Optional> editMode() { 
@@ -176,14 +172,14 @@ public Optional> editMode() { } /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * */ @Import(name="enabled") private @Nullable Output enabled; /** - * @return When false, this provider will not be used when performing queries for users. + * @return When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * */ public Optional> enabled() { @@ -206,14 +202,14 @@ public Optional> fullSyncPeriod() { } /** - * When true, LDAP users will be imported into the Keycloak database. + * When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. * */ @Import(name="importEnabled") private @Nullable Output importEnabled; /** - * @return When true, LDAP users will be imported into the Keycloak database. + * @return When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. * */ public Optional> importEnabled() { @@ -221,14 +217,14 @@ public Optional> importEnabled() { } /** - * Settings regarding kerberos authentication for this realm. + * A block containing the kerberos settings. * */ @Import(name="kerberos") private @Nullable Output kerberos; /** - * @return Settings regarding kerberos authentication for this realm. + * @return A block containing the kerberos settings. * */ public Optional> kerberos() { @@ -251,14 +247,14 @@ public Optional> name() { } /** - * When true, Keycloak assumes the LDAP server supports pagination. + * When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. * */ @Import(name="pagination") private @Nullable Output pagination; /** - * @return When true, Keycloak assumes the LDAP server supports pagination. + * @return When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. * */ public Optional> pagination() { 
@@ -266,14 +262,14 @@ public Optional> pagination() { } /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ @Import(name="priority") private @Nullable Output priority; /** - * @return Priority of this provider when looking up users. Lower values are first. + * @return Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * */ public Optional> priority() { @@ -296,14 +292,14 @@ public Output rdnLdapAttribute() { } /** - * LDAP read timeout (duration string) + * LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * */ @Import(name="readTimeout") private @Nullable Output readTimeout; /** - * @return LDAP read timeout (duration string) + * @return LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * */ public Optional> readTimeout() { @@ -311,14 +307,14 @@ public Optional> readTimeout() { } /** - * The realm this provider will provide user federation for. + * The realm that this provider will provide user federation for. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm this provider will provide user federation for. + * @return The realm that this provider will provide user federation for. * */ public Output realmId() { 
@@ -326,14 +322,18 @@ public Output realmId() { } /** - * ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + * - `SUBTREE`: Search entire LDAP subtree. * */ @Import(name="searchScope") private @Nullable Output searchScope; /** - * @return ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * @return Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + * - `SUBTREE`: Search entire LDAP subtree. * */ public Optional> searchScope() { @@ -341,14 +341,14 @@ public Optional> searchScope() { } /** - * When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. * */ @Import(name="startTls") private @Nullable Output startTls; /** - * @return When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * @return When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. * */ public Optional> startTls() { @@ -356,14 +356,14 @@ public Optional> startTls() { } /** - * When true, newly created users will be synced back to LDAP. + * When `true`, newly created users will be synced back to LDAP. Defaults to `false`. * */ @Import(name="syncRegistrations") private @Nullable Output syncRegistrations; /** - * @return When true, newly created users will be synced back to LDAP. + * @return When `true`, newly created users will be synced back to LDAP. Defaults to `false`. * */ public Optional> syncRegistrations() { 
@@ -400,22 +400,36 @@ public Optional> usePasswordModifyExtendedOp() { return Optional.ofNullable(this.usePasswordModifyExtendedOp); } + /** + * Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + */ @Import(name="useTruststoreSpi") private @Nullable Output useTruststoreSpi; + /** + * @return Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + */ public Optional> useTruststoreSpi() { return Optional.ofNullable(this.useTruststoreSpi); } /** - * All values of LDAP objectClass attribute for users in LDAP. + * Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * */ @Import(name="userObjectClasses", required=true) private Output> userObjectClasses; /** - * @return All values of LDAP objectClass attribute for users in LDAP. + * @return Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * */ public Output> userObjectClasses() { 
@@ -468,14 +482,14 @@ public Output uuidLdapAttribute() { } /** - * When true, Keycloak will validate passwords using the realm policy before updating it. + * When `true`, Keycloak will validate passwords using the realm policy before updating it. * */ @Import(name="validatePasswordPolicy") private @Nullable Output validatePasswordPolicy; /** - * @return When true, Keycloak will validate passwords using the realm policy before updating it. + * @return When `true`, Keycloak will validate passwords using the realm policy before updating it. * */ public Optional> validatePasswordPolicy() { @@ -483,14 +497,14 @@ public Optional> validatePasswordPolicy() { } /** - * LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * */ @Import(name="vendor") private @Nullable Output vendor; /** - * @return LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * @return Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * */ public Optional> vendor() { @@ -553,7 +567,7 @@ public Builder(UserFederationArgs defaults) { } /** - * @param batchSizeForSync The number of users to sync within a single transaction. + * @param batchSizeForSync The number of users to sync within a single transaction. Defaults to `1000`. * * @return builder * 
@@ -564,7 +578,7 @@ public Builder batchSizeForSync(@Nullable Output batchSizeForSync) { } /** - * @param batchSizeForSync The number of users to sync within a single transaction. + * @param batchSizeForSync The number of users to sync within a single transaction. Defaults to `1000`. * * @return builder * @@ -574,7 +588,7 @@ public Builder batchSizeForSync(Integer batchSizeForSync) { } /** - * @param bindCredential Password of LDAP admin. + * @param bindCredential Password of LDAP admin. This attribute must be set if `bind_dn` is set. * * @return builder * @@ -585,7 +599,7 @@ public Builder bindCredential(@Nullable Output bindCredential) { } /** - * @param bindCredential Password of LDAP admin. + * @param bindCredential Password of LDAP admin. This attribute must be set if `bind_dn` is set. * * @return builder * @@ -595,7 +609,7 @@ public Builder bindCredential(String bindCredential) { } /** - * @param bindDn DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * @param bindDn DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. * * @return builder * @@ -606,7 +620,7 @@ public Builder bindDn(@Nullable Output bindDn) { } /** - * @param bindDn DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * @param bindDn DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. * * @return builder * @@ -616,7 +630,7 @@ public Builder bindDn(String bindDn) { } /** - * @param cache Settings regarding cache policy for this realm. + * @param cache A block containing the cache settings. * * @return builder * @@ -627,7 +641,7 @@ public Builder cache(@Nullable Output cache) { } /** - * @param cache Settings regarding cache policy for this realm. + * @param cache A block containing the cache settings. * * @return builder * 
@@ -637,8 +651,7 @@ public Builder cache(UserFederationCacheArgs cache) { } /** - * @param changedSyncPeriod How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * @param changedSyncPeriod How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. * * @return builder * @@ -649,8 +662,7 @@ public Builder changedSyncPeriod(@Nullable Output changedSyncPeriod) { } /** - * @param changedSyncPeriod How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * @param changedSyncPeriod How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. * * @return builder * @@ -660,7 +672,7 @@ public Builder changedSyncPeriod(Integer changedSyncPeriod) { } /** - * @param connectionTimeout LDAP connection timeout (duration string) + * @param connectionTimeout LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * * @return builder * @@ -671,7 +683,7 @@ public Builder connectionTimeout(@Nullable Output connectionTimeout) { } /** - * @param connectionTimeout LDAP connection timeout (duration string) + * @param connectionTimeout LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * * @return builder * @@ -702,7 +714,7 @@ public Builder connectionUrl(String connectionUrl) { } /** - * @param customUserSearchFilter Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * @param customUserSearchFilter Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. * * @return builder * 
@@ -713,7 +725,7 @@ public Builder customUserSearchFilter(@Nullable Output customUserSearchF } /** - * @param customUserSearchFilter Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * @param customUserSearchFilter Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. * * @return builder * @@ -723,8 +735,7 @@ public Builder customUserSearchFilter(String customUserSearchFilter) { } /** - * @param deleteDefaultMappers When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * @param deleteDefaultMappers When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. * * @return builder * @@ -735,8 +746,7 @@ public Builder deleteDefaultMappers(@Nullable Output deleteDefaultMappe } /** - * @param deleteDefaultMappers When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * @param deleteDefaultMappers When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. * * @return builder * @@ -746,7 +756,7 @@ public Builder deleteDefaultMappers(Boolean deleteDefaultMappers) { } /** - * @param editMode READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * @param editMode Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. * * @return builder * 
@@ -757,7 +767,7 @@ public Builder editMode(@Nullable Output editMode) { } /** - * @param editMode READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * @param editMode Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. * * @return builder * @@ -767,7 +777,7 @@ public Builder editMode(String editMode) { } /** - * @param enabled When false, this provider will not be used when performing queries for users. + * @param enabled When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * * @return builder * @@ -778,7 +788,7 @@ public Builder enabled(@Nullable Output enabled) { } /** - * @param enabled When false, this provider will not be used when performing queries for users. + * @param enabled When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * * @return builder * @@ -809,7 +819,7 @@ public Builder fullSyncPeriod(Integer fullSyncPeriod) { } /** - * @param importEnabled When true, LDAP users will be imported into the Keycloak database. + * @param importEnabled When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. * * @return builder * @@ -820,7 +830,7 @@ public Builder importEnabled(@Nullable Output importEnabled) { } /** - * @param importEnabled When true, LDAP users will be imported into the Keycloak database. + * @param importEnabled When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. * * @return builder * @@ -830,7 +840,7 @@ public Builder importEnabled(Boolean importEnabled) { } /** - * @param kerberos Settings regarding kerberos authentication for this realm. + * @param kerberos A block containing the kerberos settings. * * @return builder * 
@@ -841,7 +851,7 @@ public Builder kerberos(@Nullable Output kerberos) { } /** - * @param kerberos Settings regarding kerberos authentication for this realm. + * @param kerberos A block containing the kerberos settings. * * @return builder * @@ -872,7 +882,7 @@ public Builder name(String name) { } /** - * @param pagination When true, Keycloak assumes the LDAP server supports pagination. + * @param pagination When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. * * @return builder * @@ -883,7 +893,7 @@ public Builder pagination(@Nullable Output pagination) { } /** - * @param pagination When true, Keycloak assumes the LDAP server supports pagination. + * @param pagination When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. * * @return builder * @@ -893,7 +903,7 @@ public Builder pagination(Boolean pagination) { } /** - * @param priority Priority of this provider when looking up users. Lower values are first. + * @param priority Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * * @return builder * @@ -904,7 +914,7 @@ public Builder priority(@Nullable Output priority) { } /** - * @param priority Priority of this provider when looking up users. Lower values are first. + * @param priority Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * * @return builder * @@ -935,7 +945,7 @@ public Builder rdnLdapAttribute(String rdnLdapAttribute) { } /** - * @param readTimeout LDAP read timeout (duration string) + * @param readTimeout LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * * @return builder * 
@@ -946,7 +956,7 @@ public Builder readTimeout(@Nullable Output readTimeout) { } /** - * @param readTimeout LDAP read timeout (duration string) + * @param readTimeout LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * * @return builder * @@ -956,7 +966,7 @@ public Builder readTimeout(String readTimeout) { } /** - * @param realmId The realm this provider will provide user federation for. + * @param realmId The realm that this provider will provide user federation for. * * @return builder * @@ -967,7 +977,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm this provider will provide user federation for. + * @param realmId The realm that this provider will provide user federation for. * * @return builder * @@ -977,7 +987,9 @@ public Builder realmId(String realmId) { } /** - * @param searchScope ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * @param searchScope Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + * - `SUBTREE`: Search entire LDAP subtree. * * @return builder * @@ -988,7 +1000,9 @@ public Builder searchScope(@Nullable Output searchScope) { } /** - * @param searchScope ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * @param searchScope Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + * - `SUBTREE`: Search entire LDAP subtree. * * @return builder * @@ -998,7 +1012,7 @@ public Builder searchScope(String searchScope) { } /** - * @param startTls When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * @param startTls When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. * * @return builder * 
@@ -1009,7 +1023,7 @@ public Builder startTls(@Nullable Output startTls) { } /** - * @param startTls When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * @param startTls When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. * * @return builder * @@ -1019,7 +1033,7 @@ public Builder startTls(Boolean startTls) { } /** - * @param syncRegistrations When true, newly created users will be synced back to LDAP. + * @param syncRegistrations When `true`, newly created users will be synced back to LDAP. Defaults to `false`. * * @return builder * @@ -1030,7 +1044,7 @@ public Builder syncRegistrations(@Nullable Output syncRegistrations) { } /** - * @param syncRegistrations When true, newly created users will be synced back to LDAP. + * @param syncRegistrations When `true`, newly created users will be synced back to LDAP. Defaults to `false`. * * @return builder * 
@@ -1081,17 +1095,35 @@ public Builder usePasswordModifyExtendedOp(Boolean usePasswordModifyExtendedOp) return usePasswordModifyExtendedOp(Output.of(usePasswordModifyExtendedOp)); } + /** + * @param useTruststoreSpi Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + * @return builder + * + */ public Builder useTruststoreSpi(@Nullable Output useTruststoreSpi) { $.useTruststoreSpi = useTruststoreSpi; return this; } + /** + * @param useTruststoreSpi Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + * @return builder + * + */ public Builder useTruststoreSpi(String useTruststoreSpi) { return useTruststoreSpi(Output.of(useTruststoreSpi)); } /** - * @param userObjectClasses All values of LDAP objectClass attribute for users in LDAP. + * @param userObjectClasses Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * * @return builder * @@ -1102,7 +1134,7 @@ public Builder userObjectClasses(Output> userObjectClasses) { } /** - * @param userObjectClasses All values of LDAP objectClass attribute for users in LDAP. + * @param userObjectClasses Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * * @return builder * 
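Review bot: The new `useTruststoreSpi` Javadoc in this hunk lists the accepted values but, unlike the `syncRegistrations` and `vendor` comments in the neighbouring hunks, never states which value applies when the parameter is left unset; since `NEVER` switches the Keycloak truststore SPI off for the LDAP connection, a reader choosing between the options needs that default spelled out. The `ONLY_FOR_LDAPS` bullet also leaves open whether a connection upgraded with `startTls` (documented in the preceding hunk) counts as an ldaps connection; if that is known, the comment should say so rather than leave the reader to guess. Suggested lines after the bullet list in both overloads: ` * Defaults to <DEFAULT — confirm against the provider schema>.` and ` * A STARTTLS connection is <covered / not covered — confirm> by ONLY_FOR_LDAPS.` This looks like generated SDK code, so the wording is presumably best corrected in the upstream provider schema it is rendered from rather than in this file.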
@@ -1112,7 +1144,7 @@ public Builder userObjectClasses(List userObjectClasses) { } /** - * @param userObjectClasses All values of LDAP objectClass attribute for users in LDAP. + * @param userObjectClasses Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * * @return builder * @@ -1185,7 +1217,7 @@ public Builder uuidLdapAttribute(String uuidLdapAttribute) { } /** - * @param validatePasswordPolicy When true, Keycloak will validate passwords using the realm policy before updating it. + * @param validatePasswordPolicy When `true`, Keycloak will validate passwords using the realm policy before updating it. * * @return builder * @@ -1196,7 +1228,7 @@ public Builder validatePasswordPolicy(@Nullable Output validatePassword } /** - * @param validatePasswordPolicy When true, Keycloak will validate passwords using the realm policy before updating it. + * @param validatePasswordPolicy When `true`, Keycloak will validate passwords using the realm policy before updating it. * * @return builder * @@ -1206,7 +1238,7 @@ public Builder validatePasswordPolicy(Boolean validatePasswordPolicy) { } /** - * @param vendor LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * @param vendor Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * * @return builder * 
@@ -1217,7 +1249,7 @@ public Builder vendor(@Nullable Output vendor) { } /** - * @param vendor LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * @param vendor Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/FullNameMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/FullNameMapperState.java index fbf0daca..6de57790 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/FullNameMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/FullNameMapperState.java @@ -16,22 +16,30 @@ public final class FullNameMapperState extends com.pulumi.resources.ResourceArgs public static final FullNameMapperState Empty = new FullNameMapperState(); + /** + * The name of the LDAP attribute containing the user's full name. + * + */ @Import(name="ldapFullNameAttribute") private @Nullable Output ldapFullNameAttribute; + /** + * @return The name of the LDAP attribute containing the user's full name. + * + */ public Optional> ldapFullNameAttribute() { return Optional.ofNullable(this.ldapFullNameAttribute); } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId") private @Nullable Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Optional> ldapUserFederationId() { 
@@ -39,45 +47,61 @@ public Optional> ldapUserFederationId() { } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + */ @Import(name="readOnly") private @Nullable Output readOnly; + /** + * @return When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + */ public Optional> readOnly() { return Optional.ofNullable(this.readOnly); } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * + */ @Import(name="writeOnly") private @Nullable Output writeOnly; + /** + * @return When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * + */ public Optional> writeOnly() { return Optional.ofNullable(this.writeOnly); } 
@@ -111,17 +135,29 @@ public Builder(FullNameMapperState defaults) { $ = new FullNameMapperState(Objects.requireNonNull(defaults)); } + /** + * @param ldapFullNameAttribute The name of the LDAP attribute containing the user's full name. + * + * @return builder + * + */ public Builder ldapFullNameAttribute(@Nullable Output ldapFullNameAttribute) { $.ldapFullNameAttribute = ldapFullNameAttribute; return this; } + /** + * @param ldapFullNameAttribute The name of the LDAP attribute containing the user's full name. + * + * @return builder + * + */ public Builder ldapFullNameAttribute(String ldapFullNameAttribute) { return ldapFullNameAttribute(Output.of(ldapFullNameAttribute)); } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -132,7 +168,7 @@ public Builder ldapUserFederationId(@Nullable Output ldapUserFederationI } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -142,7 +178,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -153,7 +189,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * 
@@ -162,17 +198,29 @@ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param readOnly When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + * @return builder + * + */ public Builder readOnly(@Nullable Output readOnly) { $.readOnly = readOnly; return this; } + /** + * @param readOnly When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + * + * @return builder + * + */ public Builder readOnly(Boolean readOnly) { return readOnly(Output.of(readOnly)); } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -183,7 +231,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -192,11 +240,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param writeOnly When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * + * @return builder + * + */ public Builder writeOnly(@Nullable Output writeOnly) { $.writeOnly = writeOnly; return this; } + /** + * @param writeOnly When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + * + * @return builder + * + */ public Builder writeOnly(Boolean writeOnly) { return writeOnly(Output.of(writeOnly)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/GroupMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/GroupMapperState.java index a86a45f0..94ed461f 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/GroupMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/GroupMapperState.java 
@@ -17,152 +17,272 @@ public final class GroupMapperState extends com.pulumi.resources.ResourceArgs { public static final GroupMapperState Empty = new GroupMapperState(); + /** + * When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + */ @Import(name="dropNonExistingGroupsDuringSync") private @Nullable Output dropNonExistingGroupsDuringSync; + /** + * @return When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + */ public Optional> dropNonExistingGroupsDuringSync() { return Optional.ofNullable(this.dropNonExistingGroupsDuringSync); } + /** + * The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + * + */ @Import(name="groupNameLdapAttribute") private @Nullable Output groupNameLdapAttribute; + /** + * @return The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + * + */ public Optional> groupNameLdapAttribute() { return Optional.ofNullable(this.groupNameLdapAttribute); } + /** + * List of strings representing the object classes for the group. Must contain at least one. + * + */ @Import(name="groupObjectClasses") private @Nullable Output> groupObjectClasses; + /** + * @return List of strings representing the object classes for the group. Must contain at least one. + * + */ public Optional>> groupObjectClasses() { return Optional.ofNullable(this.groupObjectClasses); } + /** + * When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + * + */ @Import(name="groupsLdapFilter") private @Nullable Output groupsLdapFilter; + /** + * @return When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. 
+ * + */ public Optional> groupsLdapFilter() { return Optional.ofNullable(this.groupsLdapFilter); } + /** + * Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + * + */ @Import(name="groupsPath") private @Nullable Output groupsPath; + /** + * @return Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + * + */ public Optional> groupsPath() { return Optional.ofNullable(this.groupsPath); } + /** + * When `true`, missing groups in the hierarchy will be ignored. + * + */ @Import(name="ignoreMissingGroups") private @Nullable Output ignoreMissingGroups; + /** + * @return When `true`, missing groups in the hierarchy will be ignored. + * + */ public Optional> ignoreMissingGroups() { return Optional.ofNullable(this.ignoreMissingGroups); } + /** + * The LDAP DN where groups can be found. + * + */ @Import(name="ldapGroupsDn") private @Nullable Output ldapGroupsDn; + /** + * @return The LDAP DN where groups can be found. + * + */ public Optional> ldapGroupsDn() { return Optional.ofNullable(this.ldapGroupsDn); } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId") private @Nullable Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. 
* */ public Optional> ldapUserFederationId() { return Optional.ofNullable(this.ldapUserFederationId); } + /** + * Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + */ @Import(name="mappedGroupAttributes") private @Nullable Output> mappedGroupAttributes; + /** + * @return Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + */ public Optional>> mappedGroupAttributes() { return Optional.ofNullable(this.mappedGroupAttributes); } + /** + * Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + * + */ @Import(name="memberofLdapAttribute") private @Nullable Output memberofLdapAttribute; + /** + * @return Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + * + */ public Optional> memberofLdapAttribute() { return Optional.ofNullable(this.memberofLdapAttribute); } + /** + * Can be one of `DN` or `UID`. Defaults to `DN`. + * + */ @Import(name="membershipAttributeType") private @Nullable Output membershipAttributeType; + /** + * @return Can be one of `DN` or `UID`. Defaults to `DN`. + * + */ public Optional> membershipAttributeType() { return Optional.ofNullable(this.membershipAttributeType); } + /** + * The name of the LDAP attribute that is used for membership mappings. + * + */ @Import(name="membershipLdapAttribute") private @Nullable Output membershipLdapAttribute; + /** + * @return The name of the LDAP attribute that is used for membership mappings. + * + */ public Optional> membershipLdapAttribute() { return Optional.ofNullable(this.membershipLdapAttribute); } + /** + * The name of the LDAP attribute on a user that is used for membership mappings. 
+ * + */ @Import(name="membershipUserLdapAttribute") private @Nullable Output membershipUserLdapAttribute; + /** + * @return The name of the LDAP attribute on a user that is used for membership mappings. + * + */ public Optional> membershipUserLdapAttribute() { return Optional.ofNullable(this.membershipUserLdapAttribute); } + /** + * Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + * + */ @Import(name="mode") private @Nullable Output mode; + /** + * @return Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + * + */ public Optional> mode() { return Optional.ofNullable(this.mode); } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + */ @Import(name="preserveGroupInheritance") private @Nullable Output preserveGroupInheritance; + /** + * @return When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + */ public Optional> preserveGroupInheritance() { return Optional.ofNullable(this.preserveGroupInheritance); } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. 
* */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + */ @Import(name="userRolesRetrieveStrategy") private @Nullable Output userRolesRetrieveStrategy; + /** + * @return Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + */ public Optional> userRolesRetrieveStrategy() { return Optional.ofNullable(this.userRolesRetrieveStrategy); } 
@@ -208,75 +328,165 @@ public Builder(GroupMapperState defaults) { $ = new GroupMapperState(Objects.requireNonNull(defaults)); } + /** + * @param dropNonExistingGroupsDuringSync When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + * @return builder + * + */ public Builder dropNonExistingGroupsDuringSync(@Nullable Output dropNonExistingGroupsDuringSync) { $.dropNonExistingGroupsDuringSync = dropNonExistingGroupsDuringSync; return this; } + /** + * @param dropNonExistingGroupsDuringSync When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + * + * @return builder + * + */ public Builder dropNonExistingGroupsDuringSync(Boolean dropNonExistingGroupsDuringSync) { return dropNonExistingGroupsDuringSync(Output.of(dropNonExistingGroupsDuringSync)); } + /** + * @param groupNameLdapAttribute The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + * + * @return builder + * + */ public Builder groupNameLdapAttribute(@Nullable Output groupNameLdapAttribute) { $.groupNameLdapAttribute = groupNameLdapAttribute; return this; } + /** + * @param groupNameLdapAttribute The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + * + * @return builder + * + */ public Builder groupNameLdapAttribute(String groupNameLdapAttribute) { return groupNameLdapAttribute(Output.of(groupNameLdapAttribute)); } + /** + * @param groupObjectClasses List of strings representing the object classes for the group. Must contain at least one. + * + * @return builder + * + */ public Builder groupObjectClasses(@Nullable Output> groupObjectClasses) { $.groupObjectClasses = groupObjectClasses; return this; } + /** + * @param groupObjectClasses List of strings representing the object classes for the group. Must contain at least one. 
+ * + * @return builder + * + */ public Builder groupObjectClasses(List groupObjectClasses) { return groupObjectClasses(Output.of(groupObjectClasses)); } + /** + * @param groupObjectClasses List of strings representing the object classes for the group. Must contain at least one. + * + * @return builder + * + */ public Builder groupObjectClasses(String... groupObjectClasses) { return groupObjectClasses(List.of(groupObjectClasses)); } + /** + * @param groupsLdapFilter When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + * + * @return builder + * + */ public Builder groupsLdapFilter(@Nullable Output groupsLdapFilter) { $.groupsLdapFilter = groupsLdapFilter; return this; } + /** + * @param groupsLdapFilter When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + * + * @return builder + * + */ public Builder groupsLdapFilter(String groupsLdapFilter) { return groupsLdapFilter(Output.of(groupsLdapFilter)); } + /** + * @param groupsPath Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + * + * @return builder + * + */ public Builder groupsPath(@Nullable Output groupsPath) { $.groupsPath = groupsPath; return this; } + /** + * @param groupsPath Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. 
+ * + * @return builder + * + */ public Builder groupsPath(String groupsPath) { return groupsPath(Output.of(groupsPath)); } + /** + * @param ignoreMissingGroups When `true`, missing groups in the hierarchy will be ignored. + * + * @return builder + * + */ public Builder ignoreMissingGroups(@Nullable Output ignoreMissingGroups) { $.ignoreMissingGroups = ignoreMissingGroups; return this; } + /** + * @param ignoreMissingGroups When `true`, missing groups in the hierarchy will be ignored. + * + * @return builder + * + */ public Builder ignoreMissingGroups(Boolean ignoreMissingGroups) { return ignoreMissingGroups(Output.of(ignoreMissingGroups)); } + /** + * @param ldapGroupsDn The LDAP DN where groups can be found. + * + * @return builder + * + */ public Builder ldapGroupsDn(@Nullable Output ldapGroupsDn) { $.ldapGroupsDn = ldapGroupsDn; return this; } + /** + * @param ldapGroupsDn The LDAP DN where groups can be found. + * + * @return builder + * + */ public Builder ldapGroupsDn(String ldapGroupsDn) { return ldapGroupsDn(Output.of(ldapGroupsDn)); } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -287,7 +497,7 @@ public Builder ldapUserFederationId(@Nullable Output ldapUserFederationI } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * 
@@ -296,66 +506,144 @@ public Builder ldapUserFederationId(String ldapUserFederationId) { return ldapUserFederationId(Output.of(ldapUserFederationId)); } + /** + * @param mappedGroupAttributes Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + * @return builder + * + */ public Builder mappedGroupAttributes(@Nullable Output> mappedGroupAttributes) { $.mappedGroupAttributes = mappedGroupAttributes; return this; } + /** + * @param mappedGroupAttributes Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + * @return builder + * + */ public Builder mappedGroupAttributes(List mappedGroupAttributes) { return mappedGroupAttributes(Output.of(mappedGroupAttributes)); } + /** + * @param mappedGroupAttributes Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + * + * @return builder + * + */ public Builder mappedGroupAttributes(String... mappedGroupAttributes) { return mappedGroupAttributes(List.of(mappedGroupAttributes)); } + /** + * @param memberofLdapAttribute Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + * + * @return builder + * + */ public Builder memberofLdapAttribute(@Nullable Output memberofLdapAttribute) { $.memberofLdapAttribute = memberofLdapAttribute; return this; } + /** + * @param memberofLdapAttribute Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + * + * @return builder + * + */ public Builder memberofLdapAttribute(String memberofLdapAttribute) { return memberofLdapAttribute(Output.of(memberofLdapAttribute)); } + /** + * @param membershipAttributeType Can be one of `DN` or `UID`. Defaults to `DN`. 
+ * + * @return builder + * + */ public Builder membershipAttributeType(@Nullable Output membershipAttributeType) { $.membershipAttributeType = membershipAttributeType; return this; } + /** + * @param membershipAttributeType Can be one of `DN` or `UID`. Defaults to `DN`. + * + * @return builder + * + */ public Builder membershipAttributeType(String membershipAttributeType) { return membershipAttributeType(Output.of(membershipAttributeType)); } + /** + * @param membershipLdapAttribute The name of the LDAP attribute that is used for membership mappings. + * + * @return builder + * + */ public Builder membershipLdapAttribute(@Nullable Output membershipLdapAttribute) { $.membershipLdapAttribute = membershipLdapAttribute; return this; } + /** + * @param membershipLdapAttribute The name of the LDAP attribute that is used for membership mappings. + * + * @return builder + * + */ public Builder membershipLdapAttribute(String membershipLdapAttribute) { return membershipLdapAttribute(Output.of(membershipLdapAttribute)); } + /** + * @param membershipUserLdapAttribute The name of the LDAP attribute on a user that is used for membership mappings. + * + * @return builder + * + */ public Builder membershipUserLdapAttribute(@Nullable Output membershipUserLdapAttribute) { $.membershipUserLdapAttribute = membershipUserLdapAttribute; return this; } + /** + * @param membershipUserLdapAttribute The name of the LDAP attribute on a user that is used for membership mappings. + * + * @return builder + * + */ public Builder membershipUserLdapAttribute(String membershipUserLdapAttribute) { return membershipUserLdapAttribute(Output.of(membershipUserLdapAttribute)); } + /** + * @param mode Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + * + * @return builder + * + */ public Builder mode(@Nullable Output mode) { $.mode = mode; return this; } + /** + * @param mode Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. 
+ * + * @return builder + * + */ public Builder mode(String mode) { return mode(Output.of(mode)); } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -366,7 +654,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -375,17 +663,29 @@ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param preserveGroupInheritance When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + * @return builder + * + */ public Builder preserveGroupInheritance(@Nullable Output preserveGroupInheritance) { $.preserveGroupInheritance = preserveGroupInheritance; return this; } + /** + * @param preserveGroupInheritance When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + * + * @return builder + * + */ public Builder preserveGroupInheritance(Boolean preserveGroupInheritance) { return preserveGroupInheritance(Output.of(preserveGroupInheritance)); } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -396,7 +696,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * 
@@ -405,11 +705,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param userRolesRetrieveStrategy Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + * @return builder + * + */ public Builder userRolesRetrieveStrategy(@Nullable Output userRolesRetrieveStrategy) { $.userRolesRetrieveStrategy = userRolesRetrieveStrategy; return this; } + /** + * @param userRolesRetrieveStrategy Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + * + * @return builder + * + */ public Builder userRolesRetrieveStrategy(String userRolesRetrieveStrategy) { return userRolesRetrieveStrategy(Output.of(userRolesRetrieveStrategy)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/HardcodedRoleMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/HardcodedRoleMapperState.java index 155933fe..b4c48632 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/HardcodedRoleMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/HardcodedRoleMapperState.java @@ -16,14 +16,14 @@ public final class HardcodedRoleMapperState extends com.pulumi.resources.Resourc public static final HardcodedRoleMapperState Empty = new HardcodedRoleMapperState(); /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId") private @Nullable Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Optional> ldapUserFederationId() { 
@@ -31,14 +31,14 @@ public Optional> ldapUserFederationId() { } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { @@ -46,14 +46,14 @@ public Optional> name() { } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Optional> realmId() { @@ -61,14 +61,14 @@ public Optional> realmId() { } /** - * Role to grant to user. + * The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. * */ @Import(name="role") private @Nullable Output role; /** - * @return Role to grant to user. + * @return The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. * */ public Optional> role() { @@ -103,7 +103,7 @@ public Builder(HardcodedRoleMapperState defaults) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -114,7 +114,7 @@ public Builder ldapUserFederationId(@Nullable Output ldapUserFederationI } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * 
@@ -124,7 +124,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) {
 }
 
 /**
- * @param name Display name of the mapper when displayed in the console.
+ * @param name Display name of this mapper when displayed in the console.
 *
 * @return builder
 *
@@ -135,7 +135,7 @@ public Builder name(@Nullable Output name) {
 }
 
 /**
- * @param name Display name of the mapper when displayed in the console.
+ * @param name Display name of this mapper when displayed in the console.
 *
 * @return builder
 *
@@ -145,7 +145,7 @@ public Builder name(String name) {
 }
 
 /**
- * @param realmId The realm in which the ldap user federation provider exists.
+ * @param realmId The realm that this LDAP mapper will exist in.
 *
 * @return builder
 *
@@ -156,7 +156,7 @@ public Builder realmId(@Nullable Output realmId) {
 }
 
 /**
- * @param realmId The realm in which the ldap user federation provider exists.
+ * @param realmId The realm that this LDAP mapper will exist in.
 *
 * @return builder
 *
@@ -166,7 +166,7 @@ public Builder realmId(String realmId) {
 }
 
 /**
- * @param role Role to grant to user.
+ * @param role The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.
 *
 * @return builder
 *
@@ -177,7 +177,7 @@ public Builder role(@Nullable Output role) {
 }
 
 /**
- * @param role Role to grant to user.
+ * @param role The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.
 *
 * @return builder
 *
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/MsadUserAccountControlMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/MsadUserAccountControlMapperState.java
index dbcae593..37f76da5 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/MsadUserAccountControlMapperState.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/MsadUserAccountControlMapperState.java
@@ -16,22 +16,30 @@ public final class MsadUserAccountControlMapperState extends com.pulumi.resource
 
 public static final MsadUserAccountControlMapperState Empty = new MsadUserAccountControlMapperState();
 
+ /**
+ * When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
+ *
+ */
 @Import(name="ldapPasswordPolicyHintsEnabled")
 private @Nullable Output ldapPasswordPolicyHintsEnabled;
 
+ /**
+ * @return When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
+ *
+ */
 public Optional> ldapPasswordPolicyHintsEnabled() {
 return Optional.ofNullable(this.ldapPasswordPolicyHintsEnabled);
 }
 
 /**
- * The ldap user federation provider to attach this mapper to.
+ * The ID of the LDAP user federation provider to attach this mapper to.
 *
 */
 @Import(name="ldapUserFederationId")
 private @Nullable Output ldapUserFederationId;
 
 /**
- * @return The ldap user federation provider to attach this mapper to.
+ * @return The ID of the LDAP user federation provider to attach this mapper to.
 *
 */
 public Optional> ldapUserFederationId() {
@@ -39,14 +47,14 @@ public Optional> ldapUserFederationId() {
 }
 
 /**
- * Display name of the mapper when displayed in the console.
+ * Display name of this mapper when displayed in the console.
 *
 */
 @Import(name="name")
 private @Nullable Output name;
 
 /**
- * @return Display name of the mapper when displayed in the console.
+ * @return Display name of this mapper when displayed in the console.
 *
 */
 public Optional> name() {
@@ -54,14 +62,14 @@ public Optional> name() {
 }
 
 /**
- * The realm in which the ldap user federation provider exists.
+ * The realm that this LDAP mapper will exist in.
 *
 */
 @Import(name="realmId")
 private @Nullable Output realmId;
 
 /**
- * @return The realm in which the ldap user federation provider exists.
+ * @return The realm that this LDAP mapper will exist in.
 *
 */
 public Optional> realmId() {
@@ -95,17 +103,29 @@ public Builder(MsadUserAccountControlMapperState defaults) {
 $ = new MsadUserAccountControlMapperState(Objects.requireNonNull(defaults));
 }
 
+ /**
+ * @param ldapPasswordPolicyHintsEnabled When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
+ *
+ * @return builder
+ *
+ */
 public Builder ldapPasswordPolicyHintsEnabled(@Nullable Output ldapPasswordPolicyHintsEnabled) {
 $.ldapPasswordPolicyHintsEnabled = ldapPasswordPolicyHintsEnabled;
 return this;
 }
 
+ /**
+ * @param ldapPasswordPolicyHintsEnabled When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
+ *
+ * @return builder
+ *
+ */
 public Builder ldapPasswordPolicyHintsEnabled(Boolean ldapPasswordPolicyHintsEnabled) {
 return ldapPasswordPolicyHintsEnabled(Output.of(ldapPasswordPolicyHintsEnabled));
 }
 
 /**
- * @param ldapUserFederationId The ldap user federation provider to attach this mapper to.
+ * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to.
 *
 * @return builder
 *
@@ -116,7 +136,7 @@ public Builder ldapUserFederationId(@Nullable Output ldapUserFederationI
 }
 
 /**
- * @param ldapUserFederationId The ldap user federation provider to attach this mapper to.
+ * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to.
 *
 * @return builder
 *
@@ -126,7 +146,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) {
 }
 
 /**
- * @param name Display name of the mapper when displayed in the console.
+ * @param name Display name of this mapper when displayed in the console.
 *
 * @return builder
 *
@@ -137,7 +157,7 @@ public Builder name(@Nullable Output name) {
 }
 
 /**
- * @param name Display name of the mapper when displayed in the console.
+ * @param name Display name of this mapper when displayed in the console.
 *
 * @return builder
 *
@@ -147,7 +167,7 @@ public Builder name(String name) {
 }
 
 /**
- * @param realmId The realm in which the ldap user federation provider exists.
+ * @param realmId The realm that this LDAP mapper will exist in.
 *
 * @return builder
 *
@@ -158,7 +178,7 @@ public Builder realmId(@Nullable Output realmId) {
 }
 
 /**
- * @param realmId The realm in which the ldap user federation provider exists.
+ * @param realmId The realm that this LDAP mapper will exist in.
 *
 * @return builder
 *
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserAttributeMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserAttributeMapperState.java
index d95ac367..83d72111 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserAttributeMapperState.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserAttributeMapperState.java
@@ -17,14 +17,14 @@ public final class UserAttributeMapperState extends com.pulumi.resources.Resourc
 public static final UserAttributeMapperState Empty = new UserAttributeMapperState();
 
 /**
- * When true, the value fetched from LDAP will override the value stored in Keycloak.
+ * When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
 *
 */
 @Import(name="alwaysReadValueFromLdap")
 private @Nullable Output alwaysReadValueFromLdap;
 
 /**
- * @return When true, the value fetched from LDAP will override the value stored in Keycloak.
+ * @return When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
 *
 */
 public Optional> alwaysReadValueFromLdap() {
@@ -32,14 +32,14 @@ public Optional> alwaysReadValueFromLdap() {
 }
 
 /**
- * Default value to set in LDAP if is_mandatory_in_ldap and the value is empty
+ * Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty.
 *
 */
 @Import(name="attributeDefaultValue")
 private @Nullable Output attributeDefaultValue;
 
 /**
- * @return Default value to set in LDAP if is_mandatory_in_ldap and the value is empty
+ * @return Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty.
 *
 */
 public Optional> attributeDefaultValue() {
@@ -47,14 +47,14 @@ public Optional> attributeDefaultValue() {
 }
 
 /**
- * Should be true for binary LDAP attributes
+ * Should be true for binary LDAP attributes.
 *
 */
 @Import(name="isBinaryAttribute")
 private @Nullable Output isBinaryAttribute;
 
 /**
- * @return Should be true for binary LDAP attributes
+ * @return Should be true for binary LDAP attributes.
 *
 */
 public Optional> isBinaryAttribute() {
@@ -62,14 +62,14 @@ public Optional> isBinaryAttribute() {
 }
 
 /**
- * When true, this attribute must exist in LDAP.
+ * When `true`, this attribute must exist in LDAP. Defaults to `false`.
 *
 */
 @Import(name="isMandatoryInLdap")
 private @Nullable Output isMandatoryInLdap;
 
 /**
- * @return When true, this attribute must exist in LDAP.
+ * @return When `true`, this attribute must exist in LDAP. Defaults to `false`.
 *
 */
 public Optional> isMandatoryInLdap() {
@@ -77,14 +77,14 @@ public Optional> isMandatoryInLdap() {
 }
 
 /**
- * Name of the mapped attribute on LDAP object.
+ * Name of the mapped attribute on the LDAP object.
 *
 */
 @Import(name="ldapAttribute")
 private @Nullable Output ldapAttribute;
 
 /**
- * @return Name of the mapped attribute on LDAP object.
+ * @return Name of the mapped attribute on the LDAP object.
 *
 */
 public Optional> ldapAttribute() {
@@ -92,14 +92,14 @@ public Optional> ldapAttribute() {
 }
 
 /**
- * The ldap user federation provider to attach this mapper to.
+ * The ID of the LDAP user federation provider to attach this mapper to.
 *
 */
 @Import(name="ldapUserFederationId")
 private @Nullable Output ldapUserFederationId;
 
 /**
- * @return The ldap user federation provider to attach this mapper to.
+ * @return The ID of the LDAP user federation provider to attach this mapper to.
 *
 */
 public Optional> ldapUserFederationId() {
@@ -107,14 +107,14 @@ public Optional> ldapUserFederationId() {
 }
 
 /**
- * Display name of the mapper when displayed in the console.
+ * Display name of this mapper when displayed in the console.
 *
 */
 @Import(name="name")
 private @Nullable Output name;
 
 /**
- * @return Display name of the mapper when displayed in the console.
+ * @return Display name of this mapper when displayed in the console.
 *
 */
 public Optional> name() {
@@ -122,14 +122,14 @@ public Optional> name() {
 }
 
 /**
- * When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.
+ * When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
 *
 */
 @Import(name="readOnly")
 private @Nullable Output readOnly;
 
 /**
- * @return When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.
+ * @return When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
 *
 */
 public Optional> readOnly() {
@@ -137,14 +137,14 @@ public Optional> readOnly() {
 }
 
 /**
- * The realm in which the ldap user federation provider exists.
+ * The realm that this LDAP mapper will exist in.
 *
 */
 @Import(name="realmId")
 private @Nullable Output realmId;
 
 /**
- * @return The realm in which the ldap user federation provider exists.
+ * @return The realm that this LDAP mapper will exist in.
 *
 */
 public Optional> realmId() {
@@ -152,14 +152,14 @@ public Optional> realmId() {
 }
 
 /**
- * Name of the UserModel property or attribute you want to map the LDAP attribute into.
+ * Name of the user property or attribute you want to map the LDAP attribute into.
 *
 */
 @Import(name="userModelAttribute")
 private @Nullable Output userModelAttribute;
 
 /**
- * @return Name of the UserModel property or attribute you want to map the LDAP attribute into.
+ * @return Name of the user property or attribute you want to map the LDAP attribute into.
 *
 */
 public Optional> userModelAttribute() {
@@ -200,7 +200,7 @@ public Builder(UserAttributeMapperState defaults) {
 }
 
 /**
- * @param alwaysReadValueFromLdap When true, the value fetched from LDAP will override the value stored in Keycloak.
+ * @param alwaysReadValueFromLdap When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
 *
 * @return builder
 *
@@ -211,7 +211,7 @@ public Builder alwaysReadValueFromLdap(@Nullable Output alwaysReadValue
 }
 
 /**
- * @param alwaysReadValueFromLdap When true, the value fetched from LDAP will override the value stored in Keycloak.
+ * @param alwaysReadValueFromLdap When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
 *
 * @return builder
 *
@@ -221,7 +221,7 @@ public Builder alwaysReadValueFromLdap(Boolean alwaysReadValueFromLdap) {
 }
 
 /**
- * @param attributeDefaultValue Default value to set in LDAP if is_mandatory_in_ldap and the value is empty
+ * @param attributeDefaultValue Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty.
 *
 * @return builder
 *
@@ -232,7 +232,7 @@ public Builder attributeDefaultValue(@Nullable Output attributeDefaultVa
 }
 
 /**
- * @param attributeDefaultValue Default value to set in LDAP if is_mandatory_in_ldap and the value is empty
+ * @param attributeDefaultValue Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty.
 *
 * @return builder
 *
@@ -242,7 +242,7 @@ public Builder attributeDefaultValue(String attributeDefaultValue) {
 }
 
 /**
- * @param isBinaryAttribute Should be true for binary LDAP attributes
+ * @param isBinaryAttribute Should be true for binary LDAP attributes.
 *
 * @return builder
 *
@@ -253,7 +253,7 @@ public Builder isBinaryAttribute(@Nullable Output isBinaryAttribute) {
 }
 
 /**
- * @param isBinaryAttribute Should be true for binary LDAP attributes
+ * @param isBinaryAttribute Should be true for binary LDAP attributes.
 *
 * @return builder
 *
@@ -263,7 +263,7 @@ public Builder isBinaryAttribute(Boolean isBinaryAttribute) {
 }
 
 /**
- * @param isMandatoryInLdap When true, this attribute must exist in LDAP.
+ * @param isMandatoryInLdap When `true`, this attribute must exist in LDAP. Defaults to `false`.
 *
 * @return builder
 *
@@ -274,7 +274,7 @@ public Builder isMandatoryInLdap(@Nullable Output isMandatoryInLdap) {
 }
 
 /**
- * @param isMandatoryInLdap When true, this attribute must exist in LDAP.
+ * @param isMandatoryInLdap When `true`, this attribute must exist in LDAP. Defaults to `false`.
 *
 * @return builder
 *
@@ -284,7 +284,7 @@ public Builder isMandatoryInLdap(Boolean isMandatoryInLdap) {
 }
 
 /**
- * @param ldapAttribute Name of the mapped attribute on LDAP object.
+ * @param ldapAttribute Name of the mapped attribute on the LDAP object.
 *
 * @return builder
 *
@@ -295,7 +295,7 @@ public Builder ldapAttribute(@Nullable Output ldapAttribute) {
 }
 
 /**
- * @param ldapAttribute Name of the mapped attribute on LDAP object.
+ * @param ldapAttribute Name of the mapped attribute on the LDAP object.
 *
 * @return builder
 *
@@ -305,7 +305,7 @@ public Builder ldapAttribute(String ldapAttribute) {
 }
 
 /**
- * @param ldapUserFederationId The ldap user federation provider to attach this mapper to.
+ * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to.
 *
 * @return builder
 *
@@ -316,7 +316,7 @@ public Builder ldapUserFederationId(@Nullable Output ldapUserFederationI
 }
 
 /**
- * @param ldapUserFederationId The ldap user federation provider to attach this mapper to.
+ * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to.
 *
 * @return builder
 *
@@ -326,7 +326,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) {
 }
 
 /**
- * @param name Display name of the mapper when displayed in the console.
+ * @param name Display name of this mapper when displayed in the console.
 *
 * @return builder
 *
@@ -337,7 +337,7 @@ public Builder name(@Nullable Output name) {
 }
 
 /**
- * @param name Display name of the mapper when displayed in the console.
+ * @param name Display name of this mapper when displayed in the console.
 *
 * @return builder
 *
@@ -347,7 +347,7 @@ public Builder name(String name) {
 }
 
 /**
- * @param readOnly When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.
+ * @param readOnly When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
 *
 * @return builder
 *
@@ -358,7 +358,7 @@ public Builder readOnly(@Nullable Output readOnly) {
 }
 
 /**
- * @param readOnly When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.
+ * @param readOnly When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
 *
 * @return builder
 *
@@ -368,7 +368,7 @@ public Builder readOnly(Boolean readOnly) {
 }
 
 /**
- * @param realmId The realm in which the ldap user federation provider exists.
+ * @param realmId The realm that this LDAP mapper will exist in.
 *
 * @return builder
 *
@@ -379,7 +379,7 @@ public Builder realmId(@Nullable Output realmId) {
 }
 
 /**
- * @param realmId The realm in which the ldap user federation provider exists.
+ * @param realmId The realm that this LDAP mapper will exist in.
 *
 * @return builder
 *
@@ -389,7 +389,7 @@ public Builder realmId(String realmId) {
 }
 
 /**
- * @param userModelAttribute Name of the UserModel property or attribute you want to map the LDAP attribute into.
+ * @param userModelAttribute Name of the user property or attribute you want to map the LDAP attribute into.
 *
 * @return builder
 *
@@ -400,7 +400,7 @@ public Builder userModelAttribute(@Nullable Output userModelAttribute) {
 }
 
 /**
- * @param userModelAttribute Name of the UserModel property or attribute you want to map the LDAP attribute into.
+ * @param userModelAttribute Name of the user property or attribute you want to map the LDAP attribute into.
 *
 * @return builder
 *
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationCacheArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationCacheArgs.java
index e315a09a..ada4a894 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationCacheArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationCacheArgs.java
@@ -17,14 +17,14 @@ public final class UserFederationCacheArgs extends com.pulumi.resources.Resource
 public static final UserFederationCacheArgs Empty = new UserFederationCacheArgs();
 
 /**
- * Day of the week the entry will become invalid on.
+ * Day of the week the entry will become invalid on
 *
 */
 @Import(name="evictionDay")
 private @Nullable Output evictionDay;
 
 /**
- * @return Day of the week the entry will become invalid on.
+ * @return Day of the week the entry will become invalid on
 *
 */
 public Optional> evictionDay() {
@@ -76,9 +76,17 @@ public Optional> maxLifespan() {
 return Optional.ofNullable(this.maxLifespan);
 }
 
+ /**
+ * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ *
+ */
 @Import(name="policy")
 private @Nullable Output policy;
 
+ /**
+ * @return Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ *
+ */
 public Optional> policy() {
 return Optional.ofNullable(this.policy);
 }
@@ -112,7 +120,7 @@ public Builder(UserFederationCacheArgs defaults) {
 }
 
 /**
- * @param evictionDay Day of the week the entry will become invalid on.
+ * @param evictionDay Day of the week the entry will become invalid on
 *
 * @return builder
 *
@@ -123,7 +131,7 @@ public Builder evictionDay(@Nullable Output evictionDay) {
 }
 
 /**
- * @param evictionDay Day of the week the entry will become invalid on.
+ * @param evictionDay Day of the week the entry will become invalid on
 *
 * @return builder
 *
@@ -195,11 +203,23 @@ public Builder maxLifespan(String maxLifespan) {
 return maxLifespan(Output.of(maxLifespan));
 }
 
+ /**
+ * @param policy Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ *
+ * @return builder
+ *
+ */
 public Builder policy(@Nullable Output policy) {
 $.policy = policy;
 return this;
 }
 
+ /**
+ * @param policy Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ *
+ * @return builder
+ *
+ */
 public Builder policy(String policy) {
 return policy(Output.of(policy));
 }
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationKerberosArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationKerberosArgs.java
index 5ad90bc9..ae1b8bae 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationKerberosArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationKerberosArgs.java
@@ -18,14 +18,14 @@ public final class UserFederationKerberosArgs extends com.pulumi.resources.Resou
 public static final UserFederationKerberosArgs Empty = new UserFederationKerberosArgs();
 
 /**
- * The name of the kerberos realm, e.g. FOO.LOCAL
+ * The name of the kerberos realm, e.g. FOO.LOCAL.
 *
 */
 @Import(name="kerberosRealm", required=true)
 private Output kerberosRealm;
 
 /**
- * @return The name of the kerberos realm, e.g. FOO.LOCAL
+ * @return The name of the kerberos realm, e.g. FOO.LOCAL.
 *
 */
 public Output kerberosRealm() {
@@ -105,7 +105,7 @@ public Builder(UserFederationKerberosArgs defaults) {
 }
 
 /**
- * @param kerberosRealm The name of the kerberos realm, e.g. FOO.LOCAL
+ * @param kerberosRealm The name of the kerberos realm, e.g. FOO.LOCAL.
 *
 * @return builder
 *
@@ -116,7 +116,7 @@ public Builder kerberosRealm(Output kerberosRealm) {
 }
 
 /**
- * @param kerberosRealm The name of the kerberos realm, e.g. FOO.LOCAL
+ * @param kerberosRealm The name of the kerberos realm, e.g. FOO.LOCAL.
 *
 * @return builder
 *
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationState.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationState.java
index 41dbf961..03e33b2f 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationState.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/UserFederationState.java
@@ -21,14 +21,14 @@ public final class UserFederationState extends com.pulumi.resources.ResourceArgs
 public static final UserFederationState Empty = new UserFederationState();
 
 /**
- * The number of users to sync within a single transaction.
+ * The number of users to sync within a single transaction. Defaults to `1000`.
 *
 */
 @Import(name="batchSizeForSync")
 private @Nullable Output batchSizeForSync;
 
 /**
- * @return The number of users to sync within a single transaction.
+ * @return The number of users to sync within a single transaction. Defaults to `1000`.
 *
 */
 public Optional> batchSizeForSync() {
@@ -36,14 +36,14 @@ public Optional> batchSizeForSync() {
 }
 
 /**
- * Password of LDAP admin.
+ * Password of LDAP admin. This attribute must be set if `bind_dn` is set.
 *
 */
 @Import(name="bindCredential")
 private @Nullable Output bindCredential;
 
 /**
- * @return Password of LDAP admin.
+ * @return Password of LDAP admin. This attribute must be set if `bind_dn` is set.
 *
 */
 public Optional> bindCredential() {
@@ -51,14 +51,14 @@ public Optional> bindCredential() {
 }
 
 /**
- * DN of LDAP admin, which will be used by Keycloak to access LDAP server.
+ * DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.
 *
 */
 @Import(name="bindDn")
 private @Nullable Output bindDn;
 
 /**
- * @return DN of LDAP admin, which will be used by Keycloak to access LDAP server.
+ * @return DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.
 *
 */
 public Optional> bindDn() {
@@ -66,14 +66,14 @@ public Optional> bindDn() {
 }
 
 /**
- * Settings regarding cache policy for this realm.
+ * A block containing the cache settings.
 *
 */
 @Import(name="cache")
 private @Nullable Output cache;
 
 /**
- * @return Settings regarding cache policy for this realm.
+ * @return A block containing the cache settings.
 *
 */
 public Optional> cache() {
@@ -81,16 +81,14 @@ public Optional> cache() {
 }
 
 /**
- * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users
- * sync.
+ * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
 *
 */
 @Import(name="changedSyncPeriod")
 private @Nullable Output changedSyncPeriod;
 
 /**
- * @return How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users
- * sync.
+ * @return How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
 *
 */
 public Optional> changedSyncPeriod() {
@@ -98,14 +96,14 @@ public Optional> changedSyncPeriod() {
 }
 
 /**
- * LDAP connection timeout (duration string)
+ * LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
 *
 */
 @Import(name="connectionTimeout")
 private @Nullable Output connectionTimeout;
 
 /**
- * @return LDAP connection timeout (duration string)
+ * @return LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
 *
 */
 public Optional> connectionTimeout() {
@@ -128,14 +126,14 @@ public Optional> connectionUrl() {
 }
 
 /**
- * Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
+ * Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
 *
 */
 @Import(name="customUserSearchFilter")
 private @Nullable Output customUserSearchFilter;
 
 /**
- * @return Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
+ * @return Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
 *
 */
 public Optional> customUserSearchFilter() {
@@ -143,16 +141,14 @@ public Optional> customUserSearchFilter() {
 }
 
 /**
- * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP
- * user federation provider.
+ * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.
 *
 */
 @Import(name="deleteDefaultMappers")
 private @Nullable Output deleteDefaultMappers;
 
 /**
- * @return When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP
- * user federation provider.
+ * @return When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.
 *
 */
 public Optional> deleteDefaultMappers() {
@@ -160,14 +156,14 @@ public Optional> deleteDefaultMappers() {
 }
 
 /**
- * READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
+ * Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
 *
 */
 @Import(name="editMode")
 private @Nullable Output editMode;
 
 /**
- * @return READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
+ * @return Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
 *
 */
 public Optional> editMode() {
@@ -175,14 +171,14 @@ public Optional> editMode() {
 }
 
 /**
- * When false, this provider will not be used when performing queries for users.
+ * When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
 *
 */
 @Import(name="enabled")
 private @Nullable Output enabled;
 
 /**
- * @return When false, this provider will not be used when performing queries for users.
+ * @return When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
 *
 */
 public Optional> enabled() {
@@ -205,14 +201,14 @@ public Optional> fullSyncPeriod() {
 }
 
 /**
- * When true, LDAP users will be imported into the Keycloak database.
+ * When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
 *
 */
 @Import(name="importEnabled")
 private @Nullable Output importEnabled;
 
 /**
- * @return When true, LDAP users will be imported into the Keycloak database.
+ * @return When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
 *
 */
 public Optional> importEnabled() {
@@ -220,14 +216,14 @@ public Optional> importEnabled() {
 }
 
 /**
- * Settings regarding kerberos authentication for this realm.
+ * A block containing the kerberos settings.
 *
 */
 @Import(name="kerberos")
 private @Nullable Output kerberos;
 
 /**
- * @return Settings regarding kerberos authentication for this realm.
+ * @return A block containing the kerberos settings.
 *
 */
 public Optional> kerberos() {
@@ -250,14 +246,14 @@ public Optional> name() {
 }
 
 /**
- * When true, Keycloak assumes the LDAP server supports pagination.
+ * When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
 *
 */
 @Import(name="pagination")
 private @Nullable Output pagination;
 
 /**
- * @return When true, Keycloak assumes the LDAP server supports pagination.
+ * @return When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
 *
 */
 public Optional> pagination() {
@@ -265,14 +261,14 @@ public Optional> pagination() {
 }
 
 /**
- * Priority of this provider when looking up users. Lower values are first.
+ * Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
 *
 */
 @Import(name="priority")
 private @Nullable Output priority;
 
 /**
- * @return Priority of this provider when looking up users. Lower values are first.
+ * @return Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
 *
 */
 public Optional> priority() {
@@ -295,14 +291,14 @@ public Optional> rdnLdapAttribute() {
 }
 
 /**
- * LDAP read timeout (duration string)
+ * LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
 *
 */
 @Import(name="readTimeout")
 private @Nullable Output readTimeout;
 
 /**
- * @return LDAP read timeout (duration string)
+ * @return LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
 *
 */
 public Optional> readTimeout() {
@@ -310,14 +306,14 @@ public Optional> readTimeout() {
 }
 
 /**
- * The realm this provider will provide user federation for.
+ * The realm that this provider will provide user federation for.
 *
 */
 @Import(name="realmId")
 private @Nullable Output realmId;
 
 /**
- * @return The realm this provider will provide user federation for.
+ * @return The realm that this provider will provide user federation for.
 *
 */
 public Optional> realmId() {
@@ -325,14 +321,18 @@ public Optional> realmId() {
 }
 
 /**
- * ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
+ * Can be one of `ONE_LEVEL` or `SUBTREE`:
+ * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
+ * - `SUBTREE`: Search entire LDAP subtree.
 *
 */
 @Import(name="searchScope")
 private @Nullable Output searchScope;
 
 /**
- * @return ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
+ * @return Can be one of `ONE_LEVEL` or `SUBTREE`:
+ * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
+ * - `SUBTREE`: Search entire LDAP subtree.
 *
 */
 public Optional> searchScope() {
@@ -340,14 +340,14 @@ public Optional> searchScope() {
 }
 
 /**
- * When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
+ * When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
 *
 */
 @Import(name="startTls")
 private @Nullable Output startTls;
 
 /**
- * @return When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
+ * @return When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
 *
 */
 public Optional> startTls() {
@@ -355,14 +355,14 @@ public Optional> startTls() {
 }
 
 /**
- * When true, newly created users will be synced back to LDAP.
+ * When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
 *
 */
 @Import(name="syncRegistrations")
 private @Nullable Output syncRegistrations;
 
 /**
- * @return When true, newly created users will be synced back to LDAP.
+ * @return When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
 *
 */
 public Optional> syncRegistrations() {
@@ -399,22 +399,36 @@ public Optional> usePasswordModifyExtendedOp() { return Optional.ofNullable(this.usePasswordModifyExtendedOp); } + /** + * Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + */ @Import(name="useTruststoreSpi") private @Nullable Output useTruststoreSpi; + /** + * @return Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + */ public Optional> useTruststoreSpi() { return Optional.ofNullable(this.useTruststoreSpi); } /** - * All values of LDAP objectClass attribute for users in LDAP. + * Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * */ @Import(name="userObjectClasses") private @Nullable Output> userObjectClasses; /** - * @return All values of LDAP objectClass attribute for users in LDAP. + * @return Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * */ public Optional>> userObjectClasses() { 
@@ -467,14 +481,14 @@ public Optional> uuidLdapAttribute() { } /** - * When true, Keycloak will validate passwords using the realm policy before updating it. + * When `true`, Keycloak will validate passwords using the realm policy before updating it. * */ @Import(name="validatePasswordPolicy") private @Nullable Output validatePasswordPolicy; /** - * @return When true, Keycloak will validate passwords using the realm policy before updating it. + * @return When `true`, Keycloak will validate passwords using the realm policy before updating it. * */ public Optional> validatePasswordPolicy() { @@ -482,14 +496,14 @@ public Optional> validatePasswordPolicy() { } /** - * LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * */ @Import(name="vendor") private @Nullable Output vendor; /** - * @return LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * @return Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * */ public Optional> vendor() { @@ -552,7 +566,7 @@ public Builder(UserFederationState defaults) { } /** - * @param batchSizeForSync The number of users to sync within a single transaction. + * @param batchSizeForSync The number of users to sync within a single transaction. Defaults to `1000`. * * @return builder * 
@@ -563,7 +577,7 @@ public Builder batchSizeForSync(@Nullable Output batchSizeForSync) { } /** - * @param batchSizeForSync The number of users to sync within a single transaction. + * @param batchSizeForSync The number of users to sync within a single transaction. Defaults to `1000`. * * @return builder * @@ -573,7 +587,7 @@ public Builder batchSizeForSync(Integer batchSizeForSync) { } /** - * @param bindCredential Password of LDAP admin. + * @param bindCredential Password of LDAP admin. This attribute must be set if `bind_dn` is set. * * @return builder * @@ -584,7 +598,7 @@ public Builder bindCredential(@Nullable Output bindCredential) { } /** - * @param bindCredential Password of LDAP admin. + * @param bindCredential Password of LDAP admin. This attribute must be set if `bind_dn` is set. * * @return builder * @@ -594,7 +608,7 @@ public Builder bindCredential(String bindCredential) { } /** - * @param bindDn DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * @param bindDn DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. * * @return builder * @@ -605,7 +619,7 @@ public Builder bindDn(@Nullable Output bindDn) { } /** - * @param bindDn DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * @param bindDn DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. * * @return builder * @@ -615,7 +629,7 @@ public Builder bindDn(String bindDn) { } /** - * @param cache Settings regarding cache policy for this realm. + * @param cache A block containing the cache settings. * * @return builder * @@ -626,7 +640,7 @@ public Builder cache(@Nullable Output cache) { } /** - * @param cache Settings regarding cache policy for this realm. + * @param cache A block containing the cache settings. * * @return builder * 
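Review bot: The rewritten `bindCredential` Javadoc (hunks `@@ -573,7 +587,7 @@` and `@@ -584,7 +598,7 @@` here) adds the must-be-set-with-`bind_dn` rule but still gives no hint that the value is a credential that ends up in Pulumi state, so an SDK reader cannot tell whether it should be supplied as a secret. Unless the provider schema already marks the property as secret (not visible from this diff), the comment should say so, e.g. `* @param bindCredential Password of LDAP admin. This attribute must be set if `bind_dn` is set. This value is sensitive; supply it as a secret Output so it is encrypted in state.` Because this file is generated, the wording belongs in the upstream schema/docs rather than in a hand edit here.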
@@ -636,8 +650,7 @@ public Builder cache(UserFederationCacheArgs cache) { } /** - * @param changedSyncPeriod How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * @param changedSyncPeriod How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. * * @return builder * @@ -648,8 +661,7 @@ public Builder changedSyncPeriod(@Nullable Output changedSyncPeriod) { } /** - * @param changedSyncPeriod How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * @param changedSyncPeriod How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. * * @return builder * @@ -659,7 +671,7 @@ public Builder changedSyncPeriod(Integer changedSyncPeriod) { } /** - * @param connectionTimeout LDAP connection timeout (duration string) + * @param connectionTimeout LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * * @return builder * @@ -670,7 +682,7 @@ public Builder connectionTimeout(@Nullable Output connectionTimeout) { } /** - * @param connectionTimeout LDAP connection timeout (duration string) + * @param connectionTimeout LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * * @return builder * @@ -701,7 +713,7 @@ public Builder connectionUrl(String connectionUrl) { } /** - * @param customUserSearchFilter Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * @param customUserSearchFilter Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. * * @return builder * 
@@ -712,7 +724,7 @@ public Builder customUserSearchFilter(@Nullable Output customUserSearchF } /** - * @param customUserSearchFilter Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * @param customUserSearchFilter Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. * * @return builder * @@ -722,8 +734,7 @@ public Builder customUserSearchFilter(String customUserSearchFilter) { } /** - * @param deleteDefaultMappers When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * @param deleteDefaultMappers When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. * * @return builder * @@ -734,8 +745,7 @@ public Builder deleteDefaultMappers(@Nullable Output deleteDefaultMappe } /** - * @param deleteDefaultMappers When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * @param deleteDefaultMappers When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. * * @return builder * @@ -745,7 +755,7 @@ public Builder deleteDefaultMappers(Boolean deleteDefaultMappers) { } /** - * @param editMode READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * @param editMode Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. * * @return builder * 
@@ -756,7 +766,7 @@ public Builder editMode(@Nullable Output editMode) { } /** - * @param editMode READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * @param editMode Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. * * @return builder * @@ -766,7 +776,7 @@ public Builder editMode(String editMode) { } /** - * @param enabled When false, this provider will not be used when performing queries for users. + * @param enabled When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * * @return builder * @@ -777,7 +787,7 @@ public Builder enabled(@Nullable Output enabled) { } /** - * @param enabled When false, this provider will not be used when performing queries for users. + * @param enabled When `false`, this provider will not be used when performing queries for users. Defaults to `true`. * * @return builder * @@ -808,7 +818,7 @@ public Builder fullSyncPeriod(Integer fullSyncPeriod) { } /** - * @param importEnabled When true, LDAP users will be imported into the Keycloak database. + * @param importEnabled When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. * * @return builder * @@ -819,7 +829,7 @@ public Builder importEnabled(@Nullable Output importEnabled) { } /** - * @param importEnabled When true, LDAP users will be imported into the Keycloak database. + * @param importEnabled When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. * * @return builder * @@ -829,7 +839,7 @@ public Builder importEnabled(Boolean importEnabled) { } /** - * @param kerberos Settings regarding kerberos authentication for this realm. + * @param kerberos A block containing the kerberos settings. * * @return builder * 
@@ -840,7 +850,7 @@ public Builder kerberos(@Nullable Output kerberos) { } /** - * @param kerberos Settings regarding kerberos authentication for this realm. + * @param kerberos A block containing the kerberos settings. * * @return builder * @@ -871,7 +881,7 @@ public Builder name(String name) { } /** - * @param pagination When true, Keycloak assumes the LDAP server supports pagination. + * @param pagination When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. * * @return builder * @@ -882,7 +892,7 @@ public Builder pagination(@Nullable Output pagination) { } /** - * @param pagination When true, Keycloak assumes the LDAP server supports pagination. + * @param pagination When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. * * @return builder * @@ -892,7 +902,7 @@ public Builder pagination(Boolean pagination) { } /** - * @param priority Priority of this provider when looking up users. Lower values are first. + * @param priority Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * * @return builder * @@ -903,7 +913,7 @@ public Builder priority(@Nullable Output priority) { } /** - * @param priority Priority of this provider when looking up users. Lower values are first. + * @param priority Priority of this provider when looking up users. Lower values are first. Defaults to `0`. * * @return builder * @@ -934,7 +944,7 @@ public Builder rdnLdapAttribute(String rdnLdapAttribute) { } /** - * @param readTimeout LDAP read timeout (duration string) + * @param readTimeout LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * * @return builder * 
@@ -945,7 +955,7 @@ public Builder readTimeout(@Nullable Output readTimeout) { } /** - * @param readTimeout LDAP read timeout (duration string) + * @param readTimeout LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). * * @return builder * @@ -955,7 +965,7 @@ public Builder readTimeout(String readTimeout) { } /** - * @param realmId The realm this provider will provide user federation for. + * @param realmId The realm that this provider will provide user federation for. * * @return builder * @@ -966,7 +976,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm this provider will provide user federation for. + * @param realmId The realm that this provider will provide user federation for. * * @return builder * @@ -976,7 +986,9 @@ public Builder realmId(String realmId) { } /** - * @param searchScope ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * @param searchScope Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + * - `SUBTREE`: Search entire LDAP subtree. * * @return builder * @@ -987,7 +999,9 @@ public Builder searchScope(@Nullable Output searchScope) { } /** - * @param searchScope ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * @param searchScope Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + * - `SUBTREE`: Search entire LDAP subtree. * * @return builder * @@ -997,7 +1011,7 @@ public Builder searchScope(String searchScope) { } /** - * @param startTls When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * @param startTls When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. * * @return builder * 
@@ -1008,7 +1022,7 @@ public Builder startTls(@Nullable Output startTls) { } /** - * @param startTls When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * @param startTls When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. * * @return builder * @@ -1018,7 +1032,7 @@ public Builder startTls(Boolean startTls) { } /** - * @param syncRegistrations When true, newly created users will be synced back to LDAP. + * @param syncRegistrations When `true`, newly created users will be synced back to LDAP. Defaults to `false`. * * @return builder * @@ -1029,7 +1043,7 @@ public Builder syncRegistrations(@Nullable Output syncRegistrations) { } /** - * @param syncRegistrations When true, newly created users will be synced back to LDAP. + * @param syncRegistrations When `true`, newly created users will be synced back to LDAP. Defaults to `false`. * * @return builder * 
@@ -1080,17 +1094,35 @@ public Builder usePasswordModifyExtendedOp(Boolean usePasswordModifyExtendedOp) return usePasswordModifyExtendedOp(Output.of(usePasswordModifyExtendedOp)); } + /** + * @param useTruststoreSpi Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + * @return builder + * + */ public Builder useTruststoreSpi(@Nullable Output useTruststoreSpi) { $.useTruststoreSpi = useTruststoreSpi; return this; } + /** + * @param useTruststoreSpi Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + * + * @return builder + * + */ public Builder useTruststoreSpi(String useTruststoreSpi) { return useTruststoreSpi(Output.of(useTruststoreSpi)); } /** - * @param userObjectClasses All values of LDAP objectClass attribute for users in LDAP. + * @param userObjectClasses Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * * @return builder * @@ -1101,7 +1133,7 @@ public Builder userObjectClasses(@Nullable Output> userObjectClasse } /** - * @param userObjectClasses All values of LDAP objectClass attribute for users in LDAP. + * @param userObjectClasses Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * * @return builder * 
@@ -1111,7 +1143,7 @@ public Builder userObjectClasses(List userObjectClasses) { } /** - * @param userObjectClasses All values of LDAP objectClass attribute for users in LDAP. + * @param userObjectClasses Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. * * @return builder * @@ -1184,7 +1216,7 @@ public Builder uuidLdapAttribute(String uuidLdapAttribute) { } /** - * @param validatePasswordPolicy When true, Keycloak will validate passwords using the realm policy before updating it. + * @param validatePasswordPolicy When `true`, Keycloak will validate passwords using the realm policy before updating it. * * @return builder * @@ -1195,7 +1227,7 @@ public Builder validatePasswordPolicy(@Nullable Output validatePassword } /** - * @param validatePasswordPolicy When true, Keycloak will validate passwords using the realm policy before updating it. + * @param validatePasswordPolicy When `true`, Keycloak will validate passwords using the realm policy before updating it. * * @return builder * @@ -1205,7 +1237,7 @@ public Builder validatePasswordPolicy(Boolean validatePasswordPolicy) { } /** - * @param vendor LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * @param vendor Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * * @return builder * 
@@ -1216,7 +1248,7 @@ public Builder vendor(@Nullable Output vendor) { } /** - * @param vendor LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * @param vendor Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/outputs/UserFederationCache.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/outputs/UserFederationCache.java index d95e9688..3089acb6 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/outputs/UserFederationCache.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/outputs/UserFederationCache.java @@ -13,7 +13,7 @@ @CustomType public final class UserFederationCache { /** - * @return Day of the week the entry will become invalid on. + * @return Day of the week the entry will become invalid on * */ private @Nullable Integer evictionDay; @@ -32,11 +32,15 @@ public final class UserFederationCache { * */ private @Nullable String maxLifespan; + /** + * @return Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + */ private @Nullable String policy; private UserFederationCache() {} /** - * @return Day of the week the entry will become invalid on. + * @return Day of the week the entry will become invalid on * */ public Optional evictionDay() { @@ -63,6 +67,10 @@ public Optional evictionMinute() { public Optional maxLifespan() { return Optional.ofNullable(this.maxLifespan); } + /** + * @return Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * + */ public Optional policy() { return Optional.ofNullable(this.policy); } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/outputs/UserFederationKerberos.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/outputs/UserFederationKerberos.java index 07403dc2..55d15a26 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/outputs/UserFederationKerberos.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/outputs/UserFederationKerberos.java @@ -14,7 +14,7 @@ @CustomType public final class UserFederationKerberos { /** - * @return The name of the kerberos realm, e.g. FOO.LOCAL + * @return The name of the kerberos realm, e.g. FOO.LOCAL. * */ private String kerberosRealm; @@ -36,7 +36,7 @@ public final class UserFederationKerberos { private UserFederationKerberos() {} /** - * @return The name of the kerberos realm, e.g. FOO.LOCAL + * @return The name of the kerberos realm, e.g. FOO.LOCAL. * */ public String kerberosRealm() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceProtocolMapper.java index 47f951cc..964c6f09 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceProtocolMapper.java 
@@ -16,16 +16,14 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.AudienceProtocolMapper + * Allows for creating and managing audience protocol mappers within Keycloak. * - * Allows for creating and managing audience protocol mappers within - * Keycloak. This mapper was added in Keycloak v4.6.0.Final. + * Audience protocol mappers allow you add audiences to the `aud` claim within issued tokens. The audience can be a custom + * string, or it can be mapped to the ID of a pre-existing client. * - * Audience protocol mappers allow you add audiences to the `aud` claim - * within issued tokens. The audience can be a custom string, or it can be - * mapped to the ID of a pre-existing client. + * ## Example Usage * - * ### Example Usage (Client) + * ### Client) * * <!--Start PulumiCodeChooser --> *
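Review bot: The new heading `### Client)` keeps the closing parenthesis of the old `### Example Usage (Client)` while dropping the opening one, so the generated Javadoc renders a stray `)`; the same happens with `### Client Scope)` in hunk `@@ -81,7 +79,7 @@` below. Change them to `* ### Client` and `* ### Client Scope`. The text presumably comes from the upstream doc-extraction step, so the fix likely belongs there as well.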
@@ -61,8 +59,8 @@
  * 
  *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
- *             .clientId("test-client")
- *             .name("test client")
+ *             .clientId("client")
+ *             .name("client")
  *             .enabled(true)
  *             .accessType("CONFIDENTIAL")
  *             .validRedirectUris("http://localhost:8080/openid-callback")
@@ -81,7 +79,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Client Scope) + * ### Client Scope) * * <!--Start PulumiCodeChooser --> *
@@ -133,137 +131,136 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `included_client_audience` - (Required if `included_custom_audience` is not specified) A client ID to include within the token's `aud` claim. - * - `included_custom_audience` - (Required if `included_client_audience` is not specified) A custom audience to include within the token's `aud` claim. - * - `add_to_id_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. - * - `add_to_access_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper") public class AudienceProtocolMapper extends com.pulumi.resources.CustomResource { /** - * Indicates if this claim should be added to the access token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ @Export(name="addToAccessToken", refs={Boolean.class}, tree="[0]") private Output addToAccessToken; /** - * @return Indicates if this claim should be added to the access token. + * @return Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ public Output> addToAccessToken() { return Codegen.optional(this.addToAccessToken); } /** - * Indicates if this claim should be added to the id token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ @Export(name="addToIdToken", refs={Boolean.class}, tree="[0]") private Output addToIdToken; /** - * @return Indicates if this claim should be added to the id token. + * @return Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. 
* */ public Output> addToIdToken() { return Codegen.optional(this.addToIdToken); } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientId() { return Codegen.optional(this.clientId); } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } /** - * A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ @Export(name="includedClientAudience", refs={String.class}, tree="[0]") private Output includedClientAudience; /** - * @return A client ID to include within the token's `aud` claim. 
Cannot be used with included_custom_audience + * @return A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ public Output> includedClientAudience() { return Codegen.optional(this.includedClientAudience); } /** - * A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ @Export(name="includedCustomAudience", refs={String.class}, tree="[0]") private Output includedCustomAudience; /** - * @return A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @return A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ public Output> includedCustomAudience() { return Codegen.optional(this.includedCustomAudience); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Output name() { return this.name; } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { 
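Review bot: The new Javadoc for `addToAccessToken` (field and getter in this hunk, and again in `AudienceProtocolMapperArgs.java` at hunks `@@ -18,14 +18,14 @@`, `@@ -169,7 +169,7 @@` and `@@ -180,7 +180,7 @@`) says the audience is included in the `aud` claim "for the id token", which is the `addToIdToken` text copied verbatim. The access-token flag is the one resource servers depend on when they validate `aud`, so documenting it as the id-token flag invites the wrong option being set. Change the two `addToAccessToken` comments here to `* Indicates if the audience should be included in the `aud` claim for the access token. Defaults to `true`.` The removed Argument Reference carried the same copy-paste error, so the upstream docs need the same correction.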
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceProtocolMapperArgs.java index 0282f4b8..176dce94 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceProtocolMapperArgs.java @@ -18,14 +18,14 @@ public final class AudienceProtocolMapperArgs extends com.pulumi.resources.Resou public static final AudienceProtocolMapperArgs Empty = new AudienceProtocolMapperArgs(); /** - * Indicates if this claim should be added to the access token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if this claim should be added to the access token. + * @return Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ public Optional> addToAccessToken() { @@ -33,14 +33,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if this claim should be added to the id token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if this claim should be added to the id token. + * @return Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ public Optional> addToIdToken() { 
@@ -48,14 +48,14 @@ public Optional> addToIdToken() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -63,14 +63,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { 
@@ -78,14 +78,14 @@ public Optional> clientScopeId() { } /** - * A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ @Import(name="includedClientAudience") private @Nullable Output includedClientAudience; /** - * @return A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @return A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ public Optional> includedClientAudience() { @@ -93,14 +93,14 @@ public Optional> includedClientAudience() { } /** - * A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ @Import(name="includedCustomAudience") private @Nullable Output includedCustomAudience; /** - * @return A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @return A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ public Optional> includedCustomAudience() { 
@@ -108,14 +108,14 @@ public Optional> includedCustomAudience() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -123,14 +123,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { @@ -169,7 +169,7 @@ public Builder(AudienceProtocolMapperArgs defaults) { } /** - * @param addToAccessToken Indicates if this claim should be added to the access token. + * @param addToAccessToken Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * * @return builder * @@ -180,7 +180,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if this claim should be added to the access token. + * @param addToAccessToken Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * * @return builder * @@ -190,7 +190,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if this claim should be added to the id token. + * @param addToIdToken Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * * @return builder * 
@@ -201,7 +201,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if this claim should be added to the id token. + * @param addToIdToken Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * * @return builder * @@ -211,7 +211,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -222,7 +222,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -232,7 +232,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -243,7 +243,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -253,7 +253,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param includedClientAudience A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @param includedClientAudience A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * * @return builder * @@ -264,7 +264,7 @@ public Builder includedClientAudience(@Nullable Output includedClientAud } /** - * @param includedClientAudience A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @param includedClientAudience A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * * @return builder * @@ -274,7 +274,7 @@ public Builder includedClientAudience(String includedClientAudience) { } /** - * @param includedCustomAudience A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @param includedCustomAudience A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * * @return builder * @@ -285,7 +285,7 @@ public Builder includedCustomAudience(@Nullable Output includedCustomAud } /** - * @param includedCustomAudience A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @param includedCustomAudience A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * * @return builder * 
@@ -295,7 +295,7 @@ public Builder includedCustomAudience(String includedCustomAudience) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -306,7 +306,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -316,7 +316,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -327,7 +327,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/Client.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/Client.java index 0455f1a5..32fd6659 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/Client.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/Client.java @@ -20,15 +20,13 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.Client - * * Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. * * Clients are entities that can use Keycloak for user authentication. Typically, * clients are applications that redirect users to Keycloak for authentication * in order to take advantage of Keycloak's user sessions for SSO. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -67,6 +65,11 @@
  *             .enabled(true)
  *             .accessType("CONFIDENTIAL")
  *             .validRedirectUris("http://localhost:8080/openid-callback")
+ *             .loginTheme("keycloak")
+ *             .extraConfig(Map.ofEntries(
+ *                 Map.entry("key1", "value1"),
+ *                 Map.entry("key2", "value2")
+ *             ))
  *             .build());
  * 
  *     }
@@ -75,187 +78,360 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this client is attached to. - * - `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. - * - `name` - (Optional) The display name of this client in the GUI. - * - `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. - * - `description` - (Optional) The description of this client in the GUI. - * - `access_type` - (Required) Specifies the type of client, which can be one of the following: - * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. - * This client should be used for applications using the Authorization Code or Client Credentials grant flows. - * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect - * URIs for security. This client should be used for applications using the Implicit grant flow. - * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. - * - `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and - * should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute. - * - `standard_flow_enabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. - * - `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. - * - `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. 
- * - `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. - * - `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple - * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` - * is set to `true`. - * - `web_origins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins. - * - `admin_url` - (Optional) URL to the admin interface of the client. - * - `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client. - * - `pkce_code_challenge_method` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. - * - `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token. - * - * ### Attributes Reference - * - * In addition to the arguments listed above, the following computed attributes are exported: - * - * - `service_account_user_id` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. - * - * ### Import + * ## Import * * Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak + * * assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. 
* * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 + * ``` + * */ @ResourceType(type="keycloak:openid/client:Client") public class Client extends com.pulumi.resources.CustomResource { + /** + * The amount of time in seconds before an access token expires. This will override the default for the realm. + * + */ @Export(name="accessTokenLifespan", refs={String.class}, tree="[0]") private Output accessTokenLifespan; + /** + * @return The amount of time in seconds before an access token expires. This will override the default for the realm. + * + */ public Output accessTokenLifespan() { return this.accessTokenLifespan; } + /** + * Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + * + */ @Export(name="accessType", refs={String.class}, tree="[0]") private Output accessType; + /** + * @return Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. 
This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + * + */ public Output accessType() { return this.accessType; } + /** + * URL to the admin interface of the client. + * + */ @Export(name="adminUrl", refs={String.class}, tree="[0]") private Output adminUrl; + /** + * @return URL to the admin interface of the client. + * + */ public Output adminUrl() { return this.adminUrl; } + /** + * Override realm authentication flow bindings + * + */ @Export(name="authenticationFlowBindingOverrides", refs={ClientAuthenticationFlowBindingOverrides.class}, tree="[0]") private Output authenticationFlowBindingOverrides; + /** + * @return Override realm authentication flow bindings + * + */ public Output> authenticationFlowBindingOverrides() { return Codegen.optional(this.authenticationFlowBindingOverrides); } + /** + * When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + * + */ @Export(name="authorization", refs={ClientAuthorization.class}, tree="[0]") private Output authorization; + /** + * @return When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + * + */ public Output> authorization() { return Codegen.optional(this.authorization); } + /** + * Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. 
+ * + */ @Export(name="backchannelLogoutRevokeOfflineSessions", refs={Boolean.class}, tree="[0]") private Output backchannelLogoutRevokeOfflineSessions; + /** + * @return Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + * + */ public Output> backchannelLogoutRevokeOfflineSessions() { return Codegen.optional(this.backchannelLogoutRevokeOfflineSessions); } + /** + * When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + * + */ @Export(name="backchannelLogoutSessionRequired", refs={Boolean.class}, tree="[0]") private Output backchannelLogoutSessionRequired; + /** + * @return When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + * + */ public Output> backchannelLogoutSessionRequired() { return Codegen.optional(this.backchannelLogoutSessionRequired); } + /** + * The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + */ @Export(name="backchannelLogoutUrl", refs={String.class}, tree="[0]") private Output backchannelLogoutUrl; + /** + * @return The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + */ public Output> backchannelLogoutUrl() { return Codegen.optional(this.backchannelLogoutUrl); } + /** + * Default URL to use when the auth server needs to redirect or link back to the client. + * + */ @Export(name="baseUrl", refs={String.class}, tree="[0]") private Output baseUrl; + /** + * @return Default URL to use when the auth server needs to redirect or link back to the client. 
+ * + */ public Output baseUrl() { return this.baseUrl; } + /** + * Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + */ @Export(name="clientAuthenticatorType", refs={String.class}, tree="[0]") private Output clientAuthenticatorType; + /** + * @return Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + */ public Output> clientAuthenticatorType() { return Codegen.optional(this.clientAuthenticatorType); } + /** + * The Client ID for this client, referenced in the URI during authentication and in issued tokens. 
+ * + */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; + /** + * @return The Client ID for this client, referenced in the URI during authentication and in issued tokens. + * + */ public Output clientId() { return this.clientId; } + /** + * Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + * + */ @Export(name="clientOfflineSessionIdleTimeout", refs={String.class}, tree="[0]") private Output clientOfflineSessionIdleTimeout; + /** + * @return Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + * + */ public Output clientOfflineSessionIdleTimeout() { return this.clientOfflineSessionIdleTimeout; } + /** + * Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + * + */ @Export(name="clientOfflineSessionMaxLifespan", refs={String.class}, tree="[0]") private Output clientOfflineSessionMaxLifespan; + /** + * @return Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + * + */ public Output clientOfflineSessionMaxLifespan() { return this.clientOfflineSessionMaxLifespan; } + /** + * The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + * + */ @Export(name="clientSecret", refs={String.class}, tree="[0]") private Output clientSecret; + /** + * @return The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. 
If omitted, this will be generated by Keycloak. + * + */ public Output clientSecret() { return this.clientSecret; } + /** + * Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + * + */ @Export(name="clientSessionIdleTimeout", refs={String.class}, tree="[0]") private Output clientSessionIdleTimeout; + /** + * @return Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + * + */ public Output clientSessionIdleTimeout() { return this.clientSessionIdleTimeout; } + /** + * Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + * + */ @Export(name="clientSessionMaxLifespan", refs={String.class}, tree="[0]") private Output clientSessionMaxLifespan; + /** + * @return Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + * + */ public Output clientSessionMaxLifespan() { return this.clientSessionMaxLifespan; } + /** + * When `true`, users have to consent to client access. Defaults to `false`. + * + */ @Export(name="consentRequired", refs={Boolean.class}, tree="[0]") private Output consentRequired; + /** + * @return When `true`, users have to consent to client access. Defaults to `false`. + * + */ public Output consentRequired() { return this.consentRequired; } + /** + * The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. 
+ * + */ @Export(name="consentScreenText", refs={String.class}, tree="[0]") private Output consentScreenText; + /** + * @return The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + * + */ public Output consentScreenText() { return this.consentScreenText; } + /** + * The description of this client in the GUI. + * + */ @Export(name="description", refs={String.class}, tree="[0]") private Output description; + /** + * @return The description of this client in the GUI. + * + */ public Output description() { return this.description; } + /** + * When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + */ @Export(name="directAccessGrantsEnabled", refs={Boolean.class}, tree="[0]") private Output directAccessGrantsEnabled; + /** + * @return When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + */ public Output directAccessGrantsEnabled() { return this.directAccessGrantsEnabled; } + /** + * When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + */ @Export(name="displayOnConsentScreen", refs={Boolean.class}, tree="[0]") private Output displayOnConsentScreen; + /** + * @return When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + */ public Output displayOnConsentScreen() { return this.displayOnConsentScreen; } + /** + * When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + */ @Export(name="enabled", refs={Boolean.class}, tree="[0]") private Output enabled; + /** + * @return When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. 
+ * + */ public Output> enabled() { return Codegen.optional(this.enabled); } + /** + * When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + * + */ @Export(name="excludeSessionStateFromAuthResponse", refs={Boolean.class}, tree="[0]") private Output excludeSessionStateFromAuthResponse; + /** + * @return When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + * + */ public Output excludeSessionStateFromAuthResponse() { return this.excludeSessionStateFromAuthResponse; } 
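Review bot: The javadoc added for `clientOfflineSessionIdleTimeout` and `clientOfflineSessionMaxLifespan` is swapped with that of `clientSessionIdleTimeout` and `clientSessionMaxLifespan`: the two `Offline` fields are described as ordinary client-session timeouts falling back to "the standard SSO Session Idle/Max value", while the two non-offline fields are described as offline-session timeouts falling back to the "Offline Session Idle/Max value", so anyone tuning offline-token lifetime from this text will set the wrong field. The text is generated from the provider schema, so the correction belongs upstream, but as emitted the four descriptions should be exchanged pairwise. Separately, the `accessType` javadoc still steers `PUBLIC` clients to "the Implicit grant flow", which current OAuth 2.0 security guidance deprecates; I would append `Prefer the Authorization Code flow with PKCE for public clients.` to that bullet, since the resource appears to expose a PKCE challenge-method setting. Minor: the `backchannelLogoutUrl` text has `is this case` for `in this case`, and the `authorization` description ends with "This block has the following arguments:" with nothing following.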
@@ -265,135 +441,315 @@ public Output excludeSessionStateFromAuthResponse() { public Output>> extraConfig() { return Codegen.optional(this.extraConfig); } + /** + * When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + */ @Export(name="frontchannelLogoutEnabled", refs={Boolean.class}, tree="[0]") private Output frontchannelLogoutEnabled; + /** + * @return When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + */ public Output frontchannelLogoutEnabled() { return this.frontchannelLogoutEnabled; } + /** + * The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + */ @Export(name="frontchannelLogoutUrl", refs={String.class}, tree="[0]") private Output frontchannelLogoutUrl; + /** + * @return The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + */ public Output> frontchannelLogoutUrl() { return Codegen.optional(this.frontchannelLogoutUrl); } + /** + * Allow to include all roles mappings in the access token. + * + */ @Export(name="fullScopeAllowed", refs={Boolean.class}, tree="[0]") private Output fullScopeAllowed; + /** + * @return Allow to include all roles mappings in the access token. + * + */ public Output> fullScopeAllowed() { return Codegen.optional(this.fullScopeAllowed); } + /** + * When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + * + */ @Export(name="implicitFlowEnabled", refs={Boolean.class}, tree="[0]") private Output implicitFlowEnabled; + /** + * @return When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. 
+ * + */ public Output implicitFlowEnabled() { return this.implicitFlowEnabled; } + /** + * When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + */ @Export(name="import", refs={Boolean.class}, tree="[0]") private Output import_; + /** + * @return When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + */ public Output> import_() { return Codegen.optional(this.import_); } + /** + * The client login theme. This will override the default theme for the realm. + * + */ @Export(name="loginTheme", refs={String.class}, tree="[0]") private Output loginTheme; + /** + * @return The client login theme. This will override the default theme for the realm. + * + */ public Output> loginTheme() { return Codegen.optional(this.loginTheme); } + /** + * The display name of this client in the GUI. + * + */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; + /** + * @return The display name of this client in the GUI. + * + */ public Output name() { return this.name; } + /** + * Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. 
+ * + */ @Export(name="oauth2DeviceAuthorizationGrantEnabled", refs={Boolean.class}, tree="[0]") private Output oauth2DeviceAuthorizationGrantEnabled; + /** + * @return Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + * + */ public Output> oauth2DeviceAuthorizationGrantEnabled() { return Codegen.optional(this.oauth2DeviceAuthorizationGrantEnabled); } + /** + * The maximum amount of time a client has to finish the device code flow before it expires. + * + */ @Export(name="oauth2DeviceCodeLifespan", refs={String.class}, tree="[0]") private Output oauth2DeviceCodeLifespan; + /** + * @return The maximum amount of time a client has to finish the device code flow before it expires. + * + */ public Output> oauth2DeviceCodeLifespan() { return Codegen.optional(this.oauth2DeviceCodeLifespan); } + /** + * The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + */ @Export(name="oauth2DevicePollingInterval", refs={String.class}, tree="[0]") private Output oauth2DevicePollingInterval; + /** + * @return The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + */ public Output> oauth2DevicePollingInterval() { return Codegen.optional(this.oauth2DevicePollingInterval); } + /** + * The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + */ @Export(name="pkceCodeChallengeMethod", refs={String.class}, tree="[0]") private Output pkceCodeChallengeMethod; + /** + * @return The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + */ public Output> pkceCodeChallengeMethod() { return Codegen.optional(this.pkceCodeChallengeMethod); } + /** + * The realm this client is attached to. 
+ * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this client is attached to. + * + */ public Output realmId() { return this.realmId; } + /** + * (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + * + */ @Export(name="resourceServerId", refs={String.class}, tree="[0]") private Output resourceServerId; + /** + * @return (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + * + */ public Output resourceServerId() { return this.resourceServerId; } + /** + * When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + * + */ @Export(name="rootUrl", refs={String.class}, tree="[0]") private Output rootUrl; + /** + * @return When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + * + */ public Output rootUrl() { return this.rootUrl; } + /** + * (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + * + */ @Export(name="serviceAccountUserId", refs={String.class}, tree="[0]") private Output serviceAccountUserId; + /** + * @return (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. 
+ * + */ public Output serviceAccountUserId() { return this.serviceAccountUserId; } + /** + * When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + * + */ @Export(name="serviceAccountsEnabled", refs={Boolean.class}, tree="[0]") private Output serviceAccountsEnabled; + /** + * @return When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + * + */ public Output serviceAccountsEnabled() { return this.serviceAccountsEnabled; } + /** + * When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + * + */ @Export(name="standardFlowEnabled", refs={Boolean.class}, tree="[0]") private Output standardFlowEnabled; + /** + * @return When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + * + */ public Output standardFlowEnabled() { return this.standardFlowEnabled; } + /** + * If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + * + */ @Export(name="useRefreshTokens", refs={Boolean.class}, tree="[0]") private Output useRefreshTokens; + /** + * @return If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + * + */ public Output> useRefreshTokens() { return Codegen.optional(this.useRefreshTokens); } + /** + * If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. 
+ * + */ @Export(name="useRefreshTokensClientCredentials", refs={Boolean.class}, tree="[0]") private Output useRefreshTokensClientCredentials; + /** + * @return If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + * + */ public Output> useRefreshTokensClientCredentials() { return Codegen.optional(this.useRefreshTokensClientCredentials); } + /** + * A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + */ @Export(name="validPostLogoutRedirectUris", refs={List.class,String.class}, tree="[0,1]") private Output> validPostLogoutRedirectUris; + /** + * @return A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + */ public Output> validPostLogoutRedirectUris() { return this.validPostLogoutRedirectUris; } + /** + * A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + */ @Export(name="validRedirectUris", refs={List.class,String.class}, tree="[0,1]") private Output> validRedirectUris; + /** + * @return A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + */ public Output> validRedirectUris() { return this.validRedirectUris; } + /** + * A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. 
To permit all origins, explicitly add `*`." + * + */ @Export(name="webOrigins", refs={List.class,String.class}, tree="[0,1]") private Output> webOrigins; + /** + * @return A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + */ public Output> webOrigins() { return this.webOrigins; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientArgs.java index 893de25b..7824e536 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientArgs.java 
@@ -21,163 +21,365 @@ public final class ClientArgs extends com.pulumi.resources.ResourceArgs { public static final ClientArgs Empty = new ClientArgs(); + /** + * The amount of time in seconds before an access token expires. This will override the default for the realm. + * + */ @Import(name="accessTokenLifespan") private @Nullable Output accessTokenLifespan; + /** + * @return The amount of time in seconds before an access token expires. This will override the default for the realm. + * + */ public Optional> accessTokenLifespan() { return Optional.ofNullable(this.accessTokenLifespan); } + /** + * Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + * + */ @Import(name="accessType", required=true) private Output accessType; + /** + * @return Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. 
+ * + */ public Output accessType() { return this.accessType; } + /** + * URL to the admin interface of the client. + * + */ @Import(name="adminUrl") private @Nullable Output adminUrl; + /** + * @return URL to the admin interface of the client. + * + */ public Optional> adminUrl() { return Optional.ofNullable(this.adminUrl); } + /** + * Override realm authentication flow bindings + * + */ @Import(name="authenticationFlowBindingOverrides") private @Nullable Output authenticationFlowBindingOverrides; + /** + * @return Override realm authentication flow bindings + * + */ public Optional> authenticationFlowBindingOverrides() { return Optional.ofNullable(this.authenticationFlowBindingOverrides); } + /** + * When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + * + */ @Import(name="authorization") private @Nullable Output authorization; + /** + * @return When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + * + */ public Optional> authorization() { return Optional.ofNullable(this.authorization); } + /** + * Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + * + */ @Import(name="backchannelLogoutRevokeOfflineSessions") private @Nullable Output backchannelLogoutRevokeOfflineSessions; + /** + * @return Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. 
+ * + */ public Optional> backchannelLogoutRevokeOfflineSessions() { return Optional.ofNullable(this.backchannelLogoutRevokeOfflineSessions); } + /** + * When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + * + */ @Import(name="backchannelLogoutSessionRequired") private @Nullable Output backchannelLogoutSessionRequired; + /** + * @return When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + * + */ public Optional> backchannelLogoutSessionRequired() { return Optional.ofNullable(this.backchannelLogoutSessionRequired); } + /** + * The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + */ @Import(name="backchannelLogoutUrl") private @Nullable Output backchannelLogoutUrl; + /** + * @return The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + */ public Optional> backchannelLogoutUrl() { return Optional.ofNullable(this.backchannelLogoutUrl); } + /** + * Default URL to use when the auth server needs to redirect or link back to the client. + * + */ @Import(name="baseUrl") private @Nullable Output baseUrl; + /** + * @return Default URL to use when the auth server needs to redirect or link back to the client. + * + */ public Optional> baseUrl() { return Optional.ofNullable(this.baseUrl); } + /** + * Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. 
Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + */ @Import(name="clientAuthenticatorType") private @Nullable Output clientAuthenticatorType; + /** + * @return Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + */ public Optional> clientAuthenticatorType() { return Optional.ofNullable(this.clientAuthenticatorType); } + /** + * The Client ID for this client, referenced in the URI during authentication and in issued tokens. + * + */ @Import(name="clientId", required=true) private Output clientId; + /** + * @return The Client ID for this client, referenced in the URI during authentication and in issued tokens. + * + */ public Output clientId() { return this.clientId; } + /** + * Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. 
+ * + */ @Import(name="clientOfflineSessionIdleTimeout") private @Nullable Output clientOfflineSessionIdleTimeout; + /** + * @return Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + * + */ public Optional> clientOfflineSessionIdleTimeout() { return Optional.ofNullable(this.clientOfflineSessionIdleTimeout); } + /** + * Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + * + */ @Import(name="clientOfflineSessionMaxLifespan") private @Nullable Output clientOfflineSessionMaxLifespan; + /** + * @return Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + * + */ public Optional> clientOfflineSessionMaxLifespan() { return Optional.ofNullable(this.clientOfflineSessionMaxLifespan); } + /** + * The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + * + */ @Import(name="clientSecret") private @Nullable Output clientSecret; + /** + * @return The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + * + */ public Optional> clientSecret() { return Optional.ofNullable(this.clientSecret); } + /** + * Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. 
+ * + */ @Import(name="clientSessionIdleTimeout") private @Nullable Output clientSessionIdleTimeout; + /** + * @return Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + * + */ public Optional> clientSessionIdleTimeout() { return Optional.ofNullable(this.clientSessionIdleTimeout); } + /** + * Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + * + */ @Import(name="clientSessionMaxLifespan") private @Nullable Output clientSessionMaxLifespan; + /** + * @return Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + * + */ public Optional> clientSessionMaxLifespan() { return Optional.ofNullable(this.clientSessionMaxLifespan); } + /** + * When `true`, users have to consent to client access. Defaults to `false`. + * + */ @Import(name="consentRequired") private @Nullable Output consentRequired; + /** + * @return When `true`, users have to consent to client access. Defaults to `false`. + * + */ public Optional> consentRequired() { return Optional.ofNullable(this.consentRequired); } + /** + * The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + * + */ @Import(name="consentScreenText") private @Nullable Output consentScreenText; + /** + * @return The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + * + */ public Optional> consentScreenText() { return Optional.ofNullable(this.consentScreenText); } + /** + * The description of this client in the GUI. 
+ * + */ @Import(name="description") private @Nullable Output description; + /** + * @return The description of this client in the GUI. + * + */ public Optional> description() { return Optional.ofNullable(this.description); } + /** + * When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + */ @Import(name="directAccessGrantsEnabled") private @Nullable Output directAccessGrantsEnabled; + /** + * @return When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + */ public Optional> directAccessGrantsEnabled() { return Optional.ofNullable(this.directAccessGrantsEnabled); } + /** + * When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + */ @Import(name="displayOnConsentScreen") private @Nullable Output displayOnConsentScreen; + /** + * @return When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + */ public Optional> displayOnConsentScreen() { return Optional.ofNullable(this.displayOnConsentScreen); } + /** + * When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + */ @Import(name="enabled") private @Nullable Output enabled; + /** + * @return When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + */ public Optional> enabled() { return Optional.ofNullable(this.enabled); } + /** + * When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. 
+ * + */ @Import(name="excludeSessionStateFromAuthResponse") private @Nullable Output excludeSessionStateFromAuthResponse; + /** + * @return When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + * + */ public Optional> excludeSessionStateFromAuthResponse() { return Optional.ofNullable(this.excludeSessionStateFromAuthResponse); } 
@@ -189,142 +391,306 @@ public Optional>> extraConfig() { return Optional.ofNullable(this.extraConfig); } + /** + * When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + */ @Import(name="frontchannelLogoutEnabled") private @Nullable Output frontchannelLogoutEnabled; + /** + * @return When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + */ public Optional> frontchannelLogoutEnabled() { return Optional.ofNullable(this.frontchannelLogoutEnabled); } + /** + * The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + */ @Import(name="frontchannelLogoutUrl") private @Nullable Output frontchannelLogoutUrl; + /** + * @return The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + */ public Optional> frontchannelLogoutUrl() { return Optional.ofNullable(this.frontchannelLogoutUrl); } + /** + * Allow to include all roles mappings in the access token. + * + */ @Import(name="fullScopeAllowed") private @Nullable Output fullScopeAllowed; + /** + * @return Allow to include all roles mappings in the access token. + * + */ public Optional> fullScopeAllowed() { return Optional.ofNullable(this.fullScopeAllowed); } + /** + * When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + * + */ @Import(name="implicitFlowEnabled") private @Nullable Output implicitFlowEnabled; + /** + * @return When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + * + */ public Optional> implicitFlowEnabled() { return Optional.ofNullable(this.implicitFlowEnabled); } + /** + * When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. 
This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + */ @Import(name="import") private @Nullable Output import_; + /** + * @return When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + */ public Optional> import_() { return Optional.ofNullable(this.import_); } + /** + * The client login theme. This will override the default theme for the realm. + * + */ @Import(name="loginTheme") private @Nullable Output loginTheme; + /** + * @return The client login theme. This will override the default theme for the realm. + * + */ public Optional> loginTheme() { return Optional.ofNullable(this.loginTheme); } + /** + * The display name of this client in the GUI. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this client in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + * + */ @Import(name="oauth2DeviceAuthorizationGrantEnabled") private @Nullable Output oauth2DeviceAuthorizationGrantEnabled; + /** + * @return Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. 
+ * + */ public Optional> oauth2DeviceAuthorizationGrantEnabled() { return Optional.ofNullable(this.oauth2DeviceAuthorizationGrantEnabled); } + /** + * The maximum amount of time a client has to finish the device code flow before it expires. + * + */ @Import(name="oauth2DeviceCodeLifespan") private @Nullable Output oauth2DeviceCodeLifespan; + /** + * @return The maximum amount of time a client has to finish the device code flow before it expires. + * + */ public Optional> oauth2DeviceCodeLifespan() { return Optional.ofNullable(this.oauth2DeviceCodeLifespan); } + /** + * The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + */ @Import(name="oauth2DevicePollingInterval") private @Nullable Output oauth2DevicePollingInterval; + /** + * @return The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + */ public Optional> oauth2DevicePollingInterval() { return Optional.ofNullable(this.oauth2DevicePollingInterval); } + /** + * The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + */ @Import(name="pkceCodeChallengeMethod") private @Nullable Output pkceCodeChallengeMethod; + /** + * @return The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + */ public Optional> pkceCodeChallengeMethod() { return Optional.ofNullable(this.pkceCodeChallengeMethod); } + /** + * The realm this client is attached to. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this client is attached to. + * + */ public Output realmId() { return this.realmId; } + /** + * When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. 
NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + * + */ @Import(name="rootUrl") private @Nullable Output rootUrl; + /** + * @return When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + * + */ public Optional> rootUrl() { return Optional.ofNullable(this.rootUrl); } + /** + * When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + * + */ @Import(name="serviceAccountsEnabled") private @Nullable Output serviceAccountsEnabled; + /** + * @return When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + * + */ public Optional> serviceAccountsEnabled() { return Optional.ofNullable(this.serviceAccountsEnabled); } + /** + * When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + * + */ @Import(name="standardFlowEnabled") private @Nullable Output standardFlowEnabled; + /** + * @return When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + * + */ public Optional> standardFlowEnabled() { return Optional.ofNullable(this.standardFlowEnabled); } + /** + * If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + * + */ @Import(name="useRefreshTokens") private @Nullable Output useRefreshTokens; + /** + * @return If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. 
+ * + */ public Optional> useRefreshTokens() { return Optional.ofNullable(this.useRefreshTokens); } + /** + * If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + * + */ @Import(name="useRefreshTokensClientCredentials") private @Nullable Output useRefreshTokensClientCredentials; + /** + * @return If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + * + */ public Optional> useRefreshTokensClientCredentials() { return Optional.ofNullable(this.useRefreshTokensClientCredentials); } + /** + * A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + */ @Import(name="validPostLogoutRedirectUris") private @Nullable Output> validPostLogoutRedirectUris; + /** + * @return A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + */ public Optional>> validPostLogoutRedirectUris() { return Optional.ofNullable(this.validPostLogoutRedirectUris); } + /** + * A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + */ @Import(name="validRedirectUris") private @Nullable Output> validRedirectUris; + /** + * @return A list of valid URIs a browser is permitted to redirect to after a successful login or logout. 
Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + */ public Optional>> validRedirectUris() { return Optional.ofNullable(this.validRedirectUris); } + /** + * A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + */ @Import(name="webOrigins") private @Nullable Output> webOrigins; + /** + * @return A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + */ public Optional>> webOrigins() { return Optional.ofNullable(this.webOrigins); } 
@@ -396,209 +762,503 @@ public Builder(ClientArgs defaults) { $ = new ClientArgs(Objects.requireNonNull(defaults)); } + /** + * @param accessTokenLifespan The amount of time in seconds before an access token expires. This will override the default for the realm. + * + * @return builder + * + */ public Builder accessTokenLifespan(@Nullable Output accessTokenLifespan) { $.accessTokenLifespan = accessTokenLifespan; return this; } + /** + * @param accessTokenLifespan The amount of time in seconds before an access token expires. This will override the default for the realm. + * + * @return builder + * + */ public Builder accessTokenLifespan(String accessTokenLifespan) { return accessTokenLifespan(Output.of(accessTokenLifespan)); } + /** + * @param accessType Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + * + * @return builder + * + */ public Builder accessType(Output accessType) { $.accessType = accessType; return this; } + /** + * @param accessType Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. 
+ * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + * + * @return builder + * + */ public Builder accessType(String accessType) { return accessType(Output.of(accessType)); } + /** + * @param adminUrl URL to the admin interface of the client. + * + * @return builder + * + */ public Builder adminUrl(@Nullable Output adminUrl) { $.adminUrl = adminUrl; return this; } + /** + * @param adminUrl URL to the admin interface of the client. + * + * @return builder + * + */ public Builder adminUrl(String adminUrl) { return adminUrl(Output.of(adminUrl)); } + /** + * @param authenticationFlowBindingOverrides Override realm authentication flow bindings + * + * @return builder + * + */ public Builder authenticationFlowBindingOverrides(@Nullable Output authenticationFlowBindingOverrides) { $.authenticationFlowBindingOverrides = authenticationFlowBindingOverrides; return this; } + /** + * @param authenticationFlowBindingOverrides Override realm authentication flow bindings + * + * @return builder + * + */ public Builder authenticationFlowBindingOverrides(ClientAuthenticationFlowBindingOverridesArgs authenticationFlowBindingOverrides) { return authenticationFlowBindingOverrides(Output.of(authenticationFlowBindingOverrides)); } + /** + * @param authorization When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. 
This block has the following arguments: + * + * @return builder + * + */ public Builder authorization(@Nullable Output authorization) { $.authorization = authorization; return this; } + /** + * @param authorization When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + * + * @return builder + * + */ public Builder authorization(ClientAuthorizationArgs authorization) { return authorization(Output.of(authorization)); } + /** + * @param backchannelLogoutRevokeOfflineSessions Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + * + * @return builder + * + */ public Builder backchannelLogoutRevokeOfflineSessions(@Nullable Output backchannelLogoutRevokeOfflineSessions) { $.backchannelLogoutRevokeOfflineSessions = backchannelLogoutRevokeOfflineSessions; return this; } + /** + * @param backchannelLogoutRevokeOfflineSessions Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + * + * @return builder + * + */ public Builder backchannelLogoutRevokeOfflineSessions(Boolean backchannelLogoutRevokeOfflineSessions) { return backchannelLogoutRevokeOfflineSessions(Output.of(backchannelLogoutRevokeOfflineSessions)); } + /** + * @param backchannelLogoutSessionRequired When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder backchannelLogoutSessionRequired(@Nullable Output backchannelLogoutSessionRequired) { $.backchannelLogoutSessionRequired = backchannelLogoutSessionRequired; return this; } + /** + * @param backchannelLogoutSessionRequired When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + * + * @return builder + * + */ public Builder backchannelLogoutSessionRequired(Boolean backchannelLogoutSessionRequired) { return backchannelLogoutSessionRequired(Output.of(backchannelLogoutSessionRequired)); } + /** + * @param backchannelLogoutUrl The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + * @return builder + * + */ public Builder backchannelLogoutUrl(@Nullable Output backchannelLogoutUrl) { $.backchannelLogoutUrl = backchannelLogoutUrl; return this; } + /** + * @param backchannelLogoutUrl The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + * @return builder + * + */ public Builder backchannelLogoutUrl(String backchannelLogoutUrl) { return backchannelLogoutUrl(Output.of(backchannelLogoutUrl)); } + /** + * @param baseUrl Default URL to use when the auth server needs to redirect or link back to the client. + * + * @return builder + * + */ public Builder baseUrl(@Nullable Output baseUrl) { $.baseUrl = baseUrl; return this; } + /** + * @param baseUrl Default URL to use when the auth server needs to redirect or link back to the client. + * + * @return builder + * + */ public Builder baseUrl(String baseUrl) { return baseUrl(Output.of(baseUrl)); } + /** + * @param clientAuthenticatorType Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. 
A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + * @return builder + * + */ public Builder clientAuthenticatorType(@Nullable Output clientAuthenticatorType) { $.clientAuthenticatorType = clientAuthenticatorType; return this; } + /** + * @param clientAuthenticatorType Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + * @return builder + * + */ public Builder clientAuthenticatorType(String clientAuthenticatorType) { return clientAuthenticatorType(Output.of(clientAuthenticatorType)); } + /** + * @param clientId The Client ID for this client, referenced in the URI during authentication and in issued tokens. 
+ * + * @return builder + * + */ public Builder clientId(Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The Client ID for this client, referenced in the URI during authentication and in issued tokens. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param clientOfflineSessionIdleTimeout Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + * + * @return builder + * + */ public Builder clientOfflineSessionIdleTimeout(@Nullable Output clientOfflineSessionIdleTimeout) { $.clientOfflineSessionIdleTimeout = clientOfflineSessionIdleTimeout; return this; } + /** + * @param clientOfflineSessionIdleTimeout Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + * + * @return builder + * + */ public Builder clientOfflineSessionIdleTimeout(String clientOfflineSessionIdleTimeout) { return clientOfflineSessionIdleTimeout(Output.of(clientOfflineSessionIdleTimeout)); } + /** + * @param clientOfflineSessionMaxLifespan Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + * + * @return builder + * + */ public Builder clientOfflineSessionMaxLifespan(@Nullable Output clientOfflineSessionMaxLifespan) { $.clientOfflineSessionMaxLifespan = clientOfflineSessionMaxLifespan; return this; } + /** + * @param clientOfflineSessionMaxLifespan Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. 
+ * + * @return builder + * + */ public Builder clientOfflineSessionMaxLifespan(String clientOfflineSessionMaxLifespan) { return clientOfflineSessionMaxLifespan(Output.of(clientOfflineSessionMaxLifespan)); } + /** + * @param clientSecret The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + * + * @return builder + * + */ public Builder clientSecret(@Nullable Output clientSecret) { $.clientSecret = clientSecret; return this; } + /** + * @param clientSecret The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + * + * @return builder + * + */ public Builder clientSecret(String clientSecret) { return clientSecret(Output.of(clientSecret)); } + /** + * @param clientSessionIdleTimeout Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + * + * @return builder + * + */ public Builder clientSessionIdleTimeout(@Nullable Output clientSessionIdleTimeout) { $.clientSessionIdleTimeout = clientSessionIdleTimeout; return this; } + /** + * @param clientSessionIdleTimeout Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + * + * @return builder + * + */ public Builder clientSessionIdleTimeout(String clientSessionIdleTimeout) { return clientSessionIdleTimeout(Output.of(clientSessionIdleTimeout)); } + /** + * @param clientSessionMaxLifespan Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. 
If not set, it uses the Offline Session Max value. + * + * @return builder + * + */ public Builder clientSessionMaxLifespan(@Nullable Output clientSessionMaxLifespan) { $.clientSessionMaxLifespan = clientSessionMaxLifespan; return this; } + /** + * @param clientSessionMaxLifespan Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + * + * @return builder + * + */ public Builder clientSessionMaxLifespan(String clientSessionMaxLifespan) { return clientSessionMaxLifespan(Output.of(clientSessionMaxLifespan)); } + /** + * @param consentRequired When `true`, users have to consent to client access. Defaults to `false`. + * + * @return builder + * + */ public Builder consentRequired(@Nullable Output consentRequired) { $.consentRequired = consentRequired; return this; } + /** + * @param consentRequired When `true`, users have to consent to client access. Defaults to `false`. + * + * @return builder + * + */ public Builder consentRequired(Boolean consentRequired) { return consentRequired(Output.of(consentRequired)); } + /** + * @param consentScreenText The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + * + * @return builder + * + */ public Builder consentScreenText(@Nullable Output consentScreenText) { $.consentScreenText = consentScreenText; return this; } + /** + * @param consentScreenText The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + * + * @return builder + * + */ public Builder consentScreenText(String consentScreenText) { return consentScreenText(Output.of(consentScreenText)); } + /** + * @param description The description of this client in the GUI. 
+ * + * @return builder + * + */ public Builder description(@Nullable Output description) { $.description = description; return this; } + /** + * @param description The description of this client in the GUI. + * + * @return builder + * + */ public Builder description(String description) { return description(Output.of(description)); } + /** + * @param directAccessGrantsEnabled When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder directAccessGrantsEnabled(@Nullable Output directAccessGrantsEnabled) { $.directAccessGrantsEnabled = directAccessGrantsEnabled; return this; } + /** + * @param directAccessGrantsEnabled When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder directAccessGrantsEnabled(Boolean directAccessGrantsEnabled) { return directAccessGrantsEnabled(Output.of(directAccessGrantsEnabled)); } + /** + * @param displayOnConsentScreen When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + * @return builder + * + */ public Builder displayOnConsentScreen(@Nullable Output displayOnConsentScreen) { $.displayOnConsentScreen = displayOnConsentScreen; return this; } + /** + * @param displayOnConsentScreen When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + * @return builder + * + */ public Builder displayOnConsentScreen(Boolean displayOnConsentScreen) { return displayOnConsentScreen(Output.of(displayOnConsentScreen)); } + /** + * @param enabled When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder enabled(@Nullable Output enabled) { $.enabled = enabled; return this; } + /** + * @param enabled When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(Boolean enabled) { return enabled(Output.of(enabled)); } + /** + * @param excludeSessionStateFromAuthResponse When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + * + * @return builder + * + */ public Builder excludeSessionStateFromAuthResponse(@Nullable Output excludeSessionStateFromAuthResponse) { $.excludeSessionStateFromAuthResponse = excludeSessionStateFromAuthResponse; return this; } + /** + * @param excludeSessionStateFromAuthResponse When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + * + * @return builder + * + */ public Builder excludeSessionStateFromAuthResponse(Boolean excludeSessionStateFromAuthResponse) { return excludeSessionStateFromAuthResponse(Output.of(excludeSessionStateFromAuthResponse)); } 
@@ -612,194 +1272,458 @@ public Builder extraConfig(Map extraConfig) { return extraConfig(Output.of(extraConfig)); } + /** + * @param frontchannelLogoutEnabled When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + * @return builder + * + */ public Builder frontchannelLogoutEnabled(@Nullable Output frontchannelLogoutEnabled) { $.frontchannelLogoutEnabled = frontchannelLogoutEnabled; return this; } + /** + * @param frontchannelLogoutEnabled When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + * @return builder + * + */ public Builder frontchannelLogoutEnabled(Boolean frontchannelLogoutEnabled) { return frontchannelLogoutEnabled(Output.of(frontchannelLogoutEnabled)); } + /** + * @param frontchannelLogoutUrl The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + * @return builder + * + */ public Builder frontchannelLogoutUrl(@Nullable Output frontchannelLogoutUrl) { $.frontchannelLogoutUrl = frontchannelLogoutUrl; return this; } + /** + * @param frontchannelLogoutUrl The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + * @return builder + * + */ public Builder frontchannelLogoutUrl(String frontchannelLogoutUrl) { return frontchannelLogoutUrl(Output.of(frontchannelLogoutUrl)); } + /** + * @param fullScopeAllowed Allow to include all roles mappings in the access token. + * + * @return builder + * + */ public Builder fullScopeAllowed(@Nullable Output fullScopeAllowed) { $.fullScopeAllowed = fullScopeAllowed; return this; } + /** + * @param fullScopeAllowed Allow to include all roles mappings in the access token. 
+ * + * @return builder + * + */ public Builder fullScopeAllowed(Boolean fullScopeAllowed) { return fullScopeAllowed(Output.of(fullScopeAllowed)); } + /** + * @param implicitFlowEnabled When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder implicitFlowEnabled(@Nullable Output implicitFlowEnabled) { $.implicitFlowEnabled = implicitFlowEnabled; return this; } + /** + * @param implicitFlowEnabled When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder implicitFlowEnabled(Boolean implicitFlowEnabled) { return implicitFlowEnabled(Output.of(implicitFlowEnabled)); } + /** + * @param import_ When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + * @return builder + * + */ public Builder import_(@Nullable Output import_) { $.import_ = import_; return this; } + /** + * @param import_ When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + * @return builder + * + */ public Builder import_(Boolean import_) { return import_(Output.of(import_)); } + /** + * @param loginTheme The client login theme. This will override the default theme for the realm. 
+ * + * @return builder + * + */ public Builder loginTheme(@Nullable Output loginTheme) { $.loginTheme = loginTheme; return this; } + /** + * @param loginTheme The client login theme. This will override the default theme for the realm. + * + * @return builder + * + */ public Builder loginTheme(String loginTheme) { return loginTheme(Output.of(loginTheme)); } + /** + * @param name The display name of this client in the GUI. + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this client in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param oauth2DeviceAuthorizationGrantEnabled Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + * + * @return builder + * + */ public Builder oauth2DeviceAuthorizationGrantEnabled(@Nullable Output oauth2DeviceAuthorizationGrantEnabled) { $.oauth2DeviceAuthorizationGrantEnabled = oauth2DeviceAuthorizationGrantEnabled; return this; } + /** + * @param oauth2DeviceAuthorizationGrantEnabled Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + * + * @return builder + * + */ public Builder oauth2DeviceAuthorizationGrantEnabled(Boolean oauth2DeviceAuthorizationGrantEnabled) { return oauth2DeviceAuthorizationGrantEnabled(Output.of(oauth2DeviceAuthorizationGrantEnabled)); } + /** + * @param oauth2DeviceCodeLifespan The maximum amount of time a client has to finish the device code flow before it expires. 
+ * + * @return builder + * + */ public Builder oauth2DeviceCodeLifespan(@Nullable Output oauth2DeviceCodeLifespan) { $.oauth2DeviceCodeLifespan = oauth2DeviceCodeLifespan; return this; } + /** + * @param oauth2DeviceCodeLifespan The maximum amount of time a client has to finish the device code flow before it expires. + * + * @return builder + * + */ public Builder oauth2DeviceCodeLifespan(String oauth2DeviceCodeLifespan) { return oauth2DeviceCodeLifespan(Output.of(oauth2DeviceCodeLifespan)); } + /** + * @param oauth2DevicePollingInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + * @return builder + * + */ public Builder oauth2DevicePollingInterval(@Nullable Output oauth2DevicePollingInterval) { $.oauth2DevicePollingInterval = oauth2DevicePollingInterval; return this; } + /** + * @param oauth2DevicePollingInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + * @return builder + * + */ public Builder oauth2DevicePollingInterval(String oauth2DevicePollingInterval) { return oauth2DevicePollingInterval(Output.of(oauth2DevicePollingInterval)); } + /** + * @param pkceCodeChallengeMethod The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + * @return builder + * + */ public Builder pkceCodeChallengeMethod(@Nullable Output pkceCodeChallengeMethod) { $.pkceCodeChallengeMethod = pkceCodeChallengeMethod; return this; } + /** + * @param pkceCodeChallengeMethod The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + * @return builder + * + */ public Builder pkceCodeChallengeMethod(String pkceCodeChallengeMethod) { return pkceCodeChallengeMethod(Output.of(pkceCodeChallengeMethod)); } + /** + * @param realmId The realm this client is attached to. 
+ * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client is attached to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param rootUrl When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + * + * @return builder + * + */ public Builder rootUrl(@Nullable Output rootUrl) { $.rootUrl = rootUrl; return this; } + /** + * @param rootUrl When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + * + * @return builder + * + */ public Builder rootUrl(String rootUrl) { return rootUrl(Output.of(rootUrl)); } + /** + * @param serviceAccountsEnabled When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder serviceAccountsEnabled(@Nullable Output serviceAccountsEnabled) { $.serviceAccountsEnabled = serviceAccountsEnabled; return this; } + /** + * @param serviceAccountsEnabled When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder serviceAccountsEnabled(Boolean serviceAccountsEnabled) { return serviceAccountsEnabled(Output.of(serviceAccountsEnabled)); } + /** + * @param standardFlowEnabled When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. 
+ * + * @return builder + * + */ public Builder standardFlowEnabled(@Nullable Output standardFlowEnabled) { $.standardFlowEnabled = standardFlowEnabled; return this; } + /** + * @param standardFlowEnabled When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder standardFlowEnabled(Boolean standardFlowEnabled) { return standardFlowEnabled(Output.of(standardFlowEnabled)); } + /** + * @param useRefreshTokens If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + * + * @return builder + * + */ public Builder useRefreshTokens(@Nullable Output useRefreshTokens) { $.useRefreshTokens = useRefreshTokens; return this; } + /** + * @param useRefreshTokens If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + * + * @return builder + * + */ public Builder useRefreshTokens(Boolean useRefreshTokens) { return useRefreshTokens(Output.of(useRefreshTokens)); } + /** + * @param useRefreshTokensClientCredentials If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + * + * @return builder + * + */ public Builder useRefreshTokensClientCredentials(@Nullable Output useRefreshTokensClientCredentials) { $.useRefreshTokensClientCredentials = useRefreshTokensClientCredentials; return this; } + /** + * @param useRefreshTokensClientCredentials If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. 
If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + * + * @return builder + * + */ public Builder useRefreshTokensClientCredentials(Boolean useRefreshTokensClientCredentials) { return useRefreshTokensClientCredentials(Output.of(useRefreshTokensClientCredentials)); } + /** + * @param validPostLogoutRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + * @return builder + * + */ public Builder validPostLogoutRedirectUris(@Nullable Output> validPostLogoutRedirectUris) { $.validPostLogoutRedirectUris = validPostLogoutRedirectUris; return this; } + /** + * @param validPostLogoutRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + * @return builder + * + */ public Builder validPostLogoutRedirectUris(List validPostLogoutRedirectUris) { return validPostLogoutRedirectUris(Output.of(validPostLogoutRedirectUris)); } + /** + * @param validPostLogoutRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + * @return builder + * + */ public Builder validPostLogoutRedirectUris(String... validPostLogoutRedirectUris) { return validPostLogoutRedirectUris(List.of(validPostLogoutRedirectUris)); } + /** + * @param validRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + * @return builder + * + */ public Builder validRedirectUris(@Nullable Output> validRedirectUris) { $.validRedirectUris = validRedirectUris; return this; } + /** + * @param validRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful login or logout. 
Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + * @return builder + * + */ public Builder validRedirectUris(List validRedirectUris) { return validRedirectUris(Output.of(validRedirectUris)); } + /** + * @param validRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + * @return builder + * + */ public Builder validRedirectUris(String... validRedirectUris) { return validRedirectUris(List.of(validRedirectUris)); } + /** + * @param webOrigins A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + * @return builder + * + */ public Builder webOrigins(@Nullable Output> webOrigins) { $.webOrigins = webOrigins; return this; } + /** + * @param webOrigins A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + * @return builder + * + */ public Builder webOrigins(List webOrigins) { return webOrigins(Output.of(webOrigins)); } + /** + * @param webOrigins A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + * @return builder + * + */ public Builder webOrigins(String... webOrigins) { return webOrigins(List.of(webOrigins)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientDefaultScopes.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientDefaultScopes.java index cc7e44c8..96ea292c 100644 
--- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientDefaultScopes.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientDefaultScopes.java @@ -79,37 +79,54 @@ * * <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this client and scopes exists in. - * - `client_id` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. - * - `default_scopes` - (Required) An array of client scope names to attach to this client. - * - * ### Import + * ## Import * * This resource does not support import. Instead of importing, feel free to create this resource + * * as if it did not already exist on the server. * */ @ResourceType(type="keycloak:openid/clientDefaultScopes:ClientDefaultScopes") public class ClientDefaultScopes extends com.pulumi.resources.CustomResource { + /** + * The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; + /** + * @return The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ public Output clientId() { return this.clientId; } + /** + * An array of client scope names to attach to this client. + * + */ @Export(name="defaultScopes", refs={List.class,String.class}, tree="[0,1]") private Output> defaultScopes; + /** + * @return An array of client scope names to attach to this client. + * + */ public Output> defaultScopes() { return this.defaultScopes; } + /** + * The realm this client and scopes exists in. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this client and scopes exists in. + * + */ public Output realmId() { return this.realmId; } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientDefaultScopesArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientDefaultScopesArgs.java index 0739808f..627e0580 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientDefaultScopesArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientDefaultScopesArgs.java @@ -15,23 +15,47 @@ public final class ClientDefaultScopesArgs extends com.pulumi.resources.Resource public static final ClientDefaultScopesArgs Empty = new ClientDefaultScopesArgs(); + /** + * The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ @Import(name="clientId", required=true) private Output clientId; + /** + * @return The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ public Output clientId() { return this.clientId; } + /** + * An array of client scope names to attach to this client. + * + */ @Import(name="defaultScopes", required=true) private Output> defaultScopes; + /** + * @return An array of client scope names to attach to this client. + * + */ public Output> defaultScopes() { return this.defaultScopes; } + /** + * The realm this client and scopes exists in. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this client and scopes exists in. + * + */ public Output realmId() { return this.realmId; } 
@@ -62,33 +86,75 @@ public Builder(ClientDefaultScopesArgs defaults) { $ = new ClientDefaultScopesArgs(Objects.requireNonNull(defaults)); } + /** + * @param clientId The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + * @return builder + * + */ public Builder clientId(Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param defaultScopes An array of client scope names to attach to this client. + * + * @return builder + * + */ public Builder defaultScopes(Output> defaultScopes) { $.defaultScopes = defaultScopes; return this; } + /** + * @param defaultScopes An array of client scope names to attach to this client. + * + * @return builder + * + */ public Builder defaultScopes(List defaultScopes) { return defaultScopes(Output.of(defaultScopes)); } + /** + * @param defaultScopes An array of client scope names to attach to this client. + * + * @return builder + * + */ public Builder defaultScopes(String... defaultScopes) { return defaultScopes(List.of(defaultScopes)); } + /** + * @param realmId The realm this client and scopes exists in. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client and scopes exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientOptionalScopes.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientOptionalScopes.java index 476606f8..cec9749e 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientOptionalScopes.java 
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientOptionalScopes.java @@ -69,6 +69,7 @@ * "address", * "phone", * "offline_access", + * "microprofile-jwt", * clientScope.name()) * .build()); * 
@@ -78,37 +79,54 @@ * * <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this client and scopes exists in. - * - `client_id` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. - * - `optional_scopes` - (Required) An array of client scope names to attach to this client as optional scopes. - * - * ### Import + * ## Import * * This resource does not support import. Instead of importing, feel free to create this resource + * * as if it did not already exist on the server. * */ @ResourceType(type="keycloak:openid/clientOptionalScopes:ClientOptionalScopes") public class ClientOptionalScopes extends com.pulumi.resources.CustomResource { + /** + * The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; + /** + * @return The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ public Output clientId() { return this.clientId; } + /** + * An array of client scope names to attach to this client as optional scopes. + * + */ @Export(name="optionalScopes", refs={List.class,String.class}, tree="[0,1]") private Output> optionalScopes; + /** + * @return An array of client scope names to attach to this client as optional scopes. + * + */ public Output> optionalScopes() { return this.optionalScopes; } + /** + * The realm this client and scopes exists in. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this client and scopes exists in. + * + */ public Output realmId() { return this.realmId; } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientOptionalScopesArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientOptionalScopesArgs.java index 3328ac9a..70f6795a 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientOptionalScopesArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientOptionalScopesArgs.java @@ -15,23 +15,47 @@ public final class ClientOptionalScopesArgs extends com.pulumi.resources.Resourc public static final ClientOptionalScopesArgs Empty = new ClientOptionalScopesArgs(); + /** + * The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ @Import(name="clientId", required=true) private Output clientId; + /** + * @return The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ public Output clientId() { return this.clientId; } + /** + * An array of client scope names to attach to this client as optional scopes. + * + */ @Import(name="optionalScopes", required=true) private Output> optionalScopes; + /** + * @return An array of client scope names to attach to this client as optional scopes. + * + */ public Output> optionalScopes() { return this.optionalScopes; } + /** + * The realm this client and scopes exists in. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this client and scopes exists in. + * + */ public Output realmId() { return this.realmId; } 
@@ -62,33 +86,75 @@ public Builder(ClientOptionalScopesArgs defaults) { $ = new ClientOptionalScopesArgs(Objects.requireNonNull(defaults)); } + /** + * @param clientId The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + * @return builder + * + */ public Builder clientId(Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param optionalScopes An array of client scope names to attach to this client as optional scopes. + * + * @return builder + * + */ public Builder optionalScopes(Output> optionalScopes) { $.optionalScopes = optionalScopes; return this; } + /** + * @param optionalScopes An array of client scope names to attach to this client as optional scopes. + * + * @return builder + * + */ public Builder optionalScopes(List optionalScopes) { return optionalScopes(Output.of(optionalScopes)); } + /** + * @param optionalScopes An array of client scope names to attach to this client as optional scopes. + * + * @return builder + * + */ public Builder optionalScopes(String... optionalScopes) { return optionalScopes(List.of(optionalScopes)); } + /** + * @param realmId The realm this client and scopes exists in. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client and scopes exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientScope.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientScope.java index 6a51839f..575cd70e 100644 
--- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientScope.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientScope.java @@ -17,16 +17,12 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.ClientScope + * Allows for creating and managing Keycloak client scopes that can be attached to clients that use the OpenID Connect protocol. * - * Allows for creating and managing Keycloak client scopes that can be attached to - * clients that use the OpenID Connect protocol. + * Client Scopes can be used to share common protocol and role mappings between multiple clients within a realm. They can also + * be used by clients to conditionally request claims or roles for a user based on the OAuth 2.0 `scope` parameter. * - * Client Scopes can be used to share common protocol and role mappings between multiple - * clients within a realm. They can also be used by clients to conditionally request - * claims or roles for a user based on the OAuth 2.0 `scope` parameter. - * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -62,6 +58,8 @@
  *             .realmId(realm.id())
  *             .name("groups")
  *             .description("When requested, this scope will map a user's group memberships to a claim")
+ *             .includeInTokenScope(true)
+ *             .guiOrder(1)
  *             .build());
  * 
  *     }
@@ -70,60 +68,104 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this client scope belongs to. - * - `name` - (Required) The display name of this client scope in the GUI. - * - `description` - (Optional) The description of this client scope in the GUI. - * - `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users - * authenticating to clients with this scope attached. The consent screen will display the string - * value of this attribute. - * - * ### Import + * ## Import * * Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak + * * assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/clientScope:ClientScope openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52 + * ``` + * */ @ResourceType(type="keycloak:openid/clientScope:ClientScope") public class ClientScope extends com.pulumi.resources.CustomResource { + /** + * When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + */ @Export(name="consentScreenText", refs={String.class}, tree="[0]") private Output consentScreenText; + /** + * @return When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + */ public Output> consentScreenText() { return Codegen.optional(this.consentScreenText); } + /** + * The description of this client scope in the GUI. 
+ * + */ @Export(name="description", refs={String.class}, tree="[0]") private Output description; + /** + * @return The description of this client scope in the GUI. + * + */ public Output> description() { return Codegen.optional(this.description); } + /** + * Specify order of the client scope in GUI (such as in Consent page) as integer. + * + */ @Export(name="guiOrder", refs={Integer.class}, tree="[0]") private Output guiOrder; + /** + * @return Specify order of the client scope in GUI (such as in Consent page) as integer. + * + */ public Output> guiOrder() { return Codegen.optional(this.guiOrder); } + /** + * When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + * + */ @Export(name="includeInTokenScope", refs={Boolean.class}, tree="[0]") private Output includeInTokenScope; + /** + * @return When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + * + */ public Output> includeInTokenScope() { return Codegen.optional(this.includeInTokenScope); } + /** + * The display name of this client scope in the GUI. + * + */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; + /** + * @return The display name of this client scope in the GUI. + * + */ public Output name() { return this.name; } + /** + * The realm this client scope belongs to. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this client scope belongs to. + * + */ public Output realmId() { return this.realmId; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientScopeArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientScopeArgs.java index bfded08a..4a04427d 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientScopeArgs.java 
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientScopeArgs.java 
@@ -18,44 +18,92 @@ public final class ClientScopeArgs extends com.pulumi.resources.ResourceArgs { public static final ClientScopeArgs Empty = new ClientScopeArgs(); + /** + * When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + */ @Import(name="consentScreenText") private @Nullable Output consentScreenText; + /** + * @return When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + */ public Optional> consentScreenText() { return Optional.ofNullable(this.consentScreenText); } + /** + * The description of this client scope in the GUI. + * + */ @Import(name="description") private @Nullable Output description; + /** + * @return The description of this client scope in the GUI. + * + */ public Optional> description() { return Optional.ofNullable(this.description); } + /** + * Specify order of the client scope in GUI (such as in Consent page) as integer. + * + */ @Import(name="guiOrder") private @Nullable Output guiOrder; + /** + * @return Specify order of the client scope in GUI (such as in Consent page) as integer. + * + */ public Optional> guiOrder() { return Optional.ofNullable(this.guiOrder); } + /** + * When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + * + */ @Import(name="includeInTokenScope") private @Nullable Output includeInTokenScope; + /** + * @return When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + * + */ public Optional> includeInTokenScope() { return Optional.ofNullable(this.includeInTokenScope); } + /** + * The display name of this client scope in the GUI. 
+ * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this client scope in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The realm this client scope belongs to. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this client scope belongs to. + * + */ public Output realmId() { return this.realmId; } 
@@ -89,56 +137,128 @@ public Builder(ClientScopeArgs defaults) { $ = new ClientScopeArgs(Objects.requireNonNull(defaults)); } + /** + * @param consentScreenText When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + * @return builder + * + */ public Builder consentScreenText(@Nullable Output consentScreenText) { $.consentScreenText = consentScreenText; return this; } + /** + * @param consentScreenText When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + * @return builder + * + */ public Builder consentScreenText(String consentScreenText) { return consentScreenText(Output.of(consentScreenText)); } + /** + * @param description The description of this client scope in the GUI. + * + * @return builder + * + */ public Builder description(@Nullable Output description) { $.description = description; return this; } + /** + * @param description The description of this client scope in the GUI. + * + * @return builder + * + */ public Builder description(String description) { return description(Output.of(description)); } + /** + * @param guiOrder Specify order of the client scope in GUI (such as in Consent page) as integer. + * + * @return builder + * + */ public Builder guiOrder(@Nullable Output guiOrder) { $.guiOrder = guiOrder; return this; } + /** + * @param guiOrder Specify order of the client scope in GUI (such as in Consent page) as integer. + * + * @return builder + * + */ public Builder guiOrder(Integer guiOrder) { return guiOrder(Output.of(guiOrder)); } + /** + * @param includeInTokenScope When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. 
+ * + * @return builder + * + */ public Builder includeInTokenScope(@Nullable Output includeInTokenScope) { $.includeInTokenScope = includeInTokenScope; return this; } + /** + * @param includeInTokenScope When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + * + * @return builder + * + */ public Builder includeInTokenScope(Boolean includeInTokenScope) { return includeInTokenScope(Output.of(includeInTokenScope)); } + /** + * @param name The display name of this client scope in the GUI. + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this client scope in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this client scope belongs to. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client scope belongs to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/FullNameProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/FullNameProtocolMapper.java index 3969488c..a5643d21 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/FullNameProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/FullNameProtocolMapper.java 
@@ -16,17 +16,16 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.FullNameProtocolMapper + * Allows for creating and managing full name protocol mappers within Keycloak. * - * Allows for creating and managing full name protocol mappers within - * Keycloak. + * Full name protocol mappers allow you to map a user's first and last name to the OpenID Connect `name` claim in a token. * - * Full name protocol mappers allow you to map a user's first and last name - * to the OpenID Connect `name` claim in a token. Protocol mappers can be defined - * for a single client, or they can be defined for a client scope which can - * be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * <!--Start PulumiCodeChooser --> *
@@ -62,8 +61,8 @@
  * 
  *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
- *             .clientId("test-client")
- *             .name("test client")
+ *             .clientId("client")
+ *             .name("client")
  *             .enabled(true)
  *             .accessType("CONFIDENTIAL")
  *             .validRedirectUris("http://localhost:8080/openid-callback")
@@ -81,7 +80,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Client Scope) + * ### Client Scope) * * <!--Start PulumiCodeChooser --> *
@@ -117,7 +116,7 @@
  * 
  *         var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder()
  *             .realmId(realm.id())
- *             .name("test-client-scope")
+ *             .name("client-scope")
  *             .build());
  * 
  *         var fullNameMapper = new FullNameProtocolMapper("fullNameMapper", FullNameProtocolMapperArgs.builder()
@@ -132,98 +131,122 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `add_to_id_token` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. - * - `add_to_access_token` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. - * - `add_to_userinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. - * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper") public class FullNameProtocolMapper extends com.pulumi.resources.CustomResource { + /** + * Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. 
+ * + */ @Export(name="addToAccessToken", refs={Boolean.class}, tree="[0]") private Output addToAccessToken; + /** + * @return Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + * + */ public Output> addToAccessToken() { return Codegen.optional(this.addToAccessToken); } + /** + * Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + */ @Export(name="addToIdToken", refs={Boolean.class}, tree="[0]") private Output addToIdToken; + /** + * @return Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + */ public Output> addToIdToken() { return Codegen.optional(this.addToIdToken); } + /** + * Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ @Export(name="addToUserinfo", refs={Boolean.class}, tree="[0]") private Output addToUserinfo; + /** + * @return Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ public Output> addToUserinfo() { return Codegen.optional(this.addToUserinfo); } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientId() { return Codegen.optional(this.clientId); } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. 
+ * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Output name() { return this.name; } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/FullNameProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/FullNameProtocolMapperArgs.java index 3293347d..3545f9d6 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/FullNameProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/FullNameProtocolMapperArgs.java 
@@ -17,36 +17,60 @@ public final class FullNameProtocolMapperArgs extends com.pulumi.resources.Resou public static final FullNameProtocolMapperArgs Empty = new FullNameProtocolMapperArgs(); + /** + * Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + * + */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; + /** + * @return Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + * + */ public Optional> addToAccessToken() { return Optional.ofNullable(this.addToAccessToken); } + /** + * Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; + /** + * @return Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + */ public Optional> addToIdToken() { return Optional.ofNullable(this.addToIdToken); } + /** + * Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; + /** + * @return Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. 
* */ public Optional> clientId() { @@ -54,14 +78,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { @@ -69,14 +93,14 @@ public Optional> clientScopeId() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -84,14 +108,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { 
@@ -128,35 +152,71 @@ public Builder(FullNameProtocolMapperArgs defaults) { $ = new FullNameProtocolMapperArgs(Objects.requireNonNull(defaults)); } + /** + * @param addToAccessToken Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToAccessToken(@Nullable Output addToAccessToken) { $.addToAccessToken = addToAccessToken; return this; } + /** + * @param addToAccessToken Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToAccessToken(Boolean addToAccessToken) { return addToAccessToken(Output.of(addToAccessToken)); } + /** + * @param addToIdToken Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToIdToken(@Nullable Output addToIdToken) { $.addToIdToken = addToIdToken; return this; } + /** + * @param addToIdToken Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToIdToken(Boolean addToIdToken) { return addToIdToken(Output.of(addToIdToken)); } + /** + * @param addToUserinfo Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + * @return builder + * + */ public Builder addToUserinfo(@Nullable Output addToUserinfo) { $.addToUserinfo = addToUserinfo; return this; } + /** + * @param addToUserinfo Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + * @return builder + * + */ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. 
+ * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -167,7 +227,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -177,7 +237,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -188,7 +248,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -198,7 +258,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -209,7 +269,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * 
@@ -219,7 +279,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -230,7 +290,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/GroupMembershipProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/GroupMembershipProtocolMapper.java index 51ec593c..018eecfb 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/GroupMembershipProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/GroupMembershipProtocolMapper.java @@ -16,17 +16,16 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.GroupMembershipProtocolMapper + * Allows for creating and managing group membership protocol mappers within Keycloak. * - * Allows for creating and managing group membership protocol mappers within - * Keycloak. + * Group membership protocol mappers allow you to map a user's group memberships to a claim in a token. * - * Group membership protocol mappers allow you to map a user's group memberships - * to a claim in a token. Protocol mappers can be defined for a single client, - * or they can be defined for a client scope which can be shared between multiple - * different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * <!--Start PulumiCodeChooser --> *
@@ -62,8 +61,8 @@
  * 
  *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
- *             .clientId("test-client")
- *             .name("test client")
+ *             .clientId("client")
+ *             .name("client")
  *             .enabled(true)
  *             .accessType("CONFIDENTIAL")
  *             .validRedirectUris("http://localhost:8080/openid-callback")
@@ -82,7 +81,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Client Scope) + * ### Client Scope) * * <!--Start PulumiCodeChooser --> *
@@ -118,7 +117,7 @@
  * 
  *         var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder()
  *             .realmId(realm.id())
- *             .name("test-client-scope")
+ *             .name("client-scope")
  *             .build());
  * 
  *         var groupMembershipMapper = new GroupMembershipProtocolMapper("groupMembershipMapper", GroupMembershipProtocolMapperArgs.builder()
@@ -134,112 +133,150 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `claim_name` - (Required) The name of the claim to insert into a token. - * - `full_path` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`. - * - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - * - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - * - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper") public class GroupMembershipProtocolMapper extends com.pulumi.resources.CustomResource { + /** + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + */ @Export(name="addToAccessToken", refs={Boolean.class}, tree="[0]") private Output addToAccessToken; + /** + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + */ public Output> addToAccessToken() { return Codegen.optional(this.addToAccessToken); } + /** + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + */ @Export(name="addToIdToken", refs={Boolean.class}, tree="[0]") private Output addToIdToken; + /** + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + */ public Output> addToIdToken() { return Codegen.optional(this.addToIdToken); } + /** + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
+ * + */ @Export(name="addToUserinfo", refs={Boolean.class}, tree="[0]") private Output addToUserinfo; + /** + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ public Output> addToUserinfo() { return Codegen.optional(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Export(name="claimName", refs={String.class}, tree="[0]") private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientId() { return Codegen.optional(this.clientId); } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. 
* */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } + /** + * Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + */ @Export(name="fullPath", refs={Boolean.class}, tree="[0]") private Output fullPath; + /** + * @return Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + */ public Output> fullPath() { return Codegen.optional(this.fullPath); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Output name() { return this.name; } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/GroupMembershipProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/GroupMembershipProtocolMapperArgs.java index 70b9239d..e4b68021 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/GroupMembershipProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/GroupMembershipProtocolMapperArgs.java 
@@ -17,43 +17,75 @@ public final class GroupMembershipProtocolMapperArgs extends com.pulumi.resource public static final GroupMembershipProtocolMapperArgs Empty = new GroupMembershipProtocolMapperArgs(); + /** + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; + /** + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + */ public Optional> addToAccessToken() { return Optional.ofNullable(this.addToAccessToken); } + /** + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; + /** + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + */ public Optional> addToIdToken() { return Optional.ofNullable(this.addToIdToken); } + /** + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; + /** + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName", required=true) private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. 
* */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -61,36 +93,44 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { return Optional.ofNullable(this.clientScopeId); } + /** + * Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + */ @Import(name="fullPath") private @Nullable Output fullPath; + /** + * @return Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + */ public Optional> fullPath() { return Optional.ofNullable(this.fullPath); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { 
@@ -98,14 +138,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { 
@@ -144,44 +184,92 @@ public Builder(GroupMembershipProtocolMapperArgs defaults) { $ = new GroupMembershipProtocolMapperArgs(Objects.requireNonNull(defaults)); } + /** + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToAccessToken(@Nullable Output addToAccessToken) { $.addToAccessToken = addToAccessToken; return this; } + /** + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToAccessToken(Boolean addToAccessToken) { return addToAccessToken(Output.of(addToAccessToken)); } + /** + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToIdToken(@Nullable Output addToIdToken) { $.addToIdToken = addToIdToken; return this; } + /** + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToIdToken(Boolean addToIdToken) { return addToIdToken(Output.of(addToIdToken)); } + /** + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + * + * @return builder + * + */ public Builder addToUserinfo(@Nullable Output addToUserinfo) { $.addToUserinfo = addToUserinfo; return this; } + /** + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + * + * @return builder + * + */ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } + /** + * @param claimName The name of the claim to insert into a token. 
+ * + * @return builder + * + */ public Builder claimName(Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -192,7 +280,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -202,7 +290,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -213,7 +301,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -222,17 +310,29 @@ public Builder clientScopeId(String clientScopeId) { return clientScopeId(Output.of(clientScopeId)); } + /** + * @param fullPath Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + * @return builder + * + */ public Builder fullPath(@Nullable Output fullPath) { $.fullPath = fullPath; return this; } + /** + * @param fullPath Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + * @return builder + * + */ public Builder fullPath(Boolean fullPath) { return fullPath(Output.of(fullPath)); } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -243,7 +343,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -253,7 +353,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -264,7 +364,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedClaimProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedClaimProtocolMapper.java index c48b0e4e..755edb30 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedClaimProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedClaimProtocolMapper.java 
@@ -16,17 +16,16 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.HardcodedClaimProtocolMapper + * Allows for creating and managing hardcoded claim protocol mappers within Keycloak. * - * Allows for creating and managing hardcoded claim protocol mappers within - * Keycloak. + * Hardcoded claim protocol mappers allow you to define a claim with a hardcoded value. * - * Hardcoded claim protocol mappers allow you to define a claim with a hardcoded - * value. Protocol mappers can be defined for a single client, or they can - * be defined for a client scope which can be shared between multiple different - * clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * <!--Start PulumiCodeChooser --> *
@@ -62,8 +61,8 @@
  * 
  *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
- *             .clientId("test-client")
- *             .name("test client")
+ *             .clientId("client")
+ *             .name("client")
  *             .enabled(true)
  *             .accessType("CONFIDENTIAL")
  *             .validRedirectUris("http://localhost:8080/openid-callback")
@@ -83,7 +82,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Client Scope) + * ### Client Scope) * * <!--Start PulumiCodeChooser --> *
@@ -119,7 +118,7 @@
  * 
  *         var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder()
  *             .realmId(realm.id())
- *             .name("test-client-scope")
+ *             .name("client-scope")
  *             .build());
  * 
  *         var hardcodedClaimMapper = new HardcodedClaimProtocolMapper("hardcodedClaimMapper", HardcodedClaimProtocolMapperArgs.builder()
@@ -136,151 +135,164 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `claim_name` - (Required) The name of the claim to insert into a token. - * - `claim_value` - (Required) The hardcoded value of the claim. - * - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - * - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - * - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - * - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper") public class HardcodedClaimProtocolMapper extends com.pulumi.resources.CustomResource { /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ @Export(name="addToAccessToken", refs={Boolean.class}, tree="[0]") private Output addToAccessToken; /** - * @return Indicates if the attribute should be a claim in the access token. + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ public Output> addToAccessToken() { return Codegen.optional(this.addToAccessToken); } /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ @Export(name="addToIdToken", refs={Boolean.class}, tree="[0]") private Output addToIdToken; /** - * @return Indicates if the attribute should be a claim in the id token. + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. 
* */ public Output> addToIdToken() { return Codegen.optional(this.addToIdToken); } /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Export(name="addToUserinfo", refs={Boolean.class}, tree="[0]") private Output addToUserinfo; /** - * @return Indicates if the attribute should appear in the userinfo response body. + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Output> addToUserinfo() { return Codegen.optional(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Export(name="claimName", refs={String.class}, tree="[0]") private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } + /** + * The hardcoded value of the claim. + * + */ @Export(name="claimValue", refs={String.class}, tree="[0]") private Output claimValue; + /** + * @return The hardcoded value of the claim. + * + */ public Output claimValue() { return this.claimValue; } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Export(name="claimValueType", refs={String.class}, tree="[0]") private Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Output> claimValueType() { return Codegen.optional(this.claimValueType); } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. 
One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientId() { return Codegen.optional(this.clientId); } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Output name() { return this.name; } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedClaimProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedClaimProtocolMapperArgs.java index 5e9a969f..8601fb0c 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedClaimProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedClaimProtocolMapperArgs.java @@ -18,14 +18,14 @@ public final class HardcodedClaimProtocolMapperArgs extends com.pulumi.resources public static final HardcodedClaimProtocolMapperArgs Empty = new HardcodedClaimProtocolMapperArgs(); /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if the attribute should be a claim in the access token. + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ public Optional> addToAccessToken() { @@ -33,14 +33,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if the attribute should be a claim in the id token. + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ public Optional> addToIdToken() { 
@@ -48,43 +48,59 @@ public Optional> addToIdToken() { } /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; /** - * @return Indicates if the attribute should appear in the userinfo response body. + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName", required=true) private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } + /** + * The hardcoded value of the claim. + * + */ @Import(name="claimValue", required=true) private Output claimValue; + /** + * @return The hardcoded value of the claim. + * + */ public Output claimValue() { return this.claimValue; } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Import(name="claimValueType") private @Nullable Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Optional> claimValueType() { 
@@ -92,14 +108,14 @@ public Optional> claimValueType() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -107,14 +123,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { @@ -122,14 +138,14 @@ public Optional> clientScopeId() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { 
@@ -137,14 +153,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { @@ -185,7 +201,7 @@ public Builder(HardcodedClaimProtocolMapperArgs defaults) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -196,7 +212,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -206,7 +222,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -217,7 +233,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * 
@@ -227,7 +243,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -238,7 +254,7 @@ public Builder addToUserinfo(@Nullable Output addToUserinfo) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -247,26 +263,50 @@ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } + /** + * @param claimValue The hardcoded value of the claim. + * + * @return builder + * + */ public Builder claimValue(Output claimValue) { $.claimValue = claimValue; return this; } + /** + * @param claimValue The hardcoded value of the claim. + * + * @return builder + * + */ public Builder claimValue(String claimValue) { return claimValue(Output.of(claimValue)); } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * 
@@ -277,7 +317,7 @@ public Builder claimValueType(@Nullable Output claimValueType) { } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -287,7 +327,7 @@ public Builder claimValueType(String claimValueType) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -298,7 +338,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -308,7 +348,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -319,7 +359,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -329,7 +369,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -340,7 +380,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -350,7 +390,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -361,7 +401,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedRoleProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedRoleProtocolMapper.java index d2253657..4cb32fd3 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedRoleProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedRoleProtocolMapper.java 
@@ -15,17 +15,16 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.HardcodedRoleProtocolMapper + * Allows for creating and managing hardcoded role protocol mappers within Keycloak. * - * Allows for creating and managing hardcoded role protocol mappers within - * Keycloak. + * Hardcoded role protocol mappers allow you to specify a single role to always map to an access token for a client. * - * Hardcoded role protocol mappers allow you to specify a single role to - * always map to an access token for a client. Protocol mappers can be - * defined for a single client, or they can be defined for a client scope - * which can be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * <!--Start PulumiCodeChooser --> *
@@ -68,8 +67,8 @@
  * 
  *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
- *             .clientId("test-client")
- *             .name("test client")
+ *             .clientId("client")
+ *             .name("client")
  *             .enabled(true)
  *             .accessType("CONFIDENTIAL")
  *             .validRedirectUris("http://localhost:8080/openid-callback")
@@ -88,7 +87,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Client Scope) + * ### Client Scope) * * <!--Start PulumiCodeChooser --> *
@@ -131,7 +130,7 @@
  * 
  *         var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder()
  *             .realmId(realm.id())
- *             .name("test-client-scope")
+ *             .name("client-scope")
  *             .build());
  * 
  *         var hardcodedRoleMapper = new HardcodedRoleProtocolMapper("hardcodedRoleMapper", HardcodedRoleProtocolMapperArgs.builder()
@@ -147,87 +146,96 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the - * GUI. - * - `role_id` - (Required) The ID of the role to map to an access token. - * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper") public class HardcodedRoleProtocolMapper extends com.pulumi.resources.CustomResource { /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. 
+ * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientId() { return Codegen.optional(this.clientId); } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Output name() { return this.name; } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { return this.realmId; } + /** + * The ID of the role to map to an access token. + * + */ @Export(name="roleId", refs={String.class}, tree="[0]") private Output roleId; + /** + * @return The ID of the role to map to an access token. + * + */ public Output roleId() { return this.roleId; } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedRoleProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedRoleProtocolMapperArgs.java index e8fcbbd5..4cc7de07 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedRoleProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/HardcodedRoleProtocolMapperArgs.java @@ -17,14 +17,14 @@ public final class HardcodedRoleProtocolMapperArgs extends com.pulumi.resources. public static final HardcodedRoleProtocolMapperArgs Empty = new HardcodedRoleProtocolMapperArgs(); /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -32,14 +32,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { 
@@ -47,14 +47,14 @@ public Optional> clientScopeId() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -62,23 +62,31 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { return this.realmId; } + /** + * The ID of the role to map to an access token. + * + */ @Import(name="roleId", required=true) private Output roleId; + /** + * @return The ID of the role to map to an access token. + * + */ public Output roleId() { return this.roleId; } @@ -112,7 +120,7 @@ public Builder(HardcodedRoleProtocolMapperArgs defaults) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -123,7 +131,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -133,7 +141,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -144,7 +152,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -154,7 +162,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -165,7 +173,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -175,7 +183,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -186,7 +194,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * 
@@ -195,11 +203,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param roleId The ID of the role to map to an access token. + * + * @return builder + * + */ public Builder roleId(Output roleId) { $.roleId = roleId; return this; } + /** + * @param roleId The ID of the role to map to an access token. + * + * @return builder + * + */ public Builder roleId(String roleId) { return roleId(Output.of(roleId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/OpenidFunctions.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/OpenidFunctions.java index 45e5a90e..d281aa65 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/OpenidFunctions.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/OpenidFunctions.java @@ -24,11 +24,9 @@ public final class OpenidFunctions { /** - * ## # keycloak.openid.Client data source - * * This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -73,27 +71,14 @@ public final class OpenidFunctions {
      * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm id. - * - `client_id` - (Required) The client id. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.openid.Client` resource for details on the exported attributes. - * */ public static Output getClient(GetClientArgs args) { return getClient(args, InvokeOptions.Empty); } /** - * ## # keycloak.openid.Client data source - * * This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -138,27 +123,14 @@ public static Output getClient(GetClientArgs args) {
      * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm id. - * - `client_id` - (Required) The client id. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.openid.Client` resource for details on the exported attributes. - * */ public static CompletableFuture getClientPlain(GetClientPlainArgs args) { return getClientPlain(args, InvokeOptions.Empty); } /** - * ## # keycloak.openid.Client data source - * * This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -203,27 +175,14 @@ public static CompletableFuture getClientPlain(GetClientPlainAr
      * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm id. - * - `client_id` - (Required) The client id. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.openid.Client` resource for details on the exported attributes. - * */ public static Output getClient(GetClientArgs args, InvokeOptions options) { return Deployment.getInstance().invoke("keycloak:openid/getClient:getClient", TypeShape.of(GetClientResult.class), args, Utilities.withVersion(options)); } /** - * ## # keycloak.openid.Client data source - * * This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -268,17 +227,6 @@ public static Output getClient(GetClientArgs args, InvokeOption
      * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm id. - * - `client_id` - (Required) The client id. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.openid.Client` resource for details on the exported attributes. - * */ public static CompletableFuture getClientPlain(GetClientPlainArgs args, InvokeOptions options) { return Deployment.getInstance().invokeAsync("keycloak:openid/getClient:getClient", TypeShape.of(GetClientResult.class), args, Utilities.withVersion(options)); diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserAttributeProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserAttributeProtocolMapper.java index 27689961..75998b6c 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserAttributeProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserAttributeProtocolMapper.java @@ -16,17 +16,16 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.UserAttributeProtocolMapper + * Allows for creating and managing user attribute protocol mappers within Keycloak. * - * Allows for creating and managing user attribute protocol mappers within - * Keycloak. + * User attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to a claim in a token. * - * User attribute protocol mappers allow you to map custom attributes defined - * for a user within Keycloak to a claim in a token. Protocol mappers can be - * defined for a single client, or they can be defined for a client scope which - * can be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * <!--Start PulumiCodeChooser --> *
@@ -62,8 +61,8 @@
  * 
  *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
- *             .clientId("test-client")
- *             .name("test client")
+ *             .clientId("client")
+ *             .name("client")
  *             .enabled(true)
  *             .accessType("CONFIDENTIAL")
  *             .validRedirectUris("http://localhost:8080/openid-callback")
@@ -72,7 +71,7 @@
  *         var userAttributeMapper = new UserAttributeProtocolMapper("userAttributeMapper", UserAttributeProtocolMapperArgs.builder()
  *             .realmId(realm.id())
  *             .clientId(openidClient.id())
- *             .name("test-mapper")
+ *             .name("user-attribute-mapper")
  *             .userAttribute("foo")
  *             .claimName("bar")
  *             .build());
@@ -83,7 +82,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Client Scope) + * ### Client Scope) * * <!--Start PulumiCodeChooser --> *
@@ -119,13 +118,13 @@
  * 
  *         var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder()
  *             .realmId(realm.id())
- *             .name("test-client-scope")
+ *             .name("client-scope")
  *             .build());
  * 
  *         var userAttributeMapper = new UserAttributeProtocolMapper("userAttributeMapper", UserAttributeProtocolMapperArgs.builder()
  *             .realmId(realm.id())
  *             .clientScopeId(clientScope.id())
- *             .name("test-mapper")
+ *             .name("user-attribute-mapper")
  *             .userAttribute("foo")
  *             .claimName("bar")
  *             .build());
@@ -136,182 +135,194 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `user_attribute` - (Required) The custom user attribute to map a claim for. - * - `claim_name` - (Required) The name of the claim to insert into a token. - * - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - * - `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. - * - `add_to_id_token` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. - * - `add_to_access_token` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. - * - `add_to_userinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper") public class UserAttributeProtocolMapper extends com.pulumi.resources.CustomResource { /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * */ @Export(name="addToAccessToken", refs={Boolean.class}, tree="[0]") private Output addToAccessToken; /** - * @return Indicates if the attribute should be a claim in the access token. + * @return Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * */ public Output> addToAccessToken() { return Codegen.optional(this.addToAccessToken); } /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. * */ @Export(name="addToIdToken", refs={Boolean.class}, tree="[0]") private Output addToIdToken; /** - * @return Indicates if the attribute should be a claim in the id token. + * @return Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. 
* */ public Output> addToIdToken() { return Codegen.optional(this.addToIdToken); } /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Export(name="addToUserinfo", refs={Boolean.class}, tree="[0]") private Output addToUserinfo; /** - * @return Indicates if the attribute should appear in the userinfo response body. + * @return Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Output> addToUserinfo() { return Codegen.optional(this.addToUserinfo); } /** - * Indicates if attribute values should be aggregated within the group attributes + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ @Export(name="aggregateAttributes", refs={Boolean.class}, tree="[0]") private Output aggregateAttributes; /** - * @return Indicates if attribute values should be aggregated within the group attributes + * @return Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ public Output> aggregateAttributes() { return Codegen.optional(this.aggregateAttributes); } + /** + * The name of the claim to insert into a token. + * + */ @Export(name="claimName", refs={String.class}, tree="[0]") private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Export(name="claimValueType", refs={String.class}, tree="[0]") private Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. 
Defaults to `String`. * */ public Output> claimValueType() { return Codegen.optional(this.claimValueType); } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientId() { return Codegen.optional(this.clientId); } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ @Export(name="multivalued", refs={Boolean.class}, tree="[0]") private Output multivalued; /** - * @return Indicates whether this attribute is a single value or an array of values. + * @return Indicates whether this attribute is a single value or an array of values. Defaults to `false`. 
* */ public Output> multivalued() { return Codegen.optional(this.multivalued); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Output name() { return this.name; } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { return this.realmId; } + /** + * The custom user attribute to map a claim for. + * + */ @Export(name="userAttribute", refs={String.class}, tree="[0]") private Output userAttribute; + /** + * @return The custom user attribute to map a claim for. + * + */ public Output userAttribute() { return this.userAttribute; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserAttributeProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserAttributeProtocolMapperArgs.java index 827697c7..6d1bb712 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserAttributeProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserAttributeProtocolMapperArgs.java 
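Review bot: The new Javadoc for `aggregateAttributes` reads `Indicates whether this attribute is a single value or an array of values. Defaults to \`false\`.`, which is the text of the `multivalued` field directly below it; the two properties are distinct, and the removed wording about aggregating values within group attributes was the one that described this field. The same copy appears in UserAttributeProtocolMapperArgs.java on the field, its getter and both builder overloads. Because these comments are what a user reads when deciding how claims are assembled into tokens, the `aggregateAttributes` text should be restored to its own meaning with the default noted, e.g. ` * Indicates if attribute values should be aggregated within the group attributes. Defaults to \`false\`.`. The Import section also gains a bare ` * bash` line ahead of the ` * ```sh` fence, which looks like a leftover. As generated SDK code, both fixes presumably belong in the upstream schema or provider docs.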
@@ -18,14 +18,14 @@ public final class UserAttributeProtocolMapperArgs extends com.pulumi.resources. public static final UserAttributeProtocolMapperArgs Empty = new UserAttributeProtocolMapperArgs(); /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if the attribute should be a claim in the access token. + * @return Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * */ public Optional> addToAccessToken() { @@ -33,14 +33,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if the attribute should be a claim in the id token. + * @return Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. * */ public Optional> addToIdToken() { @@ -48,14 +48,14 @@ public Optional> addToIdToken() { } /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; /** - * @return Indicates if the attribute should appear in the userinfo response body. + * @return Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Optional> addToUserinfo() { 
@@ -63,36 +63,44 @@ public Optional> addToUserinfo() { } /** - * Indicates if attribute values should be aggregated within the group attributes + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ @Import(name="aggregateAttributes") private @Nullable Output aggregateAttributes; /** - * @return Indicates if attribute values should be aggregated within the group attributes + * @return Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ public Optional> aggregateAttributes() { return Optional.ofNullable(this.aggregateAttributes); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName", required=true) private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Import(name="claimValueType") private @Nullable Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Optional> claimValueType() { 
@@ -100,14 +108,14 @@ public Optional> claimValueType() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -115,14 +123,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { @@ -130,14 +138,14 @@ public Optional> clientScopeId() { } /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ @Import(name="multivalued") private @Nullable Output multivalued; /** - * @return Indicates whether this attribute is a single value or an array of values. + * @return Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ public Optional> multivalued() { 
@@ -145,14 +153,14 @@ public Optional> multivalued() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -160,23 +168,31 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { return this.realmId; } + /** + * The custom user attribute to map a claim for. + * + */ @Import(name="userAttribute", required=true) private Output userAttribute; + /** + * @return The custom user attribute to map a claim for. + * + */ public Output userAttribute() { return this.userAttribute; } @@ -217,7 +233,7 @@ public Builder(UserAttributeProtocolMapperArgs defaults) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -228,7 +244,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * * @return builder * 
@@ -238,7 +254,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -249,7 +265,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -259,7 +275,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -270,7 +286,7 @@ public Builder addToUserinfo(@Nullable Output addToUserinfo) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -280,7 +296,7 @@ public Builder addToUserinfo(Boolean addToUserinfo) { } /** - * @param aggregateAttributes Indicates if attribute values should be aggregated within the group attributes + * @param aggregateAttributes Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * * @return builder * @@ -291,7 +307,7 @@ public Builder aggregateAttributes(@Nullable Output aggregateAttributes } /** - * @param aggregateAttributes Indicates if attribute values should be aggregated within the group attributes + * @param aggregateAttributes Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * * @return builder * 
@@ -300,17 +316,29 @@ public Builder aggregateAttributes(Boolean aggregateAttributes) { return aggregateAttributes(Output.of(aggregateAttributes)); } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -321,7 +349,7 @@ public Builder claimValueType(@Nullable Output claimValueType) { } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -331,7 +359,7 @@ public Builder claimValueType(String claimValueType) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -342,7 +370,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -352,7 +380,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -363,7 +391,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -373,7 +401,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param multivalued Indicates whether this attribute is a single value or an array of values. + * @param multivalued Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * * @return builder * @@ -384,7 +412,7 @@ public Builder multivalued(@Nullable Output multivalued) { } /** - * @param multivalued Indicates whether this attribute is a single value or an array of values. + * @param multivalued Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * * @return builder * @@ -394,7 +422,7 @@ public Builder multivalued(Boolean multivalued) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -405,7 +433,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * 
@@ -415,7 +443,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -426,7 +454,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -435,11 +463,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param userAttribute The custom user attribute to map a claim for. + * + * @return builder + * + */ public Builder userAttribute(Output userAttribute) { $.userAttribute = userAttribute; return this; } + /** + * @param userAttribute The custom user attribute to map a claim for. + * + * @return builder + * + */ public Builder userAttribute(String userAttribute) { return userAttribute(Output.of(userAttribute)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserPropertyProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserPropertyProtocolMapper.java index cc5be652..dbd8f87b 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserPropertyProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserPropertyProtocolMapper.java 
@@ -16,17 +16,17 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.UserPropertyProtocolMapper + * Allows for creating and managing user property protocol mappers within Keycloak. * - * Allows for creating and managing user property protocol mappers within - * Keycloak. + * User property protocol mappers allow you to map built in properties defined on the Keycloak user interface to a claim in + * a token. * - * User property protocol mappers allow you to map built in properties defined - * on the Keycloak user interface to a claim in a token. Protocol mappers can be - * defined for a single client, or they can be defined for a client scope which - * can be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * <!--Start PulumiCodeChooser --> *
@@ -62,8 +62,8 @@
  * 
  *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
- *             .clientId("test-client")
- *             .name("test client")
+ *             .clientId("client")
+ *             .name("client")
  *             .enabled(true)
  *             .accessType("CONFIDENTIAL")
  *             .validRedirectUris("http://localhost:8080/openid-callback")
@@ -72,7 +72,7 @@
  *         var userPropertyMapper = new UserPropertyProtocolMapper("userPropertyMapper", UserPropertyProtocolMapperArgs.builder()
  *             .realmId(realm.id())
  *             .clientId(openidClient.id())
- *             .name("test-mapper")
+ *             .name("user-property-mapper")
  *             .userProperty("email")
  *             .claimName("email")
  *             .build());
@@ -83,7 +83,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Client Scope) + * ### Client Scope) * * <!--Start PulumiCodeChooser --> *
@@ -119,7 +119,7 @@
  * 
  *         var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder()
  *             .realmId(realm.id())
- *             .name("test-client-scope")
+ *             .name("client-scope")
  *             .build());
  * 
  *         var userPropertyMapper = new UserPropertyProtocolMapper("userPropertyMapper", UserPropertyProtocolMapperArgs.builder()
@@ -136,153 +136,166 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `user_property` - (Required) The built in user property (such as email) to map a claim for. - * - `claim_name` - (Required) The name of the claim to insert into a token. - * - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - * - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - * - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - * - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper") public class UserPropertyProtocolMapper extends com.pulumi.resources.CustomResource { /** - * Indicates if the property should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ @Export(name="addToAccessToken", refs={Boolean.class}, tree="[0]") private Output addToAccessToken; /** - * @return Indicates if the property should be a claim in the access token. + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ public Output> addToAccessToken() { return Codegen.optional(this.addToAccessToken); } /** - * Indicates if the property should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ @Export(name="addToIdToken", refs={Boolean.class}, tree="[0]") private Output addToIdToken; /** - * @return Indicates if the property should be a claim in the id token. + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. 
* */ public Output> addToIdToken() { return Codegen.optional(this.addToIdToken); } /** - * Indicates if the property should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Export(name="addToUserinfo", refs={Boolean.class}, tree="[0]") private Output addToUserinfo; /** - * @return Indicates if the property should appear in the userinfo response body. + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Output> addToUserinfo() { return Codegen.optional(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Export(name="claimName", refs={String.class}, tree="[0]") private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Export(name="claimValueType", refs={String.class}, tree="[0]") private Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Output> claimValueType() { return Codegen.optional(this.claimValueType); } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. 
+ * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientId() { return Codegen.optional(this.clientId); } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Output name() { return this.name; } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. 
* */ public Output realmId() { return this.realmId; } + /** + * The built in user property (such as email) to map a claim for. + * + */ @Export(name="userProperty", refs={String.class}, tree="[0]") private Output userProperty; + /** + * @return The built in user property (such as email) to map a claim for. + * + */ public Output userProperty() { return this.userProperty; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserPropertyProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserPropertyProtocolMapperArgs.java index d8dff641..b3fa6ace 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserPropertyProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserPropertyProtocolMapperArgs.java @@ -18,14 +18,14 @@ public final class UserPropertyProtocolMapperArgs extends com.pulumi.resources.R public static final UserPropertyProtocolMapperArgs Empty = new UserPropertyProtocolMapperArgs(); /** - * Indicates if the property should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if the property should be a claim in the access token. + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ public Optional> addToAccessToken() { @@ -33,14 +33,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if the property should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if the property should be a claim in the id token. + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ public Optional> addToIdToken() { 
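Review bot: The `clientScopeId` Javadoc in UserPropertyProtocolMapper.java ends with a duplicated fragment: after `One of \`client_id\` or \`client_scope_id\` must be specified.` it repeats `\`client_scope_id\` - (Required if \`client_id\` is not specified) The client scope this protocol mapper is attached to.`, which reads as a bullet left over from the removed Argument Reference list. It appears on both the field and the `@return` comment, and again in UserPropertyProtocolMapperArgs.java on the `clientScopeId` field and getter. The sibling text in UserAttributeProtocolMapper.java stops at `must be specified.` and this one should match it. Since the file is presumably generated, the trailing sentence most likely needs to be dropped in the upstream provider documentation rather than here.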
@@ -48,36 +48,44 @@ public Optional> addToIdToken() { } /** - * Indicates if the property should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; /** - * @return Indicates if the property should appear in the userinfo response body. + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName", required=true) private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Import(name="claimValueType") private @Nullable Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Optional> claimValueType() { 
@@ -85,14 +93,14 @@ public Optional> claimValueType() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -100,14 +108,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * */ public Optional> clientScopeId() { @@ -115,14 +123,14 @@ public Optional> clientScopeId() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { 
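Review bot: The new `clientScopeId` Javadoc in the `@@ -100,14 +108,14 @@` hunk carries what looks like a leftover argument-reference bullet glued onto the sentence: after "One of `client_id` or `client_scope_id` must be specified." it continues with "`client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.", which restates the same thing in a different format, in both the field comment and the `@return` copy. I would end both lines at `* The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.`, matching the sibling `clientId` text in the hunk above. The same fragment recurs in the builder `clientScopeId` hunks on L3114 and L3115 and in the resource class at L3108. Since these SDK files are generated, the fix presumably belongs in the schema or doc source the generator reads rather than in a hand edit here.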
@@ -130,23 +138,31 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { return this.realmId; } + /** + * The built in user property (such as email) to map a claim for. + * + */ @Import(name="userProperty", required=true) private Output userProperty; + /** + * @return The built in user property (such as email) to map a claim for. + * + */ public Output userProperty() { return this.userProperty; } @@ -185,7 +201,7 @@ public Builder(UserPropertyProtocolMapperArgs defaults) { } /** - * @param addToAccessToken Indicates if the property should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -196,7 +212,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if the property should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -206,7 +222,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if the property should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * 
@@ -217,7 +233,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if the property should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -227,7 +243,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param addToUserinfo Indicates if the property should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -238,7 +254,7 @@ public Builder addToUserinfo(@Nullable Output addToUserinfo) { } /** - * @param addToUserinfo Indicates if the property should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -247,17 +263,29 @@ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * 
@@ -268,7 +296,7 @@ public Builder claimValueType(@Nullable Output claimValueType) { } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -278,7 +306,7 @@ public Builder claimValueType(String claimValueType) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -289,7 +317,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -299,7 +327,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * * @return builder * 
@@ -310,7 +338,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * * @return builder * @@ -320,7 +348,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -331,7 +359,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -341,7 +369,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -352,7 +380,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * 
@@ -361,11 +389,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param userProperty The built in user property (such as email) to map a claim for. + * + * @return builder + * + */ public Builder userProperty(Output userProperty) { $.userProperty = userProperty; return this; } + /** + * @param userProperty The built in user property (such as email) to map a claim for. + * + * @return builder + * + */ public Builder userProperty(String userProperty) { return userProperty(Output.of(userProperty)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserRealmRoleProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserRealmRoleProtocolMapper.java index 568b30f0..0edc455e 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserRealmRoleProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserRealmRoleProtocolMapper.java @@ -16,17 +16,16 @@ import javax.annotation.Nullable; /** - * ## # keycloak.openid.UserRealmRoleProtocolMapper - * - * Allows for creating and managing user realm role protocol mappers within - * Keycloak. + * Allows for creating and managing user realm role protocol mappers within Keycloak. * * User realm role protocol mappers allow you to define a claim containing the list of the realm roles. - * Protocol mappers can be defined for a single client, or they can - * be defined for a client scope which can be shared between multiple different - * clients. * - * ### Example Usage (Client) + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. + * + * ## Example Usage + * + * ### Client) * * <!--Start PulumiCodeChooser --> *
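Review bot: The new heading `### Client)` in the UserRealmRoleProtocolMapper class Javadoc has an unbalanced parenthesis; it appears to be a mechanical rewrite of the former "### Example Usage (Client)" that dropped the opening half. I would change it to `* ### Client`, and the matching `### Client Scope)` in the hunk on L3130 to `* ### Client Scope`. The class Javadoc continues past the end of this hunk, so the rest of the rendered examples are not visible here. As this is generated code, the correction likely needs to go into the upstream doc source the generator consumes.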
@@ -62,8 +61,8 @@
  * 
  *         var openidClient = new Client("openidClient", ClientArgs.builder()
  *             .realmId(realm.id())
- *             .clientId("test-client")
- *             .name("test client")
+ *             .clientId("client")
+ *             .name("client")
  *             .enabled(true)
  *             .accessType("CONFIDENTIAL")
  *             .validRedirectUris("http://localhost:8080/openid-callback")
@@ -82,7 +81,7 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Example Usage (Client Scope) + * ### Client Scope) * * <!--Start PulumiCodeChooser --> *
@@ -134,174 +133,178 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `claim_name` - (Required) The name of the claim to insert into a token. - * - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - * - `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `true`. - * - `realm_role_prefix` - (Optional) A prefix for each Realm Role. - * - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - * - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - * - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper") public class UserRealmRoleProtocolMapper extends com.pulumi.resources.CustomResource { /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ @Export(name="addToAccessToken", refs={Boolean.class}, tree="[0]") private Output addToAccessToken; /** - * @return Indicates if the attribute should be a claim in the access token. + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ public Output> addToAccessToken() { return Codegen.optional(this.addToAccessToken); } /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ @Export(name="addToIdToken", refs={Boolean.class}, tree="[0]") private Output addToIdToken; /** - * @return Indicates if the attribute should be a claim in the id token. + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. 
* */ public Output> addToIdToken() { return Codegen.optional(this.addToIdToken); } /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Export(name="addToUserinfo", refs={Boolean.class}, tree="[0]") private Output addToUserinfo; /** - * @return Indicates if the attribute should appear in the userinfo response body. + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Output> addToUserinfo() { return Codegen.optional(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Export(name="claimName", refs={String.class}, tree="[0]") private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Export(name="claimValueType", refs={String.class}, tree="[0]") private Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Output> claimValueType() { return Codegen.optional(this.claimValueType); } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. 
+ * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientId() { return Codegen.optional(this.clientId); } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * */ @Export(name="multivalued", refs={Boolean.class}, tree="[0]") private Output multivalued; /** - * @return Indicates whether this attribute is a single value or an array of values. + * @return Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * */ public Output> multivalued() { return Codegen.optional(this.multivalued); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. 
+ * @return The display name of this protocol mapper in the GUI. * */ public Output name() { return this.name; } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { return this.realmId; } /** - * Prefix that will be added to each realm role. + * A prefix for each Realm Role. * */ @Export(name="realmRolePrefix", refs={String.class}, tree="[0]") private Output realmRolePrefix; /** - * @return Prefix that will be added to each realm role. + * @return A prefix for each Realm Role. * */ public Output> realmRolePrefix() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserRealmRoleProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserRealmRoleProtocolMapperArgs.java index 1cd94b81..51a5cf0a 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserRealmRoleProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/UserRealmRoleProtocolMapperArgs.java @@ -18,14 +18,14 @@ public final class UserRealmRoleProtocolMapperArgs extends com.pulumi.resources. public static final UserRealmRoleProtocolMapperArgs Empty = new UserRealmRoleProtocolMapperArgs(); /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if the attribute should be a claim in the access token. + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ public Optional> addToAccessToken() { 
@@ -33,14 +33,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if the attribute should be a claim in the id token. + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ public Optional> addToIdToken() { @@ -48,36 +48,44 @@ public Optional> addToIdToken() { } /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; /** - * @return Indicates if the attribute should appear in the userinfo response body. + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName", required=true) private Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Output claimName() { return this.claimName; } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Import(name="claimValueType") private @Nullable Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Optional> claimValueType() { 
@@ -85,14 +93,14 @@ public Optional> claimValueType() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -100,14 +108,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { 
@@ -115,14 +123,14 @@ public Optional> clientScopeId() { } /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * */ @Import(name="multivalued") private @Nullable Output multivalued; /** - * @return Indicates whether this attribute is a single value or an array of values. + * @return Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * */ public Optional> multivalued() { @@ -130,14 +138,14 @@ public Optional> multivalued() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -145,14 +153,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Output realmId() { @@ -160,14 +168,14 @@ public Output realmId() { } /** - * Prefix that will be added to each realm role. + * A prefix for each Realm Role. * */ @Import(name="realmRolePrefix") private @Nullable Output realmRolePrefix; /** - * @return Prefix that will be added to each realm role. + * @return A prefix for each Realm Role. * */ public Optional> realmRolePrefix() { 
@@ -209,7 +217,7 @@ public Builder(UserRealmRoleProtocolMapperArgs defaults) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -220,7 +228,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -230,7 +238,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -241,7 +249,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -251,7 +259,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -262,7 +270,7 @@ public Builder addToUserinfo(@Nullable Output addToUserinfo) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * 
@@ -271,17 +279,29 @@ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -292,7 +312,7 @@ public Builder claimValueType(@Nullable Output claimValueType) { } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -302,7 +322,7 @@ public Builder claimValueType(String claimValueType) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -313,7 +333,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -323,7 +343,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -334,7 +354,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -344,7 +364,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param multivalued Indicates whether this attribute is a single value or an array of values. + * @param multivalued Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * * @return builder * @@ -355,7 +375,7 @@ public Builder multivalued(@Nullable Output multivalued) { } /** - * @param multivalued Indicates whether this attribute is a single value or an array of values. + * @param multivalued Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * * @return builder * @@ -365,7 +385,7 @@ public Builder multivalued(Boolean multivalued) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * 
@@ -376,7 +396,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -386,7 +406,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -397,7 +417,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -407,7 +427,7 @@ public Builder realmId(String realmId) { } /** - * @param realmRolePrefix Prefix that will be added to each realm role. + * @param realmRolePrefix A prefix for each Realm Role. * * @return builder * @@ -418,7 +438,7 @@ public Builder realmRolePrefix(@Nullable Output realmRolePrefix) { } /** - * @param realmRolePrefix Prefix that will be added to each realm role. + * @param realmRolePrefix A prefix for each Realm Role. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceProtocolMapperState.java index b47fd6f4..cb1f87f1 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceProtocolMapperState.java 
@@ -17,14 +17,14 @@ public final class AudienceProtocolMapperState extends com.pulumi.resources.Reso public static final AudienceProtocolMapperState Empty = new AudienceProtocolMapperState(); /** - * Indicates if this claim should be added to the access token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if this claim should be added to the access token. + * @return Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ public Optional> addToAccessToken() { @@ -32,14 +32,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if this claim should be added to the id token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if this claim should be added to the id token. + * @return Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * */ public Optional> addToIdToken() { @@ -47,14 +47,14 @@ public Optional> addToIdToken() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { 
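Review bot: The new Javadoc for `addToAccessToken` (both the field comment and the `@return` line in this hunk) says the audience is included in the `aud` claim "for the id token", which is the same sentence used for `addToIdToken` just below; the `@Import(name="addToAccessToken")` name indicates this property controls the access token, so the comment now documents the wrong token. That distinction matters for a reviewer deciding which token a resource server will see its client ID in, so I would change both occurrences to `Indicates if the audience should be included in the `aud` claim for the access token. Defaults to `true`.`. This file is Pulumi-generated, so the wording presumably comes from the upstream provider schema and should be corrected there, otherwise the next regeneration reintroduces it; the same text is repeated in the builder hunks for `addToAccessToken` further down.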
@@ -62,14 +62,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { @@ -77,14 +77,14 @@ public Optional> clientScopeId() { } /** - * A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ @Import(name="includedClientAudience") private @Nullable Output includedClientAudience; /** - * @return A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @return A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ public Optional> includedClientAudience() { 
@@ -92,14 +92,14 @@ public Optional> includedClientAudience() { } /** - * A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ @Import(name="includedCustomAudience") private @Nullable Output includedCustomAudience; /** - * @return A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @return A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * */ public Optional> includedCustomAudience() { @@ -107,14 +107,14 @@ public Optional> includedCustomAudience() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -122,14 +122,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Optional> realmId() { @@ -168,7 +168,7 @@ public Builder(AudienceProtocolMapperState defaults) { } /** - * @param addToAccessToken Indicates if this claim should be added to the access token. + * @param addToAccessToken Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * * @return builder * 
@@ -179,7 +179,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if this claim should be added to the access token. + * @param addToAccessToken Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * * @return builder * @@ -189,7 +189,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if this claim should be added to the id token. + * @param addToIdToken Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * * @return builder * @@ -200,7 +200,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if this claim should be added to the id token. + * @param addToIdToken Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. * * @return builder * @@ -210,7 +210,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -221,7 +221,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -231,7 +231,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -242,7 +242,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -252,7 +252,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param includedClientAudience A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @param includedClientAudience A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * * @return builder * @@ -263,7 +263,7 @@ public Builder includedClientAudience(@Nullable Output includedClientAud } /** - * @param includedClientAudience A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @param includedClientAudience A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * * @return builder * 
@@ -273,7 +273,7 @@ public Builder includedClientAudience(String includedClientAudience) { } /** - * @param includedCustomAudience A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @param includedCustomAudience A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * * @return builder * @@ -284,7 +284,7 @@ public Builder includedCustomAudience(@Nullable Output includedCustomAud } /** - * @param includedCustomAudience A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * @param includedCustomAudience A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. * * @return builder * @@ -294,7 +294,7 @@ public Builder includedCustomAudience(String includedCustomAudience) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -305,7 +305,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -315,7 +315,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -326,7 +326,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientAuthenticationFlowBindingOverridesArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientAuthenticationFlowBindingOverridesArgs.java index 0935aa54..3913ab6d 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientAuthenticationFlowBindingOverridesArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientAuthenticationFlowBindingOverridesArgs.java @@ -15,16 +15,32 @@ public final class ClientAuthenticationFlowBindingOverridesArgs extends com.pulu public static final ClientAuthenticationFlowBindingOverridesArgs Empty = new ClientAuthenticationFlowBindingOverridesArgs(); + /** + * Browser flow id, (flow needs to exist) + * + */ @Import(name="browserId") private @Nullable Output browserId; + /** + * @return Browser flow id, (flow needs to exist) + * + */ public Optional> browserId() { return Optional.ofNullable(this.browserId); } + /** + * Direct grant flow id (flow needs to exist) + * + */ @Import(name="directGrantId") private @Nullable Output directGrantId; + /** + * @return Direct grant flow id (flow needs to exist) + * + */ public Optional> directGrantId() { return Optional.ofNullable(this.directGrantId); } 
@@ -54,20 +70,44 @@ public Builder(ClientAuthenticationFlowBindingOverridesArgs defaults) { $ = new ClientAuthenticationFlowBindingOverridesArgs(Objects.requireNonNull(defaults)); } + /** + * @param browserId Browser flow id, (flow needs to exist) + * + * @return builder + * + */ public Builder browserId(@Nullable Output browserId) { $.browserId = browserId; return this; } + /** + * @param browserId Browser flow id, (flow needs to exist) + * + * @return builder + * + */ public Builder browserId(String browserId) { return browserId(Output.of(browserId)); } + /** + * @param directGrantId Direct grant flow id (flow needs to exist) + * + * @return builder + * + */ public Builder directGrantId(@Nullable Output directGrantId) { $.directGrantId = directGrantId; return this; } + /** + * @param directGrantId Direct grant flow id (flow needs to exist) + * + * @return builder + * + */ public Builder directGrantId(String directGrantId) { return directGrantId(Output.of(directGrantId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientAuthorizationArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientAuthorizationArgs.java index f584a151..a9d13853 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientAuthorizationArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientAuthorizationArgs.java 
@@ -17,30 +17,62 @@ public final class ClientAuthorizationArgs extends com.pulumi.resources.Resource public static final ClientAuthorizationArgs Empty = new ClientAuthorizationArgs(); + /** + * When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + * + */ @Import(name="allowRemoteResourceManagement") private @Nullable Output allowRemoteResourceManagement; + /** + * @return When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + * + */ public Optional> allowRemoteResourceManagement() { return Optional.ofNullable(this.allowRemoteResourceManagement); } + /** + * Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + * + */ @Import(name="decisionStrategy") private @Nullable Output decisionStrategy; + /** + * @return Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + * + */ public Optional> decisionStrategy() { return Optional.ofNullable(this.decisionStrategy); } + /** + * When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + * + */ @Import(name="keepDefaults") private @Nullable Output keepDefaults; + /** + * @return When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + * + */ public Optional> keepDefaults() { return Optional.ofNullable(this.keepDefaults); } + /** + * Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + * + */ @Import(name="policyEnforcementMode", required=true) private Output policyEnforcementMode; + /** + * @return Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. 
+ * + */ public Output policyEnforcementMode() { return this.policyEnforcementMode; } 
@@ -72,38 +104,86 @@ public Builder(ClientAuthorizationArgs defaults) { $ = new ClientAuthorizationArgs(Objects.requireNonNull(defaults)); } + /** + * @param allowRemoteResourceManagement When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + * + * @return builder + * + */ public Builder allowRemoteResourceManagement(@Nullable Output allowRemoteResourceManagement) { $.allowRemoteResourceManagement = allowRemoteResourceManagement; return this; } + /** + * @param allowRemoteResourceManagement When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + * + * @return builder + * + */ public Builder allowRemoteResourceManagement(Boolean allowRemoteResourceManagement) { return allowRemoteResourceManagement(Output.of(allowRemoteResourceManagement)); } + /** + * @param decisionStrategy Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + * + * @return builder + * + */ public Builder decisionStrategy(@Nullable Output decisionStrategy) { $.decisionStrategy = decisionStrategy; return this; } + /** + * @param decisionStrategy Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + * + * @return builder + * + */ public Builder decisionStrategy(String decisionStrategy) { return decisionStrategy(Output.of(decisionStrategy)); } + /** + * @param keepDefaults When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + * + * @return builder + * + */ public Builder keepDefaults(@Nullable Output keepDefaults) { $.keepDefaults = keepDefaults; return this; } + /** + * @param keepDefaults When `true`, defaults set by Keycloak will be respected. Defaults to `false`. 
+ * + * @return builder + * + */ public Builder keepDefaults(Boolean keepDefaults) { return keepDefaults(Output.of(keepDefaults)); } + /** + * @param policyEnforcementMode Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + * + * @return builder + * + */ public Builder policyEnforcementMode(Output policyEnforcementMode) { $.policyEnforcementMode = policyEnforcementMode; return this; } + /** + * @param policyEnforcementMode Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + * + * @return builder + * + */ public Builder policyEnforcementMode(String policyEnforcementMode) { return policyEnforcementMode(Output.of(policyEnforcementMode)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientDefaultScopesState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientDefaultScopesState.java index b8e00334..eb64c596 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientDefaultScopesState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientDefaultScopesState.java 
@@ -16,23 +16,47 @@ public final class ClientDefaultScopesState extends com.pulumi.resources.Resourc public static final ClientDefaultScopesState Empty = new ClientDefaultScopesState(); + /** + * The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * An array of client scope names to attach to this client. + * + */ @Import(name="defaultScopes") private @Nullable Output> defaultScopes; + /** + * @return An array of client scope names to attach to this client. + * + */ public Optional>> defaultScopes() { return Optional.ofNullable(this.defaultScopes); } + /** + * The realm this client and scopes exists in. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this client and scopes exists in. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } 
@@ -63,33 +87,75 @@ public Builder(ClientDefaultScopesState defaults) { $ = new ClientDefaultScopesState(Objects.requireNonNull(defaults)); } + /** + * @param clientId The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param defaultScopes An array of client scope names to attach to this client. + * + * @return builder + * + */ public Builder defaultScopes(@Nullable Output> defaultScopes) { $.defaultScopes = defaultScopes; return this; } + /** + * @param defaultScopes An array of client scope names to attach to this client. + * + * @return builder + * + */ public Builder defaultScopes(List defaultScopes) { return defaultScopes(Output.of(defaultScopes)); } + /** + * @param defaultScopes An array of client scope names to attach to this client. + * + * @return builder + * + */ public Builder defaultScopes(String... defaultScopes) { return defaultScopes(List.of(defaultScopes)); } + /** + * @param realmId The realm this client and scopes exists in. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client and scopes exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientOptionalScopesState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientOptionalScopesState.java index b769d2ce..2fd783a6 100644 
--- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientOptionalScopesState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientOptionalScopesState.java @@ -16,23 +16,47 @@ public final class ClientOptionalScopesState extends com.pulumi.resources.Resour public static final ClientOptionalScopesState Empty = new ClientOptionalScopesState(); + /** + * The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * An array of client scope names to attach to this client as optional scopes. + * + */ @Import(name="optionalScopes") private @Nullable Output> optionalScopes; + /** + * @return An array of client scope names to attach to this client as optional scopes. + * + */ public Optional>> optionalScopes() { return Optional.ofNullable(this.optionalScopes); } + /** + * The realm this client and scopes exists in. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this client and scopes exists in. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } 
@@ -63,33 +87,75 @@ public Builder(ClientOptionalScopesState defaults) { $ = new ClientOptionalScopesState(Objects.requireNonNull(defaults)); } + /** + * @param clientId The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param optionalScopes An array of client scope names to attach to this client as optional scopes. + * + * @return builder + * + */ public Builder optionalScopes(@Nullable Output> optionalScopes) { $.optionalScopes = optionalScopes; return this; } + /** + * @param optionalScopes An array of client scope names to attach to this client as optional scopes. + * + * @return builder + * + */ public Builder optionalScopes(List optionalScopes) { return optionalScopes(Output.of(optionalScopes)); } + /** + * @param optionalScopes An array of client scope names to attach to this client as optional scopes. + * + * @return builder + * + */ public Builder optionalScopes(String... optionalScopes) { return optionalScopes(List.of(optionalScopes)); } + /** + * @param realmId The realm this client and scopes exists in. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client and scopes exists in. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientScopeState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientScopeState.java index 8a34e9ba..f11fec55 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientScopeState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientScopeState.java 
@@ -17,44 +17,92 @@ public final class ClientScopeState extends com.pulumi.resources.ResourceArgs { public static final ClientScopeState Empty = new ClientScopeState(); + /** + * When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + */ @Import(name="consentScreenText") private @Nullable Output consentScreenText; + /** + * @return When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + */ public Optional> consentScreenText() { return Optional.ofNullable(this.consentScreenText); } + /** + * The description of this client scope in the GUI. + * + */ @Import(name="description") private @Nullable Output description; + /** + * @return The description of this client scope in the GUI. + * + */ public Optional> description() { return Optional.ofNullable(this.description); } + /** + * Specify order of the client scope in GUI (such as in Consent page) as integer. + * + */ @Import(name="guiOrder") private @Nullable Output guiOrder; + /** + * @return Specify order of the client scope in GUI (such as in Consent page) as integer. + * + */ public Optional> guiOrder() { return Optional.ofNullable(this.guiOrder); } + /** + * When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + * + */ @Import(name="includeInTokenScope") private @Nullable Output includeInTokenScope; + /** + * @return When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + * + */ public Optional> includeInTokenScope() { return Optional.ofNullable(this.includeInTokenScope); } + /** + * The display name of this client scope in the GUI. 
+ * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this client scope in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The realm this client scope belongs to. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this client scope belongs to. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } 
@@ -88,56 +136,128 @@ public Builder(ClientScopeState defaults) { $ = new ClientScopeState(Objects.requireNonNull(defaults)); } + /** + * @param consentScreenText When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + * @return builder + * + */ public Builder consentScreenText(@Nullable Output consentScreenText) { $.consentScreenText = consentScreenText; return this; } + /** + * @param consentScreenText When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + * + * @return builder + * + */ public Builder consentScreenText(String consentScreenText) { return consentScreenText(Output.of(consentScreenText)); } + /** + * @param description The description of this client scope in the GUI. + * + * @return builder + * + */ public Builder description(@Nullable Output description) { $.description = description; return this; } + /** + * @param description The description of this client scope in the GUI. + * + * @return builder + * + */ public Builder description(String description) { return description(Output.of(description)); } + /** + * @param guiOrder Specify order of the client scope in GUI (such as in Consent page) as integer. + * + * @return builder + * + */ public Builder guiOrder(@Nullable Output guiOrder) { $.guiOrder = guiOrder; return this; } + /** + * @param guiOrder Specify order of the client scope in GUI (such as in Consent page) as integer. + * + * @return builder + * + */ public Builder guiOrder(Integer guiOrder) { return guiOrder(Output.of(guiOrder)); } + /** + * @param includeInTokenScope When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. 
+ * + * @return builder + * + */ public Builder includeInTokenScope(@Nullable Output includeInTokenScope) { $.includeInTokenScope = includeInTokenScope; return this; } + /** + * @param includeInTokenScope When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + * + * @return builder + * + */ public Builder includeInTokenScope(Boolean includeInTokenScope) { return includeInTokenScope(Output.of(includeInTokenScope)); } + /** + * @param name The display name of this client scope in the GUI. + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this client scope in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this client scope belongs to. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client scope belongs to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientState.java index 7f3c2bb0..61aac3b3 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/ClientState.java 
@@ -20,163 +20,365 @@ public final class ClientState extends com.pulumi.resources.ResourceArgs { public static final ClientState Empty = new ClientState(); + /** + * The amount of time in seconds before an access token expires. This will override the default for the realm. + * + */ @Import(name="accessTokenLifespan") private @Nullable Output accessTokenLifespan; + /** + * @return The amount of time in seconds before an access token expires. This will override the default for the realm. + * + */ public Optional> accessTokenLifespan() { return Optional.ofNullable(this.accessTokenLifespan); } + /** + * Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + * + */ @Import(name="accessType") private @Nullable Output accessType; + /** + * @return Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. 
+ * + */ public Optional> accessType() { return Optional.ofNullable(this.accessType); } + /** + * URL to the admin interface of the client. + * + */ @Import(name="adminUrl") private @Nullable Output adminUrl; + /** + * @return URL to the admin interface of the client. + * + */ public Optional> adminUrl() { return Optional.ofNullable(this.adminUrl); } + /** + * Override realm authentication flow bindings + * + */ @Import(name="authenticationFlowBindingOverrides") private @Nullable Output authenticationFlowBindingOverrides; + /** + * @return Override realm authentication flow bindings + * + */ public Optional> authenticationFlowBindingOverrides() { return Optional.ofNullable(this.authenticationFlowBindingOverrides); } + /** + * When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + * + */ @Import(name="authorization") private @Nullable Output authorization; + /** + * @return When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + * + */ public Optional> authorization() { return Optional.ofNullable(this.authorization); } + /** + * Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + * + */ @Import(name="backchannelLogoutRevokeOfflineSessions") private @Nullable Output backchannelLogoutRevokeOfflineSessions; + /** + * @return Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. 
+ * + */ public Optional> backchannelLogoutRevokeOfflineSessions() { return Optional.ofNullable(this.backchannelLogoutRevokeOfflineSessions); } + /** + * When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + * + */ @Import(name="backchannelLogoutSessionRequired") private @Nullable Output backchannelLogoutSessionRequired; + /** + * @return When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + * + */ public Optional> backchannelLogoutSessionRequired() { return Optional.ofNullable(this.backchannelLogoutSessionRequired); } + /** + * The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + */ @Import(name="backchannelLogoutUrl") private @Nullable Output backchannelLogoutUrl; + /** + * @return The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + */ public Optional> backchannelLogoutUrl() { return Optional.ofNullable(this.backchannelLogoutUrl); } + /** + * Default URL to use when the auth server needs to redirect or link back to the client. + * + */ @Import(name="baseUrl") private @Nullable Output baseUrl; + /** + * @return Default URL to use when the auth server needs to redirect or link back to the client. + * + */ public Optional> baseUrl() { return Optional.ofNullable(this.baseUrl); } + /** + * Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. 
Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + */ @Import(name="clientAuthenticatorType") private @Nullable Output clientAuthenticatorType; + /** + * @return Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + */ public Optional> clientAuthenticatorType() { return Optional.ofNullable(this.clientAuthenticatorType); } + /** + * The Client ID for this client, referenced in the URI during authentication and in issued tokens. + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return The Client ID for this client, referenced in the URI during authentication and in issued tokens. + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. 
+ * + */ @Import(name="clientOfflineSessionIdleTimeout") private @Nullable Output clientOfflineSessionIdleTimeout; + /** + * @return Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + * + */ public Optional> clientOfflineSessionIdleTimeout() { return Optional.ofNullable(this.clientOfflineSessionIdleTimeout); } + /** + * Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + * + */ @Import(name="clientOfflineSessionMaxLifespan") private @Nullable Output clientOfflineSessionMaxLifespan; + /** + * @return Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + * + */ public Optional> clientOfflineSessionMaxLifespan() { return Optional.ofNullable(this.clientOfflineSessionMaxLifespan); } + /** + * The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + * + */ @Import(name="clientSecret") private @Nullable Output clientSecret; + /** + * @return The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + * + */ public Optional> clientSecret() { return Optional.ofNullable(this.clientSecret); } + /** + * Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. 
+ * + */ @Import(name="clientSessionIdleTimeout") private @Nullable Output clientSessionIdleTimeout; + /** + * @return Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + * + */ public Optional> clientSessionIdleTimeout() { return Optional.ofNullable(this.clientSessionIdleTimeout); } + /** + * Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + * + */ @Import(name="clientSessionMaxLifespan") private @Nullable Output clientSessionMaxLifespan; + /** + * @return Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + * + */ public Optional> clientSessionMaxLifespan() { return Optional.ofNullable(this.clientSessionMaxLifespan); } + /** + * When `true`, users have to consent to client access. Defaults to `false`. + * + */ @Import(name="consentRequired") private @Nullable Output consentRequired; + /** + * @return When `true`, users have to consent to client access. Defaults to `false`. + * + */ public Optional> consentRequired() { return Optional.ofNullable(this.consentRequired); } + /** + * The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + * + */ @Import(name="consentScreenText") private @Nullable Output consentScreenText; + /** + * @return The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + * + */ public Optional> consentScreenText() { return Optional.ofNullable(this.consentScreenText); } + /** + * The description of this client in the GUI. 
+ * + */ @Import(name="description") private @Nullable Output description; + /** + * @return The description of this client in the GUI. + * + */ public Optional> description() { return Optional.ofNullable(this.description); } + /** + * When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + */ @Import(name="directAccessGrantsEnabled") private @Nullable Output directAccessGrantsEnabled; + /** + * @return When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + */ public Optional> directAccessGrantsEnabled() { return Optional.ofNullable(this.directAccessGrantsEnabled); } + /** + * When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + */ @Import(name="displayOnConsentScreen") private @Nullable Output displayOnConsentScreen; + /** + * @return When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + */ public Optional> displayOnConsentScreen() { return Optional.ofNullable(this.displayOnConsentScreen); } + /** + * When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + */ @Import(name="enabled") private @Nullable Output enabled; + /** + * @return When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + */ public Optional> enabled() { return Optional.ofNullable(this.enabled); } + /** + * When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. 
+ * + */ @Import(name="excludeSessionStateFromAuthResponse") private @Nullable Output excludeSessionStateFromAuthResponse; + /** + * @return When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + * + */ public Optional> excludeSessionStateFromAuthResponse() { return Optional.ofNullable(this.excludeSessionStateFromAuthResponse); } 
@@ -188,156 +390,336 @@ public Optional>> extraConfig() { return Optional.ofNullable(this.extraConfig); } + /** + * When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + */ @Import(name="frontchannelLogoutEnabled") private @Nullable Output frontchannelLogoutEnabled; + /** + * @return When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + */ public Optional> frontchannelLogoutEnabled() { return Optional.ofNullable(this.frontchannelLogoutEnabled); } + /** + * The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + */ @Import(name="frontchannelLogoutUrl") private @Nullable Output frontchannelLogoutUrl; + /** + * @return The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + */ public Optional> frontchannelLogoutUrl() { return Optional.ofNullable(this.frontchannelLogoutUrl); } + /** + * Allow to include all roles mappings in the access token. + * + */ @Import(name="fullScopeAllowed") private @Nullable Output fullScopeAllowed; + /** + * @return Allow to include all roles mappings in the access token. + * + */ public Optional> fullScopeAllowed() { return Optional.ofNullable(this.fullScopeAllowed); } + /** + * When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + * + */ @Import(name="implicitFlowEnabled") private @Nullable Output implicitFlowEnabled; + /** + * @return When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + * + */ public Optional> implicitFlowEnabled() { return Optional.ofNullable(this.implicitFlowEnabled); } + /** + * When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. 
This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + */ @Import(name="import") private @Nullable Output import_; + /** + * @return When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + */ public Optional> import_() { return Optional.ofNullable(this.import_); } + /** + * The client login theme. This will override the default theme for the realm. + * + */ @Import(name="loginTheme") private @Nullable Output loginTheme; + /** + * @return The client login theme. This will override the default theme for the realm. + * + */ public Optional> loginTheme() { return Optional.ofNullable(this.loginTheme); } + /** + * The display name of this client in the GUI. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this client in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + * + */ @Import(name="oauth2DeviceAuthorizationGrantEnabled") private @Nullable Output oauth2DeviceAuthorizationGrantEnabled; + /** + * @return Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. 
+ * + */ public Optional> oauth2DeviceAuthorizationGrantEnabled() { return Optional.ofNullable(this.oauth2DeviceAuthorizationGrantEnabled); } + /** + * The maximum amount of time a client has to finish the device code flow before it expires. + * + */ @Import(name="oauth2DeviceCodeLifespan") private @Nullable Output oauth2DeviceCodeLifespan; + /** + * @return The maximum amount of time a client has to finish the device code flow before it expires. + * + */ public Optional> oauth2DeviceCodeLifespan() { return Optional.ofNullable(this.oauth2DeviceCodeLifespan); } + /** + * The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + */ @Import(name="oauth2DevicePollingInterval") private @Nullable Output oauth2DevicePollingInterval; + /** + * @return The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + */ public Optional> oauth2DevicePollingInterval() { return Optional.ofNullable(this.oauth2DevicePollingInterval); } + /** + * The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + */ @Import(name="pkceCodeChallengeMethod") private @Nullable Output pkceCodeChallengeMethod; + /** + * @return The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + */ public Optional> pkceCodeChallengeMethod() { return Optional.ofNullable(this.pkceCodeChallengeMethod); } + /** + * The realm this client is attached to. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this client is attached to. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). 
+ * + */ @Import(name="resourceServerId") private @Nullable Output resourceServerId; + /** + * @return (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + * + */ public Optional> resourceServerId() { return Optional.ofNullable(this.resourceServerId); } + /** + * When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + * + */ @Import(name="rootUrl") private @Nullable Output rootUrl; + /** + * @return When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + * + */ public Optional> rootUrl() { return Optional.ofNullable(this.rootUrl); } + /** + * (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + * + */ @Import(name="serviceAccountUserId") private @Nullable Output serviceAccountUserId; + /** + * @return (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + * + */ public Optional> serviceAccountUserId() { return Optional.ofNullable(this.serviceAccountUserId); } + /** + * When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + * + */ @Import(name="serviceAccountsEnabled") private @Nullable Output serviceAccountsEnabled; + /** + * @return When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. 
+ * + */ public Optional> serviceAccountsEnabled() { return Optional.ofNullable(this.serviceAccountsEnabled); } + /** + * When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + * + */ @Import(name="standardFlowEnabled") private @Nullable Output standardFlowEnabled; + /** + * @return When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + * + */ public Optional> standardFlowEnabled() { return Optional.ofNullable(this.standardFlowEnabled); } + /** + * If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + * + */ @Import(name="useRefreshTokens") private @Nullable Output useRefreshTokens; + /** + * @return If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + * + */ public Optional> useRefreshTokens() { return Optional.ofNullable(this.useRefreshTokens); } + /** + * If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + * + */ @Import(name="useRefreshTokensClientCredentials") private @Nullable Output useRefreshTokensClientCredentials; + /** + * @return If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. 
+ * + */ public Optional> useRefreshTokensClientCredentials() { return Optional.ofNullable(this.useRefreshTokensClientCredentials); } + /** + * A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + */ @Import(name="validPostLogoutRedirectUris") private @Nullable Output> validPostLogoutRedirectUris; + /** + * @return A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + */ public Optional>> validPostLogoutRedirectUris() { return Optional.ofNullable(this.validPostLogoutRedirectUris); } + /** + * A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + */ @Import(name="validRedirectUris") private @Nullable Output> validRedirectUris; + /** + * @return A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + */ public Optional>> validRedirectUris() { return Optional.ofNullable(this.validRedirectUris); } + /** + * A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + */ @Import(name="webOrigins") private @Nullable Output> webOrigins; + /** + * @return A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + */ public Optional>> webOrigins() { return Optional.ofNullable(this.webOrigins); } 
@@ -411,209 +793,503 @@ public Builder(ClientState defaults) { $ = new ClientState(Objects.requireNonNull(defaults)); } + /** + * @param accessTokenLifespan The amount of time in seconds before an access token expires. This will override the default for the realm. + * + * @return builder + * + */ public Builder accessTokenLifespan(@Nullable Output accessTokenLifespan) { $.accessTokenLifespan = accessTokenLifespan; return this; } + /** + * @param accessTokenLifespan The amount of time in seconds before an access token expires. This will override the default for the realm. + * + * @return builder + * + */ public Builder accessTokenLifespan(String accessTokenLifespan) { return accessTokenLifespan(Output.of(accessTokenLifespan)); } + /** + * @param accessType Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + * + * @return builder + * + */ public Builder accessType(@Nullable Output accessType) { $.accessType = accessType; return this; } + /** + * @param accessType Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. 
+ * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + * + * @return builder + * + */ public Builder accessType(String accessType) { return accessType(Output.of(accessType)); } + /** + * @param adminUrl URL to the admin interface of the client. + * + * @return builder + * + */ public Builder adminUrl(@Nullable Output adminUrl) { $.adminUrl = adminUrl; return this; } + /** + * @param adminUrl URL to the admin interface of the client. + * + * @return builder + * + */ public Builder adminUrl(String adminUrl) { return adminUrl(Output.of(adminUrl)); } + /** + * @param authenticationFlowBindingOverrides Override realm authentication flow bindings + * + * @return builder + * + */ public Builder authenticationFlowBindingOverrides(@Nullable Output authenticationFlowBindingOverrides) { $.authenticationFlowBindingOverrides = authenticationFlowBindingOverrides; return this; } + /** + * @param authenticationFlowBindingOverrides Override realm authentication flow bindings + * + * @return builder + * + */ public Builder authenticationFlowBindingOverrides(ClientAuthenticationFlowBindingOverridesArgs authenticationFlowBindingOverrides) { return authenticationFlowBindingOverrides(Output.of(authenticationFlowBindingOverrides)); } + /** + * @param authorization When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. 
This block has the following arguments: + * + * @return builder + * + */ public Builder authorization(@Nullable Output authorization) { $.authorization = authorization; return this; } + /** + * @param authorization When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + * + * @return builder + * + */ public Builder authorization(ClientAuthorizationArgs authorization) { return authorization(Output.of(authorization)); } + /** + * @param backchannelLogoutRevokeOfflineSessions Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + * + * @return builder + * + */ public Builder backchannelLogoutRevokeOfflineSessions(@Nullable Output backchannelLogoutRevokeOfflineSessions) { $.backchannelLogoutRevokeOfflineSessions = backchannelLogoutRevokeOfflineSessions; return this; } + /** + * @param backchannelLogoutRevokeOfflineSessions Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + * + * @return builder + * + */ public Builder backchannelLogoutRevokeOfflineSessions(Boolean backchannelLogoutRevokeOfflineSessions) { return backchannelLogoutRevokeOfflineSessions(Output.of(backchannelLogoutRevokeOfflineSessions)); } + /** + * @param backchannelLogoutSessionRequired When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder backchannelLogoutSessionRequired(@Nullable Output backchannelLogoutSessionRequired) { $.backchannelLogoutSessionRequired = backchannelLogoutSessionRequired; return this; } + /** + * @param backchannelLogoutSessionRequired When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + * + * @return builder + * + */ public Builder backchannelLogoutSessionRequired(Boolean backchannelLogoutSessionRequired) { return backchannelLogoutSessionRequired(Output.of(backchannelLogoutSessionRequired)); } + /** + * @param backchannelLogoutUrl The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + * @return builder + * + */ public Builder backchannelLogoutUrl(@Nullable Output backchannelLogoutUrl) { $.backchannelLogoutUrl = backchannelLogoutUrl; return this; } + /** + * @param backchannelLogoutUrl The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + * + * @return builder + * + */ public Builder backchannelLogoutUrl(String backchannelLogoutUrl) { return backchannelLogoutUrl(Output.of(backchannelLogoutUrl)); } + /** + * @param baseUrl Default URL to use when the auth server needs to redirect or link back to the client. + * + * @return builder + * + */ public Builder baseUrl(@Nullable Output baseUrl) { $.baseUrl = baseUrl; return this; } + /** + * @param baseUrl Default URL to use when the auth server needs to redirect or link back to the client. + * + * @return builder + * + */ public Builder baseUrl(String baseUrl) { return baseUrl(Output.of(baseUrl)); } + /** + * @param clientAuthenticatorType Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. 
A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + * @return builder + * + */ public Builder clientAuthenticatorType(@Nullable Output clientAuthenticatorType) { $.clientAuthenticatorType = clientAuthenticatorType; return this; } + /** + * @param clientAuthenticatorType Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>` + * + * @return builder + * + */ public Builder clientAuthenticatorType(String clientAuthenticatorType) { return clientAuthenticatorType(Output.of(clientAuthenticatorType)); } + /** + * @param clientId The Client ID for this client, referenced in the URI during authentication and in issued tokens. 
+ * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The Client ID for this client, referenced in the URI during authentication and in issued tokens. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param clientOfflineSessionIdleTimeout Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + * + * @return builder + * + */ public Builder clientOfflineSessionIdleTimeout(@Nullable Output clientOfflineSessionIdleTimeout) { $.clientOfflineSessionIdleTimeout = clientOfflineSessionIdleTimeout; return this; } + /** + * @param clientOfflineSessionIdleTimeout Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + * + * @return builder + * + */ public Builder clientOfflineSessionIdleTimeout(String clientOfflineSessionIdleTimeout) { return clientOfflineSessionIdleTimeout(Output.of(clientOfflineSessionIdleTimeout)); } + /** + * @param clientOfflineSessionMaxLifespan Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + * + * @return builder + * + */ public Builder clientOfflineSessionMaxLifespan(@Nullable Output clientOfflineSessionMaxLifespan) { $.clientOfflineSessionMaxLifespan = clientOfflineSessionMaxLifespan; return this; } + /** + * @param clientOfflineSessionMaxLifespan Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. 
+ * + * @return builder + * + */ public Builder clientOfflineSessionMaxLifespan(String clientOfflineSessionMaxLifespan) { return clientOfflineSessionMaxLifespan(Output.of(clientOfflineSessionMaxLifespan)); } + /** + * @param clientSecret The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + * + * @return builder + * + */ public Builder clientSecret(@Nullable Output clientSecret) { $.clientSecret = clientSecret; return this; } + /** + * @param clientSecret The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + * + * @return builder + * + */ public Builder clientSecret(String clientSecret) { return clientSecret(Output.of(clientSecret)); } + /** + * @param clientSessionIdleTimeout Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + * + * @return builder + * + */ public Builder clientSessionIdleTimeout(@Nullable Output clientSessionIdleTimeout) { $.clientSessionIdleTimeout = clientSessionIdleTimeout; return this; } + /** + * @param clientSessionIdleTimeout Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + * + * @return builder + * + */ public Builder clientSessionIdleTimeout(String clientSessionIdleTimeout) { return clientSessionIdleTimeout(Output.of(clientSessionIdleTimeout)); } + /** + * @param clientSessionMaxLifespan Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. 
If not set, it uses the Offline Session Max value. + * + * @return builder + * + */ public Builder clientSessionMaxLifespan(@Nullable Output clientSessionMaxLifespan) { $.clientSessionMaxLifespan = clientSessionMaxLifespan; return this; } + /** + * @param clientSessionMaxLifespan Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + * + * @return builder + * + */ public Builder clientSessionMaxLifespan(String clientSessionMaxLifespan) { return clientSessionMaxLifespan(Output.of(clientSessionMaxLifespan)); } + /** + * @param consentRequired When `true`, users have to consent to client access. Defaults to `false`. + * + * @return builder + * + */ public Builder consentRequired(@Nullable Output consentRequired) { $.consentRequired = consentRequired; return this; } + /** + * @param consentRequired When `true`, users have to consent to client access. Defaults to `false`. + * + * @return builder + * + */ public Builder consentRequired(Boolean consentRequired) { return consentRequired(Output.of(consentRequired)); } + /** + * @param consentScreenText The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + * + * @return builder + * + */ public Builder consentScreenText(@Nullable Output consentScreenText) { $.consentScreenText = consentScreenText; return this; } + /** + * @param consentScreenText The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + * + * @return builder + * + */ public Builder consentScreenText(String consentScreenText) { return consentScreenText(Output.of(consentScreenText)); } + /** + * @param description The description of this client in the GUI. 
+ * + * @return builder + * + */ public Builder description(@Nullable Output description) { $.description = description; return this; } + /** + * @param description The description of this client in the GUI. + * + * @return builder + * + */ public Builder description(String description) { return description(Output.of(description)); } + /** + * @param directAccessGrantsEnabled When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder directAccessGrantsEnabled(@Nullable Output directAccessGrantsEnabled) { $.directAccessGrantsEnabled = directAccessGrantsEnabled; return this; } + /** + * @param directAccessGrantsEnabled When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder directAccessGrantsEnabled(Boolean directAccessGrantsEnabled) { return directAccessGrantsEnabled(Output.of(directAccessGrantsEnabled)); } + /** + * @param displayOnConsentScreen When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + * @return builder + * + */ public Builder displayOnConsentScreen(@Nullable Output displayOnConsentScreen) { $.displayOnConsentScreen = displayOnConsentScreen; return this; } + /** + * @param displayOnConsentScreen When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + * + * @return builder + * + */ public Builder displayOnConsentScreen(Boolean displayOnConsentScreen) { return displayOnConsentScreen(Output.of(displayOnConsentScreen)); } + /** + * @param enabled When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder enabled(@Nullable Output enabled) { $.enabled = enabled; return this; } + /** + * @param enabled When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(Boolean enabled) { return enabled(Output.of(enabled)); } + /** + * @param excludeSessionStateFromAuthResponse When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + * + * @return builder + * + */ public Builder excludeSessionStateFromAuthResponse(@Nullable Output excludeSessionStateFromAuthResponse) { $.excludeSessionStateFromAuthResponse = excludeSessionStateFromAuthResponse; return this; } + /** + * @param excludeSessionStateFromAuthResponse When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + * + * @return builder + * + */ public Builder excludeSessionStateFromAuthResponse(Boolean excludeSessionStateFromAuthResponse) { return excludeSessionStateFromAuthResponse(Output.of(excludeSessionStateFromAuthResponse)); } 
@@ -627,212 +1303,500 @@ public Builder extraConfig(Map extraConfig) { return extraConfig(Output.of(extraConfig)); } + /** + * @param frontchannelLogoutEnabled When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + * @return builder + * + */ public Builder frontchannelLogoutEnabled(@Nullable Output frontchannelLogoutEnabled) { $.frontchannelLogoutEnabled = frontchannelLogoutEnabled; return this; } + /** + * @param frontchannelLogoutEnabled When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + * + * @return builder + * + */ public Builder frontchannelLogoutEnabled(Boolean frontchannelLogoutEnabled) { return frontchannelLogoutEnabled(Output.of(frontchannelLogoutEnabled)); } + /** + * @param frontchannelLogoutUrl The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + * @return builder + * + */ public Builder frontchannelLogoutUrl(@Nullable Output frontchannelLogoutUrl) { $.frontchannelLogoutUrl = frontchannelLogoutUrl; return this; } + /** + * @param frontchannelLogoutUrl The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + * + * @return builder + * + */ public Builder frontchannelLogoutUrl(String frontchannelLogoutUrl) { return frontchannelLogoutUrl(Output.of(frontchannelLogoutUrl)); } + /** + * @param fullScopeAllowed Allow to include all roles mappings in the access token. + * + * @return builder + * + */ public Builder fullScopeAllowed(@Nullable Output fullScopeAllowed) { $.fullScopeAllowed = fullScopeAllowed; return this; } + /** + * @param fullScopeAllowed Allow to include all roles mappings in the access token. 
+ * + * @return builder + * + */ public Builder fullScopeAllowed(Boolean fullScopeAllowed) { return fullScopeAllowed(Output.of(fullScopeAllowed)); } + /** + * @param implicitFlowEnabled When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder implicitFlowEnabled(@Nullable Output implicitFlowEnabled) { $.implicitFlowEnabled = implicitFlowEnabled; return this; } + /** + * @param implicitFlowEnabled When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder implicitFlowEnabled(Boolean implicitFlowEnabled) { return implicitFlowEnabled(Output.of(implicitFlowEnabled)); } + /** + * @param import_ When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + * @return builder + * + */ public Builder import_(@Nullable Output import_) { $.import_ = import_; return this; } + /** + * @param import_ When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + * + * @return builder + * + */ public Builder import_(Boolean import_) { return import_(Output.of(import_)); } + /** + * @param loginTheme The client login theme. This will override the default theme for the realm. 
+ * + * @return builder + * + */ public Builder loginTheme(@Nullable Output loginTheme) { $.loginTheme = loginTheme; return this; } + /** + * @param loginTheme The client login theme. This will override the default theme for the realm. + * + * @return builder + * + */ public Builder loginTheme(String loginTheme) { return loginTheme(Output.of(loginTheme)); } + /** + * @param name The display name of this client in the GUI. + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this client in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param oauth2DeviceAuthorizationGrantEnabled Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + * + * @return builder + * + */ public Builder oauth2DeviceAuthorizationGrantEnabled(@Nullable Output oauth2DeviceAuthorizationGrantEnabled) { $.oauth2DeviceAuthorizationGrantEnabled = oauth2DeviceAuthorizationGrantEnabled; return this; } + /** + * @param oauth2DeviceAuthorizationGrantEnabled Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + * + * @return builder + * + */ public Builder oauth2DeviceAuthorizationGrantEnabled(Boolean oauth2DeviceAuthorizationGrantEnabled) { return oauth2DeviceAuthorizationGrantEnabled(Output.of(oauth2DeviceAuthorizationGrantEnabled)); } + /** + * @param oauth2DeviceCodeLifespan The maximum amount of time a client has to finish the device code flow before it expires. 
+ * + * @return builder + * + */ public Builder oauth2DeviceCodeLifespan(@Nullable Output oauth2DeviceCodeLifespan) { $.oauth2DeviceCodeLifespan = oauth2DeviceCodeLifespan; return this; } + /** + * @param oauth2DeviceCodeLifespan The maximum amount of time a client has to finish the device code flow before it expires. + * + * @return builder + * + */ public Builder oauth2DeviceCodeLifespan(String oauth2DeviceCodeLifespan) { return oauth2DeviceCodeLifespan(Output.of(oauth2DeviceCodeLifespan)); } + /** + * @param oauth2DevicePollingInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + * @return builder + * + */ public Builder oauth2DevicePollingInterval(@Nullable Output oauth2DevicePollingInterval) { $.oauth2DevicePollingInterval = oauth2DevicePollingInterval; return this; } + /** + * @param oauth2DevicePollingInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + * + * @return builder + * + */ public Builder oauth2DevicePollingInterval(String oauth2DevicePollingInterval) { return oauth2DevicePollingInterval(Output.of(oauth2DevicePollingInterval)); } + /** + * @param pkceCodeChallengeMethod The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + * @return builder + * + */ public Builder pkceCodeChallengeMethod(@Nullable Output pkceCodeChallengeMethod) { $.pkceCodeChallengeMethod = pkceCodeChallengeMethod; return this; } + /** + * @param pkceCodeChallengeMethod The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + * + * @return builder + * + */ public Builder pkceCodeChallengeMethod(String pkceCodeChallengeMethod) { return pkceCodeChallengeMethod(Output.of(pkceCodeChallengeMethod)); } + /** + * @param realmId The realm this client is attached to. 
+ * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client is attached to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param resourceServerId (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + * + * @return builder + * + */ public Builder resourceServerId(@Nullable Output resourceServerId) { $.resourceServerId = resourceServerId; return this; } + /** + * @param resourceServerId (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + * + * @return builder + * + */ public Builder resourceServerId(String resourceServerId) { return resourceServerId(Output.of(resourceServerId)); } + /** + * @param rootUrl When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + * + * @return builder + * + */ public Builder rootUrl(@Nullable Output rootUrl) { $.rootUrl = rootUrl; return this; } + /** + * @param rootUrl When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. 
+ * + * @return builder + * + */ public Builder rootUrl(String rootUrl) { return rootUrl(Output.of(rootUrl)); } + /** + * @param serviceAccountUserId (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + * + * @return builder + * + */ public Builder serviceAccountUserId(@Nullable Output serviceAccountUserId) { $.serviceAccountUserId = serviceAccountUserId; return this; } + /** + * @param serviceAccountUserId (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + * + * @return builder + * + */ public Builder serviceAccountUserId(String serviceAccountUserId) { return serviceAccountUserId(Output.of(serviceAccountUserId)); } + /** + * @param serviceAccountsEnabled When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder serviceAccountsEnabled(@Nullable Output serviceAccountsEnabled) { $.serviceAccountsEnabled = serviceAccountsEnabled; return this; } + /** + * @param serviceAccountsEnabled When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder serviceAccountsEnabled(Boolean serviceAccountsEnabled) { return serviceAccountsEnabled(Output.of(serviceAccountsEnabled)); } + /** + * @param standardFlowEnabled When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + * + * @return builder + * + */ public Builder standardFlowEnabled(@Nullable Output standardFlowEnabled) { $.standardFlowEnabled = standardFlowEnabled; return this; } + /** + * @param standardFlowEnabled When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. 
+ * + * @return builder + * + */ public Builder standardFlowEnabled(Boolean standardFlowEnabled) { return standardFlowEnabled(Output.of(standardFlowEnabled)); } + /** + * @param useRefreshTokens If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + * + * @return builder + * + */ public Builder useRefreshTokens(@Nullable Output useRefreshTokens) { $.useRefreshTokens = useRefreshTokens; return this; } + /** + * @param useRefreshTokens If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + * + * @return builder + * + */ public Builder useRefreshTokens(Boolean useRefreshTokens) { return useRefreshTokens(Output.of(useRefreshTokens)); } + /** + * @param useRefreshTokensClientCredentials If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + * + * @return builder + * + */ public Builder useRefreshTokensClientCredentials(@Nullable Output useRefreshTokensClientCredentials) { $.useRefreshTokensClientCredentials = useRefreshTokensClientCredentials; return this; } + /** + * @param useRefreshTokensClientCredentials If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. 
+ * + * @return builder + * + */ public Builder useRefreshTokensClientCredentials(Boolean useRefreshTokensClientCredentials) { return useRefreshTokensClientCredentials(Output.of(useRefreshTokensClientCredentials)); } + /** + * @param validPostLogoutRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + * @return builder + * + */ public Builder validPostLogoutRedirectUris(@Nullable Output> validPostLogoutRedirectUris) { $.validPostLogoutRedirectUris = validPostLogoutRedirectUris; return this; } + /** + * @param validPostLogoutRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + * @return builder + * + */ public Builder validPostLogoutRedirectUris(List validPostLogoutRedirectUris) { return validPostLogoutRedirectUris(Output.of(validPostLogoutRedirectUris)); } + /** + * @param validPostLogoutRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful logout. + * + * @return builder + * + */ public Builder validPostLogoutRedirectUris(String... validPostLogoutRedirectUris) { return validPostLogoutRedirectUris(List.of(validPostLogoutRedirectUris)); } + /** + * @param validRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + * @return builder + * + */ public Builder validRedirectUris(@Nullable Output> validRedirectUris) { $.validRedirectUris = validRedirectUris; return this; } + /** + * @param validRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. 
+ * + * @return builder + * + */ public Builder validRedirectUris(List validRedirectUris) { return validRedirectUris(Output.of(validRedirectUris)); } + /** + * @param validRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + * is set to `true`. + * + * @return builder + * + */ public Builder validRedirectUris(String... validRedirectUris) { return validRedirectUris(List.of(validRedirectUris)); } + /** + * @param webOrigins A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + * @return builder + * + */ public Builder webOrigins(@Nullable Output> webOrigins) { $.webOrigins = webOrigins; return this; } + /** + * @param webOrigins A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + * @return builder + * + */ public Builder webOrigins(List webOrigins) { return webOrigins(Output.of(webOrigins)); } + /** + * @param webOrigins A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + * + * @return builder + * + */ public Builder webOrigins(String... webOrigins) { return webOrigins(List.of(webOrigins)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/FullNameProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/FullNameProtocolMapperState.java index 60924624..9a795784 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/FullNameProtocolMapperState.java 
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/FullNameProtocolMapperState.java 
@@ -16,36 +16,60 @@ public final class FullNameProtocolMapperState extends com.pulumi.resources.Reso public static final FullNameProtocolMapperState Empty = new FullNameProtocolMapperState(); + /** + * Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + * + */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; + /** + * @return Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + * + */ public Optional> addToAccessToken() { return Optional.ofNullable(this.addToAccessToken); } + /** + * Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; + /** + * @return Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + */ public Optional> addToIdToken() { return Optional.ofNullable(this.addToIdToken); } + /** + * Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; + /** + * @return Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. 
* */ public Optional> clientId() { @@ -53,14 +77,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { @@ -68,14 +92,14 @@ public Optional> clientScopeId() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -83,14 +107,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Optional> realmId() { 
@@ -127,35 +151,71 @@ public Builder(FullNameProtocolMapperState defaults) { $ = new FullNameProtocolMapperState(Objects.requireNonNull(defaults)); } + /** + * @param addToAccessToken Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToAccessToken(@Nullable Output addToAccessToken) { $.addToAccessToken = addToAccessToken; return this; } + /** + * @param addToAccessToken Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToAccessToken(Boolean addToAccessToken) { return addToAccessToken(Output.of(addToAccessToken)); } + /** + * @param addToIdToken Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToIdToken(@Nullable Output addToIdToken) { $.addToIdToken = addToIdToken; return this; } + /** + * @param addToIdToken Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToIdToken(Boolean addToIdToken) { return addToIdToken(Output.of(addToIdToken)); } + /** + * @param addToUserinfo Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + * @return builder + * + */ public Builder addToUserinfo(@Nullable Output addToUserinfo) { $.addToUserinfo = addToUserinfo; return this; } + /** + * @param addToUserinfo Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + * + * @return builder + * + */ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. 
+ * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -166,7 +226,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -176,7 +236,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -187,7 +247,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -197,7 +257,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -208,7 +268,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * 
@@ -218,7 +278,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -229,7 +289,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GetClientArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GetClientArgs.java index 46db7cd4..6fd902a8 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GetClientArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GetClientArgs.java @@ -18,9 +18,17 @@ public final class GetClientArgs extends com.pulumi.resources.InvokeArgs { public static final GetClientArgs Empty = new GetClientArgs(); + /** + * The client id (not its unique ID). + * + */ @Import(name="clientId", required=true) private Output clientId; + /** + * @return The client id (not its unique ID). + * + */ public Output clientId() { return this.clientId; } @@ -67,9 +75,17 @@ public Optional> oauth2DevicePollingInterval() { return Optional.ofNullable(this.oauth2DevicePollingInterval); } + /** + * The realm id. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm id. + * + */ public Output realmId() { return this.realmId; } 
@@ -105,11 +121,23 @@ public Builder(GetClientArgs defaults) { $ = new GetClientArgs(Objects.requireNonNull(defaults)); } + /** + * @param clientId The client id (not its unique ID). + * + * @return builder + * + */ public Builder clientId(Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The client id (not its unique ID). + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } @@ -168,11 +196,23 @@ public Builder oauth2DevicePollingInterval(String oauth2DevicePollingInterval) { return oauth2DevicePollingInterval(Output.of(oauth2DevicePollingInterval)); } + /** + * @param realmId The realm id. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm id. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GetClientPlainArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GetClientPlainArgs.java index 4c2112b2..3b3cd6da 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GetClientPlainArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GetClientPlainArgs.java @@ -17,9 +17,17 @@ public final class GetClientPlainArgs extends com.pulumi.resources.InvokeArgs { public static final GetClientPlainArgs Empty = new GetClientPlainArgs(); + /** + * The client id (not its unique ID). + * + */ @Import(name="clientId", required=true) private String clientId; + /** + * @return The client id (not its unique ID). + * + */ public String clientId() { return this.clientId; } 
@@ -66,9 +74,17 @@ public Optional oauth2DevicePollingInterval() { return Optional.ofNullable(this.oauth2DevicePollingInterval); } + /** + * The realm id. + * + */ @Import(name="realmId", required=true) private String realmId; + /** + * @return The realm id. + * + */ public String realmId() { return this.realmId; } @@ -104,6 +120,12 @@ public Builder(GetClientPlainArgs defaults) { $ = new GetClientPlainArgs(Objects.requireNonNull(defaults)); } + /** + * @param clientId The client id (not its unique ID). + * + * @return builder + * + */ public Builder clientId(String clientId) { $.clientId = clientId; return this; @@ -139,6 +161,12 @@ public Builder oauth2DevicePollingInterval(@Nullable String oauth2DevicePollingI return this; } + /** + * @param realmId The realm id. + * + * @return builder + * + */ public Builder realmId(String realmId) { $.realmId = realmId; return this; diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GroupMembershipProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GroupMembershipProtocolMapperState.java index 14a1a5c1..f9a3e548 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GroupMembershipProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/GroupMembershipProtocolMapperState.java 
@@ -16,43 +16,75 @@ public final class GroupMembershipProtocolMapperState extends com.pulumi.resourc public static final GroupMembershipProtocolMapperState Empty = new GroupMembershipProtocolMapperState(); + /** + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; + /** + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + */ public Optional> addToAccessToken() { return Optional.ofNullable(this.addToAccessToken); } + /** + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; + /** + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + */ public Optional> addToIdToken() { return Optional.ofNullable(this.addToIdToken); } + /** + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; + /** + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + * + */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName") private @Nullable Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Optional> claimName() { return Optional.ofNullable(this.claimName); } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. 
* */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -60,36 +92,44 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { return Optional.ofNullable(this.clientScopeId); } + /** + * Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + */ @Import(name="fullPath") private @Nullable Output fullPath; + /** + * @return Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + */ public Optional> fullPath() { return Optional.ofNullable(this.fullPath); } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { 
@@ -97,14 +137,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Optional> realmId() { 
@@ -143,44 +183,92 @@ public Builder(GroupMembershipProtocolMapperState defaults) { $ = new GroupMembershipProtocolMapperState(Objects.requireNonNull(defaults)); } + /** + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToAccessToken(@Nullable Output addToAccessToken) { $.addToAccessToken = addToAccessToken; return this; } + /** + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToAccessToken(Boolean addToAccessToken) { return addToAccessToken(Output.of(addToAccessToken)); } + /** + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToIdToken(@Nullable Output addToIdToken) { $.addToIdToken = addToIdToken; return this; } + /** + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. + * + * @return builder + * + */ public Builder addToIdToken(Boolean addToIdToken) { return addToIdToken(Output.of(addToIdToken)); } + /** + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + * + * @return builder + * + */ public Builder addToUserinfo(@Nullable Output addToUserinfo) { $.addToUserinfo = addToUserinfo; return this; } + /** + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + * + * @return builder + * + */ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } + /** + * @param claimName The name of the claim to insert into a token. 
+ * + * @return builder + * + */ public Builder claimName(@Nullable Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -191,7 +279,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -201,7 +289,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -212,7 +300,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -221,17 +309,29 @@ public Builder clientScopeId(String clientScopeId) { return clientScopeId(Output.of(clientScopeId)); } + /** + * @param fullPath Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + * @return builder + * + */ public Builder fullPath(@Nullable Output fullPath) { $.fullPath = fullPath; return this; } + /** + * @param fullPath Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + * + * @return builder + * + */ public Builder fullPath(Boolean fullPath) { return fullPath(Output.of(fullPath)); } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -242,7 +342,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -252,7 +352,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -263,7 +363,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/HardcodedClaimProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/HardcodedClaimProtocolMapperState.java index 06823d00..49774631 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/HardcodedClaimProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/HardcodedClaimProtocolMapperState.java 
@@ -17,14 +17,14 @@ public final class HardcodedClaimProtocolMapperState extends com.pulumi.resource public static final HardcodedClaimProtocolMapperState Empty = new HardcodedClaimProtocolMapperState(); /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if the attribute should be a claim in the access token. + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ public Optional> addToAccessToken() { @@ -32,14 +32,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if the attribute should be a claim in the id token. + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ public Optional> addToIdToken() { 
@@ -47,43 +47,59 @@ public Optional> addToIdToken() { } /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; /** - * @return Indicates if the attribute should appear in the userinfo response body. + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName") private @Nullable Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Optional> claimName() { return Optional.ofNullable(this.claimName); } + /** + * The hardcoded value of the claim. + * + */ @Import(name="claimValue") private @Nullable Output claimValue; + /** + * @return The hardcoded value of the claim. + * + */ public Optional> claimValue() { return Optional.ofNullable(this.claimValue); } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Import(name="claimValueType") private @Nullable Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Optional> claimValueType() { 
@@ -91,14 +107,14 @@ public Optional> claimValueType() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -106,14 +122,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { @@ -121,14 +137,14 @@ public Optional> clientScopeId() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { 
@@ -136,14 +152,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Optional> realmId() { @@ -184,7 +200,7 @@ public Builder(HardcodedClaimProtocolMapperState defaults) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -195,7 +211,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -205,7 +221,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -216,7 +232,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * 
@@ -226,7 +242,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -237,7 +253,7 @@ public Builder addToUserinfo(@Nullable Output addToUserinfo) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -246,26 +262,50 @@ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(@Nullable Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } + /** + * @param claimValue The hardcoded value of the claim. + * + * @return builder + * + */ public Builder claimValue(@Nullable Output claimValue) { $.claimValue = claimValue; return this; } + /** + * @param claimValue The hardcoded value of the claim. + * + * @return builder + * + */ public Builder claimValue(String claimValue) { return claimValue(Output.of(claimValue)); } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * 
@@ -276,7 +316,7 @@ public Builder claimValueType(@Nullable Output claimValueType) { } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -286,7 +326,7 @@ public Builder claimValueType(String claimValueType) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -297,7 +337,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -307,7 +347,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -318,7 +358,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -328,7 +368,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -339,7 +379,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -349,7 +389,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -360,7 +400,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/HardcodedRoleProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/HardcodedRoleProtocolMapperState.java index 3fb63899..5ea791d7 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/HardcodedRoleProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/HardcodedRoleProtocolMapperState.java 
@@ -16,14 +16,14 @@ public final class HardcodedRoleProtocolMapperState extends com.pulumi.resources public static final HardcodedRoleProtocolMapperState Empty = new HardcodedRoleProtocolMapperState(); /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -31,14 +31,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { @@ -46,14 +46,14 @@ public Optional> clientScopeId() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { 
@@ -61,23 +61,31 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * The ID of the role to map to an access token. + * + */ @Import(name="roleId") private @Nullable Output roleId; + /** + * @return The ID of the role to map to an access token. + * + */ public Optional> roleId() { return Optional.ofNullable(this.roleId); } @@ -111,7 +119,7 @@ public Builder(HardcodedRoleProtocolMapperState defaults) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -122,7 +130,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -132,7 +140,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -143,7 +151,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -153,7 +161,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -164,7 +172,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -174,7 +182,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -185,7 +193,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -194,11 +202,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param roleId The ID of the role to map to an access token. + * + * @return builder + * + */ public Builder roleId(@Nullable Output roleId) { $.roleId = roleId; return this; } + /** + * @param roleId The ID of the role to map to an access token. + * + * @return builder + * + */ public Builder roleId(String roleId) { return roleId(Output.of(roleId)); } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserAttributeProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserAttributeProtocolMapperState.java index 6ee98001..f441032a 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserAttributeProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserAttributeProtocolMapperState.java @@ -17,14 +17,14 @@ public final class UserAttributeProtocolMapperState extends com.pulumi.resources public static final UserAttributeProtocolMapperState Empty = new UserAttributeProtocolMapperState(); /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if the attribute should be a claim in the access token. + * @return Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * */ public Optional> addToAccessToken() { @@ -32,14 +32,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if the attribute should be a claim in the id token. + * @return Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. * */ public Optional> addToIdToken() { 
@@ -47,14 +47,14 @@ public Optional> addToIdToken() { } /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; /** - * @return Indicates if the attribute should appear in the userinfo response body. + * @return Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Optional> addToUserinfo() { @@ -62,36 +62,44 @@ public Optional> addToUserinfo() { } /** - * Indicates if attribute values should be aggregated within the group attributes + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ @Import(name="aggregateAttributes") private @Nullable Output aggregateAttributes; /** - * @return Indicates if attribute values should be aggregated within the group attributes + * @return Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ public Optional> aggregateAttributes() { return Optional.ofNullable(this.aggregateAttributes); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName") private @Nullable Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Optional> claimName() { return Optional.ofNullable(this.claimName); } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Import(name="claimValueType") private @Nullable Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Optional> claimValueType() { 
@@ -99,14 +107,14 @@ public Optional> claimValueType() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -114,14 +122,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { @@ -129,14 +137,14 @@ public Optional> clientScopeId() { } /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ @Import(name="multivalued") private @Nullable Output multivalued; /** - * @return Indicates whether this attribute is a single value or an array of values. + * @return Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * */ public Optional> multivalued() { 
@@ -144,14 +152,14 @@ public Optional> multivalued() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -159,23 +167,31 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * The custom user attribute to map a claim for. + * + */ @Import(name="userAttribute") private @Nullable Output userAttribute; + /** + * @return The custom user attribute to map a claim for. + * + */ public Optional> userAttribute() { return Optional.ofNullable(this.userAttribute); } @@ -216,7 +232,7 @@ public Builder(UserAttributeProtocolMapperState defaults) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -227,7 +243,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. * * @return builder * 
@@ -237,7 +253,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -248,7 +264,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -258,7 +274,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -269,7 +285,7 @@ public Builder addToUserinfo(@Nullable Output addToUserinfo) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -279,7 +295,7 @@ public Builder addToUserinfo(Boolean addToUserinfo) { } /** - * @param aggregateAttributes Indicates if attribute values should be aggregated within the group attributes + * @param aggregateAttributes Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * * @return builder * @@ -290,7 +306,7 @@ public Builder aggregateAttributes(@Nullable Output aggregateAttributes } /** - * @param aggregateAttributes Indicates if attribute values should be aggregated within the group attributes + * @param aggregateAttributes Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * * @return builder * 
@@ -299,17 +315,29 @@ public Builder aggregateAttributes(Boolean aggregateAttributes) { return aggregateAttributes(Output.of(aggregateAttributes)); } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(@Nullable Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -320,7 +348,7 @@ public Builder claimValueType(@Nullable Output claimValueType) { } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -330,7 +358,7 @@ public Builder claimValueType(String claimValueType) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -341,7 +369,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -351,7 +379,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -362,7 +390,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -372,7 +400,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param multivalued Indicates whether this attribute is a single value or an array of values. + * @param multivalued Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * * @return builder * @@ -383,7 +411,7 @@ public Builder multivalued(@Nullable Output multivalued) { } /** - * @param multivalued Indicates whether this attribute is a single value or an array of values. + * @param multivalued Indicates whether this attribute is a single value or an array of values. Defaults to `false`. * * @return builder * @@ -393,7 +421,7 @@ public Builder multivalued(Boolean multivalued) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -404,7 +432,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * 
@@ -414,7 +442,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -425,7 +453,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -434,11 +462,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param userAttribute The custom user attribute to map a claim for. + * + * @return builder + * + */ public Builder userAttribute(@Nullable Output userAttribute) { $.userAttribute = userAttribute; return this; } + /** + * @param userAttribute The custom user attribute to map a claim for. + * + * @return builder + * + */ public Builder userAttribute(String userAttribute) { return userAttribute(Output.of(userAttribute)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserPropertyProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserPropertyProtocolMapperState.java index a489adb1..8ad253ce 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserPropertyProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserPropertyProtocolMapperState.java 
@@ -17,14 +17,14 @@ public final class UserPropertyProtocolMapperState extends com.pulumi.resources. public static final UserPropertyProtocolMapperState Empty = new UserPropertyProtocolMapperState(); /** - * Indicates if the property should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if the property should be a claim in the access token. + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ public Optional> addToAccessToken() { @@ -32,14 +32,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if the property should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if the property should be a claim in the id token. + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ public Optional> addToIdToken() { 
@@ -47,36 +47,44 @@ public Optional> addToIdToken() { } /** - * Indicates if the property should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; /** - * @return Indicates if the property should appear in the userinfo response body. + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName") private @Nullable Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Optional> claimName() { return Optional.ofNullable(this.claimName); } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Import(name="claimValueType") private @Nullable Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Optional> claimValueType() { 
@@ -84,14 +92,14 @@ public Optional> claimValueType() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -99,14 +107,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * */ public Optional> clientScopeId() { @@ -114,14 +122,14 @@ public Optional> clientScopeId() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { 
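Review bot: The new javadoc for `clientScopeId` in UserPropertyProtocolMapperState (hunk `@@ -99,14 +107,14 @@`, both the field comment and the `@return` line) carries a duplicated fragment: after "One of `client_id` or `client_scope_id` must be specified." it repeats "`client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.", which reads like a leftover argument-reference bullet rather than intended wording. The same text recurs in the two `@param clientScopeId` builder comments of this file (the hunks at `-298` and `-309` further down). The sibling state classes in this diff (HardcodedRoleProtocolMapperState, UserAttributeProtocolMapperState, UserRealmRoleProtocolMapperState) end that sentence at "must be specified.", so trimming the trailing fragment would make the four files consistent. This file is presumably generated from the provider schema, so the correction belongs in the upstream description the generator consumes rather than in a hand edit of the SDK source.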
@@ -129,23 +137,31 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * The built in user property (such as email) to map a claim for. + * + */ @Import(name="userProperty") private @Nullable Output userProperty; + /** + * @return The built in user property (such as email) to map a claim for. + * + */ public Optional> userProperty() { return Optional.ofNullable(this.userProperty); } @@ -184,7 +200,7 @@ public Builder(UserPropertyProtocolMapperState defaults) { } /** - * @param addToAccessToken Indicates if the property should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -195,7 +211,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if the property should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -205,7 +221,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if the property should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * 
@@ -216,7 +232,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if the property should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -226,7 +242,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param addToUserinfo Indicates if the property should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -237,7 +253,7 @@ public Builder addToUserinfo(@Nullable Output addToUserinfo) { } /** - * @param addToUserinfo Indicates if the property should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -246,17 +262,29 @@ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(@Nullable Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * 
@@ -267,7 +295,7 @@ public Builder claimValueType(@Nullable Output claimValueType) { } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -277,7 +305,7 @@ public Builder claimValueType(String claimValueType) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -288,7 +316,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -298,7 +326,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * * @return builder * 
@@ -309,7 +337,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. * * @return builder * @@ -319,7 +347,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -330,7 +358,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -340,7 +368,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -351,7 +379,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * 
@@ -360,11 +388,23 @@ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param userProperty The built in user property (such as email) to map a claim for. + * + * @return builder + * + */ public Builder userProperty(@Nullable Output userProperty) { $.userProperty = userProperty; return this; } + /** + * @param userProperty The built in user property (such as email) to map a claim for. + * + * @return builder + * + */ public Builder userProperty(String userProperty) { return userProperty(Output.of(userProperty)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserRealmRoleProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserRealmRoleProtocolMapperState.java index f6a701c3..59d87e23 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserRealmRoleProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/UserRealmRoleProtocolMapperState.java @@ -17,14 +17,14 @@ public final class UserRealmRoleProtocolMapperState extends com.pulumi.resources public static final UserRealmRoleProtocolMapperState Empty = new UserRealmRoleProtocolMapperState(); /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ @Import(name="addToAccessToken") private @Nullable Output addToAccessToken; /** - * @return Indicates if the attribute should be a claim in the access token. + * @return Indicates if the property should be added as a claim to the access token. Defaults to `true`. * */ public Optional> addToAccessToken() { 
@@ -32,14 +32,14 @@ public Optional> addToAccessToken() { } /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ @Import(name="addToIdToken") private @Nullable Output addToIdToken; /** - * @return Indicates if the attribute should be a claim in the id token. + * @return Indicates if the property should be added as a claim to the id token. Defaults to `true`. * */ public Optional> addToIdToken() { @@ -47,36 +47,44 @@ public Optional> addToIdToken() { } /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ @Import(name="addToUserinfo") private @Nullable Output addToUserinfo; /** - * @return Indicates if the attribute should appear in the userinfo response body. + * @return Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * */ public Optional> addToUserinfo() { return Optional.ofNullable(this.addToUserinfo); } + /** + * The name of the claim to insert into a token. + * + */ @Import(name="claimName") private @Nullable Output claimName; + /** + * @return The name of the claim to insert into a token. + * + */ public Optional> claimName() { return Optional.ofNullable(this.claimName); } /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ @Import(name="claimValueType") private @Nullable Output claimValueType; /** - * @return Claim type used when serializing tokens. + * @return The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * */ public Optional> claimValueType() { 
@@ -84,14 +92,14 @@ public Optional> claimValueType() { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientId() { @@ -99,14 +107,14 @@ public Optional> clientId() { } /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The mapper's associated client scope. Cannot be used at the same time as client_id. + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * */ public Optional> clientScopeId() { 
@@ -114,14 +122,14 @@ public Optional> clientScopeId() { } /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * */ @Import(name="multivalued") private @Nullable Output multivalued; /** - * @return Indicates whether this attribute is a single value or an array of values. + * @return Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * */ public Optional> multivalued() { @@ -129,14 +137,14 @@ public Optional> multivalued() { } /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. * */ @Import(name="name") private @Nullable Output name; /** - * @return A human-friendly name that will appear in the Keycloak console. + * @return The display name of this protocol mapper in the GUI. * */ public Optional> name() { @@ -144,14 +152,14 @@ public Optional> name() { } /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm id where the associated client or client scope exists. + * @return The realm this protocol mapper exists within. * */ public Optional> realmId() { @@ -159,14 +167,14 @@ public Optional> realmId() { } /** - * Prefix that will be added to each realm role. + * A prefix for each Realm Role. * */ @Import(name="realmRolePrefix") private @Nullable Output realmRolePrefix; /** - * @return Prefix that will be added to each realm role. + * @return A prefix for each Realm Role. * */ public Optional> realmRolePrefix() { 
@@ -208,7 +216,7 @@ public Builder(UserRealmRoleProtocolMapperState defaults) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -219,7 +227,7 @@ public Builder addToAccessToken(@Nullable Output addToAccessToken) { } /** - * @param addToAccessToken Indicates if the attribute should be a claim in the access token. + * @param addToAccessToken Indicates if the property should be added as a claim to the access token. Defaults to `true`. * * @return builder * @@ -229,7 +237,7 @@ public Builder addToAccessToken(Boolean addToAccessToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -240,7 +248,7 @@ public Builder addToIdToken(@Nullable Output addToIdToken) { } /** - * @param addToIdToken Indicates if the attribute should be a claim in the id token. + * @param addToIdToken Indicates if the property should be added as a claim to the id token. Defaults to `true`. * * @return builder * @@ -250,7 +258,7 @@ public Builder addToIdToken(Boolean addToIdToken) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * @@ -261,7 +269,7 @@ public Builder addToUserinfo(@Nullable Output addToUserinfo) { } /** - * @param addToUserinfo Indicates if the attribute should appear in the userinfo response body. + * @param addToUserinfo Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. * * @return builder * 
@@ -270,17 +278,29 @@ public Builder addToUserinfo(Boolean addToUserinfo) { return addToUserinfo(Output.of(addToUserinfo)); } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(@Nullable Output claimName) { $.claimName = claimName; return this; } + /** + * @param claimName The name of the claim to insert into a token. + * + * @return builder + * + */ public Builder claimName(String claimName) { return claimName(Output.of(claimName)); } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -291,7 +311,7 @@ public Builder claimValueType(@Nullable Output claimValueType) { } /** - * @param claimValueType Claim type used when serializing tokens. + * @param claimValueType The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. * * @return builder * @@ -301,7 +321,7 @@ public Builder claimValueType(String claimValueType) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -312,7 +332,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * 
@@ -322,7 +342,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -333,7 +353,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. * * @return builder * @@ -343,7 +363,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param multivalued Indicates whether this attribute is a single value or an array of values. + * @param multivalued Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * * @return builder * @@ -354,7 +374,7 @@ public Builder multivalued(@Nullable Output multivalued) { } /** - * @param multivalued Indicates whether this attribute is a single value or an array of values. + * @param multivalued Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. * * @return builder * @@ -364,7 +384,7 @@ public Builder multivalued(Boolean multivalued) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * 
@@ -375,7 +395,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name A human-friendly name that will appear in the Keycloak console. + * @param name The display name of this protocol mapper in the GUI. * * @return builder * @@ -385,7 +405,7 @@ public Builder name(String name) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -396,7 +416,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm id where the associated client or client scope exists. + * @param realmId The realm this protocol mapper exists within. * * @return builder * @@ -406,7 +426,7 @@ public Builder realmId(String realmId) { } /** - * @param realmRolePrefix Prefix that will be added to each realm role. + * @param realmRolePrefix A prefix for each Realm Role. * * @return builder * @@ -417,7 +437,7 @@ public Builder realmRolePrefix(@Nullable Output realmRolePrefix) { } /** - * @param realmRolePrefix Prefix that will be added to each realm role. + * @param realmRolePrefix A prefix for each Realm Role. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/outputs/ClientAuthenticationFlowBindingOverrides.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/outputs/ClientAuthenticationFlowBindingOverrides.java index 0cf71a45..d959cb65 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/outputs/ClientAuthenticationFlowBindingOverrides.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/outputs/ClientAuthenticationFlowBindingOverrides.java 
@@ -11,13 +11,29 @@ @CustomType public final class ClientAuthenticationFlowBindingOverrides { + /** + * @return Browser flow id, (flow needs to exist) + * + */ private @Nullable String browserId; + /** + * @return Direct grant flow id (flow needs to exist) + * + */ private @Nullable String directGrantId; private ClientAuthenticationFlowBindingOverrides() {} + /** + * @return Browser flow id, (flow needs to exist) + * + */ public Optional browserId() { return Optional.ofNullable(this.browserId); } + /** + * @return Direct grant flow id (flow needs to exist) + * + */ public Optional directGrantId() { return Optional.ofNullable(this.directGrantId); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/outputs/ClientAuthorization.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/outputs/ClientAuthorization.java index c47bdcaf..20de5486 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/outputs/ClientAuthorization.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/outputs/ClientAuthorization.java 
@@ -13,21 +13,53 @@ @CustomType public final class ClientAuthorization { + /** + * @return When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + * + */ private @Nullable Boolean allowRemoteResourceManagement; + /** + * @return Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + * + */ private @Nullable String decisionStrategy; + /** + * @return When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + * + */ private @Nullable Boolean keepDefaults; + /** + * @return Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + * + */ private String policyEnforcementMode; private ClientAuthorization() {} + /** + * @return When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + * + */ public Optional allowRemoteResourceManagement() { return Optional.ofNullable(this.allowRemoteResourceManagement); } + /** + * @return Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + * + */ public Optional decisionStrategy() { return Optional.ofNullable(this.decisionStrategy); } + /** + * @return When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + * + */ public Optional keepDefaults() { return Optional.ofNullable(this.keepDefaults); } + /** + * @return Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + * + */ public String policyEnforcementMode() { return this.policyEnforcementMode; } 
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRealmKeysKey.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRealmKeysKey.java
index 81552caf..2b083df5 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRealmKeysKey.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRealmKeysKey.java
@@ -11,37 +11,101 @@ @CustomType public final class GetRealmKeysKey { + /** + * @return Key algorithm (string) + * + */ private String algorithm; + /** + * @return Key certificate (string) + * + */ private String certificate; + /** + * @return Key ID (string) + * + */ private String kid; + /** + * @return Key provider ID (string) + * + */ private String providerId; + /** + * @return Key provider priority (int64) + * + */ private Integer providerPriority; + /** + * @return Key public key (string) + * + */ private String publicKey; + /** + * @return When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + */ private String status; + /** + * @return Key type (string) + * + */ private String type; private GetRealmKeysKey() {} + /** + * @return Key algorithm (string) + * + */ public String algorithm() { return this.algorithm; } + /** + * @return Key certificate (string) + * + */ public String certificate() { return this.certificate; } + /** + * @return Key ID (string) + * + */ public String kid() { return this.kid; } + /** + * @return Key provider ID (string) + * + */ public String providerId() { return this.providerId; } + /** + * @return Key provider priority (int64) + * + */ public Integer providerPriority() { return this.providerPriority; } + /** + * @return Key public key (string) + * + */ public String publicKey() { return this.publicKey; } + /** + * @return When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + * + */ public String status() { return this.status; } + /** + * @return Key type (string) + * + */ public String type() { return this.type; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRealmKeysResult.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRealmKeysResult.java index c2a2d8a4..20e588ca 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRealmKeysResult.java 
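Review bot: The Javadoc added for `status` in this hunk ("When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`.") describes a filter argument, yet the field is a single `String` on one result key; the description that fits it is the one the next hunk (`GetRealmKeysResult`, `@@ -19,8 +19,16 @@`) attaches to the `List statuses` filter, "Key status (string)". The two descriptions appear to have been swapped, so `status` should read `@return Key status (string)` and `statuses` should carry the "When specified, keys will be filtered by status…" text. In that same next hunk the `keys` Javadoc ends with "Each key has the following attributes:" and nothing follows, so the trailing clause should be dropped. These are generated files; the correction presumably belongs in the upstream data-source docs the SDK is rendered from.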
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRealmKeysResult.java @@ -19,8 +19,16 @@ public final class GetRealmKeysResult { * */ private String id; + /** + * @return (Computed) A list of keys that match the filter criteria. Each key has the following attributes: + * + */ private List keys; private String realmId; + /** + * @return Key status (string) + * + */ private @Nullable List statuses; private GetRealmKeysResult() {} @@ -34,12 +42,20 @@ public List algorithms() { public String id() { return this.id; } + /** + * @return (Computed) A list of keys that match the filter criteria. Each key has the following attributes: + * + */ public List keys() { return this.keys; } public String realmId() { return this.realmId; } + /** + * @return Key status (string) + * + */ public List statuses() { return this.statuses == null ? List.of() : this.statuses; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRoleResult.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRoleResult.java index 8b0dfe53..59b9b528 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRoleResult.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/GetRoleResult.java @@ -17,6 +17,10 @@ public final class GetRoleResult { private Map attributes; private @Nullable String clientId; private List compositeRoles; + /** + * @return (Computed) The description of the role. + * + */ private String description; /** * @return The provider-assigned unique ID for this managed resource. @@ -36,6 +40,10 @@ public Optional clientId() { public List compositeRoles() { return this.compositeRoles; } + /** + * @return (Computed) The description of the role. + * + */ public String description() { return this.description; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmInternationalization.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmInternationalization.java index f15c4baf..e3e8efcd 100644 
--- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmInternationalization.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmInternationalization.java @@ -11,13 +11,29 @@ @CustomType public final class RealmInternationalization { + /** + * @return The locale to use by default. This locale code must be present within the `supported_locales` list. + * + */ private String defaultLocale; + /** + * @return A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + * + */ private List supportedLocales; private RealmInternationalization() {} + /** + * @return The locale to use by default. This locale code must be present within the `supported_locales` list. + * + */ public String defaultLocale() { return this.defaultLocale; } + /** + * @return A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + * + */ public List supportedLocales() { return this.supportedLocales; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmOtpPolicy.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmOtpPolicy.java index 30d34134..362c13f2 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmOtpPolicy.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmOtpPolicy.java 
@@ -13,42 +13,74 @@ @CustomType public final class RealmOtpPolicy { /** - * @return What hashing algorithm should be used to generate the OTP. + * @return What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. * */ private @Nullable String algorithm; + /** + * @return How many digits the OTP have. Defaults to `6`. + * + */ private @Nullable Integer digits; + /** + * @return What should the initial counter value be. Defaults to `2`. + * + */ private @Nullable Integer initialCounter; + /** + * @return How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + * + */ private @Nullable Integer lookAheadWindow; + /** + * @return How many seconds should an OTP token be valid. Defaults to `30`. + * + */ private @Nullable Integer period; /** - * @return OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + * @return One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. * */ private @Nullable String type; private RealmOtpPolicy() {} /** - * @return What hashing algorithm should be used to generate the OTP. + * @return What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. * */ public Optional algorithm() { return Optional.ofNullable(this.algorithm); } + /** + * @return How many digits the OTP have. Defaults to `6`. + * + */ public Optional digits() { return Optional.ofNullable(this.digits); } + /** + * @return What should the initial counter value be. Defaults to `2`. + * + */ public Optional initialCounter() { return Optional.ofNullable(this.initialCounter); } + /** + * @return How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. 
Defaults to `1`. + * + */ public Optional lookAheadWindow() { return Optional.ofNullable(this.lookAheadWindow); } + /** + * @return How many seconds should an OTP token be valid. Defaults to `30`. + * + */ public Optional period() { return Optional.ofNullable(this.period); } /** - * @return OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + * @return One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. * */ public Optional type() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSecurityDefensesBruteForceDetection.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSecurityDefensesBruteForceDetection.java index 3af35deb..9cf20d7d 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSecurityDefensesBruteForceDetection.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSecurityDefensesBruteForceDetection.java 
@@ -12,33 +12,83 @@ @CustomType public final class RealmSecurityDefensesBruteForceDetection { + /** + * @return When will failure count be reset? + * + */ private @Nullable Integer failureResetTimeSeconds; private @Nullable Integer maxFailureWaitSeconds; + /** + * @return How many failures before wait is triggered. + * + */ private @Nullable Integer maxLoginFailures; + /** + * @return How long to wait after a quick login failure. + * - ` max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + * + */ private @Nullable Integer minimumQuickLoginWaitSeconds; + /** + * @return When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + * + */ private @Nullable Boolean permanentLockout; + /** + * @return Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + * + */ private @Nullable Integer quickLoginCheckMilliSeconds; + /** + * @return This represents the amount of time a user should be locked out when the login failure threshold has been met. + * + */ private @Nullable Integer waitIncrementSeconds; private RealmSecurityDefensesBruteForceDetection() {} + /** + * @return When will failure count be reset? + * + */ public Optional failureResetTimeSeconds() { return Optional.ofNullable(this.failureResetTimeSeconds); } public Optional maxFailureWaitSeconds() { return Optional.ofNullable(this.maxFailureWaitSeconds); } + /** + * @return How many failures before wait is triggered. + * + */ public Optional maxLoginFailures() { return Optional.ofNullable(this.maxLoginFailures); } + /** + * @return How long to wait after a quick login failure. + * - ` max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + * + */ public Optional minimumQuickLoginWaitSeconds() { return Optional.ofNullable(this.minimumQuickLoginWaitSeconds); } + /** + * @return When `true`, this will lock the user permanently when the user exceeds the maximum login failures. 
+ * + */ public Optional permanentLockout() { return Optional.ofNullable(this.permanentLockout); } + /** + * @return Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + * + */ public Optional quickLoginCheckMilliSeconds() { return Optional.ofNullable(this.quickLoginCheckMilliSeconds); } + /** + * @return This represents the amount of time a user should be locked out when the login failure threshold has been met. + * + */ public Optional waitIncrementSeconds() { return Optional.ofNullable(this.waitIncrementSeconds); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSecurityDefensesHeaders.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSecurityDefensesHeaders.java index 9164d31f..e170b713 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSecurityDefensesHeaders.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSecurityDefensesHeaders.java 
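Review bot: The Javadoc added for `minimumQuickLoginWaitSeconds` (field and accessor) carries a second line, `- ` max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out.`, which is the description of the neighbouring `maxFailureWaitSeconds` field — and that field together with `maxFailureWaitSeconds()` are the only members of the class still left without Javadoc after this change. Move the sentence onto them as `@return Max. time a user will be locked out.` and trim the `minimumQuickLoginWaitSeconds` doc to `@return How long to wait after a quick login failure.`. As generated code, the fix presumably belongs in the upstream docs this Javadoc is rendered from.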
@@ -11,37 +11,101 @@ @CustomType public final class RealmSecurityDefensesHeaders { + /** + * @return Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + * + */ private @Nullable String contentSecurityPolicy; + /** + * @return Used for testing Content Security Policies. + * + */ private @Nullable String contentSecurityPolicyReportOnly; + /** + * @return The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + * + */ private @Nullable String referrerPolicy; + /** + * @return The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + * + */ private @Nullable String strictTransportSecurity; + /** + * @return Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + * + */ private @Nullable String xContentTypeOptions; + /** + * @return Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + * + */ private @Nullable String xFrameOptions; + /** + * @return Prevent pages from appearing in search engines. + * + */ private @Nullable String xRobotsTag; + /** + * @return This header configures the Cross-site scripting (XSS) filter in your browser. + * + */ private @Nullable String xXssProtection; private RealmSecurityDefensesHeaders() {} + /** + * @return Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + * + */ public Optional contentSecurityPolicy() { return Optional.ofNullable(this.contentSecurityPolicy); } + /** + * @return Used for testing Content Security Policies. 
+ * + */ public Optional contentSecurityPolicyReportOnly() { return Optional.ofNullable(this.contentSecurityPolicyReportOnly); } + /** + * @return The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + * + */ public Optional referrerPolicy() { return Optional.ofNullable(this.referrerPolicy); } + /** + * @return The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + * + */ public Optional strictTransportSecurity() { return Optional.ofNullable(this.strictTransportSecurity); } + /** + * @return Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + * + */ public Optional xContentTypeOptions() { return Optional.ofNullable(this.xContentTypeOptions); } + /** + * @return Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + * + */ public Optional xFrameOptions() { return Optional.ofNullable(this.xFrameOptions); } + /** + * @return Prevent pages from appearing in search engines. + * + */ public Optional xRobotsTag() { return Optional.ofNullable(this.xRobotsTag); } + /** + * @return This header configures the Cross-site scripting (XSS) filter in your browser. + * + */ public Optional xXssProtection() { return Optional.ofNullable(this.xXssProtection); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSmtpServer.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSmtpServer.java index 5c921116..7319a46b 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSmtpServer.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSmtpServer.java 
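Review bot: The new Javadoc for `strictTransportSecurity` (field and accessor) names the header `Script-Transport-Security`; the header is `Strict-Transport-Security` (HSTS), so the text should read `The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.`. The `contentSecurityPolicy` description reduces CSP to preventing inclusion by non-origin iframes, which is only its `frame-ancestors` directive; wording such as `Sets the Content-Security-Policy header, which restricts the sources a page may load content from and which origins may frame it.` would not mislead an operator choosing a value. `xContentTypeOptions` shares the "can be used for prevent" wording and should read "to prevent". These are generated files, so the fix presumably belongs upstream in the description text the SDK is rendered from.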
@@ -14,45 +14,125 @@ @CustomType public final class RealmSmtpServer { + /** + * @return Enables authentication to the SMTP server. This block supports the following arguments: + * + */ private @Nullable RealmSmtpServerAuth auth; + /** + * @return The email address uses for bounces. + * + */ private @Nullable String envelopeFrom; + /** + * @return The email address for the sender. + * + */ private String from; + /** + * @return The display name of the sender email address. + * + */ private @Nullable String fromDisplayName; + /** + * @return The host of the SMTP server. + * + */ private String host; + /** + * @return The port of the SMTP server (defaults to 25). + * + */ private @Nullable String port; + /** + * @return The "reply to" email address. + * + */ private @Nullable String replyTo; + /** + * @return The display name of the "reply to" email address. + * + */ private @Nullable String replyToDisplayName; + /** + * @return When `true`, enables SSL. Defaults to `false`. + * + */ private @Nullable Boolean ssl; + /** + * @return When `true`, enables StartTLS. Defaults to `false`. + * + */ private @Nullable Boolean starttls; private RealmSmtpServer() {} + /** + * @return Enables authentication to the SMTP server. This block supports the following arguments: + * + */ public Optional auth() { return Optional.ofNullable(this.auth); } + /** + * @return The email address uses for bounces. + * + */ public Optional envelopeFrom() { return Optional.ofNullable(this.envelopeFrom); } + /** + * @return The email address for the sender. + * + */ public String from() { return this.from; } + /** + * @return The display name of the sender email address. + * + */ public Optional fromDisplayName() { return Optional.ofNullable(this.fromDisplayName); } + /** + * @return The host of the SMTP server. + * + */ public String host() { return this.host; } + /** + * @return The port of the SMTP server (defaults to 25). 
+ * + */ public Optional port() { return Optional.ofNullable(this.port); } + /** + * @return The "reply to" email address. + * + */ public Optional replyTo() { return Optional.ofNullable(this.replyTo); } + /** + * @return The display name of the "reply to" email address. + * + */ public Optional replyToDisplayName() { return Optional.ofNullable(this.replyToDisplayName); } + /** + * @return When `true`, enables SSL. Defaults to `false`. + * + */ public Optional ssl() { return Optional.ofNullable(this.ssl); } + /** + * @return When `true`, enables StartTLS. Defaults to `false`. + * + */ public Optional starttls() { return Optional.ofNullable(this.starttls); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSmtpServerAuth.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSmtpServerAuth.java index 3e653fb3..eaf7a4d5 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSmtpServerAuth.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmSmtpServerAuth.java @@ -10,13 +10,29 @@ @CustomType public final class RealmSmtpServerAuth { + /** + * @return The SMTP server password. + * + */ private String password; + /** + * @return The SMTP server username. + * + */ private String username; private RealmSmtpServerAuth() {} + /** + * @return The SMTP server password. + * + */ public String password() { return this.password; } + /** + * @return The SMTP server username. + * + */ public String username() { return this.username; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmWebAuthnPasswordlessPolicy.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmWebAuthnPasswordlessPolicy.java index 25a7cf81..060381b6 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmWebAuthnPasswordlessPolicy.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmWebAuthnPasswordlessPolicy.java 
@@ -14,6 +14,10 @@ @CustomType public final class RealmWebAuthnPasswordlessPolicy { + /** + * @return A set of AAGUIDs for which an authenticator can be registered. + * + */ private @Nullable List acceptableAaguids; /** * @return Either none, indirect or direct @@ -25,9 +29,25 @@ public final class RealmWebAuthnPasswordlessPolicy { * */ private @Nullable String authenticatorAttachment; + /** + * @return When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + */ private @Nullable Boolean avoidSameAuthenticatorRegister; + /** + * @return The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + */ private @Nullable Integer createTimeout; + /** + * @return A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + * + */ private @Nullable String relyingPartyEntityName; + /** + * @return The WebAuthn relying party ID. + * + */ private @Nullable String relyingPartyId; /** * @return Either Yes or No @@ -46,6 +66,10 @@ public final class RealmWebAuthnPasswordlessPolicy { private @Nullable String userVerificationRequirement; private RealmWebAuthnPasswordlessPolicy() {} + /** + * @return A set of AAGUIDs for which an authenticator can be registered. + * + */ public List acceptableAaguids() { return this.acceptableAaguids == null ? List.of() : this.acceptableAaguids; } 
@@ -63,15 +87,31 @@ public Optional attestationConveyancePreference() { public Optional authenticatorAttachment() { return Optional.ofNullable(this.authenticatorAttachment); } + /** + * @return When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + */ public Optional avoidSameAuthenticatorRegister() { return Optional.ofNullable(this.avoidSameAuthenticatorRegister); } + /** + * @return The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + */ public Optional createTimeout() { return Optional.ofNullable(this.createTimeout); } + /** + * @return A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + * + */ public Optional relyingPartyEntityName() { return Optional.ofNullable(this.relyingPartyEntityName); } + /** + * @return The WebAuthn relying party ID. + * + */ public Optional relyingPartyId() { return Optional.ofNullable(this.relyingPartyId); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmWebAuthnPolicy.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmWebAuthnPolicy.java index a93c4efb..eacce099 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmWebAuthnPolicy.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/RealmWebAuthnPolicy.java @@ -14,6 +14,10 @@ @CustomType public final class RealmWebAuthnPolicy { + /** + * @return A set of AAGUIDs for which an authenticator can be registered. + * + */ private @Nullable List acceptableAaguids; /** * @return Either none, indirect or direct 
@@ -25,9 +29,25 @@ public final class RealmWebAuthnPolicy { * */ private @Nullable String authenticatorAttachment; + /** + * @return When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + */ private @Nullable Boolean avoidSameAuthenticatorRegister; + /** + * @return The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + */ private @Nullable Integer createTimeout; + /** + * @return A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + * + */ private @Nullable String relyingPartyEntityName; + /** + * @return The WebAuthn relying party ID. + * + */ private @Nullable String relyingPartyId; /** * @return Either Yes or No @@ -46,6 +66,10 @@ public final class RealmWebAuthnPolicy { private @Nullable String userVerificationRequirement; private RealmWebAuthnPolicy() {} + /** + * @return A set of AAGUIDs for which an authenticator can be registered. + * + */ public List acceptableAaguids() { return this.acceptableAaguids == null ? List.of() : this.acceptableAaguids; } 
@@ -63,15 +87,31 @@ public Optional attestationConveyancePreference() { public Optional authenticatorAttachment() { return Optional.ofNullable(this.authenticatorAttachment); } + /** + * @return When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + * + */ public Optional avoidSameAuthenticatorRegister() { return Optional.ofNullable(this.avoidSameAuthenticatorRegister); } + /** + * @return The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + * + */ public Optional createTimeout() { return Optional.ofNullable(this.createTimeout); } + /** + * @return A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + * + */ public Optional relyingPartyEntityName() { return Optional.ofNullable(this.relyingPartyEntityName); } + /** + * @return The WebAuthn relying party ID. + * + */ public Optional relyingPartyId() { return Optional.ofNullable(this.relyingPartyId); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/UserFederatedIdentity.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/UserFederatedIdentity.java index e27c4f57..cce00e48 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/UserFederatedIdentity.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/UserFederatedIdentity.java 
@@ -10,17 +10,41 @@ @CustomType public final class UserFederatedIdentity { + /** + * @return The name of the identity provider + * + */ private String identityProvider; + /** + * @return The ID of the user defined in the identity provider + * + */ private String userId; + /** + * @return The user name of the user defined in the identity provider + * + */ private String userName; private UserFederatedIdentity() {} + /** + * @return The name of the identity provider + * + */ public String identityProvider() { return this.identityProvider; } + /** + * @return The ID of the user defined in the identity provider + * + */ public String userId() { return this.userId; } + /** + * @return The user name of the user defined in the identity provider + * + */ public String userName() { return this.userName; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/UserInitialPassword.java b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/UserInitialPassword.java index 866abaf3..2b377ede 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/outputs/UserInitialPassword.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/outputs/UserInitialPassword.java @@ -13,13 +13,29 @@ @CustomType public final class UserInitialPassword { + /** + * @return If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + * + */ private @Nullable Boolean temporary; + /** + * @return The initial password. + * + */ private String value; private UserInitialPassword() {} + /** + * @return If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + * + */ public Optional temporary() { return Optional.ofNullable(this.temporary); } + /** + * @return The initial password. + * + */ public String value() { return this.value; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/Client.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/Client.java index 00042fd1..7c4aec76 100644 
--- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/Client.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/Client.java 
@@ -19,93 +19,193 @@ import javax.annotation.Nullable; /** - * ## # keycloak.saml.Client - * * Allows for creating and managing Keycloak clients that use the SAML protocol. * - * Clients are entities that can use Keycloak for user authentication. Typically, - * clients are applications that redirect users to Keycloak for authentication - * in order to take advantage of Keycloak's user sessions for SSO. + * Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users + * to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO. * - * ### Import + * ## Import * * Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak + * * assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 + * ``` + * */ @ResourceType(type="keycloak:saml/client:Client") public class Client extends com.pulumi.resources.CustomResource { + /** + * SAML POST Binding URL for the client's assertion consumer service (login responses). + * + */ @Export(name="assertionConsumerPostUrl", refs={String.class}, tree="[0]") private Output assertionConsumerPostUrl; + /** + * @return SAML POST Binding URL for the client's assertion consumer service (login responses). + * + */ public Output> assertionConsumerPostUrl() { return Codegen.optional(this.assertionConsumerPostUrl); } + /** + * SAML Redirect Binding URL for the client's assertion consumer service (login responses). + * + */ @Export(name="assertionConsumerRedirectUrl", refs={String.class}, tree="[0]") private Output assertionConsumerRedirectUrl; + /** + * @return SAML Redirect Binding URL for the client's assertion consumer service (login responses). 
+ * + */ public Output> assertionConsumerRedirectUrl() { return Codegen.optional(this.assertionConsumerRedirectUrl); } + /** + * Override realm authentication flow bindings + * + */ @Export(name="authenticationFlowBindingOverrides", refs={ClientAuthenticationFlowBindingOverrides.class}, tree="[0]") private Output authenticationFlowBindingOverrides; + /** + * @return Override realm authentication flow bindings + * + */ public Output> authenticationFlowBindingOverrides() { return Codegen.optional(this.authenticationFlowBindingOverrides); } + /** + * When specified, this URL will be used whenever Keycloak needs to link to this client. + * + */ @Export(name="baseUrl", refs={String.class}, tree="[0]") private Output baseUrl; + /** + * @return When specified, this URL will be used whenever Keycloak needs to link to this client. + * + */ public Output> baseUrl() { return Codegen.optional(this.baseUrl); } + /** + * The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + * + */ @Export(name="canonicalizationMethod", refs={String.class}, tree="[0]") private Output canonicalizationMethod; + /** + * @return The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + * + */ public Output> canonicalizationMethod() { return Codegen.optional(this.canonicalizationMethod); } + /** + * The unique ID of this client, referenced in the URI during authentication and in issued tokens. + * + */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; + /** + * @return The unique ID of this client, referenced in the URI during authentication and in issued tokens. 
+ * + */ public Output clientId() { return this.clientId; } + /** + * When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + */ @Export(name="clientSignatureRequired", refs={Boolean.class}, tree="[0]") private Output clientSignatureRequired; + /** + * @return When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + */ public Output> clientSignatureRequired() { return Codegen.optional(this.clientSignatureRequired); } + /** + * The description of this client in the GUI. + * + */ @Export(name="description", refs={String.class}, tree="[0]") private Output description; + /** + * @return The description of this client in the GUI. + * + */ public Output> description() { return Codegen.optional(this.description); } + /** + * When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + */ @Export(name="enabled", refs={Boolean.class}, tree="[0]") private Output enabled; + /** + * @return When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + */ public Output> enabled() { return Codegen.optional(this.enabled); } + /** + * When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + * + */ @Export(name="encryptAssertions", refs={Boolean.class}, tree="[0]") private Output encryptAssertions; + /** + * @return When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. 
+ * + */ public Output> encryptAssertions() { return Codegen.optional(this.encryptAssertions); } + /** + * If assertions for the client are encrypted, this certificate will be used for encryption. + * + */ @Export(name="encryptionCertificate", refs={String.class}, tree="[0]") private Output encryptionCertificate; + /** + * @return If assertions for the client are encrypted, this certificate will be used for encryption. + * + */ public Output encryptionCertificate() { return this.encryptionCertificate; } + /** + * (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + * + */ @Export(name="encryptionCertificateSha1", refs={String.class}, tree="[0]") private Output encryptionCertificateSha1; + /** + * @return (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + * + */ public Output encryptionCertificateSha1() { return this.encryptionCertificateSha1; } 
@@ -115,147 +215,339 @@ public Output encryptionCertificateSha1() { public Output>> extraConfig() { return Codegen.optional(this.extraConfig); } + /** + * Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + */ @Export(name="forceNameIdFormat", refs={Boolean.class}, tree="[0]") private Output forceNameIdFormat; + /** + * @return Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + */ public Output> forceNameIdFormat() { return Codegen.optional(this.forceNameIdFormat); } + /** + * When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + */ @Export(name="forcePostBinding", refs={Boolean.class}, tree="[0]") private Output forcePostBinding; + /** + * @return When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + */ public Output> forcePostBinding() { return Codegen.optional(this.forcePostBinding); } + /** + * When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + * + */ @Export(name="frontChannelLogout", refs={Boolean.class}, tree="[0]") private Output frontChannelLogout; + /** + * @return When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + * + */ public Output> frontChannelLogout() { return Codegen.optional(this.frontChannelLogout); } + /** + * Allow to include all roles mappings in the access token + * + */ @Export(name="fullScopeAllowed", refs={Boolean.class}, tree="[0]") private Output fullScopeAllowed; + /** + * @return Allow to include all roles mappings in the access token + * + */ public Output> fullScopeAllowed() { return Codegen.optional(this.fullScopeAllowed); } + /** + * Relay state you want to send with SAML request when you want to do IDP Initiated SSO. 
+ * + */ @Export(name="idpInitiatedSsoRelayState", refs={String.class}, tree="[0]") private Output idpInitiatedSsoRelayState; + /** + * @return Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + * + */ public Output> idpInitiatedSsoRelayState() { return Codegen.optional(this.idpInitiatedSsoRelayState); } + /** + * URL fragment name to reference client when you want to do IDP Initiated SSO. + * + */ @Export(name="idpInitiatedSsoUrlName", refs={String.class}, tree="[0]") private Output idpInitiatedSsoUrlName; + /** + * @return URL fragment name to reference client when you want to do IDP Initiated SSO. + * + */ public Output> idpInitiatedSsoUrlName() { return Codegen.optional(this.idpInitiatedSsoUrlName); } + /** + * When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + * + */ @Export(name="includeAuthnStatement", refs={Boolean.class}, tree="[0]") private Output includeAuthnStatement; + /** + * @return When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + * + */ public Output> includeAuthnStatement() { return Codegen.optional(this.includeAuthnStatement); } + /** + * The login theme of this client. + * + */ @Export(name="loginTheme", refs={String.class}, tree="[0]") private Output loginTheme; + /** + * @return The login theme of this client. + * + */ public Output> loginTheme() { return Codegen.optional(this.loginTheme); } + /** + * SAML POST Binding URL for the client's single logout service. + * + */ @Export(name="logoutServicePostBindingUrl", refs={String.class}, tree="[0]") private Output logoutServicePostBindingUrl; + /** + * @return SAML POST Binding URL for the client's single logout service. + * + */ public Output> logoutServicePostBindingUrl() { return Codegen.optional(this.logoutServicePostBindingUrl); } + /** + * SAML Redirect Binding URL for the client's single logout service. 
+ * + */ @Export(name="logoutServiceRedirectBindingUrl", refs={String.class}, tree="[0]") private Output logoutServiceRedirectBindingUrl; + /** + * @return SAML Redirect Binding URL for the client's single logout service. + * + */ public Output> logoutServiceRedirectBindingUrl() { return Codegen.optional(this.logoutServiceRedirectBindingUrl); } + /** + * When specified, this URL will be used for all SAML requests. + * + */ @Export(name="masterSamlProcessingUrl", refs={String.class}, tree="[0]") private Output masterSamlProcessingUrl; + /** + * @return When specified, this URL will be used for all SAML requests. + * + */ public Output> masterSamlProcessingUrl() { return Codegen.optional(this.masterSamlProcessingUrl); } + /** + * The display name of this client in the GUI. + * + */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; + /** + * @return The display name of this client in the GUI. + * + */ public Output name() { return this.name; } + /** + * Sets the Name ID format for the subject. + * + */ @Export(name="nameIdFormat", refs={String.class}, tree="[0]") private Output nameIdFormat; + /** + * @return Sets the Name ID format for the subject. + * + */ public Output nameIdFormat() { return this.nameIdFormat; } + /** + * The realm this client is attached to. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this client is attached to. + * + */ public Output realmId() { return this.realmId; } + /** + * When specified, this value is prepended to all relative URLs. + * + */ @Export(name="rootUrl", refs={String.class}, tree="[0]") private Output rootUrl; + /** + * @return When specified, this value is prepended to all relative URLs. + * + */ public Output> rootUrl() { return Codegen.optional(this.rootUrl); } + /** + * When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. 
+ * + */ @Export(name="signAssertions", refs={Boolean.class}, tree="[0]") private Output signAssertions; + /** + * @return When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + * + */ public Output> signAssertions() { return Codegen.optional(this.signAssertions); } + /** + * When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + */ @Export(name="signDocuments", refs={Boolean.class}, tree="[0]") private Output signDocuments; + /** + * @return When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + */ public Output> signDocuments() { return Codegen.optional(this.signDocuments); } + /** + * The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + */ @Export(name="signatureAlgorithm", refs={String.class}, tree="[0]") private Output signatureAlgorithm; + /** + * @return The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + */ public Output> signatureAlgorithm() { return Codegen.optional(this.signatureAlgorithm); } + /** + * The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + * + */ @Export(name="signatureKeyName", refs={String.class}, tree="[0]") private Output signatureKeyName; + /** + * @return The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". 
+ * + */ public Output> signatureKeyName() { return Codegen.optional(this.signatureKeyName); } + /** + * If documents or assertions from the client are signed, this certificate will be used to verify the signature. + * + */ @Export(name="signingCertificate", refs={String.class}, tree="[0]") private Output signingCertificate; + /** + * @return If documents or assertions from the client are signed, this certificate will be used to verify the signature. + * + */ public Output signingCertificate() { return this.signingCertificate; } + /** + * (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + * + */ @Export(name="signingCertificateSha1", refs={String.class}, tree="[0]") private Output signingCertificateSha1; + /** + * @return (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + * + */ public Output signingCertificateSha1() { return this.signingCertificateSha1; } + /** + * If documents or assertions from the client are signed, this private key will be used to verify the signature. + * + */ @Export(name="signingPrivateKey", refs={String.class}, tree="[0]") private Output signingPrivateKey; + /** + * @return If documents or assertions from the client are signed, this private key will be used to verify the signature. + * + */ public Output signingPrivateKey() { return this.signingPrivateKey; } + /** + * (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + * + */ @Export(name="signingPrivateKeySha1", refs={String.class}, tree="[0]") private Output signingPrivateKeySha1; + /** + * @return (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. 
+ * + */ public Output signingPrivateKeySha1() { return this.signingPrivateKeySha1; } + /** + * When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + */ @Export(name="validRedirectUris", refs={List.class,String.class}, tree="[0,1]") private Output> validRedirectUris; + /** + * @return When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + */ public Output>> validRedirectUris() { return Codegen.optional(this.validRedirectUris); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/ClientArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/ClientArgs.java index 112d47cd..3b3ccd54 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/ClientArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/ClientArgs.java 
@@ -20,79 +20,167 @@ public final class ClientArgs extends com.pulumi.resources.ResourceArgs { public static final ClientArgs Empty = new ClientArgs(); + /** + * SAML POST Binding URL for the client's assertion consumer service (login responses). + * + */ @Import(name="assertionConsumerPostUrl") private @Nullable Output assertionConsumerPostUrl; + /** + * @return SAML POST Binding URL for the client's assertion consumer service (login responses). + * + */ public Optional> assertionConsumerPostUrl() { return Optional.ofNullable(this.assertionConsumerPostUrl); } + /** + * SAML Redirect Binding URL for the client's assertion consumer service (login responses). + * + */ @Import(name="assertionConsumerRedirectUrl") private @Nullable Output assertionConsumerRedirectUrl; + /** + * @return SAML Redirect Binding URL for the client's assertion consumer service (login responses). + * + */ public Optional> assertionConsumerRedirectUrl() { return Optional.ofNullable(this.assertionConsumerRedirectUrl); } + /** + * Override realm authentication flow bindings + * + */ @Import(name="authenticationFlowBindingOverrides") private @Nullable Output authenticationFlowBindingOverrides; + /** + * @return Override realm authentication flow bindings + * + */ public Optional> authenticationFlowBindingOverrides() { return Optional.ofNullable(this.authenticationFlowBindingOverrides); } + /** + * When specified, this URL will be used whenever Keycloak needs to link to this client. + * + */ @Import(name="baseUrl") private @Nullable Output baseUrl; + /** + * @return When specified, this URL will be used whenever Keycloak needs to link to this client. + * + */ public Optional> baseUrl() { return Optional.ofNullable(this.baseUrl); } + /** + * The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". 
+ * + */ @Import(name="canonicalizationMethod") private @Nullable Output canonicalizationMethod; + /** + * @return The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + * + */ public Optional> canonicalizationMethod() { return Optional.ofNullable(this.canonicalizationMethod); } + /** + * The unique ID of this client, referenced in the URI during authentication and in issued tokens. + * + */ @Import(name="clientId", required=true) private Output clientId; + /** + * @return The unique ID of this client, referenced in the URI during authentication and in issued tokens. + * + */ public Output clientId() { return this.clientId; } + /** + * When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + */ @Import(name="clientSignatureRequired") private @Nullable Output clientSignatureRequired; + /** + * @return When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + */ public Optional> clientSignatureRequired() { return Optional.ofNullable(this.clientSignatureRequired); } + /** + * The description of this client in the GUI. + * + */ @Import(name="description") private @Nullable Output description; + /** + * @return The description of this client in the GUI. + * + */ public Optional> description() { return Optional.ofNullable(this.description); } + /** + * When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + */ @Import(name="enabled") private @Nullable Output enabled; + /** + * @return When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. 
+ * + */ public Optional> enabled() { return Optional.ofNullable(this.enabled); } + /** + * When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + * + */ @Import(name="encryptAssertions") private @Nullable Output encryptAssertions; + /** + * @return When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + * + */ public Optional> encryptAssertions() { return Optional.ofNullable(this.encryptAssertions); } + /** + * If assertions for the client are encrypted, this certificate will be used for encryption. + * + */ @Import(name="encryptionCertificate") private @Nullable Output encryptionCertificate; + /** + * @return If assertions for the client are encrypted, this certificate will be used for encryption. + * + */ public Optional> encryptionCertificate() { return Optional.ofNullable(this.encryptionCertificate); } 
@@ -104,156 +192,332 @@ public Optional>> extraConfig() { return Optional.ofNullable(this.extraConfig); } + /** + * Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + */ @Import(name="forceNameIdFormat") private @Nullable Output forceNameIdFormat; + /** + * @return Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + */ public Optional> forceNameIdFormat() { return Optional.ofNullable(this.forceNameIdFormat); } + /** + * When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + */ @Import(name="forcePostBinding") private @Nullable Output forcePostBinding; + /** + * @return When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + */ public Optional> forcePostBinding() { return Optional.ofNullable(this.forcePostBinding); } + /** + * When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + * + */ @Import(name="frontChannelLogout") private @Nullable Output frontChannelLogout; + /** + * @return When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + * + */ public Optional> frontChannelLogout() { return Optional.ofNullable(this.frontChannelLogout); } + /** + * Allow to include all roles mappings in the access token + * + */ @Import(name="fullScopeAllowed") private @Nullable Output fullScopeAllowed; + /** + * @return Allow to include all roles mappings in the access token + * + */ public Optional> fullScopeAllowed() { return Optional.ofNullable(this.fullScopeAllowed); } + /** + * Relay state you want to send with SAML request when you want to do IDP Initiated SSO. 
+ * + */ @Import(name="idpInitiatedSsoRelayState") private @Nullable Output idpInitiatedSsoRelayState; + /** + * @return Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + * + */ public Optional> idpInitiatedSsoRelayState() { return Optional.ofNullable(this.idpInitiatedSsoRelayState); } + /** + * URL fragment name to reference client when you want to do IDP Initiated SSO. + * + */ @Import(name="idpInitiatedSsoUrlName") private @Nullable Output idpInitiatedSsoUrlName; + /** + * @return URL fragment name to reference client when you want to do IDP Initiated SSO. + * + */ public Optional> idpInitiatedSsoUrlName() { return Optional.ofNullable(this.idpInitiatedSsoUrlName); } + /** + * When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + * + */ @Import(name="includeAuthnStatement") private @Nullable Output includeAuthnStatement; + /** + * @return When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + * + */ public Optional> includeAuthnStatement() { return Optional.ofNullable(this.includeAuthnStatement); } + /** + * The login theme of this client. + * + */ @Import(name="loginTheme") private @Nullable Output loginTheme; + /** + * @return The login theme of this client. + * + */ public Optional> loginTheme() { return Optional.ofNullable(this.loginTheme); } + /** + * SAML POST Binding URL for the client's single logout service. + * + */ @Import(name="logoutServicePostBindingUrl") private @Nullable Output logoutServicePostBindingUrl; + /** + * @return SAML POST Binding URL for the client's single logout service. + * + */ public Optional> logoutServicePostBindingUrl() { return Optional.ofNullable(this.logoutServicePostBindingUrl); } + /** + * SAML Redirect Binding URL for the client's single logout service. 
+ * + */ @Import(name="logoutServiceRedirectBindingUrl") private @Nullable Output logoutServiceRedirectBindingUrl; + /** + * @return SAML Redirect Binding URL for the client's single logout service. + * + */ public Optional> logoutServiceRedirectBindingUrl() { return Optional.ofNullable(this.logoutServiceRedirectBindingUrl); } + /** + * When specified, this URL will be used for all SAML requests. + * + */ @Import(name="masterSamlProcessingUrl") private @Nullable Output masterSamlProcessingUrl; + /** + * @return When specified, this URL will be used for all SAML requests. + * + */ public Optional> masterSamlProcessingUrl() { return Optional.ofNullable(this.masterSamlProcessingUrl); } + /** + * The display name of this client in the GUI. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this client in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * Sets the Name ID format for the subject. + * + */ @Import(name="nameIdFormat") private @Nullable Output nameIdFormat; + /** + * @return Sets the Name ID format for the subject. + * + */ public Optional> nameIdFormat() { return Optional.ofNullable(this.nameIdFormat); } + /** + * The realm this client is attached to. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this client is attached to. + * + */ public Output realmId() { return this.realmId; } + /** + * When specified, this value is prepended to all relative URLs. + * + */ @Import(name="rootUrl") private @Nullable Output rootUrl; + /** + * @return When specified, this value is prepended to all relative URLs. + * + */ public Optional> rootUrl() { return Optional.ofNullable(this.rootUrl); } + /** + * When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. 
+ * + */ @Import(name="signAssertions") private @Nullable Output signAssertions; + /** + * @return When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + * + */ public Optional> signAssertions() { return Optional.ofNullable(this.signAssertions); } + /** + * When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + */ @Import(name="signDocuments") private @Nullable Output signDocuments; + /** + * @return When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + */ public Optional> signDocuments() { return Optional.ofNullable(this.signDocuments); } + /** + * The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + */ @Import(name="signatureAlgorithm") private @Nullable Output signatureAlgorithm; + /** + * @return The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + */ public Optional> signatureAlgorithm() { return Optional.ofNullable(this.signatureAlgorithm); } + /** + * The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + * + */ @Import(name="signatureKeyName") private @Nullable Output signatureKeyName; + /** + * @return The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + * + */ public Optional> signatureKeyName() { return Optional.ofNullable(this.signatureKeyName); } + /** + * If documents or assertions from the client are signed, this certificate will be used to verify the signature. 
+ * + */ @Import(name="signingCertificate") private @Nullable Output signingCertificate; + /** + * @return If documents or assertions from the client are signed, this certificate will be used to verify the signature. + * + */ public Optional> signingCertificate() { return Optional.ofNullable(this.signingCertificate); } + /** + * If documents or assertions from the client are signed, this private key will be used to verify the signature. + * + */ @Import(name="signingPrivateKey") private @Nullable Output signingPrivateKey; + /** + * @return If documents or assertions from the client are signed, this private key will be used to verify the signature. + * + */ public Optional> signingPrivateKey() { return Optional.ofNullable(this.signingPrivateKey); } + /** + * When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + */ @Import(name="validRedirectUris") private @Nullable Output> validRedirectUris; + /** + * @return When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + */ public Optional>> validRedirectUris() { return Optional.ofNullable(this.validRedirectUris); } 
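Review bot: The javadoc on `signingPrivateKey` (field and accessor at the end of this hunk, and again on both builder overloads in hunk `@@ -423,204 +819,474 @@`) says the private key "will be used to verify the signature", but verification of a client's signature is done with the certificate/public key, so the sentence will lead operators to paste a private key into a resource where `signingCertificate` is the value that matters. Since this file is generated from the provider schema, the wording should be corrected upstream to state what the key is actually used for (confirm against the provider's resource description) rather than "verify", e.g. `If documents or assertions from the client are signed, this is the private key paired with signing_certificate (confirm intended use with the provider schema).` The `signatureAlgorithm` javadoc in the same hunk also has an unbalanced quote, `"RSA_SHA256_MGF1,`, and because the list includes `RSA_SHA1` and `DSA_SHA1` a short caveat that the SHA-1 based variants are widely deprecated and kept only for interoperability would help readers choose safely.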
@@ -315,101 +579,233 @@ public Builder(ClientArgs defaults) { $ = new ClientArgs(Objects.requireNonNull(defaults)); } + /** + * @param assertionConsumerPostUrl SAML POST Binding URL for the client's assertion consumer service (login responses). + * + * @return builder + * + */ public Builder assertionConsumerPostUrl(@Nullable Output assertionConsumerPostUrl) { $.assertionConsumerPostUrl = assertionConsumerPostUrl; return this; } + /** + * @param assertionConsumerPostUrl SAML POST Binding URL for the client's assertion consumer service (login responses). + * + * @return builder + * + */ public Builder assertionConsumerPostUrl(String assertionConsumerPostUrl) { return assertionConsumerPostUrl(Output.of(assertionConsumerPostUrl)); } + /** + * @param assertionConsumerRedirectUrl SAML Redirect Binding URL for the client's assertion consumer service (login responses). + * + * @return builder + * + */ public Builder assertionConsumerRedirectUrl(@Nullable Output assertionConsumerRedirectUrl) { $.assertionConsumerRedirectUrl = assertionConsumerRedirectUrl; return this; } + /** + * @param assertionConsumerRedirectUrl SAML Redirect Binding URL for the client's assertion consumer service (login responses). 
+ * + * @return builder + * + */ public Builder assertionConsumerRedirectUrl(String assertionConsumerRedirectUrl) { return assertionConsumerRedirectUrl(Output.of(assertionConsumerRedirectUrl)); } + /** + * @param authenticationFlowBindingOverrides Override realm authentication flow bindings + * + * @return builder + * + */ public Builder authenticationFlowBindingOverrides(@Nullable Output authenticationFlowBindingOverrides) { $.authenticationFlowBindingOverrides = authenticationFlowBindingOverrides; return this; } + /** + * @param authenticationFlowBindingOverrides Override realm authentication flow bindings + * + * @return builder + * + */ public Builder authenticationFlowBindingOverrides(ClientAuthenticationFlowBindingOverridesArgs authenticationFlowBindingOverrides) { return authenticationFlowBindingOverrides(Output.of(authenticationFlowBindingOverrides)); } + /** + * @param baseUrl When specified, this URL will be used whenever Keycloak needs to link to this client. + * + * @return builder + * + */ public Builder baseUrl(@Nullable Output baseUrl) { $.baseUrl = baseUrl; return this; } + /** + * @param baseUrl When specified, this URL will be used whenever Keycloak needs to link to this client. + * + * @return builder + * + */ public Builder baseUrl(String baseUrl) { return baseUrl(Output.of(baseUrl)); } + /** + * @param canonicalizationMethod The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + * + * @return builder + * + */ public Builder canonicalizationMethod(@Nullable Output canonicalizationMethod) { $.canonicalizationMethod = canonicalizationMethod; return this; } + /** + * @param canonicalizationMethod The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". 
+ * + * @return builder + * + */ public Builder canonicalizationMethod(String canonicalizationMethod) { return canonicalizationMethod(Output.of(canonicalizationMethod)); } + /** + * @param clientId The unique ID of this client, referenced in the URI during authentication and in issued tokens. + * + * @return builder + * + */ public Builder clientId(Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The unique ID of this client, referenced in the URI during authentication and in issued tokens. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param clientSignatureRequired When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + * @return builder + * + */ public Builder clientSignatureRequired(@Nullable Output clientSignatureRequired) { $.clientSignatureRequired = clientSignatureRequired; return this; } + /** + * @param clientSignatureRequired When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + * @return builder + * + */ public Builder clientSignatureRequired(Boolean clientSignatureRequired) { return clientSignatureRequired(Output.of(clientSignatureRequired)); } + /** + * @param description The description of this client in the GUI. + * + * @return builder + * + */ public Builder description(@Nullable Output description) { $.description = description; return this; } + /** + * @param description The description of this client in the GUI. 
+ * + * @return builder + * + */ public Builder description(String description) { return description(Output.of(description)); } + /** + * @param enabled When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(@Nullable Output enabled) { $.enabled = enabled; return this; } + /** + * @param enabled When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(Boolean enabled) { return enabled(Output.of(enabled)); } + /** + * @param encryptAssertions When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + * + * @return builder + * + */ public Builder encryptAssertions(@Nullable Output encryptAssertions) { $.encryptAssertions = encryptAssertions; return this; } + /** + * @param encryptAssertions When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + * + * @return builder + * + */ public Builder encryptAssertions(Boolean encryptAssertions) { return encryptAssertions(Output.of(encryptAssertions)); } + /** + * @param encryptionCertificate If assertions for the client are encrypted, this certificate will be used for encryption. + * + * @return builder + * + */ public Builder encryptionCertificate(@Nullable Output encryptionCertificate) { $.encryptionCertificate = encryptionCertificate; return this; } + /** + * @param encryptionCertificate If assertions for the client are encrypted, this certificate will be used for encryption. + * + * @return builder + * + */ public Builder encryptionCertificate(String encryptionCertificate) { return encryptionCertificate(Output.of(encryptionCertificate)); } 
@@ -423,204 +819,474 @@ public Builder extraConfig(Map extraConfig) { return extraConfig(Output.of(extraConfig)); } + /** + * @param forceNameIdFormat Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + * @return builder + * + */ public Builder forceNameIdFormat(@Nullable Output forceNameIdFormat) { $.forceNameIdFormat = forceNameIdFormat; return this; } + /** + * @param forceNameIdFormat Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + * @return builder + * + */ public Builder forceNameIdFormat(Boolean forceNameIdFormat) { return forceNameIdFormat(Output.of(forceNameIdFormat)); } + /** + * @param forcePostBinding When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + * @return builder + * + */ public Builder forcePostBinding(@Nullable Output forcePostBinding) { $.forcePostBinding = forcePostBinding; return this; } + /** + * @param forcePostBinding When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + * @return builder + * + */ public Builder forcePostBinding(Boolean forcePostBinding) { return forcePostBinding(Output.of(forcePostBinding)); } + /** + * @param frontChannelLogout When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + * + * @return builder + * + */ public Builder frontChannelLogout(@Nullable Output frontChannelLogout) { $.frontChannelLogout = frontChannelLogout; return this; } + /** + * @param frontChannelLogout When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder frontChannelLogout(Boolean frontChannelLogout) { return frontChannelLogout(Output.of(frontChannelLogout)); } + /** + * @param fullScopeAllowed Allow to include all roles mappings in the access token + * + * @return builder + * + */ public Builder fullScopeAllowed(@Nullable Output fullScopeAllowed) { $.fullScopeAllowed = fullScopeAllowed; return this; } + /** + * @param fullScopeAllowed Allow to include all roles mappings in the access token + * + * @return builder + * + */ public Builder fullScopeAllowed(Boolean fullScopeAllowed) { return fullScopeAllowed(Output.of(fullScopeAllowed)); } + /** + * @param idpInitiatedSsoRelayState Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + * + * @return builder + * + */ public Builder idpInitiatedSsoRelayState(@Nullable Output idpInitiatedSsoRelayState) { $.idpInitiatedSsoRelayState = idpInitiatedSsoRelayState; return this; } + /** + * @param idpInitiatedSsoRelayState Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + * + * @return builder + * + */ public Builder idpInitiatedSsoRelayState(String idpInitiatedSsoRelayState) { return idpInitiatedSsoRelayState(Output.of(idpInitiatedSsoRelayState)); } + /** + * @param idpInitiatedSsoUrlName URL fragment name to reference client when you want to do IDP Initiated SSO. + * + * @return builder + * + */ public Builder idpInitiatedSsoUrlName(@Nullable Output idpInitiatedSsoUrlName) { $.idpInitiatedSsoUrlName = idpInitiatedSsoUrlName; return this; } + /** + * @param idpInitiatedSsoUrlName URL fragment name to reference client when you want to do IDP Initiated SSO. + * + * @return builder + * + */ public Builder idpInitiatedSsoUrlName(String idpInitiatedSsoUrlName) { return idpInitiatedSsoUrlName(Output.of(idpInitiatedSsoUrlName)); } + /** + * @param includeAuthnStatement When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder includeAuthnStatement(@Nullable Output includeAuthnStatement) { $.includeAuthnStatement = includeAuthnStatement; return this; } + /** + * @param includeAuthnStatement When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + * + * @return builder + * + */ public Builder includeAuthnStatement(Boolean includeAuthnStatement) { return includeAuthnStatement(Output.of(includeAuthnStatement)); } + /** + * @param loginTheme The login theme of this client. + * + * @return builder + * + */ public Builder loginTheme(@Nullable Output loginTheme) { $.loginTheme = loginTheme; return this; } + /** + * @param loginTheme The login theme of this client. + * + * @return builder + * + */ public Builder loginTheme(String loginTheme) { return loginTheme(Output.of(loginTheme)); } + /** + * @param logoutServicePostBindingUrl SAML POST Binding URL for the client's single logout service. + * + * @return builder + * + */ public Builder logoutServicePostBindingUrl(@Nullable Output logoutServicePostBindingUrl) { $.logoutServicePostBindingUrl = logoutServicePostBindingUrl; return this; } + /** + * @param logoutServicePostBindingUrl SAML POST Binding URL for the client's single logout service. + * + * @return builder + * + */ public Builder logoutServicePostBindingUrl(String logoutServicePostBindingUrl) { return logoutServicePostBindingUrl(Output.of(logoutServicePostBindingUrl)); } + /** + * @param logoutServiceRedirectBindingUrl SAML Redirect Binding URL for the client's single logout service. + * + * @return builder + * + */ public Builder logoutServiceRedirectBindingUrl(@Nullable Output logoutServiceRedirectBindingUrl) { $.logoutServiceRedirectBindingUrl = logoutServiceRedirectBindingUrl; return this; } + /** + * @param logoutServiceRedirectBindingUrl SAML Redirect Binding URL for the client's single logout service. 
+ * + * @return builder + * + */ public Builder logoutServiceRedirectBindingUrl(String logoutServiceRedirectBindingUrl) { return logoutServiceRedirectBindingUrl(Output.of(logoutServiceRedirectBindingUrl)); } + /** + * @param masterSamlProcessingUrl When specified, this URL will be used for all SAML requests. + * + * @return builder + * + */ public Builder masterSamlProcessingUrl(@Nullable Output masterSamlProcessingUrl) { $.masterSamlProcessingUrl = masterSamlProcessingUrl; return this; } + /** + * @param masterSamlProcessingUrl When specified, this URL will be used for all SAML requests. + * + * @return builder + * + */ public Builder masterSamlProcessingUrl(String masterSamlProcessingUrl) { return masterSamlProcessingUrl(Output.of(masterSamlProcessingUrl)); } + /** + * @param name The display name of this client in the GUI. + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this client in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param nameIdFormat Sets the Name ID format for the subject. + * + * @return builder + * + */ public Builder nameIdFormat(@Nullable Output nameIdFormat) { $.nameIdFormat = nameIdFormat; return this; } + /** + * @param nameIdFormat Sets the Name ID format for the subject. + * + * @return builder + * + */ public Builder nameIdFormat(String nameIdFormat) { return nameIdFormat(Output.of(nameIdFormat)); } + /** + * @param realmId The realm this client is attached to. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client is attached to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param rootUrl When specified, this value is prepended to all relative URLs. 
+ * + * @return builder + * + */ public Builder rootUrl(@Nullable Output rootUrl) { $.rootUrl = rootUrl; return this; } + /** + * @param rootUrl When specified, this value is prepended to all relative URLs. + * + * @return builder + * + */ public Builder rootUrl(String rootUrl) { return rootUrl(Output.of(rootUrl)); } + /** + * @param signAssertions When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + * + * @return builder + * + */ public Builder signAssertions(@Nullable Output signAssertions) { $.signAssertions = signAssertions; return this; } + /** + * @param signAssertions When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + * + * @return builder + * + */ public Builder signAssertions(Boolean signAssertions) { return signAssertions(Output.of(signAssertions)); } + /** + * @param signDocuments When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + * @return builder + * + */ public Builder signDocuments(@Nullable Output signDocuments) { $.signDocuments = signDocuments; return this; } + /** + * @param signDocuments When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + * @return builder + * + */ public Builder signDocuments(Boolean signDocuments) { return signDocuments(Output.of(signDocuments)); } + /** + * @param signatureAlgorithm The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + * @return builder + * + */ public Builder signatureAlgorithm(@Nullable Output signatureAlgorithm) { $.signatureAlgorithm = signatureAlgorithm; return this; } + /** + * @param signatureAlgorithm The signature algorithm used to sign documents. 
Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + * @return builder + * + */ public Builder signatureAlgorithm(String signatureAlgorithm) { return signatureAlgorithm(Output.of(signatureAlgorithm)); } + /** + * @param signatureKeyName The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + * + * @return builder + * + */ public Builder signatureKeyName(@Nullable Output signatureKeyName) { $.signatureKeyName = signatureKeyName; return this; } + /** + * @param signatureKeyName The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + * + * @return builder + * + */ public Builder signatureKeyName(String signatureKeyName) { return signatureKeyName(Output.of(signatureKeyName)); } + /** + * @param signingCertificate If documents or assertions from the client are signed, this certificate will be used to verify the signature. + * + * @return builder + * + */ public Builder signingCertificate(@Nullable Output signingCertificate) { $.signingCertificate = signingCertificate; return this; } + /** + * @param signingCertificate If documents or assertions from the client are signed, this certificate will be used to verify the signature. + * + * @return builder + * + */ public Builder signingCertificate(String signingCertificate) { return signingCertificate(Output.of(signingCertificate)); } + /** + * @param signingPrivateKey If documents or assertions from the client are signed, this private key will be used to verify the signature. + * + * @return builder + * + */ public Builder signingPrivateKey(@Nullable Output signingPrivateKey) { $.signingPrivateKey = signingPrivateKey; return this; } + /** + * @param signingPrivateKey If documents or assertions from the client are signed, this private key will be used to verify the signature. 
+ * + * @return builder + * + */ public Builder signingPrivateKey(String signingPrivateKey) { return signingPrivateKey(Output.of(signingPrivateKey)); } + /** + * @param validRedirectUris When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + * @return builder + * + */ public Builder validRedirectUris(@Nullable Output> validRedirectUris) { $.validRedirectUris = validRedirectUris; return this; } + /** + * @param validRedirectUris When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + * @return builder + * + */ public Builder validRedirectUris(List validRedirectUris) { return validRedirectUris(Output.of(validRedirectUris)); } + /** + * @param validRedirectUris When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + * @return builder + * + */ public Builder validRedirectUris(String... validRedirectUris) { return validRedirectUris(List.of(validRedirectUris)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/IdentityProvider.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/IdentityProvider.java index e729e015..97471c54 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/IdentityProvider.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/IdentityProvider.java 
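Review bot: The varargs overload `validRedirectUris(String... validRedirectUris)` at the end of this hunk wraps its arguments in `List.of(...)`, so a call with no arguments sets an explicitly empty list instead of leaving the field null, and `List.of` throws `NullPointerException` on any null element; neither behaviour is visible from the three identical `@param` descriptions. Because this list is what Keycloak uses to validate Assertion Consumer URLs from the authentication request, the difference between "empty" and "unset" is security-relevant and deserves a sentence in the varargs overload's javadoc, e.g. `Calling this with no values sets an explicitly empty list rather than leaving the attribute unset.` I cannot tell from this hunk whether the provider treats an empty list differently from an absent one, so that should be confirmed and the upstream description amended accordingly.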
@@ -18,13 +18,11 @@ import javax.annotation.Nullable; /** - * ## # keycloak.saml.IdentityProvider + * Allows for creating and managing SAML Identity Providers within Keycloak. * - * Allows to create and manage SAML Identity Providers within Keycloak. + * SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol. * - * SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard. - * - * ### Example Usage + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
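Review bot: The rewritten class javadoc line `SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol.` has a number-agreement slip; `identity providers allow users to authenticate` reads correctly. This text is generated from the provider's resource description, so the fix belongs upstream rather than in the generated file.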
@@ -34,6 +32,8 @@
  * import com.pulumi.Context;
  * import com.pulumi.Pulumi;
  * import com.pulumi.core.Output;
+ * import com.pulumi.keycloak.Realm;
+ * import com.pulumi.keycloak.RealmArgs;
  * import com.pulumi.keycloak.saml.IdentityProvider;
  * import com.pulumi.keycloak.saml.IdentityProviderArgs;
  * import java.util.List;
@@ -49,9 +49,15 @@
  *     }
  * 
  *     public static void stack(Context ctx) {
- *         var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()
+ *         var realm = new Realm("realm", RealmArgs.builder()
  *             .realm("my-realm")
- *             .alias("my-idp")
+ *             .enabled(true)
+ *             .build());
+ * 
+ *         var realmSamlIdentityProvider = new IdentityProvider("realmSamlIdentityProvider", IdentityProviderArgs.builder()
+ *             .realm(realm.id())
+ *             .alias("my-saml-idp")
+ *             .entityId("https://domain.com/entity_id")
  *             .singleSignOnServiceUrl("https://domain.com/adfs/ls/")
  *             .singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
  *             .backchannelSupported(true)
@@ -69,170 +75,142 @@
  *
  * <!--End PulumiCodeChooser -->
  *
- * ### Argument Reference
- *
- * The following arguments are supported:
- *
- * - `realm` - (Required) The name of the realm. This is unique across Keycloak.
- * - `alias` - (Optional) The uniq name of identity provider.
- * - `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`.
- * - `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console.
- * - `store_token` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`.
- * - `add_read_token_role_on_create` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`.
- * - `trust_email` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`.
- * - `link_only` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`.
- * - `hide_on_login_page` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
- * - `first_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.
- * - `post_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- * - `authenticate_by_default` - (Optional) Authenticate users by default. Defaults to `false`.
- *
- * #### SAML Configuration
- *
- * - `single_sign_on_service_url` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest).
- * - `single_logout_service_url` - (Optional) The Url that must be used to send logout requests.
- * - `backchannel_supported` - (Optional) Does the external IDP support back-channel logout ?.
- * - `name_id_policy_format` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- * - `post_binding_response` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
- * - `post_binding_authn_request` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- * - `post_binding_logout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- * - `want_assertions_signed` - (Optional) Indicates whether this service provider expects a signed Assertion.
- * - `want_assertions_encrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion.
- * - `force_authn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- * - `validate_signature` - (Optional) Enable/disable signature validation of SAML responses.
- * - `signing_certificate` - (Optional) Signing Certificate.
- * - `signature_algorithm` - (Optional) Signing Algorithm. Defaults to empty.
- * - `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty.
- *
- * ### Import
+ * ## Import
  *
  * Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias.
  *
  * Example:
  *
+ * bash
+ *
+ * ```sh
+ * $ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp
+ * ```
+ *
  */
 @ResourceType(type="keycloak:saml/identityProvider:IdentityProvider")
 public class IdentityProvider extends com.pulumi.resources.CustomResource {
 /**
- * Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
+ * When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
  *
  */
 @Export(name="addReadTokenRoleOnCreate", refs={Boolean.class}, tree="[0]")
 private Output addReadTokenRoleOnCreate;
 /**
- * @return Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
+ * @return When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
  *
  */
 public Output> addReadTokenRoleOnCreate() {
 return Codegen.optional(this.addReadTokenRoleOnCreate);
 }
 /**
- * The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+ * The unique name of identity provider.
  *
  */
 @Export(name="alias", refs={String.class}, tree="[0]")
 private Output alias;
 /**
- * @return The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+ * @return The unique name of identity provider.
  *
  */
 public Output alias() {
 return this.alias;
 }
 /**
- * Enable/disable authenticate users by default.
+ * Authenticate users by default. Defaults to `false`.
  *
  */
 @Export(name="authenticateByDefault", refs={Boolean.class}, tree="[0]")
 private Output authenticateByDefault;
 /**
- * @return Enable/disable authenticate users by default.
+ * @return Authenticate users by default. Defaults to `false`.
  *
  */
 public Output> authenticateByDefault() {
 return Codegen.optional(this.authenticateByDefault);
 }
 /**
- * AuthnContext ClassRefs
+ * Ordered list of requested AuthnContext ClassRefs.
  *
  */
 @Export(name="authnContextClassRefs", refs={List.class,String.class}, tree="[0,1]")
 private Output> authnContextClassRefs;
 /**
- * @return AuthnContext ClassRefs
+ * @return Ordered list of requested AuthnContext ClassRefs.
  *
  */
 public Output>> authnContextClassRefs() {
 return Codegen.optional(this.authnContextClassRefs);
 }
 /**
- * AuthnContext Comparison
+ * Specifies the comparison method used to evaluate the requested context classes or statements.
  *
  */
 @Export(name="authnContextComparisonType", refs={String.class}, tree="[0]")
 private Output authnContextComparisonType;
 /**
- * @return AuthnContext Comparison
+ * @return Specifies the comparison method used to evaluate the requested context classes or statements.
  *
  */
 public Output> authnContextComparisonType() {
 return Codegen.optional(this.authnContextComparisonType);
 }
 /**
- * AuthnContext DeclRefs
+ * Ordered list of requested AuthnContext DeclRefs.
  *
  */
 @Export(name="authnContextDeclRefs", refs={List.class,String.class}, tree="[0,1]")
 private Output> authnContextDeclRefs;
 /**
- * @return AuthnContext DeclRefs
+ * @return Ordered list of requested AuthnContext DeclRefs.
  *
  */
 public Output>> authnContextDeclRefs() {
 return Codegen.optional(this.authnContextDeclRefs);
 }
 /**
- * Does the external IDP support backchannel logout?
+ * Does the external IDP support backchannel logout?. Defaults to `false`.
  *
  */
 @Export(name="backchannelSupported", refs={Boolean.class}, tree="[0]")
 private Output backchannelSupported;
 /**
- * @return Does the external IDP support backchannel logout?
+ * @return Does the external IDP support backchannel logout?. Defaults to `false`.
  *
  */
 public Output> backchannelSupported() {
 return Codegen.optional(this.backchannelSupported);
 }
 /**
- * Friendly name for Identity Providers.
+ * The display name for the realm that is shown when logging in to the admin console.
  *
  */
 @Export(name="displayName", refs={String.class}, tree="[0]")
 private Output displayName;
 /**
- * @return Friendly name for Identity Providers.
+ * @return The display name for the realm that is shown when logging in to the admin console.
  *
  */
 public Output> displayName() {
 return Codegen.optional(this.displayName);
 }
 /**
- * Enable/disable this identity provider.
+ * When `false`, users and clients will not be able to access this realm. Defaults to `true`.
  *
  */
 @Export(name="enabled", refs={Boolean.class}, tree="[0]")
 private Output enabled;
 /**
- * @return Enable/disable this identity provider.
+ * @return When `false`, users and clients will not be able to access this realm. Defaults to `true`.
  *
  */
 public Output> enabled() {
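Review bot: The new Javadoc for `enabled` and `displayName` describes realm settings rather than this resource: `When \`false\`, users and clients will not be able to access this realm` replaces `Enable/disable this identity provider.`, and `displayName` is now the realm's admin-console display name, although both fields belong to the `IdentityProvider` resource declared in this hunk. An operator who sets `enabled(false)` to cut off a decommissioned or compromised IdP should read that only this broker is disabled, so I would use `When \`false\`, this identity provider is disabled and cannot be used to log in. Defaults to \`true\`.` and `Friendly name shown for this identity provider on the login page.`. The `alias` text also drops the removed statement that the alias is used to build the redirect URI; if that still holds, keeping it matters because the endpoint registered with the external IdP depends on the alias. This file looks generated (the `@Export`/`Codegen` pattern), so the wording presumably has to be fixed in the upstream provider schema rather than here by hand.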
@@ -259,58 +237,56 @@ public Output>> extraConfig() {
 return Codegen.optional(this.extraConfig);
 }
 /**
- * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
- * that there is not yet existing Keycloak account linked with the authenticated identity provider account.
+ * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.
  *
  */
 @Export(name="firstBrokerLoginFlowAlias", refs={String.class}, tree="[0]")
 private Output firstBrokerLoginFlowAlias;
 /**
- * @return Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
- * that there is not yet existing Keycloak account linked with the authenticated identity provider account.
+ * @return Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.
  *
  */
 public Output> firstBrokerLoginFlowAlias() {
 return Codegen.optional(this.firstBrokerLoginFlowAlias);
 }
 /**
- * Require Force Authn.
+ * Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
  *
  */
 @Export(name="forceAuthn", refs={Boolean.class}, tree="[0]")
 private Output forceAuthn;
 /**
- * @return Require Force Authn.
+ * @return Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
  *
  */
 public Output> forceAuthn() {
 return Codegen.optional(this.forceAuthn);
 }
 /**
- * GUI Order
+ * A number defining the order of this identity provider in the GUI.
  *
  */
 @Export(name="guiOrder", refs={String.class}, tree="[0]")
 private Output guiOrder;
 /**
- * @return GUI Order
+ * @return A number defining the order of this identity provider in the GUI.
  *
  */
 public Output> guiOrder() {
 return Codegen.optional(this.guiOrder);
 }
 /**
- * Hide On Login Page.
+ * If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
  *
  */
 @Export(name="hideOnLoginPage", refs={Boolean.class}, tree="[0]")
 private Output hideOnLoginPage;
 /**
- * @return Hide On Login Page.
+ * @return If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
  *
  */
 public Output> hideOnLoginPage() {
@@ -331,16 +307,14 @@ public Output internalId() {
 return this.internalId;
 }
 /**
- * If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
- * want to allow login from the provider, but want to integrate with a provider
+ * When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
  *
  */
 @Export(name="linkOnly", refs={Boolean.class}, tree="[0]")
 private Output linkOnly;
 /**
- * @return If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
- * want to allow login from the provider, but want to integrate with a provider
+ * @return When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
  *
  */
 public Output> linkOnly() {
@@ -361,146 +335,140 @@ public Output> loginHint() {
 return Codegen.optional(this.loginHint);
 }
 /**
- * Name ID Policy Format.
+ * Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
  *
  */
 @Export(name="nameIdPolicyFormat", refs={String.class}, tree="[0]")
 private Output nameIdPolicyFormat;
 /**
- * @return Name ID Policy Format.
+ * @return Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
  *
  */
 public Output> nameIdPolicyFormat() {
 return Codegen.optional(this.nameIdPolicyFormat);
 }
 /**
- * Post Binding Authn Request.
+ * Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  *
  */
 @Export(name="postBindingAuthnRequest", refs={Boolean.class}, tree="[0]")
 private Output postBindingAuthnRequest;
 /**
- * @return Post Binding Authn Request.
+ * @return Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  *
  */
 public Output> postBindingAuthnRequest() {
 return Codegen.optional(this.postBindingAuthnRequest);
 }
 /**
- * Post Binding Logout.
+ * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  *
  */
 @Export(name="postBindingLogout", refs={Boolean.class}, tree="[0]")
 private Output postBindingLogout;
 /**
- * @return Post Binding Logout.
+ * @return Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  *
  */
 public Output> postBindingLogout() {
 return Codegen.optional(this.postBindingLogout);
 }
 /**
- * Post Binding Response.
+ * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
  *
  */
 @Export(name="postBindingResponse", refs={Boolean.class}, tree="[0]")
 private Output postBindingResponse;
 /**
- * @return Post Binding Response.
+ * @return Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
  *
  */
 public Output> postBindingResponse() {
 return Codegen.optional(this.postBindingResponse);
 }
 /**
- * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
- * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
- * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
- * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
+ * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
  *
  */
 @Export(name="postBrokerLoginFlowAlias", refs={String.class}, tree="[0]")
 private Output postBrokerLoginFlowAlias;
 /**
- * @return Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
- * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
- * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
- * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
+ * @return Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
  *
  */
 public Output> postBrokerLoginFlowAlias() {
 return Codegen.optional(this.postBrokerLoginFlowAlias);
 }
 /**
- * Principal Attribute
+ * The principal attribute.
  *
  */
 @Export(name="principalAttribute", refs={String.class}, tree="[0]")
 private Output principalAttribute;
 /**
- * @return Principal Attribute
+ * @return The principal attribute.
  *
  */
 public Output> principalAttribute() {
 return Codegen.optional(this.principalAttribute);
 }
 /**
- * Principal Type
+ * The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`.
  *
  */
 @Export(name="principalType", refs={String.class}, tree="[0]")
 private Output principalType;
 /**
- * @return Principal Type
+ * @return The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`.
  *
  */
 public Output> principalType() {
 return Codegen.optional(this.principalType);
 }
 /**
- * provider id, is always saml, unless you have a custom implementation
+ * The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation.
  *
  */
 @Export(name="providerId", refs={String.class}, tree="[0]")
 private Output providerId;
 /**
- * @return provider id, is always saml, unless you have a custom implementation
+ * @return The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation.
  *
  */
 public Output> providerId() {
 return Codegen.optional(this.providerId);
 }
 /**
- * Realm Name
+ * The name of the realm. This is unique across Keycloak.
  *
  */
 @Export(name="realm", refs={String.class}, tree="[0]")
 private Output realm;
 /**
- * @return Realm Name
+ * @return The name of the realm. This is unique across Keycloak.
  *
  */
 public Output realm() {
 return this.realm;
 }
 /**
- * Signing Algorithm.
+ * Signing Algorithm. Defaults to empty.
  *
  */
 @Export(name="signatureAlgorithm", refs={String.class}, tree="[0]")
 private Output signatureAlgorithm;
 /**
- * @return Signing Algorithm.
+ * @return Signing Algorithm. Defaults to empty.
  *
  */
 public Output> signatureAlgorithm() {
@@ -521,70 +489,70 @@ public Output> signingCertificate() {
 return Codegen.optional(this.signingCertificate);
 }
 /**
- * Logout URL.
+ * The Url that must be used to send logout requests.
  *
  */
 @Export(name="singleLogoutServiceUrl", refs={String.class}, tree="[0]")
 private Output singleLogoutServiceUrl;
 /**
- * @return Logout URL.
+ * @return The Url that must be used to send logout requests.
  *
  */
 public Output> singleLogoutServiceUrl() {
 return Codegen.optional(this.singleLogoutServiceUrl);
 }
 /**
- * SSO Logout URL.
+ * The Url that must be used to send authentication requests (SAML AuthnRequest).
  *
  */
 @Export(name="singleSignOnServiceUrl", refs={String.class}, tree="[0]")
 private Output singleSignOnServiceUrl;
 /**
- * @return SSO Logout URL.
+ * @return The Url that must be used to send authentication requests (SAML AuthnRequest).
  *
  */
 public Output singleSignOnServiceUrl() {
 return this.singleSignOnServiceUrl;
 }
 /**
- * Enable/disable if tokens must be stored after authenticating users.
+ * When `true`, tokens will be stored after authenticating users. Defaults to `true`.
  *
  */
 @Export(name="storeToken", refs={Boolean.class}, tree="[0]")
 private Output storeToken;
 /**
- * @return Enable/disable if tokens must be stored after authenticating users.
+ * @return When `true`, tokens will be stored after authenticating users. Defaults to `true`.
  *
  */
 public Output> storeToken() {
 return Codegen.optional(this.storeToken);
 }
 /**
- * Sync Mode
+ * The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
  *
  */
 @Export(name="syncMode", refs={String.class}, tree="[0]")
 private Output syncMode;
 /**
- * @return Sync Mode
+ * @return The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
  *
  */
 public Output> syncMode() {
 return Codegen.optional(this.syncMode);
 }
 /**
- * If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
+ * When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
  *
  */
 @Export(name="trustEmail", refs={Boolean.class}, tree="[0]")
 private Output trustEmail;
 /**
- * @return If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
+ * @return When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
  *
  */
 public Output> trustEmail() {
@@ -605,42 +573,42 @@ public Output> validateSignature() {
 return Codegen.optional(this.validateSignature);
 }
 /**
- * Want Assertions Encrypted.
+ * Indicates whether this service provider expects an encrypted Assertion.
  *
  */
 @Export(name="wantAssertionsEncrypted", refs={Boolean.class}, tree="[0]")
 private Output wantAssertionsEncrypted;
 /**
- * @return Want Assertions Encrypted.
+ * @return Indicates whether this service provider expects an encrypted Assertion.
  *
  */
 public Output> wantAssertionsEncrypted() {
 return Codegen.optional(this.wantAssertionsEncrypted);
 }
 /**
- * Want Assertions Signed.
+ * Indicates whether this service provider expects a signed Assertion.
  *
  */
 @Export(name="wantAssertionsSigned", refs={Boolean.class}, tree="[0]")
 private Output wantAssertionsSigned;
 /**
- * @return Want Assertions Signed.
+ * @return Indicates whether this service provider expects a signed Assertion.
  *
  */
 public Output> wantAssertionsSigned() {
 return Codegen.optional(this.wantAssertionsSigned);
 }
 /**
- * Sign Key Transformer.
+ * The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.
  *
  */
 @Export(name="xmlSignKeyInfoKeyNameTransformer", refs={String.class}, tree="[0]")
 private Output xmlSignKeyInfoKeyNameTransformer;
 /**
- * @return Sign Key Transformer.
+ * @return The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.
  *
  */
 public Output> xmlSignKeyInfoKeyNameTransformer() {
diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/IdentityProviderArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/IdentityProviderArgs.java
index f513ac9a..a34361a9 100644
--- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/IdentityProviderArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/IdentityProviderArgs.java
@@ -20,14 +20,14 @@ public final class IdentityProviderArgs extends com.pulumi.resources.ResourceArg
 public static final IdentityProviderArgs Empty = new IdentityProviderArgs();
 /**
- * Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
+ * When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
  *
  */
 @Import(name="addReadTokenRoleOnCreate")
 private @Nullable Output addReadTokenRoleOnCreate;
 /**
- * @return Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
+ * @return When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
  *
  */
 public Optional> addReadTokenRoleOnCreate() {
@@ -35,14 +35,14 @@ public Optional> addReadTokenRoleOnCreate() {
 }
 /**
- * The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+ * The unique name of identity provider.
  *
  */
 @Import(name="alias", required=true)
 private Output alias;
 /**
- * @return The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+ * @return The unique name of identity provider.
  *
  */
 public Output alias() {
@@ -50,14 +50,14 @@ public Output alias() {
 }
 /**
- * Enable/disable authenticate users by default.
+ * Authenticate users by default. Defaults to `false`.
  *
  */
 @Import(name="authenticateByDefault")
 private @Nullable Output authenticateByDefault;
 /**
- * @return Enable/disable authenticate users by default.
+ * @return Authenticate users by default. Defaults to `false`.
  *
  */
 public Optional> authenticateByDefault() {
@@ -65,14 +65,14 @@ public Optional> authenticateByDefault() {
 }
 /**
- * AuthnContext ClassRefs
+ * Ordered list of requested AuthnContext ClassRefs.
  *
  */
 @Import(name="authnContextClassRefs")
 private @Nullable Output> authnContextClassRefs;
 /**
- * @return AuthnContext ClassRefs
+ * @return Ordered list of requested AuthnContext ClassRefs.
  *
  */
 public Optional>> authnContextClassRefs() {
@@ -80,14 +80,14 @@ public Optional>> authnContextClassRefs() {
 }
 /**
- * AuthnContext Comparison
+ * Specifies the comparison method used to evaluate the requested context classes or statements.
  *
  */
 @Import(name="authnContextComparisonType")
 private @Nullable Output authnContextComparisonType;
 /**
- * @return AuthnContext Comparison
+ * @return Specifies the comparison method used to evaluate the requested context classes or statements.
  *
  */
 public Optional> authnContextComparisonType() {
@@ -95,14 +95,14 @@ public Optional> authnContextComparisonType() {
 }
 /**
- * AuthnContext DeclRefs
+ * Ordered list of requested AuthnContext DeclRefs.
  *
  */
 @Import(name="authnContextDeclRefs")
 private @Nullable Output> authnContextDeclRefs;
 /**
- * @return AuthnContext DeclRefs
+ * @return Ordered list of requested AuthnContext DeclRefs.
  *
  */
 public Optional>> authnContextDeclRefs() {
@@ -110,14 +110,14 @@ public Optional>> authnContextDeclRefs() {
 }
 /**
- * Does the external IDP support backchannel logout?
+ * Does the external IDP support backchannel logout?. Defaults to `false`.
  *
  */
 @Import(name="backchannelSupported")
 private @Nullable Output backchannelSupported;
 /**
- * @return Does the external IDP support backchannel logout?
+ * @return Does the external IDP support backchannel logout?. Defaults to `false`.
  *
  */
 public Optional> backchannelSupported() {
@@ -125,14 +125,14 @@ public Optional> backchannelSupported() {
 }
 /**
- * Friendly name for Identity Providers.
+ * The display name for the realm that is shown when logging in to the admin console.
  *
  */
 @Import(name="displayName")
 private @Nullable Output displayName;
 /**
- * @return Friendly name for Identity Providers.
+ * @return The display name for the realm that is shown when logging in to the admin console.
  *
  */
 public Optional> displayName() {
@@ -140,14 +140,14 @@ public Optional> displayName() {
 }
 /**
- * Enable/disable this identity provider.
+ * When `false`, users and clients will not be able to access this realm. Defaults to `true`.
  *
  */
 @Import(name="enabled")
 private @Nullable Output enabled;
 /**
- * @return Enable/disable this identity provider.
+ * @return When `false`, users and clients will not be able to access this realm. Defaults to `true`.
  *
  */
 public Optional> enabled() {
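Review bot: The `@@ -140,14 +140,14 @@` hunk documents the `enabled` argument of `IdentityProviderArgs` with realm-level wording, `When \`false\`, users and clients will not be able to access this realm`, although the line it replaces, `Enable/disable this identity provider.`, named the flag's actual subject and the `@Import(name="enabled")` field sits on the identity provider's argument class. The `@@ -125` hunk on the same line likewise turns `displayName` into the realm's admin-console display name. I would keep the builder text in step with what the flag controls, e.g. `When \`false\`, this identity provider is disabled and cannot be used to log in. Defaults to \`true\`.` and `Friendly name shown for this identity provider on the login page.`. As this looks like generated SDK code, the change presumably belongs in the upstream provider schema that these Javadoc strings are copied from.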
@@ -177,16 +177,14 @@ public Optional>> extraConfig() { } /** - * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. * */ @Import(name="firstBrokerLoginFlowAlias") private @Nullable Output firstBrokerLoginFlowAlias; /** - * @return Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * @return Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. * */ public Optional> firstBrokerLoginFlowAlias() { @@ -194,14 +192,14 @@ public Optional> firstBrokerLoginFlowAlias() { } /** - * Require Force Authn. + * Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. * */ @Import(name="forceAuthn") private @Nullable Output forceAuthn; /** - * @return Require Force Authn. + * @return Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. * */ public Optional> forceAuthn() { 
@@ -209,14 +207,14 @@ public Optional> forceAuthn() { } /** - * GUI Order + * A number defining the order of this identity provider in the GUI. * */ @Import(name="guiOrder") private @Nullable Output guiOrder; /** - * @return GUI Order + * @return A number defining the order of this identity provider in the GUI. * */ public Optional> guiOrder() { @@ -224,14 +222,14 @@ public Optional> guiOrder() { } /** - * Hide On Login Page. + * If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. * */ @Import(name="hideOnLoginPage") private @Nullable Output hideOnLoginPage; /** - * @return Hide On Login Page. + * @return If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. * */ public Optional> hideOnLoginPage() { @@ -239,16 +237,14 @@ public Optional> hideOnLoginPage() { } /** - * If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. * */ @Import(name="linkOnly") private @Nullable Output linkOnly; /** - * @return If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * @return When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. * */ public Optional> linkOnly() { 
@@ -271,14 +267,14 @@ public Optional> loginHint() { } /** - * Name ID Policy Format. + * Specifies the URI reference corresponding to a name identifier format. Defaults to empty. * */ @Import(name="nameIdPolicyFormat") private @Nullable Output nameIdPolicyFormat; /** - * @return Name ID Policy Format. + * @return Specifies the URI reference corresponding to a name identifier format. Defaults to empty. * */ public Optional> nameIdPolicyFormat() { @@ -286,14 +282,14 @@ public Optional> nameIdPolicyFormat() { } /** - * Post Binding Authn Request. + * Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * */ @Import(name="postBindingAuthnRequest") private @Nullable Output postBindingAuthnRequest; /** - * @return Post Binding Authn Request. + * @return Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * */ public Optional> postBindingAuthnRequest() { @@ -301,14 +297,14 @@ public Optional> postBindingAuthnRequest() { } /** - * Post Binding Logout. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * */ @Import(name="postBindingLogout") private @Nullable Output postBindingLogout; /** - * @return Post Binding Logout. + * @return Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * */ public Optional> postBindingLogout() { 
@@ -316,14 +312,14 @@ public Optional> postBindingLogout() { } /** - * Post Binding Response. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. * */ @Import(name="postBindingResponse") private @Nullable Output postBindingResponse; /** - * @return Post Binding Response. + * @return Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. * */ public Optional> postBindingResponse() { 
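Review bot: The new `postBindingResponse` description ends with a doubled full stop, `If false, HTTP-REDIRECT binding will be used..`, on both the field Javadoc and the `@return` line, and the same text recurs on the two builder setters further down (the `-1069` and `-1080` hunks). `backchannelSupported` carries a similar stray mark in its setters, `Does the external IDP support backchannel logout?. Defaults to ` + "`false`" + `.`, where the question mark should simply be followed by the next sentence. This file appears to be generated from the provider's schema descriptions (the `@Import`/builder layout is the usual SDK pattern), so the wording is best corrected at the source rather than hand-edited here, or the next regeneration will bring it back.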
@@ -331,20 +327,14 @@ public Optional> postBindingResponse() { } /** - * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. * */ @Import(name="postBrokerLoginFlowAlias") private @Nullable Output postBrokerLoginFlowAlias; /** - * @return Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * @return Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. 
Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. * */ public Optional> postBrokerLoginFlowAlias() { @@ -352,14 +342,14 @@ public Optional> postBrokerLoginFlowAlias() { } /** - * Principal Attribute + * The principal attribute. * */ @Import(name="principalAttribute") private @Nullable Output principalAttribute; /** - * @return Principal Attribute + * @return The principal attribute. * */ public Optional> principalAttribute() { @@ -367,14 +357,14 @@ public Optional> principalAttribute() { } /** - * Principal Type + * The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. * */ @Import(name="principalType") private @Nullable Output principalType; /** - * @return Principal Type + * @return The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. * */ public Optional> principalType() { @@ -382,14 +372,14 @@ public Optional> principalType() { } /** - * provider id, is always saml, unless you have a custom implementation + * The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. * */ @Import(name="providerId") private @Nullable Output providerId; /** - * @return provider id, is always saml, unless you have a custom implementation + * @return The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. * */ public Optional> providerId() { @@ -397,14 +387,14 @@ public Optional> providerId() { } /** - * Realm Name + * The name of the realm. This is unique across Keycloak. * */ @Import(name="realm", required=true) private Output realm; /** - * @return Realm Name + * @return The name of the realm. This is unique across Keycloak. * */ public Output realm() { 
@@ -412,14 +402,14 @@ public Output realm() { } /** - * Signing Algorithm. + * Signing Algorithm. Defaults to empty. * */ @Import(name="signatureAlgorithm") private @Nullable Output signatureAlgorithm; /** - * @return Signing Algorithm. + * @return Signing Algorithm. Defaults to empty. * */ public Optional> signatureAlgorithm() { @@ -442,14 +432,14 @@ public Optional> signingCertificate() { } /** - * Logout URL. + * The Url that must be used to send logout requests. * */ @Import(name="singleLogoutServiceUrl") private @Nullable Output singleLogoutServiceUrl; /** - * @return Logout URL. + * @return The Url that must be used to send logout requests. * */ public Optional> singleLogoutServiceUrl() { @@ -457,14 +447,14 @@ public Optional> singleLogoutServiceUrl() { } /** - * SSO Logout URL. + * The Url that must be used to send authentication requests (SAML AuthnRequest). * */ @Import(name="singleSignOnServiceUrl", required=true) private Output singleSignOnServiceUrl; /** - * @return SSO Logout URL. + * @return The Url that must be used to send authentication requests (SAML AuthnRequest). * */ public Output singleSignOnServiceUrl() { @@ -472,14 +462,14 @@ public Output singleSignOnServiceUrl() { } /** - * Enable/disable if tokens must be stored after authenticating users. + * When `true`, tokens will be stored after authenticating users. Defaults to `true`. * */ @Import(name="storeToken") private @Nullable Output storeToken; /** - * @return Enable/disable if tokens must be stored after authenticating users. + * @return When `true`, tokens will be stored after authenticating users. Defaults to `true`. * */ public Optional> storeToken() { 
@@ -487,14 +477,14 @@ public Optional> storeToken() { } /** - * Sync Mode + * The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. * */ @Import(name="syncMode") private @Nullable Output syncMode; /** - * @return Sync Mode + * @return The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. * */ public Optional> syncMode() { @@ -502,14 +492,14 @@ public Optional> syncMode() { } /** - * If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. * */ @Import(name="trustEmail") private @Nullable Output trustEmail; /** - * @return If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * @return When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. * */ public Optional> trustEmail() { @@ -532,14 +522,14 @@ public Optional> validateSignature() { } /** - * Want Assertions Encrypted. + * Indicates whether this service provider expects an encrypted Assertion. * */ @Import(name="wantAssertionsEncrypted") private @Nullable Output wantAssertionsEncrypted; /** - * @return Want Assertions Encrypted. + * @return Indicates whether this service provider expects an encrypted Assertion. * */ public Optional> wantAssertionsEncrypted() { 
@@ -547,14 +537,14 @@ public Optional> wantAssertionsEncrypted() { } /** - * Want Assertions Signed. + * Indicates whether this service provider expects a signed Assertion. * */ @Import(name="wantAssertionsSigned") private @Nullable Output wantAssertionsSigned; /** - * @return Want Assertions Signed. + * @return Indicates whether this service provider expects a signed Assertion. * */ public Optional> wantAssertionsSigned() { @@ -562,14 +552,14 @@ public Optional> wantAssertionsSigned() { } /** - * Sign Key Transformer. + * The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. * */ @Import(name="xmlSignKeyInfoKeyNameTransformer") private @Nullable Output xmlSignKeyInfoKeyNameTransformer; /** - * @return Sign Key Transformer. + * @return The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. * */ public Optional> xmlSignKeyInfoKeyNameTransformer() { @@ -637,7 +627,7 @@ public Builder(IdentityProviderArgs defaults) { } /** - * @param addReadTokenRoleOnCreate Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + * @param addReadTokenRoleOnCreate When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. * * @return builder * @@ -648,7 +638,7 @@ public Builder addReadTokenRoleOnCreate(@Nullable Output addReadTokenRo } /** - * @param addReadTokenRoleOnCreate Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + * @param addReadTokenRoleOnCreate When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. * * @return builder * 
@@ -658,7 +648,7 @@ public Builder addReadTokenRoleOnCreate(Boolean addReadTokenRoleOnCreate) { } /** - * @param alias The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + * @param alias The unique name of identity provider. * * @return builder * @@ -669,7 +659,7 @@ public Builder alias(Output alias) { } /** - * @param alias The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + * @param alias The unique name of identity provider. * * @return builder * @@ -679,7 +669,7 @@ public Builder alias(String alias) { } /** - * @param authenticateByDefault Enable/disable authenticate users by default. + * @param authenticateByDefault Authenticate users by default. Defaults to `false`. * * @return builder * @@ -690,7 +680,7 @@ public Builder authenticateByDefault(@Nullable Output authenticateByDef } /** - * @param authenticateByDefault Enable/disable authenticate users by default. + * @param authenticateByDefault Authenticate users by default. Defaults to `false`. * * @return builder * @@ -700,7 +690,7 @@ public Builder authenticateByDefault(Boolean authenticateByDefault) { } /** - * @param authnContextClassRefs AuthnContext ClassRefs + * @param authnContextClassRefs Ordered list of requested AuthnContext ClassRefs. * * @return builder * @@ -711,7 +701,7 @@ public Builder authnContextClassRefs(@Nullable Output> authnContext } /** - * @param authnContextClassRefs AuthnContext ClassRefs + * @param authnContextClassRefs Ordered list of requested AuthnContext ClassRefs. * * @return builder * @@ -721,7 +711,7 @@ public Builder authnContextClassRefs(List authnContextClassRefs) { } /** - * @param authnContextClassRefs AuthnContext ClassRefs + * @param authnContextClassRefs Ordered list of requested AuthnContext ClassRefs. * * @return builder * 
@@ -731,7 +721,7 @@ public Builder authnContextClassRefs(String... authnContextClassRefs) { } /** - * @param authnContextComparisonType AuthnContext Comparison + * @param authnContextComparisonType Specifies the comparison method used to evaluate the requested context classes or statements. * * @return builder * @@ -742,7 +732,7 @@ public Builder authnContextComparisonType(@Nullable Output authnContextC } /** - * @param authnContextComparisonType AuthnContext Comparison + * @param authnContextComparisonType Specifies the comparison method used to evaluate the requested context classes or statements. * * @return builder * @@ -752,7 +742,7 @@ public Builder authnContextComparisonType(String authnContextComparisonType) { } /** - * @param authnContextDeclRefs AuthnContext DeclRefs + * @param authnContextDeclRefs Ordered list of requested AuthnContext DeclRefs. * * @return builder * @@ -763,7 +753,7 @@ public Builder authnContextDeclRefs(@Nullable Output> authnContextD } /** - * @param authnContextDeclRefs AuthnContext DeclRefs + * @param authnContextDeclRefs Ordered list of requested AuthnContext DeclRefs. * * @return builder * @@ -773,7 +763,7 @@ public Builder authnContextDeclRefs(List authnContextDeclRefs) { } /** - * @param authnContextDeclRefs AuthnContext DeclRefs + * @param authnContextDeclRefs Ordered list of requested AuthnContext DeclRefs. * * @return builder * @@ -783,7 +773,7 @@ public Builder authnContextDeclRefs(String... authnContextDeclRefs) { } /** - * @param backchannelSupported Does the external IDP support backchannel logout? + * @param backchannelSupported Does the external IDP support backchannel logout?. Defaults to `false`. * * @return builder * @@ -794,7 +784,7 @@ public Builder backchannelSupported(@Nullable Output backchannelSupport } /** - * @param backchannelSupported Does the external IDP support backchannel logout? + * @param backchannelSupported Does the external IDP support backchannel logout?. Defaults to `false`. * * @return builder * 
@@ -804,7 +794,7 @@ public Builder backchannelSupported(Boolean backchannelSupported) { } /** - * @param displayName Friendly name for Identity Providers. + * @param displayName The display name for the realm that is shown when logging in to the admin console. * * @return builder * @@ -815,7 +805,7 @@ public Builder displayName(@Nullable Output displayName) { } /** - * @param displayName Friendly name for Identity Providers. + * @param displayName The display name for the realm that is shown when logging in to the admin console. * * @return builder * @@ -825,7 +815,7 @@ public Builder displayName(String displayName) { } /** - * @param enabled Enable/disable this identity provider. + * @param enabled When `false`, users and clients will not be able to access this realm. Defaults to `true`. * * @return builder * @@ -836,7 +826,7 @@ public Builder enabled(@Nullable Output enabled) { } /** - * @param enabled Enable/disable this identity provider. + * @param enabled When `false`, users and clients will not be able to access this realm. Defaults to `true`. * * @return builder * @@ -876,8 +866,7 @@ public Builder extraConfig(Map extraConfig) { } /** - * @param firstBrokerLoginFlowAlias Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * @param firstBrokerLoginFlowAlias Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. * * @return builder * 
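Review bot: The new `enabled` text, `When `false`, users and clients will not be able to access this realm. Defaults to `true`.`, describes a realm setting, not this identity provider: disabling the provider only stops logins brokered through it, the realm itself stays reachable, and the old wording `Enable/disable this identity provider.` was the accurate one. `displayName` has the same copy-paste problem, `The display name for the realm that is shown when logging in to the admin console.`, where the old `Friendly name for Identity Providers.` was correct. Both texts appear on the two setter overloads in this hunk and presumably on the field-level Javadoc earlier in the file, outside this chunk. Suggested wording: `When `false`, users will not be able to log in through this identity provider. Defaults to `true`.` and `The display name of this identity provider.`; since the file appears to be generated from the provider schema, the fix belongs in the upstream description so it survives regeneration.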
@@ -888,8 +877,7 @@ public Builder firstBrokerLoginFlowAlias(@Nullable Output firstBrokerLog } /** - * @param firstBrokerLoginFlowAlias Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * @param firstBrokerLoginFlowAlias Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. * * @return builder * @@ -899,7 +887,7 @@ public Builder firstBrokerLoginFlowAlias(String firstBrokerLoginFlowAlias) { } /** - * @param forceAuthn Require Force Authn. + * @param forceAuthn Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. * * @return builder * @@ -910,7 +898,7 @@ public Builder forceAuthn(@Nullable Output forceAuthn) { } /** - * @param forceAuthn Require Force Authn. + * @param forceAuthn Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. * * @return builder * @@ -920,7 +908,7 @@ public Builder forceAuthn(Boolean forceAuthn) { } /** - * @param guiOrder GUI Order + * @param guiOrder A number defining the order of this identity provider in the GUI. * * @return builder * @@ -931,7 +919,7 @@ public Builder guiOrder(@Nullable Output guiOrder) { } /** - * @param guiOrder GUI Order + * @param guiOrder A number defining the order of this identity provider in the GUI. * * @return builder * 
@@ -941,7 +929,7 @@ public Builder guiOrder(String guiOrder) { } /** - * @param hideOnLoginPage Hide On Login Page. + * @param hideOnLoginPage If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. * * @return builder * @@ -952,7 +940,7 @@ public Builder hideOnLoginPage(@Nullable Output hideOnLoginPage) { } /** - * @param hideOnLoginPage Hide On Login Page. + * @param hideOnLoginPage If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. * * @return builder * @@ -962,8 +950,7 @@ public Builder hideOnLoginPage(Boolean hideOnLoginPage) { } /** - * @param linkOnly If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * @param linkOnly When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. * * @return builder * @@ -974,8 +961,7 @@ public Builder linkOnly(@Nullable Output linkOnly) { } /** - * @param linkOnly If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * @param linkOnly When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. * * @return builder * @@ -1006,7 +992,7 @@ public Builder loginHint(String loginHint) { } /** - * @param nameIdPolicyFormat Name ID Policy Format. + * @param nameIdPolicyFormat Specifies the URI reference corresponding to a name identifier format. Defaults to empty. * * @return builder * 
@@ -1017,7 +1003,7 @@ public Builder nameIdPolicyFormat(@Nullable Output nameIdPolicyFormat) { } /** - * @param nameIdPolicyFormat Name ID Policy Format. + * @param nameIdPolicyFormat Specifies the URI reference corresponding to a name identifier format. Defaults to empty. * * @return builder * @@ -1027,7 +1013,7 @@ public Builder nameIdPolicyFormat(String nameIdPolicyFormat) { } /** - * @param postBindingAuthnRequest Post Binding Authn Request. + * @param postBindingAuthnRequest Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * * @return builder * @@ -1038,7 +1024,7 @@ public Builder postBindingAuthnRequest(@Nullable Output postBindingAuth } /** - * @param postBindingAuthnRequest Post Binding Authn Request. + * @param postBindingAuthnRequest Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * * @return builder * @@ -1048,7 +1034,7 @@ public Builder postBindingAuthnRequest(Boolean postBindingAuthnRequest) { } /** - * @param postBindingLogout Post Binding Logout. + * @param postBindingLogout Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * * @return builder * @@ -1059,7 +1045,7 @@ public Builder postBindingLogout(@Nullable Output postBindingLogout) { } /** - * @param postBindingLogout Post Binding Logout. + * @param postBindingLogout Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * * @return builder * @@ -1069,7 +1055,7 @@ public Builder postBindingLogout(Boolean postBindingLogout) { } /** - * @param postBindingResponse Post Binding Response. + * @param postBindingResponse Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. * * @return builder * 
@@ -1080,7 +1066,7 @@ public Builder postBindingResponse(@Nullable Output postBindingResponse } /** - * @param postBindingResponse Post Binding Response. + * @param postBindingResponse Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. * * @return builder * @@ -1090,10 +1076,7 @@ public Builder postBindingResponse(Boolean postBindingResponse) { } /** - * @param postBrokerLoginFlowAlias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * @param postBrokerLoginFlowAlias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. * * @return builder * 
@@ -1104,10 +1087,7 @@ public Builder postBrokerLoginFlowAlias(@Nullable Output postBrokerLogin } /** - * @param postBrokerLoginFlowAlias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * @param postBrokerLoginFlowAlias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. * * @return builder * @@ -1117,7 +1097,7 @@ public Builder postBrokerLoginFlowAlias(String postBrokerLoginFlowAlias) { } /** - * @param principalAttribute Principal Attribute + * @param principalAttribute The principal attribute. * * @return builder * @@ -1128,7 +1108,7 @@ public Builder principalAttribute(@Nullable Output principalAttribute) { } /** - * @param principalAttribute Principal Attribute + * @param principalAttribute The principal attribute. * * @return builder * @@ -1138,7 +1118,7 @@ public Builder principalAttribute(String principalAttribute) { } /** - * @param principalType Principal Type + * @param principalType The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. * * @return builder * 
@@ -1149,7 +1129,7 @@ public Builder principalType(@Nullable Output principalType) { } /** - * @param principalType Principal Type + * @param principalType The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. * * @return builder * @@ -1159,7 +1139,7 @@ public Builder principalType(String principalType) { } /** - * @param providerId provider id, is always saml, unless you have a custom implementation + * @param providerId The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. * * @return builder * @@ -1170,7 +1150,7 @@ public Builder providerId(@Nullable Output providerId) { } /** - * @param providerId provider id, is always saml, unless you have a custom implementation + * @param providerId The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. * * @return builder * @@ -1180,7 +1160,7 @@ public Builder providerId(String providerId) { } /** - * @param realm Realm Name + * @param realm The name of the realm. This is unique across Keycloak. * * @return builder * @@ -1191,7 +1171,7 @@ public Builder realm(Output realm) { } /** - * @param realm Realm Name + * @param realm The name of the realm. This is unique across Keycloak. * * @return builder * @@ -1201,7 +1181,7 @@ public Builder realm(String realm) { } /** - * @param signatureAlgorithm Signing Algorithm. + * @param signatureAlgorithm Signing Algorithm. Defaults to empty. * * @return builder * @@ -1212,7 +1192,7 @@ public Builder signatureAlgorithm(@Nullable Output signatureAlgorithm) { } /** - * @param signatureAlgorithm Signing Algorithm. + * @param signatureAlgorithm Signing Algorithm. Defaults to empty. * * @return builder * 
@@ -1243,7 +1223,7 @@ public Builder signingCertificate(String signingCertificate) { } /** - * @param singleLogoutServiceUrl Logout URL. + * @param singleLogoutServiceUrl The Url that must be used to send logout requests. * * @return builder * @@ -1254,7 +1234,7 @@ public Builder singleLogoutServiceUrl(@Nullable Output singleLogoutServi } /** - * @param singleLogoutServiceUrl Logout URL. + * @param singleLogoutServiceUrl The Url that must be used to send logout requests. * * @return builder * @@ -1264,7 +1244,7 @@ public Builder singleLogoutServiceUrl(String singleLogoutServiceUrl) { } /** - * @param singleSignOnServiceUrl SSO Logout URL. + * @param singleSignOnServiceUrl The Url that must be used to send authentication requests (SAML AuthnRequest). * * @return builder * @@ -1275,7 +1255,7 @@ public Builder singleSignOnServiceUrl(Output singleSignOnServiceUrl) { } /** - * @param singleSignOnServiceUrl SSO Logout URL. + * @param singleSignOnServiceUrl The Url that must be used to send authentication requests (SAML AuthnRequest). * * @return builder * @@ -1285,7 +1265,7 @@ public Builder singleSignOnServiceUrl(String singleSignOnServiceUrl) { } /** - * @param storeToken Enable/disable if tokens must be stored after authenticating users. + * @param storeToken When `true`, tokens will be stored after authenticating users. Defaults to `true`. * * @return builder * @@ -1296,7 +1276,7 @@ public Builder storeToken(@Nullable Output storeToken) { } /** - * @param storeToken Enable/disable if tokens must be stored after authenticating users. + * @param storeToken When `true`, tokens will be stored after authenticating users. Defaults to `true`. * * @return builder * @@ -1306,7 +1286,7 @@ public Builder storeToken(Boolean storeToken) { } /** - * @param syncMode Sync Mode + * @param syncMode The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. * * @return builder * 
@@ -1317,7 +1297,7 @@ public Builder syncMode(@Nullable Output syncMode) { } /** - * @param syncMode Sync Mode + * @param syncMode The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. * * @return builder * @@ -1327,7 +1307,7 @@ public Builder syncMode(String syncMode) { } /** - * @param trustEmail If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * @param trustEmail When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. * * @return builder * @@ -1338,7 +1318,7 @@ public Builder trustEmail(@Nullable Output trustEmail) { } /** - * @param trustEmail If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * @param trustEmail When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. * * @return builder * @@ -1369,7 +1349,7 @@ public Builder validateSignature(Boolean validateSignature) { } /** - * @param wantAssertionsEncrypted Want Assertions Encrypted. + * @param wantAssertionsEncrypted Indicates whether this service provider expects an encrypted Assertion. * * @return builder * @@ -1380,7 +1360,7 @@ public Builder wantAssertionsEncrypted(@Nullable Output wantAssertionsE } /** - * @param wantAssertionsEncrypted Want Assertions Encrypted. + * @param wantAssertionsEncrypted Indicates whether this service provider expects an encrypted Assertion. * * @return builder * @@ -1390,7 +1370,7 @@ public Builder wantAssertionsEncrypted(Boolean wantAssertionsEncrypted) { } /** - * @param wantAssertionsSigned Want Assertions Signed. + * @param wantAssertionsSigned Indicates whether this service provider expects a signed Assertion. * * @return builder * 
@@ -1401,7 +1381,7 @@ public Builder wantAssertionsSigned(@Nullable Output wantAssertionsSign } /** - * @param wantAssertionsSigned Want Assertions Signed. + * @param wantAssertionsSigned Indicates whether this service provider expects a signed Assertion. * * @return builder * @@ -1411,7 +1391,7 @@ public Builder wantAssertionsSigned(Boolean wantAssertionsSigned) { } /** - * @param xmlSignKeyInfoKeyNameTransformer Sign Key Transformer. + * @param xmlSignKeyInfoKeyNameTransformer The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. * * @return builder * @@ -1422,7 +1402,7 @@ public Builder xmlSignKeyInfoKeyNameTransformer(@Nullable Output xmlSign } /** - * @param xmlSignKeyInfoKeyNameTransformer Sign Key Transformer. + * @param xmlSignKeyInfoKeyNameTransformer The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserAttributeProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserAttributeProtocolMapper.java index 4d132207..d5be9d56 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserAttributeProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserAttributeProtocolMapper.java 
@@ -15,17 +15,15 @@ import javax.annotation.Nullable; /** - * ## # keycloak.saml.UserAttributeProtocolMapper + * Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak. * - * Allows for creating and managing user attribute protocol mappers for - * SAML clients within Keycloak. + * SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute + * in a SAML assertion. * - * SAML user attribute protocol mappers allow you to map custom attributes defined - * for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers - * can be defined for a single client, or they can be defined for a client scope which - * can be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -60,13 +58,13 @@
  *             .build());
  * 
  *         var samlClient = new Client("samlClient", ClientArgs.builder()
- *             .realmId(test.id())
- *             .clientId("test-saml-client")
- *             .name("test-saml-client")
+ *             .realmId(realm.id())
+ *             .clientId("saml-client")
+ *             .name("saml-client")
  *             .build());
  * 
  *         var samlUserAttributeMapper = new UserAttributeProtocolMapper("samlUserAttributeMapper", UserAttributeProtocolMapperArgs.builder()
- *             .realmId(test.id())
+ *             .realmId(realm.id())
  *             .clientId(samlClient.id())
  *             .name("displayname-user-attribute-mapper")
  *             .userAttribute("displayName")
@@ -80,75 +78,138 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `user_attribute` - (Required) The custom user attribute to map. - * - `friendly_name` - (Optional) An optional human-friendly name for this attribute. - * - `saml_attribute_name` - (Required) The name of the SAML attribute. - * - `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. - * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper") public class UserAttributeProtocolMapper extends com.pulumi.resources.CustomResource { + /** + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. 
One of `client_id` or `client_scope_id` must be specified. + * + */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; + /** + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Output> clientId() { return Codegen.optional(this.clientId); } + /** + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; + /** + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } + /** + * An optional human-friendly name for this attribute. + * + */ @Export(name="friendlyName", refs={String.class}, tree="[0]") private Output friendlyName; + /** + * @return An optional human-friendly name for this attribute. + * + */ public Output> friendlyName() { return Codegen.optional(this.friendlyName); } + /** + * The display name of this protocol mapper in the GUI. + * + */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; + /** + * @return The display name of this protocol mapper in the GUI. + * + */ public Output name() { return this.name; } + /** + * The realm this protocol mapper exists within. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this protocol mapper exists within. + * + */ public Output realmId() { return this.realmId; } + /** + * The name of the SAML attribute. + * + */ @Export(name="samlAttributeName", refs={String.class}, tree="[0]") private Output samlAttributeName; + /** + * @return The name of the SAML attribute. 
+ * + */ public Output samlAttributeName() { return this.samlAttributeName; } + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ @Export(name="samlAttributeNameFormat", refs={String.class}, tree="[0]") private Output samlAttributeNameFormat; + /** + * @return The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ public Output samlAttributeNameFormat() { return this.samlAttributeNameFormat; } + /** + * The custom user attribute to map. + * + */ @Export(name="userAttribute", refs={String.class}, tree="[0]") private Output userAttribute; + /** + * @return The custom user attribute to map. + * + */ public Output userAttribute() { return this.userAttribute; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserAttributeProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserAttributeProtocolMapperArgs.java index d5ce3967..3b2c1f9e 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserAttributeProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserAttributeProtocolMapperArgs.java 
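Review bot: The Import section of the class Javadoc introduces a bare `bash` line between `* Example:` and the first `* ```sh` fence (`+ * bash`), so the rendered Javadoc for UserAttributeProtocolMapper shows a stray word "bash" above the command; the same artifact appears in the corresponding hunk of UserPropertyProtocolMapper.java below. It reads as a fenced-block language tag from the upstream docs that the docs converter emitted as text instead of consuming, so since this file is codegen output the fix presumably belongs in the provider's documentation source or the conversion step rather than a hand edit here. The intended result is `* Example:`, a blank `*` line, then the `* ```sh` fences with no `bash` line in between.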
@@ -16,58 +16,122 @@ public final class UserAttributeProtocolMapperArgs extends com.pulumi.resources. public static final UserAttributeProtocolMapperArgs Empty = new UserAttributeProtocolMapperArgs(); + /** + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; + /** + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Optional> clientScopeId() { return Optional.ofNullable(this.clientScopeId); } + /** + * An optional human-friendly name for this attribute. + * + */ @Import(name="friendlyName") private @Nullable Output friendlyName; + /** + * @return An optional human-friendly name for this attribute. + * + */ public Optional> friendlyName() { return Optional.ofNullable(this.friendlyName); } + /** + * The display name of this protocol mapper in the GUI. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this protocol mapper in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The realm this protocol mapper exists within. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this protocol mapper exists within. 
+ * + */ public Output realmId() { return this.realmId; } + /** + * The name of the SAML attribute. + * + */ @Import(name="samlAttributeName", required=true) private Output samlAttributeName; + /** + * @return The name of the SAML attribute. + * + */ public Output samlAttributeName() { return this.samlAttributeName; } + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ @Import(name="samlAttributeNameFormat", required=true) private Output samlAttributeNameFormat; + /** + * @return The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ public Output samlAttributeNameFormat() { return this.samlAttributeNameFormat; } + /** + * The custom user attribute to map. + * + */ @Import(name="userAttribute", required=true) private Output userAttribute; + /** + * @return The custom user attribute to map. + * + */ public Output userAttribute() { return this.userAttribute; } 
@@ -103,74 +167,170 @@ public Builder(UserAttributeProtocolMapperArgs defaults) { $ = new UserAttributeProtocolMapperArgs(Objects.requireNonNull(defaults)); } + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientScopeId(@Nullable Output clientScopeId) { $.clientScopeId = clientScopeId; return this; } + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientScopeId(String clientScopeId) { return clientScopeId(Output.of(clientScopeId)); } + /** + * @param friendlyName An optional human-friendly name for this attribute. + * + * @return builder + * + */ public Builder friendlyName(@Nullable Output friendlyName) { $.friendlyName = friendlyName; return this; } + /** + * @param friendlyName An optional human-friendly name for this attribute. + * + * @return builder + * + */ public Builder friendlyName(String friendlyName) { return friendlyName(Output.of(friendlyName)); } + /** + * @param name The display name of this protocol mapper in the GUI. 
+ * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this protocol mapper in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param samlAttributeName The name of the SAML attribute. + * + * @return builder + * + */ public Builder samlAttributeName(Output samlAttributeName) { $.samlAttributeName = samlAttributeName; return this; } + /** + * @param samlAttributeName The name of the SAML attribute. + * + * @return builder + * + */ public Builder samlAttributeName(String samlAttributeName) { return samlAttributeName(Output.of(samlAttributeName)); } + /** + * @param samlAttributeNameFormat The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + * @return builder + * + */ public Builder samlAttributeNameFormat(Output samlAttributeNameFormat) { $.samlAttributeNameFormat = samlAttributeNameFormat; return this; } + /** + * @param samlAttributeNameFormat The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + * @return builder + * + */ public Builder samlAttributeNameFormat(String samlAttributeNameFormat) { return samlAttributeNameFormat(Output.of(samlAttributeNameFormat)); } + /** + * @param userAttribute The custom user attribute to map. + * + * @return builder + * + */ public Builder userAttribute(Output userAttribute) { $.userAttribute = userAttribute; return this; } + /** + * @param userAttribute The custom user attribute to map. 
+ * + * @return builder + * + */ public Builder userAttribute(String userAttribute) { return userAttribute(Output.of(userAttribute)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserPropertyProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserPropertyProtocolMapper.java index 7e908f1f..eed4f913 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserPropertyProtocolMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserPropertyProtocolMapper.java @@ -15,17 +15,15 @@ import javax.annotation.Nullable; /** - * ## # keycloak.saml.UserPropertyProtocolMapper - * - * Allows for creating and managing user property protocol mappers for - * SAML clients within Keycloak. + * Allows for creating and managing user property protocol mappers for SAML clients within Keycloak. * * SAML user property protocol mappers allow you to map properties of the Keycloak - * user model to an attribute in a SAML assertion. Protocol mappers - * can be defined for a single client, or they can be defined for a client scope which - * can be shared between multiple different clients. + * user model to an attribute in a SAML assertion. + * + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage * * <!--Start PulumiCodeChooser --> *
@@ -60,13 +58,13 @@
  *             .build());
  * 
  *         var samlClient = new Client("samlClient", ClientArgs.builder()
- *             .realmId(test.id())
- *             .clientId("test-saml-client")
- *             .name("test-saml-client")
+ *             .realmId(realm.id())
+ *             .clientId("saml-client")
+ *             .name("saml-client")
  *             .build());
  * 
  *         var samlUserPropertyMapper = new UserPropertyProtocolMapper("samlUserPropertyMapper", UserPropertyProtocolMapperArgs.builder()
- *             .realmId(test.id())
+ *             .realmId(realm.id())
  *             .clientId(samlClient.id())
  *             .name("email-user-property-mapper")
  *             .userProperty("email")
@@ -80,75 +78,138 @@
  * 
* <!--End PulumiCodeChooser --> * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm_id` - (Required) The realm this protocol mapper exists within. - * - `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. - * - `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `user_property` - (Required) The property of the Keycloak user model to map. - * - `friendly_name` - (Optional) An optional human-friendly name for this attribute. - * - `saml_attribute_name` - (Required) The name of the SAML attribute. - * - `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. - * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: * + * bash + * + * ```sh + * $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * */ @ResourceType(type="keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper") public class UserPropertyProtocolMapper extends com.pulumi.resources.CustomResource { + /** + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. 
One of `client_id` or `client_scope_id` must be specified. + * + */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; + /** + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Output> clientId() { return Codegen.optional(this.clientId); } + /** + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; + /** + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } + /** + * An optional human-friendly name for this attribute. + * + */ @Export(name="friendlyName", refs={String.class}, tree="[0]") private Output friendlyName; + /** + * @return An optional human-friendly name for this attribute. + * + */ public Output> friendlyName() { return Codegen.optional(this.friendlyName); } + /** + * The display name of this protocol mapper in the GUI. + * + */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; + /** + * @return The display name of this protocol mapper in the GUI. + * + */ public Output name() { return this.name; } + /** + * The realm this protocol mapper exists within. + * + */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; + /** + * @return The realm this protocol mapper exists within. + * + */ public Output realmId() { return this.realmId; } + /** + * The name of the SAML attribute. + * + */ @Export(name="samlAttributeName", refs={String.class}, tree="[0]") private Output samlAttributeName; + /** + * @return The name of the SAML attribute. 
+ * + */ public Output samlAttributeName() { return this.samlAttributeName; } + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ @Export(name="samlAttributeNameFormat", refs={String.class}, tree="[0]") private Output samlAttributeNameFormat; + /** + * @return The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ public Output samlAttributeNameFormat() { return this.samlAttributeNameFormat; } + /** + * The property of the Keycloak user model to map. + * + */ @Export(name="userProperty", refs={String.class}, tree="[0]") private Output userProperty; + /** + * @return The property of the Keycloak user model to map. + * + */ public Output userProperty() { return this.userProperty; } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserPropertyProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserPropertyProtocolMapperArgs.java index 297c3629..69aff091 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserPropertyProtocolMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/UserPropertyProtocolMapperArgs.java 
@@ -16,58 +16,122 @@ public final class UserPropertyProtocolMapperArgs extends com.pulumi.resources.R public static final UserPropertyProtocolMapperArgs Empty = new UserPropertyProtocolMapperArgs(); + /** + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; + /** + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Optional> clientScopeId() { return Optional.ofNullable(this.clientScopeId); } + /** + * An optional human-friendly name for this attribute. + * + */ @Import(name="friendlyName") private @Nullable Output friendlyName; + /** + * @return An optional human-friendly name for this attribute. + * + */ public Optional> friendlyName() { return Optional.ofNullable(this.friendlyName); } + /** + * The display name of this protocol mapper in the GUI. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this protocol mapper in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The realm this protocol mapper exists within. + * + */ @Import(name="realmId", required=true) private Output realmId; + /** + * @return The realm this protocol mapper exists within. 
+ * + */ public Output realmId() { return this.realmId; } + /** + * The name of the SAML attribute. + * + */ @Import(name="samlAttributeName", required=true) private Output samlAttributeName; + /** + * @return The name of the SAML attribute. + * + */ public Output samlAttributeName() { return this.samlAttributeName; } + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ @Import(name="samlAttributeNameFormat", required=true) private Output samlAttributeNameFormat; + /** + * @return The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ public Output samlAttributeNameFormat() { return this.samlAttributeNameFormat; } + /** + * The property of the Keycloak user model to map. + * + */ @Import(name="userProperty", required=true) private Output userProperty; + /** + * @return The property of the Keycloak user model to map. + * + */ public Output userProperty() { return this.userProperty; } 
@@ -103,74 +167,170 @@ public Builder(UserPropertyProtocolMapperArgs defaults) { $ = new UserPropertyProtocolMapperArgs(Objects.requireNonNull(defaults)); } + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientScopeId(@Nullable Output clientScopeId) { $.clientScopeId = clientScopeId; return this; } + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientScopeId(String clientScopeId) { return clientScopeId(Output.of(clientScopeId)); } + /** + * @param friendlyName An optional human-friendly name for this attribute. + * + * @return builder + * + */ public Builder friendlyName(@Nullable Output friendlyName) { $.friendlyName = friendlyName; return this; } + /** + * @param friendlyName An optional human-friendly name for this attribute. + * + * @return builder + * + */ public Builder friendlyName(String friendlyName) { return friendlyName(Output.of(friendlyName)); } + /** + * @param name The display name of this protocol mapper in the GUI. 
+ * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this protocol mapper in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ public Builder realmId(Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param samlAttributeName The name of the SAML attribute. + * + * @return builder + * + */ public Builder samlAttributeName(Output samlAttributeName) { $.samlAttributeName = samlAttributeName; return this; } + /** + * @param samlAttributeName The name of the SAML attribute. + * + * @return builder + * + */ public Builder samlAttributeName(String samlAttributeName) { return samlAttributeName(Output.of(samlAttributeName)); } + /** + * @param samlAttributeNameFormat The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + * @return builder + * + */ public Builder samlAttributeNameFormat(Output samlAttributeNameFormat) { $.samlAttributeNameFormat = samlAttributeNameFormat; return this; } + /** + * @param samlAttributeNameFormat The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + * @return builder + * + */ public Builder samlAttributeNameFormat(String samlAttributeNameFormat) { return samlAttributeNameFormat(Output.of(samlAttributeNameFormat)); } + /** + * @param userProperty The property of the Keycloak user model to map. + * + * @return builder + * + */ public Builder userProperty(Output userProperty) { $.userProperty = userProperty; return this; } + /** + * @param userProperty The property of the Keycloak user model to map. 
+ * + * @return builder + * + */ public Builder userProperty(String userProperty) { return userProperty(Output.of(userProperty)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/ClientAuthenticationFlowBindingOverridesArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/ClientAuthenticationFlowBindingOverridesArgs.java index ccad41ca..9420ecba 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/ClientAuthenticationFlowBindingOverridesArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/ClientAuthenticationFlowBindingOverridesArgs.java @@ -15,16 +15,32 @@ public final class ClientAuthenticationFlowBindingOverridesArgs extends com.pulu public static final ClientAuthenticationFlowBindingOverridesArgs Empty = new ClientAuthenticationFlowBindingOverridesArgs(); + /** + * Browser flow id, (flow needs to exist) + * + */ @Import(name="browserId") private @Nullable Output browserId; + /** + * @return Browser flow id, (flow needs to exist) + * + */ public Optional> browserId() { return Optional.ofNullable(this.browserId); } + /** + * Direct grant flow id (flow needs to exist) + * + */ @Import(name="directGrantId") private @Nullable Output directGrantId; + /** + * @return Direct grant flow id (flow needs to exist) + * + */ public Optional> directGrantId() { return Optional.ofNullable(this.directGrantId); } 
@@ -54,20 +70,44 @@ public Builder(ClientAuthenticationFlowBindingOverridesArgs defaults) { $ = new ClientAuthenticationFlowBindingOverridesArgs(Objects.requireNonNull(defaults)); } + /** + * @param browserId Browser flow id, (flow needs to exist) + * + * @return builder + * + */ public Builder browserId(@Nullable Output browserId) { $.browserId = browserId; return this; } + /** + * @param browserId Browser flow id, (flow needs to exist) + * + * @return builder + * + */ public Builder browserId(String browserId) { return browserId(Output.of(browserId)); } + /** + * @param directGrantId Direct grant flow id (flow needs to exist) + * + * @return builder + * + */ public Builder directGrantId(@Nullable Output directGrantId) { $.directGrantId = directGrantId; return this; } + /** + * @param directGrantId Direct grant flow id (flow needs to exist) + * + * @return builder + * + */ public Builder directGrantId(String directGrantId) { return directGrantId(Output.of(directGrantId)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/ClientState.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/ClientState.java index 89baa255..04ca5c6a 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/ClientState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/ClientState.java 
@@ -19,86 +19,182 @@ public final class ClientState extends com.pulumi.resources.ResourceArgs { public static final ClientState Empty = new ClientState(); + /** + * SAML POST Binding URL for the client's assertion consumer service (login responses). + * + */ @Import(name="assertionConsumerPostUrl") private @Nullable Output assertionConsumerPostUrl; + /** + * @return SAML POST Binding URL for the client's assertion consumer service (login responses). + * + */ public Optional> assertionConsumerPostUrl() { return Optional.ofNullable(this.assertionConsumerPostUrl); } + /** + * SAML Redirect Binding URL for the client's assertion consumer service (login responses). + * + */ @Import(name="assertionConsumerRedirectUrl") private @Nullable Output assertionConsumerRedirectUrl; + /** + * @return SAML Redirect Binding URL for the client's assertion consumer service (login responses). + * + */ public Optional> assertionConsumerRedirectUrl() { return Optional.ofNullable(this.assertionConsumerRedirectUrl); } + /** + * Override realm authentication flow bindings + * + */ @Import(name="authenticationFlowBindingOverrides") private @Nullable Output authenticationFlowBindingOverrides; + /** + * @return Override realm authentication flow bindings + * + */ public Optional> authenticationFlowBindingOverrides() { return Optional.ofNullable(this.authenticationFlowBindingOverrides); } + /** + * When specified, this URL will be used whenever Keycloak needs to link to this client. + * + */ @Import(name="baseUrl") private @Nullable Output baseUrl; + /** + * @return When specified, this URL will be used whenever Keycloak needs to link to this client. + * + */ public Optional> baseUrl() { return Optional.ofNullable(this.baseUrl); } + /** + * The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". 
+ * + */ @Import(name="canonicalizationMethod") private @Nullable Output canonicalizationMethod; + /** + * @return The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + * + */ public Optional> canonicalizationMethod() { return Optional.ofNullable(this.canonicalizationMethod); } + /** + * The unique ID of this client, referenced in the URI during authentication and in issued tokens. + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return The unique ID of this client, referenced in the URI during authentication and in issued tokens. + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + */ @Import(name="clientSignatureRequired") private @Nullable Output clientSignatureRequired; + /** + * @return When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + */ public Optional> clientSignatureRequired() { return Optional.ofNullable(this.clientSignatureRequired); } + /** + * The description of this client in the GUI. + * + */ @Import(name="description") private @Nullable Output description; + /** + * @return The description of this client in the GUI. + * + */ public Optional> description() { return Optional.ofNullable(this.description); } + /** + * When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + */ @Import(name="enabled") private @Nullable Output enabled; + /** + * @return When false, this client will not be able to initiate a login or obtain access tokens. 
Defaults to `true`. + * + */ public Optional> enabled() { return Optional.ofNullable(this.enabled); } + /** + * When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + * + */ @Import(name="encryptAssertions") private @Nullable Output encryptAssertions; + /** + * @return When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + * + */ public Optional> encryptAssertions() { return Optional.ofNullable(this.encryptAssertions); } + /** + * If assertions for the client are encrypted, this certificate will be used for encryption. + * + */ @Import(name="encryptionCertificate") private @Nullable Output encryptionCertificate; + /** + * @return If assertions for the client are encrypted, this certificate will be used for encryption. + * + */ public Optional> encryptionCertificate() { return Optional.ofNullable(this.encryptionCertificate); } + /** + * (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + * + */ @Import(name="encryptionCertificateSha1") private @Nullable Output encryptionCertificateSha1; + /** + * @return (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + * + */ public Optional> encryptionCertificateSha1() { return Optional.ofNullable(this.encryptionCertificateSha1); } 
@@ -110,170 +206,362 @@ public Optional>> extraConfig() { return Optional.ofNullable(this.extraConfig); } + /** + * Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + */ @Import(name="forceNameIdFormat") private @Nullable Output forceNameIdFormat; + /** + * @return Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + */ public Optional> forceNameIdFormat() { return Optional.ofNullable(this.forceNameIdFormat); } + /** + * When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + */ @Import(name="forcePostBinding") private @Nullable Output forcePostBinding; + /** + * @return When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + */ public Optional> forcePostBinding() { return Optional.ofNullable(this.forcePostBinding); } + /** + * When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + * + */ @Import(name="frontChannelLogout") private @Nullable Output frontChannelLogout; + /** + * @return When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + * + */ public Optional> frontChannelLogout() { return Optional.ofNullable(this.frontChannelLogout); } + /** + * Allow to include all roles mappings in the access token + * + */ @Import(name="fullScopeAllowed") private @Nullable Output fullScopeAllowed; + /** + * @return Allow to include all roles mappings in the access token + * + */ public Optional> fullScopeAllowed() { return Optional.ofNullable(this.fullScopeAllowed); } + /** + * Relay state you want to send with SAML request when you want to do IDP Initiated SSO. 
+ * + */ @Import(name="idpInitiatedSsoRelayState") private @Nullable Output idpInitiatedSsoRelayState; + /** + * @return Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + * + */ public Optional> idpInitiatedSsoRelayState() { return Optional.ofNullable(this.idpInitiatedSsoRelayState); } + /** + * URL fragment name to reference client when you want to do IDP Initiated SSO. + * + */ @Import(name="idpInitiatedSsoUrlName") private @Nullable Output idpInitiatedSsoUrlName; + /** + * @return URL fragment name to reference client when you want to do IDP Initiated SSO. + * + */ public Optional> idpInitiatedSsoUrlName() { return Optional.ofNullable(this.idpInitiatedSsoUrlName); } + /** + * When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + * + */ @Import(name="includeAuthnStatement") private @Nullable Output includeAuthnStatement; + /** + * @return When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + * + */ public Optional> includeAuthnStatement() { return Optional.ofNullable(this.includeAuthnStatement); } + /** + * The login theme of this client. + * + */ @Import(name="loginTheme") private @Nullable Output loginTheme; + /** + * @return The login theme of this client. + * + */ public Optional> loginTheme() { return Optional.ofNullable(this.loginTheme); } + /** + * SAML POST Binding URL for the client's single logout service. + * + */ @Import(name="logoutServicePostBindingUrl") private @Nullable Output logoutServicePostBindingUrl; + /** + * @return SAML POST Binding URL for the client's single logout service. + * + */ public Optional> logoutServicePostBindingUrl() { return Optional.ofNullable(this.logoutServicePostBindingUrl); } + /** + * SAML Redirect Binding URL for the client's single logout service. 
+ * + */ @Import(name="logoutServiceRedirectBindingUrl") private @Nullable Output logoutServiceRedirectBindingUrl; + /** + * @return SAML Redirect Binding URL for the client's single logout service. + * + */ public Optional> logoutServiceRedirectBindingUrl() { return Optional.ofNullable(this.logoutServiceRedirectBindingUrl); } + /** + * When specified, this URL will be used for all SAML requests. + * + */ @Import(name="masterSamlProcessingUrl") private @Nullable Output masterSamlProcessingUrl; + /** + * @return When specified, this URL will be used for all SAML requests. + * + */ public Optional> masterSamlProcessingUrl() { return Optional.ofNullable(this.masterSamlProcessingUrl); } + /** + * The display name of this client in the GUI. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this client in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * Sets the Name ID format for the subject. + * + */ @Import(name="nameIdFormat") private @Nullable Output nameIdFormat; + /** + * @return Sets the Name ID format for the subject. + * + */ public Optional> nameIdFormat() { return Optional.ofNullable(this.nameIdFormat); } + /** + * The realm this client is attached to. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this client is attached to. + * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * When specified, this value is prepended to all relative URLs. + * + */ @Import(name="rootUrl") private @Nullable Output rootUrl; + /** + * @return When specified, this value is prepended to all relative URLs. + * + */ public Optional> rootUrl() { return Optional.ofNullable(this.rootUrl); } + /** + * When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. 
+ * + */ @Import(name="signAssertions") private @Nullable Output signAssertions; + /** + * @return When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + * + */ public Optional> signAssertions() { return Optional.ofNullable(this.signAssertions); } + /** + * When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + */ @Import(name="signDocuments") private @Nullable Output signDocuments; + /** + * @return When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + */ public Optional> signDocuments() { return Optional.ofNullable(this.signDocuments); } + /** + * The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + */ @Import(name="signatureAlgorithm") private @Nullable Output signatureAlgorithm; + /** + * @return The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + */ public Optional> signatureAlgorithm() { return Optional.ofNullable(this.signatureAlgorithm); } + /** + * The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + * + */ @Import(name="signatureKeyName") private @Nullable Output signatureKeyName; + /** + * @return The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + * + */ public Optional> signatureKeyName() { return Optional.ofNullable(this.signatureKeyName); } + /** + * If documents or assertions from the client are signed, this certificate will be used to verify the signature. 
+ * + */ @Import(name="signingCertificate") private @Nullable Output signingCertificate; + /** + * @return If documents or assertions from the client are signed, this certificate will be used to verify the signature. + * + */ public Optional> signingCertificate() { return Optional.ofNullable(this.signingCertificate); } + /** + * (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + * + */ @Import(name="signingCertificateSha1") private @Nullable Output signingCertificateSha1; + /** + * @return (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + * + */ public Optional> signingCertificateSha1() { return Optional.ofNullable(this.signingCertificateSha1); } + /** + * If documents or assertions from the client are signed, this private key will be used to verify the signature. + * + */ @Import(name="signingPrivateKey") private @Nullable Output signingPrivateKey; + /** + * @return If documents or assertions from the client are signed, this private key will be used to verify the signature. + * + */ public Optional> signingPrivateKey() { return Optional.ofNullable(this.signingPrivateKey); } + /** + * (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + * + */ @Import(name="signingPrivateKeySha1") private @Nullable Output signingPrivateKeySha1; + /** + * @return (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + * + */ public Optional> signingPrivateKeySha1() { return Optional.ofNullable(this.signingPrivateKeySha1); } + /** + * When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. 
+ * + */ @Import(name="validRedirectUris") private @Nullable Output> validRedirectUris; + /** + * @return When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + */ public Optional>> validRedirectUris() { return Optional.ofNullable(this.validRedirectUris); } 
@@ -338,110 +626,254 @@ public Builder(ClientState defaults) { $ = new ClientState(Objects.requireNonNull(defaults)); } + /** + * @param assertionConsumerPostUrl SAML POST Binding URL for the client's assertion consumer service (login responses). + * + * @return builder + * + */ public Builder assertionConsumerPostUrl(@Nullable Output assertionConsumerPostUrl) { $.assertionConsumerPostUrl = assertionConsumerPostUrl; return this; } + /** + * @param assertionConsumerPostUrl SAML POST Binding URL for the client's assertion consumer service (login responses). + * + * @return builder + * + */ public Builder assertionConsumerPostUrl(String assertionConsumerPostUrl) { return assertionConsumerPostUrl(Output.of(assertionConsumerPostUrl)); } + /** + * @param assertionConsumerRedirectUrl SAML Redirect Binding URL for the client's assertion consumer service (login responses). + * + * @return builder + * + */ public Builder assertionConsumerRedirectUrl(@Nullable Output assertionConsumerRedirectUrl) { $.assertionConsumerRedirectUrl = assertionConsumerRedirectUrl; return this; } + /** + * @param assertionConsumerRedirectUrl SAML Redirect Binding URL for the client's assertion consumer service (login responses). 
+ * + * @return builder + * + */ public Builder assertionConsumerRedirectUrl(String assertionConsumerRedirectUrl) { return assertionConsumerRedirectUrl(Output.of(assertionConsumerRedirectUrl)); } + /** + * @param authenticationFlowBindingOverrides Override realm authentication flow bindings + * + * @return builder + * + */ public Builder authenticationFlowBindingOverrides(@Nullable Output authenticationFlowBindingOverrides) { $.authenticationFlowBindingOverrides = authenticationFlowBindingOverrides; return this; } + /** + * @param authenticationFlowBindingOverrides Override realm authentication flow bindings + * + * @return builder + * + */ public Builder authenticationFlowBindingOverrides(ClientAuthenticationFlowBindingOverridesArgs authenticationFlowBindingOverrides) { return authenticationFlowBindingOverrides(Output.of(authenticationFlowBindingOverrides)); } + /** + * @param baseUrl When specified, this URL will be used whenever Keycloak needs to link to this client. + * + * @return builder + * + */ public Builder baseUrl(@Nullable Output baseUrl) { $.baseUrl = baseUrl; return this; } + /** + * @param baseUrl When specified, this URL will be used whenever Keycloak needs to link to this client. + * + * @return builder + * + */ public Builder baseUrl(String baseUrl) { return baseUrl(Output.of(baseUrl)); } + /** + * @param canonicalizationMethod The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + * + * @return builder + * + */ public Builder canonicalizationMethod(@Nullable Output canonicalizationMethod) { $.canonicalizationMethod = canonicalizationMethod; return this; } + /** + * @param canonicalizationMethod The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". 
+ * + * @return builder + * + */ public Builder canonicalizationMethod(String canonicalizationMethod) { return canonicalizationMethod(Output.of(canonicalizationMethod)); } + /** + * @param clientId The unique ID of this client, referenced in the URI during authentication and in issued tokens. + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The unique ID of this client, referenced in the URI during authentication and in issued tokens. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param clientSignatureRequired When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + * @return builder + * + */ public Builder clientSignatureRequired(@Nullable Output clientSignatureRequired) { $.clientSignatureRequired = clientSignatureRequired; return this; } + /** + * @param clientSignatureRequired When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + * + * @return builder + * + */ public Builder clientSignatureRequired(Boolean clientSignatureRequired) { return clientSignatureRequired(Output.of(clientSignatureRequired)); } + /** + * @param description The description of this client in the GUI. + * + * @return builder + * + */ public Builder description(@Nullable Output description) { $.description = description; return this; } + /** + * @param description The description of this client in the GUI. 
+ * + * @return builder + * + */ public Builder description(String description) { return description(Output.of(description)); } + /** + * @param enabled When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(@Nullable Output enabled) { $.enabled = enabled; return this; } + /** + * @param enabled When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + * + * @return builder + * + */ public Builder enabled(Boolean enabled) { return enabled(Output.of(enabled)); } + /** + * @param encryptAssertions When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + * + * @return builder + * + */ public Builder encryptAssertions(@Nullable Output encryptAssertions) { $.encryptAssertions = encryptAssertions; return this; } + /** + * @param encryptAssertions When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + * + * @return builder + * + */ public Builder encryptAssertions(Boolean encryptAssertions) { return encryptAssertions(Output.of(encryptAssertions)); } + /** + * @param encryptionCertificate If assertions for the client are encrypted, this certificate will be used for encryption. + * + * @return builder + * + */ public Builder encryptionCertificate(@Nullable Output encryptionCertificate) { $.encryptionCertificate = encryptionCertificate; return this; } + /** + * @param encryptionCertificate If assertions for the client are encrypted, this certificate will be used for encryption. + * + * @return builder + * + */ public Builder encryptionCertificate(String encryptionCertificate) { return encryptionCertificate(Output.of(encryptionCertificate)); } + /** + * @param encryptionCertificateSha1 (Computed) The sha1sum fingerprint of the encryption certificate. 
If the encryption certificate is not in correct base64 format, this will be left empty. + * + * @return builder + * + */ public Builder encryptionCertificateSha1(@Nullable Output encryptionCertificateSha1) { $.encryptionCertificateSha1 = encryptionCertificateSha1; return this; } + /** + * @param encryptionCertificateSha1 (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + * + * @return builder + * + */ public Builder encryptionCertificateSha1(String encryptionCertificateSha1) { return encryptionCertificateSha1(Output.of(encryptionCertificateSha1)); } 
@@ -455,222 +887,516 @@ public Builder extraConfig(Map extraConfig) { return extraConfig(Output.of(extraConfig)); } + /** + * @param forceNameIdFormat Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + * @return builder + * + */ public Builder forceNameIdFormat(@Nullable Output forceNameIdFormat) { $.forceNameIdFormat = forceNameIdFormat; return this; } + /** + * @param forceNameIdFormat Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + * + * @return builder + * + */ public Builder forceNameIdFormat(Boolean forceNameIdFormat) { return forceNameIdFormat(Output.of(forceNameIdFormat)); } + /** + * @param forcePostBinding When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + * @return builder + * + */ public Builder forcePostBinding(@Nullable Output forcePostBinding) { $.forcePostBinding = forcePostBinding; return this; } + /** + * @param forcePostBinding When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + * + * @return builder + * + */ public Builder forcePostBinding(Boolean forcePostBinding) { return forcePostBinding(Output.of(forcePostBinding)); } + /** + * @param frontChannelLogout When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + * + * @return builder + * + */ public Builder frontChannelLogout(@Nullable Output frontChannelLogout) { $.frontChannelLogout = frontChannelLogout; return this; } + /** + * @param frontChannelLogout When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder frontChannelLogout(Boolean frontChannelLogout) { return frontChannelLogout(Output.of(frontChannelLogout)); } + /** + * @param fullScopeAllowed Allow to include all roles mappings in the access token + * + * @return builder + * + */ public Builder fullScopeAllowed(@Nullable Output fullScopeAllowed) { $.fullScopeAllowed = fullScopeAllowed; return this; } + /** + * @param fullScopeAllowed Allow to include all roles mappings in the access token + * + * @return builder + * + */ public Builder fullScopeAllowed(Boolean fullScopeAllowed) { return fullScopeAllowed(Output.of(fullScopeAllowed)); } + /** + * @param idpInitiatedSsoRelayState Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + * + * @return builder + * + */ public Builder idpInitiatedSsoRelayState(@Nullable Output idpInitiatedSsoRelayState) { $.idpInitiatedSsoRelayState = idpInitiatedSsoRelayState; return this; } + /** + * @param idpInitiatedSsoRelayState Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + * + * @return builder + * + */ public Builder idpInitiatedSsoRelayState(String idpInitiatedSsoRelayState) { return idpInitiatedSsoRelayState(Output.of(idpInitiatedSsoRelayState)); } + /** + * @param idpInitiatedSsoUrlName URL fragment name to reference client when you want to do IDP Initiated SSO. + * + * @return builder + * + */ public Builder idpInitiatedSsoUrlName(@Nullable Output idpInitiatedSsoUrlName) { $.idpInitiatedSsoUrlName = idpInitiatedSsoUrlName; return this; } + /** + * @param idpInitiatedSsoUrlName URL fragment name to reference client when you want to do IDP Initiated SSO. + * + * @return builder + * + */ public Builder idpInitiatedSsoUrlName(String idpInitiatedSsoUrlName) { return idpInitiatedSsoUrlName(Output.of(idpInitiatedSsoUrlName)); } + /** + * @param includeAuthnStatement When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. 
+ * + * @return builder + * + */ public Builder includeAuthnStatement(@Nullable Output includeAuthnStatement) { $.includeAuthnStatement = includeAuthnStatement; return this; } + /** + * @param includeAuthnStatement When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + * + * @return builder + * + */ public Builder includeAuthnStatement(Boolean includeAuthnStatement) { return includeAuthnStatement(Output.of(includeAuthnStatement)); } + /** + * @param loginTheme The login theme of this client. + * + * @return builder + * + */ public Builder loginTheme(@Nullable Output loginTheme) { $.loginTheme = loginTheme; return this; } + /** + * @param loginTheme The login theme of this client. + * + * @return builder + * + */ public Builder loginTheme(String loginTheme) { return loginTheme(Output.of(loginTheme)); } + /** + * @param logoutServicePostBindingUrl SAML POST Binding URL for the client's single logout service. + * + * @return builder + * + */ public Builder logoutServicePostBindingUrl(@Nullable Output logoutServicePostBindingUrl) { $.logoutServicePostBindingUrl = logoutServicePostBindingUrl; return this; } + /** + * @param logoutServicePostBindingUrl SAML POST Binding URL for the client's single logout service. + * + * @return builder + * + */ public Builder logoutServicePostBindingUrl(String logoutServicePostBindingUrl) { return logoutServicePostBindingUrl(Output.of(logoutServicePostBindingUrl)); } + /** + * @param logoutServiceRedirectBindingUrl SAML Redirect Binding URL for the client's single logout service. + * + * @return builder + * + */ public Builder logoutServiceRedirectBindingUrl(@Nullable Output logoutServiceRedirectBindingUrl) { $.logoutServiceRedirectBindingUrl = logoutServiceRedirectBindingUrl; return this; } + /** + * @param logoutServiceRedirectBindingUrl SAML Redirect Binding URL for the client's single logout service. 
+ * + * @return builder + * + */ public Builder logoutServiceRedirectBindingUrl(String logoutServiceRedirectBindingUrl) { return logoutServiceRedirectBindingUrl(Output.of(logoutServiceRedirectBindingUrl)); } + /** + * @param masterSamlProcessingUrl When specified, this URL will be used for all SAML requests. + * + * @return builder + * + */ public Builder masterSamlProcessingUrl(@Nullable Output masterSamlProcessingUrl) { $.masterSamlProcessingUrl = masterSamlProcessingUrl; return this; } + /** + * @param masterSamlProcessingUrl When specified, this URL will be used for all SAML requests. + * + * @return builder + * + */ public Builder masterSamlProcessingUrl(String masterSamlProcessingUrl) { return masterSamlProcessingUrl(Output.of(masterSamlProcessingUrl)); } + /** + * @param name The display name of this client in the GUI. + * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this client in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param nameIdFormat Sets the Name ID format for the subject. + * + * @return builder + * + */ public Builder nameIdFormat(@Nullable Output nameIdFormat) { $.nameIdFormat = nameIdFormat; return this; } + /** + * @param nameIdFormat Sets the Name ID format for the subject. + * + * @return builder + * + */ public Builder nameIdFormat(String nameIdFormat) { return nameIdFormat(Output.of(nameIdFormat)); } + /** + * @param realmId The realm this client is attached to. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this client is attached to. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param rootUrl When specified, this value is prepended to all relative URLs. 
+ * + * @return builder + * + */ public Builder rootUrl(@Nullable Output rootUrl) { $.rootUrl = rootUrl; return this; } + /** + * @param rootUrl When specified, this value is prepended to all relative URLs. + * + * @return builder + * + */ public Builder rootUrl(String rootUrl) { return rootUrl(Output.of(rootUrl)); } + /** + * @param signAssertions When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + * + * @return builder + * + */ public Builder signAssertions(@Nullable Output signAssertions) { $.signAssertions = signAssertions; return this; } + /** + * @param signAssertions When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + * + * @return builder + * + */ public Builder signAssertions(Boolean signAssertions) { return signAssertions(Output.of(signAssertions)); } + /** + * @param signDocuments When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + * @return builder + * + */ public Builder signDocuments(@Nullable Output signDocuments) { $.signDocuments = signDocuments; return this; } + /** + * @param signDocuments When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + * + * @return builder + * + */ public Builder signDocuments(Boolean signDocuments) { return signDocuments(Output.of(signDocuments)); } + /** + * @param signatureAlgorithm The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + * @return builder + * + */ public Builder signatureAlgorithm(@Nullable Output signatureAlgorithm) { $.signatureAlgorithm = signatureAlgorithm; return this; } + /** + * @param signatureAlgorithm The signature algorithm used to sign documents. 
Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + * + * @return builder + * + */ public Builder signatureAlgorithm(String signatureAlgorithm) { return signatureAlgorithm(Output.of(signatureAlgorithm)); } + /** + * @param signatureKeyName The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + * + * @return builder + * + */ public Builder signatureKeyName(@Nullable Output signatureKeyName) { $.signatureKeyName = signatureKeyName; return this; } + /** + * @param signatureKeyName The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + * + * @return builder + * + */ public Builder signatureKeyName(String signatureKeyName) { return signatureKeyName(Output.of(signatureKeyName)); } + /** + * @param signingCertificate If documents or assertions from the client are signed, this certificate will be used to verify the signature. + * + * @return builder + * + */ public Builder signingCertificate(@Nullable Output signingCertificate) { $.signingCertificate = signingCertificate; return this; } + /** + * @param signingCertificate If documents or assertions from the client are signed, this certificate will be used to verify the signature. + * + * @return builder + * + */ public Builder signingCertificate(String signingCertificate) { return signingCertificate(Output.of(signingCertificate)); } + /** + * @param signingCertificateSha1 (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. 
+ * + * @return builder + * + */ public Builder signingCertificateSha1(@Nullable Output signingCertificateSha1) { $.signingCertificateSha1 = signingCertificateSha1; return this; } + /** + * @param signingCertificateSha1 (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + * + * @return builder + * + */ public Builder signingCertificateSha1(String signingCertificateSha1) { return signingCertificateSha1(Output.of(signingCertificateSha1)); } + /** + * @param signingPrivateKey If documents or assertions from the client are signed, this private key will be used to verify the signature. + * + * @return builder + * + */ public Builder signingPrivateKey(@Nullable Output signingPrivateKey) { $.signingPrivateKey = signingPrivateKey; return this; } + /** + * @param signingPrivateKey If documents or assertions from the client are signed, this private key will be used to verify the signature. + * + * @return builder + * + */ public Builder signingPrivateKey(String signingPrivateKey) { return signingPrivateKey(Output.of(signingPrivateKey)); } + /** + * @param signingPrivateKeySha1 (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + * + * @return builder + * + */ public Builder signingPrivateKeySha1(@Nullable Output signingPrivateKeySha1) { $.signingPrivateKeySha1 = signingPrivateKeySha1; return this; } + /** + * @param signingPrivateKeySha1 (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. 
+ * + * @return builder + * + */ public Builder signingPrivateKeySha1(String signingPrivateKeySha1) { return signingPrivateKeySha1(Output.of(signingPrivateKeySha1)); } + /** + * @param validRedirectUris When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + * @return builder + * + */ public Builder validRedirectUris(@Nullable Output> validRedirectUris) { $.validRedirectUris = validRedirectUris; return this; } + /** + * @param validRedirectUris When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + * @return builder + * + */ public Builder validRedirectUris(List validRedirectUris) { return validRedirectUris(Output.of(validRedirectUris)); } + /** + * @param validRedirectUris When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + * + * @return builder + * + */ public Builder validRedirectUris(String... validRedirectUris) { return validRedirectUris(List.of(validRedirectUris)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/IdentityProviderState.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/IdentityProviderState.java index 40236513..be77fe39 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/IdentityProviderState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/IdentityProviderState.java 
@@ -19,14 +19,14 @@ public final class IdentityProviderState extends com.pulumi.resources.ResourceAr public static final IdentityProviderState Empty = new IdentityProviderState(); /** - * Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + * When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. * */ @Import(name="addReadTokenRoleOnCreate") private @Nullable Output addReadTokenRoleOnCreate; /** - * @return Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + * @return When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. * */ public Optional> addReadTokenRoleOnCreate() { @@ -34,14 +34,14 @@ public Optional> addReadTokenRoleOnCreate() { } /** - * The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + * The unique name of identity provider. * */ @Import(name="alias") private @Nullable Output alias; /** - * @return The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + * @return The unique name of identity provider. * */ public Optional> alias() { @@ -49,14 +49,14 @@ public Optional> alias() { } /** - * Enable/disable authenticate users by default. + * Authenticate users by default. Defaults to `false`. * */ @Import(name="authenticateByDefault") private @Nullable Output authenticateByDefault; /** - * @return Enable/disable authenticate users by default. + * @return Authenticate users by default. Defaults to `false`. * */ public Optional> authenticateByDefault() { 
@@ -64,14 +64,14 @@ public Optional> authenticateByDefault() { } /** - * AuthnContext ClassRefs + * Ordered list of requested AuthnContext ClassRefs. * */ @Import(name="authnContextClassRefs") private @Nullable Output> authnContextClassRefs; /** - * @return AuthnContext ClassRefs + * @return Ordered list of requested AuthnContext ClassRefs. * */ public Optional>> authnContextClassRefs() { @@ -79,14 +79,14 @@ public Optional>> authnContextClassRefs() { } /** - * AuthnContext Comparison + * Specifies the comparison method used to evaluate the requested context classes or statements. * */ @Import(name="authnContextComparisonType") private @Nullable Output authnContextComparisonType; /** - * @return AuthnContext Comparison + * @return Specifies the comparison method used to evaluate the requested context classes or statements. * */ public Optional> authnContextComparisonType() { @@ -94,14 +94,14 @@ public Optional> authnContextComparisonType() { } /** - * AuthnContext DeclRefs + * Ordered list of requested AuthnContext DeclRefs. * */ @Import(name="authnContextDeclRefs") private @Nullable Output> authnContextDeclRefs; /** - * @return AuthnContext DeclRefs + * @return Ordered list of requested AuthnContext DeclRefs. * */ public Optional>> authnContextDeclRefs() { @@ -109,14 +109,14 @@ public Optional>> authnContextDeclRefs() { } /** - * Does the external IDP support backchannel logout? + * Does the external IDP support backchannel logout?. Defaults to `false`. * */ @Import(name="backchannelSupported") private @Nullable Output backchannelSupported; /** - * @return Does the external IDP support backchannel logout? + * @return Does the external IDP support backchannel logout?. Defaults to `false`. * */ public Optional> backchannelSupported() { 
@@ -124,14 +124,14 @@ public Optional> backchannelSupported() { } /** - * Friendly name for Identity Providers. + * The display name for the realm that is shown when logging in to the admin console. * */ @Import(name="displayName") private @Nullable Output displayName; /** - * @return Friendly name for Identity Providers. + * @return The display name for the realm that is shown when logging in to the admin console. * */ public Optional> displayName() { @@ -139,14 +139,14 @@ public Optional> displayName() { } /** - * Enable/disable this identity provider. + * When `false`, users and clients will not be able to access this realm. Defaults to `true`. * */ @Import(name="enabled") private @Nullable Output enabled; /** - * @return Enable/disable this identity provider. + * @return When `false`, users and clients will not be able to access this realm. Defaults to `true`. * */ public Optional> enabled() { 
@@ -176,16 +176,14 @@ public Optional>> extraConfig() { } /** - * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. * */ @Import(name="firstBrokerLoginFlowAlias") private @Nullable Output firstBrokerLoginFlowAlias; /** - * @return Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * @return Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. * */ public Optional> firstBrokerLoginFlowAlias() { @@ -193,14 +191,14 @@ public Optional> firstBrokerLoginFlowAlias() { } /** - * Require Force Authn. + * Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. * */ @Import(name="forceAuthn") private @Nullable Output forceAuthn; /** - * @return Require Force Authn. + * @return Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. * */ public Optional> forceAuthn() { 
@@ -208,14 +206,14 @@ public Optional> forceAuthn() { } /** - * GUI Order + * A number defining the order of this identity provider in the GUI. * */ @Import(name="guiOrder") private @Nullable Output guiOrder; /** - * @return GUI Order + * @return A number defining the order of this identity provider in the GUI. * */ public Optional> guiOrder() { @@ -223,14 +221,14 @@ public Optional> guiOrder() { } /** - * Hide On Login Page. + * If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. * */ @Import(name="hideOnLoginPage") private @Nullable Output hideOnLoginPage; /** - * @return Hide On Login Page. + * @return If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. * */ public Optional> hideOnLoginPage() { @@ -253,16 +251,14 @@ public Optional> internalId() { } /** - * If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. * */ @Import(name="linkOnly") private @Nullable Output linkOnly; /** - * @return If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * @return When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. * */ public Optional> linkOnly() { 
@@ -285,14 +281,14 @@ public Optional> loginHint() { } /** - * Name ID Policy Format. + * Specifies the URI reference corresponding to a name identifier format. Defaults to empty. * */ @Import(name="nameIdPolicyFormat") private @Nullable Output nameIdPolicyFormat; /** - * @return Name ID Policy Format. + * @return Specifies the URI reference corresponding to a name identifier format. Defaults to empty. * */ public Optional> nameIdPolicyFormat() { @@ -300,14 +296,14 @@ public Optional> nameIdPolicyFormat() { } /** - * Post Binding Authn Request. + * Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * */ @Import(name="postBindingAuthnRequest") private @Nullable Output postBindingAuthnRequest; /** - * @return Post Binding Authn Request. + * @return Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * */ public Optional> postBindingAuthnRequest() { @@ -315,14 +311,14 @@ public Optional> postBindingAuthnRequest() { } /** - * Post Binding Logout. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * */ @Import(name="postBindingLogout") private @Nullable Output postBindingLogout; /** - * @return Post Binding Logout. + * @return Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * */ public Optional> postBindingLogout() { 
@@ -330,14 +326,14 @@ public Optional> postBindingLogout() { } /** - * Post Binding Response. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. * */ @Import(name="postBindingResponse") private @Nullable Output postBindingResponse; /** - * @return Post Binding Response. + * @return Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. * */ public Optional> postBindingResponse() { 
@@ -345,20 +341,14 @@ public Optional> postBindingResponse() { } /** - * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. * */ @Import(name="postBrokerLoginFlowAlias") private @Nullable Output postBrokerLoginFlowAlias; /** - * @return Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * @return Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. 
Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. * */ public Optional> postBrokerLoginFlowAlias() { @@ -366,14 +356,14 @@ public Optional> postBrokerLoginFlowAlias() { } /** - * Principal Attribute + * The principal attribute. * */ @Import(name="principalAttribute") private @Nullable Output principalAttribute; /** - * @return Principal Attribute + * @return The principal attribute. * */ public Optional> principalAttribute() { @@ -381,14 +371,14 @@ public Optional> principalAttribute() { } /** - * Principal Type + * The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. * */ @Import(name="principalType") private @Nullable Output principalType; /** - * @return Principal Type + * @return The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. * */ public Optional> principalType() { @@ -396,14 +386,14 @@ public Optional> principalType() { } /** - * provider id, is always saml, unless you have a custom implementation + * The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. * */ @Import(name="providerId") private @Nullable Output providerId; /** - * @return provider id, is always saml, unless you have a custom implementation + * @return The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. * */ public Optional> providerId() { @@ -411,14 +401,14 @@ public Optional> providerId() { } /** - * Realm Name + * The name of the realm. This is unique across Keycloak. * */ @Import(name="realm") private @Nullable Output realm; /** - * @return Realm Name + * @return The name of the realm. This is unique across Keycloak. * */ public Optional> realm() { 
@@ -426,14 +416,14 @@ public Optional> realm() { } /** - * Signing Algorithm. + * Signing Algorithm. Defaults to empty. * */ @Import(name="signatureAlgorithm") private @Nullable Output signatureAlgorithm; /** - * @return Signing Algorithm. + * @return Signing Algorithm. Defaults to empty. * */ public Optional> signatureAlgorithm() { @@ -456,14 +446,14 @@ public Optional> signingCertificate() { } /** - * Logout URL. + * The Url that must be used to send logout requests. * */ @Import(name="singleLogoutServiceUrl") private @Nullable Output singleLogoutServiceUrl; /** - * @return Logout URL. + * @return The Url that must be used to send logout requests. * */ public Optional> singleLogoutServiceUrl() { @@ -471,14 +461,14 @@ public Optional> singleLogoutServiceUrl() { } /** - * SSO Logout URL. + * The Url that must be used to send authentication requests (SAML AuthnRequest). * */ @Import(name="singleSignOnServiceUrl") private @Nullable Output singleSignOnServiceUrl; /** - * @return SSO Logout URL. + * @return The Url that must be used to send authentication requests (SAML AuthnRequest). * */ public Optional> singleSignOnServiceUrl() { @@ -486,14 +476,14 @@ public Optional> singleSignOnServiceUrl() { } /** - * Enable/disable if tokens must be stored after authenticating users. + * When `true`, tokens will be stored after authenticating users. Defaults to `true`. * */ @Import(name="storeToken") private @Nullable Output storeToken; /** - * @return Enable/disable if tokens must be stored after authenticating users. + * @return When `true`, tokens will be stored after authenticating users. Defaults to `true`. * */ public Optional> storeToken() { 
@@ -501,14 +491,14 @@ public Optional> storeToken() { } /** - * Sync Mode + * The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. * */ @Import(name="syncMode") private @Nullable Output syncMode; /** - * @return Sync Mode + * @return The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. * */ public Optional> syncMode() { @@ -516,14 +506,14 @@ public Optional> syncMode() { } /** - * If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. * */ @Import(name="trustEmail") private @Nullable Output trustEmail; /** - * @return If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * @return When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. * */ public Optional> trustEmail() { @@ -546,14 +536,14 @@ public Optional> validateSignature() { } /** - * Want Assertions Encrypted. + * Indicates whether this service provider expects an encrypted Assertion. * */ @Import(name="wantAssertionsEncrypted") private @Nullable Output wantAssertionsEncrypted; /** - * @return Want Assertions Encrypted. + * @return Indicates whether this service provider expects an encrypted Assertion. * */ public Optional> wantAssertionsEncrypted() { 
@@ -561,14 +551,14 @@ public Optional> wantAssertionsEncrypted() { } /** - * Want Assertions Signed. + * Indicates whether this service provider expects a signed Assertion. * */ @Import(name="wantAssertionsSigned") private @Nullable Output wantAssertionsSigned; /** - * @return Want Assertions Signed. + * @return Indicates whether this service provider expects a signed Assertion. * */ public Optional> wantAssertionsSigned() { @@ -576,14 +566,14 @@ public Optional> wantAssertionsSigned() { } /** - * Sign Key Transformer. + * The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. * */ @Import(name="xmlSignKeyInfoKeyNameTransformer") private @Nullable Output xmlSignKeyInfoKeyNameTransformer; /** - * @return Sign Key Transformer. + * @return The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. * */ public Optional> xmlSignKeyInfoKeyNameTransformer() { @@ -652,7 +642,7 @@ public Builder(IdentityProviderState defaults) { } /** - * @param addReadTokenRoleOnCreate Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + * @param addReadTokenRoleOnCreate When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. * * @return builder * @@ -663,7 +653,7 @@ public Builder addReadTokenRoleOnCreate(@Nullable Output addReadTokenRo } /** - * @param addReadTokenRoleOnCreate Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + * @param addReadTokenRoleOnCreate When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. * * @return builder * 
@@ -673,7 +663,7 @@ public Builder addReadTokenRoleOnCreate(Boolean addReadTokenRoleOnCreate) { } /** - * @param alias The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + * @param alias The unique name of identity provider. * * @return builder * @@ -684,7 +674,7 @@ public Builder alias(@Nullable Output alias) { } /** - * @param alias The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + * @param alias The unique name of identity provider. * * @return builder * @@ -694,7 +684,7 @@ public Builder alias(String alias) { } /** - * @param authenticateByDefault Enable/disable authenticate users by default. + * @param authenticateByDefault Authenticate users by default. Defaults to `false`. * * @return builder * @@ -705,7 +695,7 @@ public Builder authenticateByDefault(@Nullable Output authenticateByDef } /** - * @param authenticateByDefault Enable/disable authenticate users by default. + * @param authenticateByDefault Authenticate users by default. Defaults to `false`. * * @return builder * @@ -715,7 +705,7 @@ public Builder authenticateByDefault(Boolean authenticateByDefault) { } /** - * @param authnContextClassRefs AuthnContext ClassRefs + * @param authnContextClassRefs Ordered list of requested AuthnContext ClassRefs. * * @return builder * @@ -726,7 +716,7 @@ public Builder authnContextClassRefs(@Nullable Output> authnContext } /** - * @param authnContextClassRefs AuthnContext ClassRefs + * @param authnContextClassRefs Ordered list of requested AuthnContext ClassRefs. * * @return builder * @@ -736,7 +726,7 @@ public Builder authnContextClassRefs(List authnContextClassRefs) { } /** - * @param authnContextClassRefs AuthnContext ClassRefs + * @param authnContextClassRefs Ordered list of requested AuthnContext ClassRefs. * * @return builder * 
@@ -746,7 +736,7 @@ public Builder authnContextClassRefs(String... authnContextClassRefs) { } /** - * @param authnContextComparisonType AuthnContext Comparison + * @param authnContextComparisonType Specifies the comparison method used to evaluate the requested context classes or statements. * * @return builder * @@ -757,7 +747,7 @@ public Builder authnContextComparisonType(@Nullable Output authnContextC } /** - * @param authnContextComparisonType AuthnContext Comparison + * @param authnContextComparisonType Specifies the comparison method used to evaluate the requested context classes or statements. * * @return builder * @@ -767,7 +757,7 @@ public Builder authnContextComparisonType(String authnContextComparisonType) { } /** - * @param authnContextDeclRefs AuthnContext DeclRefs + * @param authnContextDeclRefs Ordered list of requested AuthnContext DeclRefs. * * @return builder * @@ -778,7 +768,7 @@ public Builder authnContextDeclRefs(@Nullable Output> authnContextD } /** - * @param authnContextDeclRefs AuthnContext DeclRefs + * @param authnContextDeclRefs Ordered list of requested AuthnContext DeclRefs. * * @return builder * @@ -788,7 +778,7 @@ public Builder authnContextDeclRefs(List authnContextDeclRefs) { } /** - * @param authnContextDeclRefs AuthnContext DeclRefs + * @param authnContextDeclRefs Ordered list of requested AuthnContext DeclRefs. * * @return builder * @@ -798,7 +788,7 @@ public Builder authnContextDeclRefs(String... authnContextDeclRefs) { } /** - * @param backchannelSupported Does the external IDP support backchannel logout? + * @param backchannelSupported Does the external IDP support backchannel logout?. Defaults to `false`. * * @return builder * @@ -809,7 +799,7 @@ public Builder backchannelSupported(@Nullable Output backchannelSupport } /** - * @param backchannelSupported Does the external IDP support backchannel logout? + * @param backchannelSupported Does the external IDP support backchannel logout?. Defaults to `false`. * * @return builder * 
@@ -819,7 +809,7 @@ public Builder backchannelSupported(Boolean backchannelSupported) { } /** - * @param displayName Friendly name for Identity Providers. + * @param displayName The display name for the realm that is shown when logging in to the admin console. * * @return builder * @@ -830,7 +820,7 @@ public Builder displayName(@Nullable Output displayName) { } /** - * @param displayName Friendly name for Identity Providers. + * @param displayName The display name for the realm that is shown when logging in to the admin console. * * @return builder * @@ -840,7 +830,7 @@ public Builder displayName(String displayName) { } /** - * @param enabled Enable/disable this identity provider. + * @param enabled When `false`, users and clients will not be able to access this realm. Defaults to `true`. * * @return builder * @@ -851,7 +841,7 @@ public Builder enabled(@Nullable Output enabled) { } /** - * @param enabled Enable/disable this identity provider. + * @param enabled When `false`, users and clients will not be able to access this realm. Defaults to `true`. * * @return builder * @@ -891,8 +881,7 @@ public Builder extraConfig(Map extraConfig) { } /** - * @param firstBrokerLoginFlowAlias Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * @param firstBrokerLoginFlowAlias Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. * * @return builder * 
@@ -903,8 +892,7 @@ public Builder firstBrokerLoginFlowAlias(@Nullable Output firstBrokerLog } /** - * @param firstBrokerLoginFlowAlias Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * @param firstBrokerLoginFlowAlias Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. * * @return builder * @@ -914,7 +902,7 @@ public Builder firstBrokerLoginFlowAlias(String firstBrokerLoginFlowAlias) { } /** - * @param forceAuthn Require Force Authn. + * @param forceAuthn Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. * * @return builder * @@ -925,7 +913,7 @@ public Builder forceAuthn(@Nullable Output forceAuthn) { } /** - * @param forceAuthn Require Force Authn. + * @param forceAuthn Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. * * @return builder * @@ -935,7 +923,7 @@ public Builder forceAuthn(Boolean forceAuthn) { } /** - * @param guiOrder GUI Order + * @param guiOrder A number defining the order of this identity provider in the GUI. * * @return builder * @@ -946,7 +934,7 @@ public Builder guiOrder(@Nullable Output guiOrder) { } /** - * @param guiOrder GUI Order + * @param guiOrder A number defining the order of this identity provider in the GUI. * * @return builder * 
@@ -956,7 +944,7 @@ public Builder guiOrder(String guiOrder) { } /** - * @param hideOnLoginPage Hide On Login Page. + * @param hideOnLoginPage If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. * * @return builder * @@ -967,7 +955,7 @@ public Builder hideOnLoginPage(@Nullable Output hideOnLoginPage) { } /** - * @param hideOnLoginPage Hide On Login Page. + * @param hideOnLoginPage If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. * * @return builder * @@ -998,8 +986,7 @@ public Builder internalId(String internalId) { } /** - * @param linkOnly If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * @param linkOnly When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. * * @return builder * @@ -1010,8 +997,7 @@ public Builder linkOnly(@Nullable Output linkOnly) { } /** - * @param linkOnly If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * @param linkOnly When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. * * @return builder * @@ -1042,7 +1028,7 @@ public Builder loginHint(String loginHint) { } /** - * @param nameIdPolicyFormat Name ID Policy Format. + * @param nameIdPolicyFormat Specifies the URI reference corresponding to a name identifier format. Defaults to empty. * * @return builder * 
@@ -1053,7 +1039,7 @@ public Builder nameIdPolicyFormat(@Nullable Output nameIdPolicyFormat) { } /** - * @param nameIdPolicyFormat Name ID Policy Format. + * @param nameIdPolicyFormat Specifies the URI reference corresponding to a name identifier format. Defaults to empty. * * @return builder * @@ -1063,7 +1049,7 @@ public Builder nameIdPolicyFormat(String nameIdPolicyFormat) { } /** - * @param postBindingAuthnRequest Post Binding Authn Request. + * @param postBindingAuthnRequest Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * * @return builder * @@ -1074,7 +1060,7 @@ public Builder postBindingAuthnRequest(@Nullable Output postBindingAuth } /** - * @param postBindingAuthnRequest Post Binding Authn Request. + * @param postBindingAuthnRequest Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * * @return builder * @@ -1084,7 +1070,7 @@ public Builder postBindingAuthnRequest(Boolean postBindingAuthnRequest) { } /** - * @param postBindingLogout Post Binding Logout. + * @param postBindingLogout Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * * @return builder * @@ -1095,7 +1081,7 @@ public Builder postBindingLogout(@Nullable Output postBindingLogout) { } /** - * @param postBindingLogout Post Binding Logout. + * @param postBindingLogout Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. * * @return builder * @@ -1105,7 +1091,7 @@ public Builder postBindingLogout(Boolean postBindingLogout) { } /** - * @param postBindingResponse Post Binding Response. + * @param postBindingResponse Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. * * @return builder * 
@@ -1116,7 +1102,7 @@ public Builder postBindingResponse(@Nullable Output postBindingResponse } /** - * @param postBindingResponse Post Binding Response. + * @param postBindingResponse Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. * * @return builder * @@ -1126,10 +1112,7 @@ public Builder postBindingResponse(Boolean postBindingResponse) { } /** - * @param postBrokerLoginFlowAlias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * @param postBrokerLoginFlowAlias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. * * @return builder * 
@@ -1140,10 +1123,7 @@ public Builder postBrokerLoginFlowAlias(@Nullable Output postBrokerLogin } /** - * @param postBrokerLoginFlowAlias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * @param postBrokerLoginFlowAlias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. * * @return builder * @@ -1153,7 +1133,7 @@ public Builder postBrokerLoginFlowAlias(String postBrokerLoginFlowAlias) { } /** - * @param principalAttribute Principal Attribute + * @param principalAttribute The principal attribute. * * @return builder * @@ -1164,7 +1144,7 @@ public Builder principalAttribute(@Nullable Output principalAttribute) { } /** - * @param principalAttribute Principal Attribute + * @param principalAttribute The principal attribute. * * @return builder * @@ -1174,7 +1154,7 @@ public Builder principalAttribute(String principalAttribute) { } /** - * @param principalType Principal Type + * @param principalType The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. * * @return builder * 
@@ -1185,7 +1165,7 @@ public Builder principalType(@Nullable Output principalType) { } /** - * @param principalType Principal Type + * @param principalType The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. * * @return builder * @@ -1195,7 +1175,7 @@ public Builder principalType(String principalType) { } /** - * @param providerId provider id, is always saml, unless you have a custom implementation + * @param providerId The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. * * @return builder * @@ -1206,7 +1186,7 @@ public Builder providerId(@Nullable Output providerId) { } /** - * @param providerId provider id, is always saml, unless you have a custom implementation + * @param providerId The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. * * @return builder * @@ -1216,7 +1196,7 @@ public Builder providerId(String providerId) { } /** - * @param realm Realm Name + * @param realm The name of the realm. This is unique across Keycloak. * * @return builder * @@ -1227,7 +1207,7 @@ public Builder realm(@Nullable Output realm) { } /** - * @param realm Realm Name + * @param realm The name of the realm. This is unique across Keycloak. * * @return builder * @@ -1237,7 +1217,7 @@ public Builder realm(String realm) { } /** - * @param signatureAlgorithm Signing Algorithm. + * @param signatureAlgorithm Signing Algorithm. Defaults to empty. * * @return builder * @@ -1248,7 +1228,7 @@ public Builder signatureAlgorithm(@Nullable Output signatureAlgorithm) { } /** - * @param signatureAlgorithm Signing Algorithm. + * @param signatureAlgorithm Signing Algorithm. Defaults to empty. * * @return builder * 
@@ -1279,7 +1259,7 @@ public Builder signingCertificate(String signingCertificate) { } /** - * @param singleLogoutServiceUrl Logout URL. + * @param singleLogoutServiceUrl The Url that must be used to send logout requests. * * @return builder * @@ -1290,7 +1270,7 @@ public Builder singleLogoutServiceUrl(@Nullable Output singleLogoutServi } /** - * @param singleLogoutServiceUrl Logout URL. + * @param singleLogoutServiceUrl The Url that must be used to send logout requests. * * @return builder * @@ -1300,7 +1280,7 @@ public Builder singleLogoutServiceUrl(String singleLogoutServiceUrl) { } /** - * @param singleSignOnServiceUrl SSO Logout URL. + * @param singleSignOnServiceUrl The Url that must be used to send authentication requests (SAML AuthnRequest). * * @return builder * @@ -1311,7 +1291,7 @@ public Builder singleSignOnServiceUrl(@Nullable Output singleSignOnServi } /** - * @param singleSignOnServiceUrl SSO Logout URL. + * @param singleSignOnServiceUrl The Url that must be used to send authentication requests (SAML AuthnRequest). * * @return builder * @@ -1321,7 +1301,7 @@ public Builder singleSignOnServiceUrl(String singleSignOnServiceUrl) { } /** - * @param storeToken Enable/disable if tokens must be stored after authenticating users. + * @param storeToken When `true`, tokens will be stored after authenticating users. Defaults to `true`. * * @return builder * @@ -1332,7 +1312,7 @@ public Builder storeToken(@Nullable Output storeToken) { } /** - * @param storeToken Enable/disable if tokens must be stored after authenticating users. + * @param storeToken When `true`, tokens will be stored after authenticating users. Defaults to `true`. * * @return builder * @@ -1342,7 +1322,7 @@ public Builder storeToken(Boolean storeToken) { } /** - * @param syncMode Sync Mode + * @param syncMode The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. * * @return builder * 
@@ -1353,7 +1333,7 @@ public Builder syncMode(@Nullable Output syncMode) { } /** - * @param syncMode Sync Mode + * @param syncMode The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. * * @return builder * @@ -1363,7 +1343,7 @@ public Builder syncMode(String syncMode) { } /** - * @param trustEmail If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * @param trustEmail When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. * * @return builder * @@ -1374,7 +1354,7 @@ public Builder trustEmail(@Nullable Output trustEmail) { } /** - * @param trustEmail If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * @param trustEmail When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. * * @return builder * @@ -1405,7 +1385,7 @@ public Builder validateSignature(Boolean validateSignature) { } /** - * @param wantAssertionsEncrypted Want Assertions Encrypted. + * @param wantAssertionsEncrypted Indicates whether this service provider expects an encrypted Assertion. * * @return builder * @@ -1416,7 +1396,7 @@ public Builder wantAssertionsEncrypted(@Nullable Output wantAssertionsE } /** - * @param wantAssertionsEncrypted Want Assertions Encrypted. + * @param wantAssertionsEncrypted Indicates whether this service provider expects an encrypted Assertion. * * @return builder * @@ -1426,7 +1406,7 @@ public Builder wantAssertionsEncrypted(Boolean wantAssertionsEncrypted) { } /** - * @param wantAssertionsSigned Want Assertions Signed. + * @param wantAssertionsSigned Indicates whether this service provider expects a signed Assertion. * * @return builder * 
@@ -1437,7 +1417,7 @@ public Builder wantAssertionsSigned(@Nullable Output wantAssertionsSign } /** - * @param wantAssertionsSigned Want Assertions Signed. + * @param wantAssertionsSigned Indicates whether this service provider expects a signed Assertion. * * @return builder * @@ -1447,7 +1427,7 @@ public Builder wantAssertionsSigned(Boolean wantAssertionsSigned) { } /** - * @param xmlSignKeyInfoKeyNameTransformer Sign Key Transformer. + * @param xmlSignKeyInfoKeyNameTransformer The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. * * @return builder * @@ -1458,7 +1438,7 @@ public Builder xmlSignKeyInfoKeyNameTransformer(@Nullable Output xmlSign } /** - * @param xmlSignKeyInfoKeyNameTransformer Sign Key Transformer. + * @param xmlSignKeyInfoKeyNameTransformer The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/UserAttributeProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/UserAttributeProtocolMapperState.java index 418e82bd..d074f2b8 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/UserAttributeProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/UserAttributeProtocolMapperState.java 
@@ -15,58 +15,122 @@ public final class UserAttributeProtocolMapperState extends com.pulumi.resources public static final UserAttributeProtocolMapperState Empty = new UserAttributeProtocolMapperState(); + /** + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; + /** + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Optional> clientScopeId() { return Optional.ofNullable(this.clientScopeId); } + /** + * An optional human-friendly name for this attribute. + * + */ @Import(name="friendlyName") private @Nullable Output friendlyName; + /** + * @return An optional human-friendly name for this attribute. + * + */ public Optional> friendlyName() { return Optional.ofNullable(this.friendlyName); } + /** + * The display name of this protocol mapper in the GUI. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this protocol mapper in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The realm this protocol mapper exists within. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this protocol mapper exists within. 
+ * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * The name of the SAML attribute. + * + */ @Import(name="samlAttributeName") private @Nullable Output samlAttributeName; + /** + * @return The name of the SAML attribute. + * + */ public Optional> samlAttributeName() { return Optional.ofNullable(this.samlAttributeName); } + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ @Import(name="samlAttributeNameFormat") private @Nullable Output samlAttributeNameFormat; + /** + * @return The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ public Optional> samlAttributeNameFormat() { return Optional.ofNullable(this.samlAttributeNameFormat); } + /** + * The custom user attribute to map. + * + */ @Import(name="userAttribute") private @Nullable Output userAttribute; + /** + * @return The custom user attribute to map. + * + */ public Optional> userAttribute() { return Optional.ofNullable(this.userAttribute); } 
@@ -102,74 +166,170 @@ public Builder(UserAttributeProtocolMapperState defaults) { $ = new UserAttributeProtocolMapperState(Objects.requireNonNull(defaults)); } + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientScopeId(@Nullable Output clientScopeId) { $.clientScopeId = clientScopeId; return this; } + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientScopeId(String clientScopeId) { return clientScopeId(Output.of(clientScopeId)); } + /** + * @param friendlyName An optional human-friendly name for this attribute. + * + * @return builder + * + */ public Builder friendlyName(@Nullable Output friendlyName) { $.friendlyName = friendlyName; return this; } + /** + * @param friendlyName An optional human-friendly name for this attribute. + * + * @return builder + * + */ public Builder friendlyName(String friendlyName) { return friendlyName(Output.of(friendlyName)); } + /** + * @param name The display name of this protocol mapper in the GUI. 
+ * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this protocol mapper in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param samlAttributeName The name of the SAML attribute. + * + * @return builder + * + */ public Builder samlAttributeName(@Nullable Output samlAttributeName) { $.samlAttributeName = samlAttributeName; return this; } + /** + * @param samlAttributeName The name of the SAML attribute. + * + * @return builder + * + */ public Builder samlAttributeName(String samlAttributeName) { return samlAttributeName(Output.of(samlAttributeName)); } + /** + * @param samlAttributeNameFormat The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + * @return builder + * + */ public Builder samlAttributeNameFormat(@Nullable Output samlAttributeNameFormat) { $.samlAttributeNameFormat = samlAttributeNameFormat; return this; } + /** + * @param samlAttributeNameFormat The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + * @return builder + * + */ public Builder samlAttributeNameFormat(String samlAttributeNameFormat) { return samlAttributeNameFormat(Output.of(samlAttributeNameFormat)); } + /** + * @param userAttribute The custom user attribute to map. + * + * @return builder + * + */ public Builder userAttribute(@Nullable Output userAttribute) { $.userAttribute = userAttribute; return this; } + /** + * @param userAttribute The custom user attribute to map. 
+ * + * @return builder + * + */ public Builder userAttribute(String userAttribute) { return userAttribute(Output.of(userAttribute)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/UserPropertyProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/UserPropertyProtocolMapperState.java index f1b4870b..60174996 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/UserPropertyProtocolMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/inputs/UserPropertyProtocolMapperState.java 
@@ -15,58 +15,122 @@ public final class UserPropertyProtocolMapperState extends com.pulumi.resources. public static final UserPropertyProtocolMapperState Empty = new UserPropertyProtocolMapperState(); + /** + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Import(name="clientId") private @Nullable Output clientId; + /** + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Optional> clientId() { return Optional.ofNullable(this.clientId); } + /** + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; + /** + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ public Optional> clientScopeId() { return Optional.ofNullable(this.clientScopeId); } + /** + * An optional human-friendly name for this attribute. + * + */ @Import(name="friendlyName") private @Nullable Output friendlyName; + /** + * @return An optional human-friendly name for this attribute. + * + */ public Optional> friendlyName() { return Optional.ofNullable(this.friendlyName); } + /** + * The display name of this protocol mapper in the GUI. + * + */ @Import(name="name") private @Nullable Output name; + /** + * @return The display name of this protocol mapper in the GUI. + * + */ public Optional> name() { return Optional.ofNullable(this.name); } + /** + * The realm this protocol mapper exists within. + * + */ @Import(name="realmId") private @Nullable Output realmId; + /** + * @return The realm this protocol mapper exists within. 
+ * + */ public Optional> realmId() { return Optional.ofNullable(this.realmId); } + /** + * The name of the SAML attribute. + * + */ @Import(name="samlAttributeName") private @Nullable Output samlAttributeName; + /** + * @return The name of the SAML attribute. + * + */ public Optional> samlAttributeName() { return Optional.ofNullable(this.samlAttributeName); } + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ @Import(name="samlAttributeNameFormat") private @Nullable Output samlAttributeNameFormat; + /** + * @return The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + */ public Optional> samlAttributeNameFormat() { return Optional.ofNullable(this.samlAttributeNameFormat); } + /** + * The property of the Keycloak user model to map. + * + */ @Import(name="userProperty") private @Nullable Output userProperty; + /** + * @return The property of the Keycloak user model to map. + * + */ public Optional> userProperty() { return Optional.ofNullable(this.userProperty); } 
@@ -102,74 +166,170 @@ public Builder(UserPropertyProtocolMapperState defaults) { $ = new UserPropertyProtocolMapperState(Objects.requireNonNull(defaults)); } + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientId(@Nullable Output clientId) { $.clientId = clientId; return this; } + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientId(String clientId) { return clientId(Output.of(clientId)); } + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientScopeId(@Nullable Output clientScopeId) { $.clientScopeId = clientScopeId; return this; } + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ public Builder clientScopeId(String clientScopeId) { return clientScopeId(Output.of(clientScopeId)); } + /** + * @param friendlyName An optional human-friendly name for this attribute. + * + * @return builder + * + */ public Builder friendlyName(@Nullable Output friendlyName) { $.friendlyName = friendlyName; return this; } + /** + * @param friendlyName An optional human-friendly name for this attribute. + * + * @return builder + * + */ public Builder friendlyName(String friendlyName) { return friendlyName(Output.of(friendlyName)); } + /** + * @param name The display name of this protocol mapper in the GUI. 
+ * + * @return builder + * + */ public Builder name(@Nullable Output name) { $.name = name; return this; } + /** + * @param name The display name of this protocol mapper in the GUI. + * + * @return builder + * + */ public Builder name(String name) { return name(Output.of(name)); } + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ public Builder realmId(@Nullable Output realmId) { $.realmId = realmId; return this; } + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ public Builder realmId(String realmId) { return realmId(Output.of(realmId)); } + /** + * @param samlAttributeName The name of the SAML attribute. + * + * @return builder + * + */ public Builder samlAttributeName(@Nullable Output samlAttributeName) { $.samlAttributeName = samlAttributeName; return this; } + /** + * @param samlAttributeName The name of the SAML attribute. + * + * @return builder + * + */ public Builder samlAttributeName(String samlAttributeName) { return samlAttributeName(Output.of(samlAttributeName)); } + /** + * @param samlAttributeNameFormat The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + * @return builder + * + */ public Builder samlAttributeNameFormat(@Nullable Output samlAttributeNameFormat) { $.samlAttributeNameFormat = samlAttributeNameFormat; return this; } + /** + * @param samlAttributeNameFormat The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + * + * @return builder + * + */ public Builder samlAttributeNameFormat(String samlAttributeNameFormat) { return samlAttributeNameFormat(Output.of(samlAttributeNameFormat)); } + /** + * @param userProperty The property of the Keycloak user model to map. 
+ * + * @return builder + * + */ public Builder userProperty(@Nullable Output userProperty) { $.userProperty = userProperty; return this; } + /** + * @param userProperty The property of the Keycloak user model to map. + * + * @return builder + * + */ public Builder userProperty(String userProperty) { return userProperty(Output.of(userProperty)); } diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/saml/outputs/ClientAuthenticationFlowBindingOverrides.java b/sdk/java/src/main/java/com/pulumi/keycloak/saml/outputs/ClientAuthenticationFlowBindingOverrides.java index fa289259..e03101b9 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/saml/outputs/ClientAuthenticationFlowBindingOverrides.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/saml/outputs/ClientAuthenticationFlowBindingOverrides.java @@ -11,13 +11,29 @@ @CustomType public final class ClientAuthenticationFlowBindingOverrides { + /** + * @return Browser flow id, (flow needs to exist) + * + */ private @Nullable String browserId; + /** + * @return Direct grant flow id (flow needs to exist) + * + */ private @Nullable String directGrantId; private ClientAuthenticationFlowBindingOverrides() {} + /** + * @return Browser flow id, (flow needs to exist) + * + */ public Optional browserId() { return Optional.ofNullable(this.browserId); } + /** + * @return Direct grant flow id (flow needs to exist) + * + */ public Optional directGrantId() { return Optional.ofNullable(this.directGrantId); } diff --git a/sdk/nodejs/attributeImporterIdentityProviderMapper.ts b/sdk/nodejs/attributeImporterIdentityProviderMapper.ts index dd4fd937..b73919ae 100644 --- a/sdk/nodejs/attributeImporterIdentityProviderMapper.ts +++ b/sdk/nodejs/attributeImporterIdentityProviderMapper.ts 
@@ -5,43 +5,59 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; /** - * ## # keycloak.AttributeImporterIdentityProviderMapper + * Allows for creating and managing an attribute importer identity provider mapper within Keycloak. * - * Allows to create and manage identity provider mappers within Keycloak. + * The attribute importer mapper can be used to map attributes from externally defined users to attributes or properties of the imported Keycloak user: + * - For the OIDC identity provider, this will map a claim on the ID or access token to an attribute for the imported Keycloak user. + * - For the SAML identity provider, this will map a SAML attribute found within the assertion to an attribute for the imported Keycloak user. + * - For social identity providers, this will map a JSON field from the user profile to an attribute for the imported Keycloak user. * - * ### Example Usage + * > If you are using Keycloak 10 or higher, you will need to specify the `extraConfig` argument in order to define a `syncMode` for the mapper. 
+ * + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as keycloak from "@pulumi/keycloak"; * - * const testMapper = new keycloak.AttributeImporterIdentityProviderMapper("test_mapper", { + * const realm = new keycloak.Realm("realm", { * realm: "my-realm", - * name: "my-mapper", - * identityProviderAlias: "idp_alias", - * attributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", - * userAttribute: "lastName", + * enabled: true, + * }); + * const oidc = new keycloak.oidc.IdentityProvider("oidc", { + * realm: realm.id, + * alias: "oidc", + * authorizationUrl: "https://example.com/auth", + * tokenUrl: "https://example.com/token", + * clientId: "example_id", + * clientSecret: "example_token", + * defaultScopes: "openid random profile", + * }); + * const oidcAttributeImporterIdentityProviderMapper = new keycloak.AttributeImporterIdentityProviderMapper("oidc", { + * realm: realm.id, + * name: "email-attribute-importer", + * claimName: "my-email-claim", + * identityProviderAlias: oidc.alias, + * userAttribute: "email", + * extraConfig: { + * syncMode: "INHERIT", + * }, * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: + * ## Import * - * - `realm` - (Required) The name of the realm. - * - `name` - (Required) The name of the mapper. - * - `identityProviderAlias` - (Required) The alias of the associated identity provider. - * - `userAttribute` - (Required) The user attribute name to store SAML attribute. - * - `attributeName` - (Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. - * - `attributeFriendlyName` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead. - * - `claimName` - (Optional) The claim name. 
+ * Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak * - * ### Import - * - * Identity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idpAlias` is the identity provider alias, and `idpMapperId` is the unique ID that Keycloak * assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + * ``` */ export class AttributeImporterIdentityProviderMapper extends pulumi.CustomResource { /** 
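Review bot: The new example in the class doc-comment passes the identity provider's secret as a plain string literal, `clientSecret: "example_token"`, which readers tend to copy into real programs; since this value is the credential Keycloak presents to the upstream OIDC provider, the example would be a safer template if it took it from configuration, e.g. `clientSecret: new pulumi.Config().requireSecret("clientSecret"),`, so it is kept encrypted in state rather than committed in source. Separately, the bare ` * bash` line above the ```sh import fence reads as a stray word rather than a fence language tag; the same artifact appears in the `customUserFederation.ts` hunk below. Both appear to come from the generated documentation, so the fix presumably belongs in the upstream docs template rather than here.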
@@ -72,32 +88,35 @@ export class AttributeImporterIdentityProviderMapper extends pulumi.CustomResour } /** - * Attribute Friendly Name + * For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attributeName`. */ public readonly attributeFriendlyName!: pulumi.Output; /** - * Attribute Name + * For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attributeFriendlyName`. */ public readonly attributeName!: pulumi.Output; /** - * Claim Name + * For OIDC based providers, this is the name of the claim to use. */ public readonly claimName!: pulumi.Output; + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + */ public readonly extraConfig!: pulumi.Output<{[key: string]: string} | undefined>; /** - * IDP Alias + * The alias of the associated identity provider. */ public readonly identityProviderAlias!: pulumi.Output; /** - * IDP Mapper Name + * The name of the mapper. */ public readonly name!: pulumi.Output; /** - * Realm Name + * The name of the realm. */ public readonly realm!: pulumi.Output; /** - * User Attribute + * The user attribute or property name to store the mapped result. */ public readonly userAttribute!: pulumi.Output; 
@@ -152,32 +171,35 @@ export class AttributeImporterIdentityProviderMapper extends pulumi.CustomResour */ export interface AttributeImporterIdentityProviderMapperState { /** - * Attribute Friendly Name + * For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attributeName`. */ attributeFriendlyName?: pulumi.Input; /** - * Attribute Name + * For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attributeFriendlyName`. */ attributeName?: pulumi.Input; /** - * Claim Name + * For OIDC based providers, this is the name of the claim to use. */ claimName?: pulumi.Input; + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + */ extraConfig?: pulumi.Input<{[key: string]: pulumi.Input}>; /** - * IDP Alias + * The alias of the associated identity provider. */ identityProviderAlias?: pulumi.Input; /** - * IDP Mapper Name + * The name of the mapper. */ name?: pulumi.Input; /** - * Realm Name + * The name of the realm. */ realm?: pulumi.Input; /** - * User Attribute + * The user attribute or property name to store the mapped result. */ userAttribute?: pulumi.Input; } 
@@ -187,32 +209,35 @@ export interface AttributeImporterIdentityProviderMapperState { */ export interface AttributeImporterIdentityProviderMapperArgs { /** - * Attribute Friendly Name + * For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attributeName`. */ attributeFriendlyName?: pulumi.Input; /** - * Attribute Name + * For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attributeFriendlyName`. */ attributeName?: pulumi.Input; /** - * Claim Name + * For OIDC based providers, this is the name of the claim to use. */ claimName?: pulumi.Input; + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + */ extraConfig?: pulumi.Input<{[key: string]: pulumi.Input}>; /** - * IDP Alias + * The alias of the associated identity provider. */ identityProviderAlias: pulumi.Input; /** - * IDP Mapper Name + * The name of the mapper. */ name?: pulumi.Input; /** - * Realm Name + * The name of the realm. */ realm: pulumi.Input; /** - * User Attribute + * The user attribute or property name to store the mapped result. */ userAttribute: pulumi.Input; } diff --git a/sdk/nodejs/customUserFederation.ts b/sdk/nodejs/customUserFederation.ts index 005e84b8..63a127f1 100644 --- a/sdk/nodejs/customUserFederation.ts +++ b/sdk/nodejs/customUserFederation.ts 
@@ -5,15 +5,12 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; /** - * ## # keycloak.CustomUserFederation - * * Allows for creating and managing custom user federation providers within Keycloak. * - * A custom user federation provider is an implementation of Keycloak's - * [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). + * A custom user federation provider is an implementation of Keycloak's [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). * An example of this implementation can be found here. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -28,24 +25,25 @@ import * as utilities from "./utilities"; * realmId: realm.id, * providerId: "custom", * enabled: true, + * config: { + * dummyString: "foobar", + * dummyBool: "true", + * multivalue: "value1##value2", + * }, * }); * ``` * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. * - * - `realmId` - (Required) The realm that this provider will provide user federation for. - * - `name` - (Required) Display name of the provider when displayed in the console. - * - `providerId` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. - * - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. - * - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. - * - `cachePolicy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: * - * ### Import + * bash * - * Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. - * The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: + * ```sh + * $ pulumi import keycloak:index/customUserFederation:CustomUserFederation custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 + * ``` */ export class CustomUserFederation extends pulumi.CustomResource { /** 
@@ -75,15 +73,20 @@ export class CustomUserFederation extends pulumi.CustomResource { return obj['__pulumiType'] === CustomUserFederation.__pulumiType; } + /** + * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + */ public readonly cachePolicy!: pulumi.Output; /** - * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. */ public readonly changedSyncPeriod!: pulumi.Output; + /** + * The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + */ public readonly config!: pulumi.Output<{[key: string]: string} | undefined>; /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. */ public readonly enabled!: pulumi.Output; /** 
@@ -95,20 +98,19 @@ export class CustomUserFederation extends pulumi.CustomResource { */ public readonly name!: pulumi.Output; /** - * The parentId of the generated component. will use realmId if not specified. + * Must be set to the realms' `internalId` when it differs from the realm. This can happen when existing resources are imported into the state. */ public readonly parentId!: pulumi.Output; /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. */ public readonly priority!: pulumi.Output; /** - * The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. */ public readonly providerId!: pulumi.Output; /** - * The realm (name) this provider will provide user federation for. + * The realm that this provider will provide user federation for. */ public readonly realmId!: pulumi.Output; 
@@ -163,15 +165,20 @@ export class CustomUserFederation extends pulumi.CustomResource { * Input properties used for looking up and filtering CustomUserFederation resources. */ export interface CustomUserFederationState { + /** + * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + */ cachePolicy?: pulumi.Input; /** - * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. */ changedSyncPeriod?: pulumi.Input; + /** + * The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + */ config?: pulumi.Input<{[key: string]: pulumi.Input}>; /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. */ enabled?: pulumi.Input; /** 
@@ -183,20 +190,19 @@ export interface CustomUserFederationState { */ name?: pulumi.Input; /** - * The parentId of the generated component. will use realmId if not specified. + * Must be set to the realms' `internalId` when it differs from the realm. This can happen when existing resources are imported into the state. */ parentId?: pulumi.Input; /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. */ priority?: pulumi.Input; /** - * The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. */ providerId?: pulumi.Input; /** - * The realm (name) this provider will provide user federation for. + * The realm that this provider will provide user federation for. */ realmId?: pulumi.Input; } 
@@ -205,15 +211,20 @@ export interface CustomUserFederationState { * The set of arguments for constructing a CustomUserFederation resource. */ export interface CustomUserFederationArgs { + /** + * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + */ cachePolicy?: pulumi.Input; /** - * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. */ changedSyncPeriod?: pulumi.Input; + /** + * The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + */ config?: pulumi.Input<{[key: string]: pulumi.Input}>; /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. */ enabled?: pulumi.Input; /** 
@@ -225,20 +236,19 @@ export interface CustomUserFederationArgs { */ name?: pulumi.Input; /** - * The parentId of the generated component. will use realmId if not specified. + * Must be set to the realms' `internalId` when it differs from the realm. This can happen when existing resources are imported into the state. */ parentId?: pulumi.Input; /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. */ priority?: pulumi.Input; /** - * The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - * interface + * The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. */ providerId: pulumi.Input; /** - * The realm (name) this provider will provide user federation for. + * The realm that this provider will provide user federation for. */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/defaultGroups.ts b/sdk/nodejs/defaultGroups.ts index 8785726c..c31a29b4 100644 --- a/sdk/nodejs/defaultGroups.ts +++ b/sdk/nodejs/defaultGroups.ts @@ -5,14 +5,11 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; /** - * ## # keycloak.DefaultGroups - * * Allows for managing a realm's default groups. * - * Note that you should not use `keycloak.DefaultGroups` with a group with memberships managed - * by `keycloak.GroupMemberships`. + * > You should not use `keycloak.DefaultGroups` with a group whose members are managed by `keycloak.GroupMemberships`. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -32,18 +29,17 @@ import * as utilities from "./utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: + * ## Import * - * - `realmId` - (Required) The realm this group exists in. - * - `groupIds` - (Required) A set of group ids that should be default groups on the realm referenced by `realmId`. + * Default groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in. * - * ### Import + * Example: * - * Groups can be imported using the format `{{realm_id}}` where `realmId` is the realm the group exists in. + * bash * - * Example: + * ```sh + * $ pulumi import keycloak:index/defaultGroups:DefaultGroups default my-realm + * ``` */ export class DefaultGroups extends pulumi.CustomResource { /** @@ -73,7 +69,13 @@ export class DefaultGroups extends pulumi.CustomResource { return obj['__pulumiType'] === DefaultGroups.__pulumiType; } + /** + * A set of group ids that should be default groups on the realm referenced by `realmId`. + */ public readonly groupIds!: pulumi.Output; + /** + * The realm this group exists in. + */ public readonly realmId!: pulumi.Output; /** @@ -111,7 +113,13 @@ export class DefaultGroups extends pulumi.CustomResource { * Input properties used for looking up and filtering DefaultGroups resources. */ export interface DefaultGroupsState { + /** + * A set of group ids that should be default groups on the realm referenced by `realmId`. + */ groupIds?: pulumi.Input[]>; + /** + * The realm this group exists in. + */ realmId?: pulumi.Input; } @@ -119,6 +127,12 @@ export interface DefaultGroupsState { * The set of arguments for constructing a DefaultGroups resource. */ export interface DefaultGroupsArgs { + /** + * A set of group ids that should be default groups on the realm referenced by `realmId`. + */ groupIds: pulumi.Input[]>; + /** + * The realm this group exists in. + */ realmId: pulumi.Input; } 
diff --git a/sdk/nodejs/genericClientProtocolMapper.ts b/sdk/nodejs/genericClientProtocolMapper.ts index cb611609..f39497a4 100644 --- a/sdk/nodejs/genericClientProtocolMapper.ts +++ b/sdk/nodejs/genericClientProtocolMapper.ts @@ -5,9 +5,9 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; /** - * ## # keycloak.GenericClientProtocolMapper + * !> **WARNING:** This resource is deprecated and will be removed in the next major version. Please use `keycloak.GenericProtocolMapper` instead. * - * Allows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak. + * Allows for creating and managing protocol mappers for both types of clients (openid-connect and saml) within Keycloak. * * There are two uses cases for using this resource: * * If you implemented a custom protocol mapper, this resource can be used to configure it @@ -16,7 +16,7 @@ import * as utilities from "./utilities"; * Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors. * Therefore, if possible, a specific mapper should be used. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -33,7 +33,7 @@ import * as utilities from "./utilities"; * const samlHardcodeAttributeMapper = new keycloak.GenericClientProtocolMapper("saml_hardcode_attribute_mapper", { * realmId: realm.id, * clientId: samlClient.id, - * name: "tes-mapper", + * name: "test-mapper", * protocol: "saml", * protocolMapper: "saml-hardcode-attribute-mapper", * config: { 
@@ -45,23 +45,17 @@ import * as utilities from "./utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required) The client this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client. - * - `protocolMapper` - (Required) The name of the protocol mapper. The protocol mapper must be - * compatible with the specified client. - * - `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. - * - * ### Import + * ## Import * * Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class GenericClientProtocolMapper extends pulumi.CustomResource { /** 
@@ -92,28 +86,31 @@ export class GenericClientProtocolMapper extends pulumi.CustomResource { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper is attached to. */ public readonly clientId!: pulumi.Output; /** * The mapper's associated client scope. Cannot be used at the same time as client_id. */ public readonly clientScopeId!: pulumi.Output; + /** + * A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + */ public readonly config!: pulumi.Output<{[key: string]: string}>; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ public readonly name!: pulumi.Output; /** - * The protocol of the client (openid-connect / saml). + * The type of client (either `openid-connect` or `saml`). The type must match the type of the client. */ public readonly protocol!: pulumi.Output; /** - * The type of the protocol mapper. + * The name of the protocol mapper. The protocol mapper must be compatible with the specified client. */ public readonly protocolMapper!: pulumi.Output; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ public readonly realmId!: pulumi.Output; 
@@ -169,28 +166,31 @@ export class GenericClientProtocolMapper extends pulumi.CustomResource { */ export interface GenericClientProtocolMapperState { /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper is attached to. */ clientId?: pulumi.Input; /** * The mapper's associated client scope. Cannot be used at the same time as client_id. */ clientScopeId?: pulumi.Input; + /** + * A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + */ config?: pulumi.Input<{[key: string]: pulumi.Input}>; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The protocol of the client (openid-connect / saml). + * The type of client (either `openid-connect` or `saml`). The type must match the type of the client. */ protocol?: pulumi.Input; /** - * The type of the protocol mapper. + * The name of the protocol mapper. The protocol mapper must be compatible with the specified client. */ protocolMapper?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId?: pulumi.Input; } 
@@ -200,28 +200,31 @@ export interface GenericClientProtocolMapperState { */ export interface GenericClientProtocolMapperArgs { /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper is attached to. */ clientId?: pulumi.Input; /** * The mapper's associated client scope. Cannot be used at the same time as client_id. */ clientScopeId?: pulumi.Input; + /** + * A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. + */ config: pulumi.Input<{[key: string]: pulumi.Input}>; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The protocol of the client (openid-connect / saml). + * The type of client (either `openid-connect` or `saml`). The type must match the type of the client. */ protocol: pulumi.Input; /** - * The type of the protocol mapper. + * The name of the protocol mapper. The protocol mapper must be compatible with the specified client. */ protocolMapper: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/getGroup.ts b/sdk/nodejs/getGroup.ts index 61f8e601..0ae3e33f 100644 --- a/sdk/nodejs/getGroup.ts +++ b/sdk/nodejs/getGroup.ts 
@@ -5,10 +5,33 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; /** - * ## # keycloak.Group data source - * * This data source can be used to fetch properties of a Keycloak group for * usage with other resources, such as `keycloak.GroupRoles`. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const offlineAccess = keycloak.getRoleOutput({ + * realmId: realm.id, + * name: "offline_access", + * }); + * const group = keycloak.getGroupOutput({ + * realmId: realm.id, + * name: "group", + * }); + * const groupRoles = new keycloak.GroupRoles("group_roles", { + * realmId: realm.id, + * groupId: group.apply(group => group.id), + * roleIds: [offlineAccess.apply(offlineAccess => offlineAccess.id)], + * }); + * ``` */ export function getGroup(args: GetGroupArgs, opts?: pulumi.InvokeOptions): Promise { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); @@ -22,7 +45,13 @@ export function getGroup(args: GetGroupArgs, opts?: pulumi.InvokeOptions): Promi * A collection of arguments for invoking getGroup. */ export interface GetGroupArgs { + /** + * The name of the group. If there are multiple groups match `name`, the first result will be returned. + */ name: string; + /** + * The realm this group exists within. + */ realmId: string; } 
@@ -41,10 +70,33 @@ export interface GetGroupResult { readonly realmId: string; } /** - * ## # keycloak.Group data source - * * This data source can be used to fetch properties of a Keycloak group for * usage with other resources, such as `keycloak.GroupRoles`. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const offlineAccess = keycloak.getRoleOutput({ + * realmId: realm.id, + * name: "offline_access", + * }); + * const group = keycloak.getGroupOutput({ + * realmId: realm.id, + * name: "group", + * }); + * const groupRoles = new keycloak.GroupRoles("group_roles", { + * realmId: realm.id, + * groupId: group.apply(group => group.id), + * roleIds: [offlineAccess.apply(offlineAccess => offlineAccess.id)], + * }); + * ``` */ export function getGroupOutput(args: GetGroupOutputArgs, opts?: pulumi.InvokeOptions): pulumi.Output { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); @@ -58,6 +110,12 @@ export function getGroupOutput(args: GetGroupOutputArgs, opts?: pulumi.InvokeOpt * A collection of arguments for invoking getGroup. */ export interface GetGroupOutputArgs { + /** + * The name of the group. If there are multiple groups match `name`, the first result will be returned. + */ name: pulumi.Input; + /** + * The realm this group exists within. + */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/getRealm.ts b/sdk/nodejs/getRealm.ts index 531b489c..68e6878e 100644 --- a/sdk/nodejs/getRealm.ts +++ b/sdk/nodejs/getRealm.ts 
@@ -7,12 +7,10 @@ import * as outputs from "./types/output"; import * as utilities from "./utilities"; /** - * ## # keycloak.Realm data source - * * This data source can be used to fetch properties of a Keycloak realm for * usage with other resources. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -23,20 +21,10 @@ import * as utilities from "./utilities"; * }); * // use the data source * const group = new keycloak.Role("group", { - * realmId: id, + * realmId: realm.then(realm => realm.id), * name: "group", * }); * ``` - * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm` - (Required) The realm name. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.Realm` resource for details on the exported attributes. */ export function getRealm(args: GetRealmArgs, opts?: pulumi.InvokeOptions): Promise { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); @@ -65,6 +53,9 @@ export interface GetRealmArgs { displayNameHtml?: string; internationalizations?: inputs.GetRealmInternationalization[]; otpPolicy?: inputs.GetRealmOtpPolicy; + /** + * The realm name. + */ realm: string; securityDefenses?: inputs.GetRealmSecurityDefense[]; smtpServers?: inputs.GetRealmSmtpServer[]; @@ -138,12 +129,10 @@ export interface GetRealmResult { readonly webAuthnPolicy: outputs.GetRealmWebAuthnPolicy; } /** - * ## # keycloak.Realm data source - * * This data source can be used to fetch properties of a Keycloak realm for * usage with other resources. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -154,20 +143,10 @@ export interface GetRealmResult { * }); * // use the data source * const group = new keycloak.Role("group", { - * realmId: id, + * realmId: realm.then(realm => realm.id), * name: "group", * }); * ``` - * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm` - (Required) The realm name. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.Realm` resource for details on the exported attributes. */ export function getRealmOutput(args: GetRealmOutputArgs, opts?: pulumi.InvokeOptions): pulumi.Output { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); @@ -196,6 +175,9 @@ export interface GetRealmOutputArgs { displayNameHtml?: pulumi.Input; internationalizations?: pulumi.Input[]>; otpPolicy?: pulumi.Input; + /** + * The realm name. + */ realm: pulumi.Input; securityDefenses?: pulumi.Input[]>; smtpServers?: pulumi.Input[]>; diff --git a/sdk/nodejs/getRealmKeys.ts b/sdk/nodejs/getRealmKeys.ts index 337b6eb0..8daced6e 100644 --- a/sdk/nodejs/getRealmKeys.ts +++ b/sdk/nodejs/getRealmKeys.ts @@ -7,15 +7,13 @@ import * as outputs from "./types/output"; import * as utilities from "./utilities"; /** - * ## # keycloak.getRealmKeys data source - * * Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. * * Remarks: * * - A key must meet all filter criteria - * - This datasource may return more than one value. - * - If no key matches the filter criteria, then an error is returned. + * - This data source may return more than one value. + * - If no key matches the filter criteria, then an error will be returned. */ export function getRealmKeys(args: GetRealmKeysArgs, opts?: pulumi.InvokeOptions): Promise { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); 
@@ -30,8 +28,17 @@ export function getRealmKeys(args: GetRealmKeysArgs, opts?: pulumi.InvokeOptions * A collection of arguments for invoking getRealmKeys. */ export interface GetRealmKeysArgs { + /** + * When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + */ algorithms?: string[]; + /** + * The realm from which the keys will be retrieved. + */ realmId: string; + /** + * When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + */ statuses?: string[]; } @@ -44,20 +51,24 @@ export interface GetRealmKeysResult { * The provider-assigned unique ID for this managed resource. */ readonly id: string; + /** + * (Computed) A list of keys that match the filter criteria. Each key has the following attributes: + */ readonly keys: outputs.GetRealmKeysKey[]; readonly realmId: string; + /** + * Key status (string) + */ readonly statuses?: string[]; } /** - * ## # keycloak.getRealmKeys data source - * * Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. * * Remarks: * * - A key must meet all filter criteria - * - This datasource may return more than one value. - * - If no key matches the filter criteria, then an error is returned. + * - This data source may return more than one value. + * - If no key matches the filter criteria, then an error will be returned. */ export function getRealmKeysOutput(args: GetRealmKeysOutputArgs, opts?: pulumi.InvokeOptions): pulumi.Output { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); 
@@ -72,7 +83,16 @@ export function getRealmKeysOutput(args: GetRealmKeysOutputArgs, opts?: pulumi.I * A collection of arguments for invoking getRealmKeys. */ export interface GetRealmKeysOutputArgs { + /** + * When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc. + */ algorithms?: pulumi.Input[]>; + /** + * The realm from which the keys will be retrieved. + */ realmId: pulumi.Input; + /** + * When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + */ statuses?: pulumi.Input[]>; } diff --git a/sdk/nodejs/getRole.ts b/sdk/nodejs/getRole.ts index 340e5f8a..53937361 100644 --- a/sdk/nodejs/getRole.ts +++ b/sdk/nodejs/getRole.ts @@ -5,10 +5,34 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; /** - * ## # keycloak.Role data source - * * This data source can be used to fetch properties of a Keycloak role for * usage with other resources, such as `keycloak.GroupRoles`. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const offlineAccess = keycloak.getRoleOutput({ + * realmId: realm.id, + * name: "offline_access", + * }); + * // use the data source + * const group = new keycloak.Group("group", { + * realmId: realm.id, + * name: "group", + * }); + * const groupRoles = new keycloak.GroupRoles("group_roles", { + * realmId: realm.id, + * groupId: group.id, + * roleIds: [offlineAccess.apply(offlineAccess => offlineAccess.id)], + * }); + * ``` */ export function getRole(args: GetRoleArgs, opts?: pulumi.InvokeOptions): Promise { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); 
@@ -23,8 +47,17 @@ export function getRole(args: GetRoleArgs, opts?: pulumi.InvokeOptions): Promise * A collection of arguments for invoking getRole. */ export interface GetRoleArgs { + /** + * When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloakClient` resource should be used here. + */ clientId?: string; + /** + * The name of the role. + */ name: string; + /** + * The realm this role exists within. + */ realmId: string; } @@ -35,6 +68,9 @@ export interface GetRoleResult { readonly attributes: {[key: string]: string}; readonly clientId?: string; readonly compositeRoles: string[]; + /** + * (Computed) The description of the role. + */ readonly description: string; /** * The provider-assigned unique ID for this managed resource. @@ -44,10 +80,34 @@ export interface GetRoleResult { readonly realmId: string; } /** - * ## # keycloak.Role data source - * * This data source can be used to fetch properties of a Keycloak role for * usage with other resources, such as `keycloak.GroupRoles`. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const offlineAccess = keycloak.getRoleOutput({ + * realmId: realm.id, + * name: "offline_access", + * }); + * // use the data source + * const group = new keycloak.Group("group", { + * realmId: realm.id, + * name: "group", + * }); + * const groupRoles = new keycloak.GroupRoles("group_roles", { + * realmId: realm.id, + * groupId: group.id, + * roleIds: [offlineAccess.apply(offlineAccess => offlineAccess.id)], + * }); + * ``` */ export function getRoleOutput(args: GetRoleOutputArgs, opts?: pulumi.InvokeOptions): pulumi.Output { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); 
@@ -62,7 +122,16 @@ export function getRoleOutput(args: GetRoleOutputArgs, opts?: pulumi.InvokeOptio * A collection of arguments for invoking getRole. */ export interface GetRoleOutputArgs { + /** + * When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloakClient` resource should be used here. + */ clientId?: pulumi.Input; + /** + * The name of the role. + */ name: pulumi.Input; + /** + * The realm this role exists within. + */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/group.ts b/sdk/nodejs/group.ts index a388ee66..5fb373b7 100644 --- a/sdk/nodejs/group.ts +++ b/sdk/nodejs/group.ts @@ -5,20 +5,17 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; /** - * ## # keycloak.Group - * * Allows for creating and managing Groups within Keycloak. * - * Groups provide a logical wrapping for users within Keycloak. Users within a - * group can share attributes and roles, and group membership can be mapped - * to a claim. + * Groups provide a logical wrapping for users within Keycloak. Users within a group can share attributes and roles, and + * group membership can be mapped to a claim. * * Attributes can also be defined on Groups. * - * Groups can also be federated from external data sources, such as LDAP or Active Directory. - * This resource **should not** be used to manage groups that were created this way. + * Groups can also be federated from external data sources, such as LDAP or Active Directory. This resource **should not** + * be used to manage groups that were created this way. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -42,33 +39,25 @@ import * as utilities from "./utilities"; * parentId: parentGroup.id, * name: "child-group-with-optional-attributes", * attributes: { - * key1: "value1", - * key2: "value2", + * foo: "bar", + * multivalue: "value1##value2", * }, * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this group exists in. - * - `parentId` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level. - * - `name` - (Required) The name of the group. - * - `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group. - * - * ### Attributes Reference - * - * In addition to the arguments listed above, the following computed attributes are exported: + * ## Import * - * - `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + * Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak * - * ### Import - * - * Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `groupId` is the unique ID that Keycloak * assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID. * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:index/group:Group child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd + * ``` */ export class Group extends pulumi.CustomResource { /** 
@@ -98,10 +87,25 @@ export class Group extends pulumi.CustomResource { return obj['__pulumiType'] === Group.__pulumiType; } + /** + * A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + */ public readonly attributes!: pulumi.Output<{[key: string]: string} | undefined>; + /** + * The name of the group. + */ public readonly name!: pulumi.Output; + /** + * The ID of this group's parent. If omitted, this group will be defined at the root level. + */ public readonly parentId!: pulumi.Output; + /** + * (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + */ public /*out*/ readonly path!: pulumi.Output; + /** + * The realm this group exists in. + */ public readonly realmId!: pulumi.Output; /** @@ -142,10 +146,25 @@ export class Group extends pulumi.CustomResource { * Input properties used for looking up and filtering Group resources. */ export interface GroupState { + /** + * A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + */ attributes?: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * The name of the group. + */ name?: pulumi.Input; + /** + * The ID of this group's parent. If omitted, this group will be defined at the root level. + */ parentId?: pulumi.Input; + /** + * (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. + */ path?: pulumi.Input; + /** + * The realm this group exists in. + */ realmId?: pulumi.Input; } 
@@ -153,8 +172,20 @@ export interface GroupState {
 * The set of arguments for constructing a Group resource.
 */
 export interface GroupArgs {
+ /**
+ * A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ */
 attributes?: pulumi.Input<{[key: string]: pulumi.Input}>;
+ /**
+ * The name of the group.
+ */
 name?: pulumi.Input;
+ /**
+ * The ID of this group's parent. If omitted, this group will be defined at the root level.
+ */
 parentId?: pulumi.Input;
+ /**
+ * The realm this group exists in.
+ */
 realmId: pulumi.Input;
 }
diff --git a/sdk/nodejs/groupMemberships.ts b/sdk/nodejs/groupMemberships.ts
index a27dec55..49f92124 100644
--- a/sdk/nodejs/groupMemberships.ts
+++ b/sdk/nodejs/groupMemberships.ts
@@ -5,23 +5,23 @@ import * as pulumi from "@pulumi/pulumi";
 import * as utilities from "./utilities";
 
 /**
- * ## # keycloak.GroupMemberships
- *
 * Allows for managing a Keycloak group's members.
 *
- * Note that this resource attempts to be an **authoritative** source over group members.
- * When this resource takes control over a group's members, users that are manually added
- * to the group will be removed, and users that are manually removed from the group will
- * be added upon the next run of `pulumi up`. Eventually, a non-authoritative resource
- * for group membership will be added to this provider.
+ * Note that this resource attempts to be an **authoritative** source over group members. When this resource takes control
+ * over a group's members, users that are manually added to the group will be removed, and users that are manually removed
+ * from the group will be added upon the next run of `pulumi up`.
+ *
+ * Also note that you should not use `keycloak.GroupMemberships` with a group has been assigned as a default group via
+ * `keycloak.DefaultGroups`.
 *
- * Also note that you should not use `keycloak.GroupMemberships` with a group has been assigned
- * as a default group via `keycloak.DefaultGroups`.
+ * This resource **should not** be used to control membership of a group that has its members federated from an external
+ * source via group mapping.
 *
- * This resource **should not** be used to control membership of a group that has its members
- * federated from an external source via group mapping.
+ * To non-exclusively manage the group's of a user, see the [`keycloak.UserGroups` resource][1]
 *
- * ### Example Usage
+ * This resource paginates its data loading on refresh by 50 items.
+ *
+ * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
@@ -46,18 +46,13 @@ import * as utilities from "./utilities";
 * });
 * ```
 *
- * ### Argument Reference
- *
- * The following arguments are supported:
- *
- * - `realmId` - (Required) The realm this group exists in.
- * - `groupId` - (Required) The ID of the group this resource should manage memberships for.
- * - `members` - (Required) An array of usernames that belong to this group.
- *
- * ### Import
+ * ## Import
 *
 * This resource does not support import. Instead of importing, feel free to create this resource
+ *
 * as if it did not already exist on the server.
+ *
+ * [1]: providers/mrparkers/keycloak/latest/docs/resources/group_memberships
 */
 export class GroupMemberships extends pulumi.CustomResource {
 /**
@@ -87,8 +82,17 @@ export class GroupMemberships extends pulumi.CustomResource {
 return obj['__pulumiType'] === GroupMemberships.__pulumiType;
 }
 
+ /**
+ * The ID of the group this resource should manage memberships for.
+ */
 public readonly groupId!: pulumi.Output;
+ /**
+ * A list of usernames that belong to this group.
+ */
 public readonly members!: pulumi.Output;
+ /**
+ * The realm this group exists in.
+ */
 public readonly realmId!: pulumi.Output;
 
 /**
@@ -128,8 +132,17 @@ export class GroupMemberships extends pulumi.CustomResource {
 * Input properties used for looking up and filtering GroupMemberships resources.
 */
 export interface GroupMembershipsState {
+ /**
+ * The ID of the group this resource should manage memberships for.
+ */
 groupId?: pulumi.Input;
+ /**
+ * A list of usernames that belong to this group.
+ */
 members?: pulumi.Input[]>;
+ /**
+ * The realm this group exists in.
+ */
 realmId?: pulumi.Input;
 }
 
@@ -137,7 +150,16 @@ export interface GroupMembershipsState {
 * The set of arguments for constructing a GroupMemberships resource.
 */
 export interface GroupMembershipsArgs {
+ /**
+ * The ID of the group this resource should manage memberships for.
+ */
 groupId?: pulumi.Input;
+ /**
+ * A list of usernames that belong to this group.
+ */
 members: pulumi.Input[]>;
+ /**
+ * The realm this group exists in.
+ */
 realmId: pulumi.Input;
 }
diff --git a/sdk/nodejs/groupRoles.ts b/sdk/nodejs/groupRoles.ts
index a487ef18..946304d7 100644
--- a/sdk/nodejs/groupRoles.ts
+++ b/sdk/nodejs/groupRoles.ts
@@ -5,21 +5,18 @@ import * as pulumi from "@pulumi/pulumi";
 import * as utilities from "./utilities";
 
 /**
- * ## # keycloak.GroupRoles
- *
 * Allows you to manage roles assigned to a Keycloak group.
 *
- * Note that this resource attempts to be an **authoritative** source over
- * group roles. When this resource takes control over a group's roles,
- * roles that are manually added to the group will be removed, and roles
- * that are manually removed from the group will be added upon the next run
- * of `pulumi up`.
+ * If `exhaustive` is true, this resource attempts to be an **authoritative** source over group roles: roles that are manually added to the group will be removed, and roles that are manually removed from the
+ * group will be added upon the next run of `pulumi up`.
+ * If `exhaustive` is false, this resource is a partial assignation of roles to a group. As a result, you can get multiple `keycloak.GroupRoles` for the same `groupId`.
+ *
+ * Note that when assigning composite roles to a group, you may see a non-empty plan following a `pulumi up` if you
+ * assign a role and a composite that includes that role to the same group.
 *
- * Note that when assigning composite roles to a group, you may see a
- * non-empty plan following a `pulumi up` if you assign a role and a
- * composite that includes that role to the same group.
+ * ## Example Usage
 *
- * ### Example Usage
+ * ### Exhaustive Roles)
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
@@ -61,23 +58,67 @@ import * as utilities from "./utilities";
 * });
 * ```
 *
- * ### Argument Reference
+ * ### Non Exhaustive Roles)
 *
- * The following arguments are supported:
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as keycloak from "@pulumi/keycloak";
 *
- * - `realmId` - (Required) The realm this group exists in.
- * - `groupId` - (Required) The ID of the group this resource should
- * manage roles for.
- * - `roleIds` - (Required) A list of role IDs to map to the group
+ * const realm = new keycloak.Realm("realm", {
+ * realm: "my-realm",
+ * enabled: true,
+ * });
+ * const realmRole = new keycloak.Role("realm_role", {
+ * realmId: realm.id,
+ * name: "my-realm-role",
+ * description: "My Realm Role",
+ * });
+ * const client = new keycloak.openid.Client("client", {
+ * realmId: realm.id,
+ * clientId: "client",
+ * name: "client",
+ * enabled: true,
+ * accessType: "BEARER-ONLY",
+ * });
+ * const clientRole = new keycloak.Role("client_role", {
+ * realmId: realm.id,
+ * clientId: clientKeycloakClient.id,
+ * name: "my-client-role",
+ * description: "My Client Role",
+ * });
+ * const group = new keycloak.Group("group", {
+ * realmId: realm.id,
+ * name: "my-group",
+ * });
+ * const groupRoleAssociation1 = new keycloak.GroupRoles("group_role_association1", {
+ * realmId: realm.id,
+ * groupId: group.id,
+ * exhaustive: false,
+ * roleIds: [realmRole.id],
+ * });
+ * const groupRoleAssociation2 = new keycloak.GroupRoles("group_role_association2", {
+ * realmId: realm.id,
+ * groupId: group.id,
+ * exhaustive: false,
+ * roleIds: [clientRole.id],
+ * });
+ * ```
+ *
+ * ## Import
 *
- * ### Import
+ * This resource can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak
 *
- * This resource can be imported using the format
- * `{{realm_id}}/{{group_id}}`, where `groupId` is the unique ID that
- * Keycloak assigns to the group upon creation. This value can be found in
- * the URI when editing this group in the GUI, and is typically a GUID.
+ * assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically
+ *
+ * a GUID.
 *
 * Example:
+ *
+ * bash
+ *
+ * ```sh
+ * $ pulumi import keycloak:index/groupRoles:GroupRoles group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94
+ * ```
 */
 export class GroupRoles extends pulumi.CustomResource {
 /**
@@ -107,9 +148,21 @@ export class GroupRoles extends pulumi.CustomResource {
 return obj['__pulumiType'] === GroupRoles.__pulumiType;
 }
 
+ /**
+ * Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`.
+ */
 public readonly exhaustive!: pulumi.Output;
+ /**
+ * The ID of the group this resource should manage roles for.
+ */
 public readonly groupId!: pulumi.Output;
+ /**
+ * The realm this group exists in.
+ */
 public readonly realmId!: pulumi.Output;
+ /**
+ * A list of role IDs to map to the group.
+ */
 public readonly roleIds!: pulumi.Output;
 
 /**
@@ -154,9 +207,21 @@ export class GroupRoles extends pulumi.CustomResource {
 * Input properties used for looking up and filtering GroupRoles resources.
 */
 export interface GroupRolesState {
+ /**
+ * Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`.
+ */
 exhaustive?: pulumi.Input;
+ /**
+ * The ID of the group this resource should manage roles for.
+ */
 groupId?: pulumi.Input;
+ /**
+ * The realm this group exists in.
+ */
 realmId?: pulumi.Input;
+ /**
+ * A list of role IDs to map to the group.
+ */
 roleIds?: pulumi.Input[]>;
 }
 
@@ -164,8 +229,20 @@ export interface GroupRolesState {
 * The set of arguments for constructing a GroupRoles resource.
 */
 export interface GroupRolesArgs {
+ /**
+ * Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`.
+ */
 exhaustive?: pulumi.Input;
+ /**
+ * The ID of the group this resource should manage roles for.
+ */
 groupId: pulumi.Input;
+ /**
+ * The realm this group exists in.
+ */
 realmId: pulumi.Input;
+ /**
+ * A list of role IDs to map to the group.
+ */
 roleIds: pulumi.Input[]>;
 }
diff --git a/sdk/nodejs/ldap/fullNameMapper.ts b/sdk/nodejs/ldap/fullNameMapper.ts
index 15255da9..3424f925 100644
--- a/sdk/nodejs/ldap/fullNameMapper.ts
+++ b/sdk/nodejs/ldap/fullNameMapper.ts
@@ -5,22 +5,19 @@ import * as pulumi from "@pulumi/pulumi";
 import * as utilities from "../utilities";
 
 /**
- * ## # keycloak.ldap.FullNameMapper
+ * Allows for creating and managing full name mappers for Keycloak users federated via LDAP.
 *
- * Allows for creating and managing full name mappers for Keycloak users federated
- * via LDAP.
+ * The LDAP full name mapper can map a user's full name from an LDAP attribute to the first and last name attributes of a
+ * Keycloak user.
 *
- * The LDAP full name mapper can map a user's full name from an LDAP attribute
- * to the first and last name attributes of a Keycloak user.
- *
- * ### Example Usage
+ * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as keycloak from "@pulumi/keycloak";
 *
 * const realm = new keycloak.Realm("realm", {
- * realm: "test",
+ * realm: "my-realm",
 * enabled: true,
 * });
 * const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
@@ -46,22 +43,19 @@ import * as utilities from "../utilities";
 * });
 * ```
 *
- * ### Argument Reference
+ * ## Import
 *
- * The following arguments are supported:
+ * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
 *
- * - `realmId` - (Required) The realm that this LDAP mapper will exist in.
- * - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
- * - `name` - (Required) Display name of this mapper when displayed in the console.
- * - `ldapFullNameAttribute` - (Required) The name of the LDAP attribute containing the user's full name.
- * - `readOnly` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
- * - `writeOnly` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
+ * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
 *
- * ### Import
+ * Example:
 *
- * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
- * The ID of the LDAP user federation provider and the mapper can be found within
- * the Keycloak GUI, and they are typically GUIDs:
+ * bash
+ *
+ * ```sh
+ * $ pulumi import keycloak:ldap/fullNameMapper:FullNameMapper ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+ * ```
 */
 export class FullNameMapper extends pulumi.CustomResource {
 /**
@@ -91,20 +85,29 @@ export class FullNameMapper extends pulumi.CustomResource {
 return obj['__pulumiType'] === FullNameMapper.__pulumiType;
 }
 
+ /**
+ * The name of the LDAP attribute containing the user's full name.
+ */
 public readonly ldapFullNameAttribute!: pulumi.Output;
 /**
- * The ldap user federation provider to attach this mapper to.
+ * The ID of the LDAP user federation provider to attach this mapper to.
 */
 public readonly ldapUserFederationId!: pulumi.Output;
 /**
- * Display name of the mapper when displayed in the console.
+ * Display name of this mapper when displayed in the console.
 */
 public readonly name!: pulumi.Output;
+ /**
+ * When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
+ */
 public readonly readOnly!: pulumi.Output;
 /**
- * The realm in which the ldap user federation provider exists.
+ * The realm that this LDAP mapper will exist in.
 */
 public readonly realmId!: pulumi.Output;
+ /**
+ * When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
+ */
 public readonly writeOnly!: pulumi.Output;
 
 /**
@@ -153,20 +156,29 @@ export class FullNameMapper extends pulumi.CustomResource {
 * Input properties used for looking up and filtering FullNameMapper resources.
 */
 export interface FullNameMapperState {
+ /**
+ * The name of the LDAP attribute containing the user's full name.
+ */
 ldapFullNameAttribute?: pulumi.Input;
 /**
- * The ldap user federation provider to attach this mapper to.
+ * The ID of the LDAP user federation provider to attach this mapper to.
 */
 ldapUserFederationId?: pulumi.Input;
 /**
- * Display name of the mapper when displayed in the console.
+ * Display name of this mapper when displayed in the console.
 */
 name?: pulumi.Input;
+ /**
+ * When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
+ */
 readOnly?: pulumi.Input;
 /**
- * The realm in which the ldap user federation provider exists.
+ * The realm that this LDAP mapper will exist in.
 */
 realmId?: pulumi.Input;
+ /**
+ * When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
+ */
 writeOnly?: pulumi.Input;
 }
 
@@ -174,19 +186,28 @@ export interface FullNameMapperState {
 * The set of arguments for constructing a FullNameMapper resource.
 */
 export interface FullNameMapperArgs {
+ /**
+ * The name of the LDAP attribute containing the user's full name.
+ */
 ldapFullNameAttribute: pulumi.Input;
 /**
- * The ldap user federation provider to attach this mapper to.
+ * The ID of the LDAP user federation provider to attach this mapper to.
 */
 ldapUserFederationId: pulumi.Input;
 /**
- * Display name of the mapper when displayed in the console.
+ * Display name of this mapper when displayed in the console.
 */
 name?: pulumi.Input;
+ /**
+ * When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
+ */
 readOnly?: pulumi.Input;
 /**
- * The realm in which the ldap user federation provider exists.
+ * The realm that this LDAP mapper will exist in.
 */
 realmId: pulumi.Input;
+ /**
+ * When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
+ */
 writeOnly?: pulumi.Input;
 }
diff --git a/sdk/nodejs/ldap/groupMapper.ts b/sdk/nodejs/ldap/groupMapper.ts
index 8dc7c8df..136c31fc 100644
--- a/sdk/nodejs/ldap/groupMapper.ts
+++ b/sdk/nodejs/ldap/groupMapper.ts
@@ -5,23 +5,19 @@ import * as pulumi from "@pulumi/pulumi";
 import * as utilities from "../utilities";
 
 /**
- * ## # keycloak.ldap.GroupMapper
+ * Allows for creating and managing group mappers for Keycloak users federated via LDAP.
 *
- * Allows for creating and managing group mappers for Keycloak users federated
- * via LDAP.
+ * The LDAP group mapper can be used to map an LDAP user's groups from some DN to Keycloak groups. This group mapper will also
+ * create the groups within Keycloak if they do not already exist.
 *
- * The LDAP group mapper can be used to map an LDAP user's groups from some DN
- * to Keycloak groups. This group mapper will also create the groups within Keycloak
- * if they do not already exist.
- *
- * ### Example Usage
+ * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as keycloak from "@pulumi/keycloak";
 *
 * const realm = new keycloak.Realm("realm", {
- * realm: "test",
+ * realm: "my-realm",
 * enabled: true,
 * });
 * const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
@@ -53,33 +49,19 @@ import * as utilities from "../utilities";
 * });
 * ```
 *
- * ### Argument Reference
+ * ## Import
 *
- * The following arguments are supported:
+ * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
 *
- * - `realmId` - (Required) The realm that this LDAP mapper will exist in.
- * - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
- * - `name` - (Required) Display name of this mapper when displayed in the console.
- * - `ldapGroupsDn` - (Required) The LDAP DN where groups can be found.
- * - `groupNameLdapAttribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.
- * - `groupObjectClasses` - (Required) Array of strings representing the object classes for the group. Must contain at least one.
- * - `preserveGroupInheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.
- * - `ignoreMissingGroups` - (Optional) When `true`, missing groups in the hierarchy will be ignored.
- * - `membershipLdapAttribute` - (Required) The name of the LDAP attribute that is used for membership mappings.
- * - `membershipAttributeType` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`.
- * - `membershipUserLdapAttribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings.
- * - `groupsLdapFilter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
- * - `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. Defaults to `READ_ONLY`.
- * - `userRolesRetrieveStrategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
- * - `memberofLdapAttribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
- * - `mappedGroupAttributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
- * - `dropNonExistingGroupsDuringSync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+ * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
 *
- * ### Import
+ * Example:
 *
- * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
- * The ID of the LDAP user federation provider and the mapper can be found within
- * the Keycloak GUI, and they are typically GUIDs:
+ * bash
+ *
+ * ```sh
+ * $ pulumi import keycloak:ldap/groupMapper:GroupMapper ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+ * ```
 */
 export class GroupMapper extends pulumi.CustomResource {
 /**
@@ -109,32 +91,77 @@ export class GroupMapper extends pulumi.CustomResource {
 return obj['__pulumiType'] === GroupMapper.__pulumiType;
 }
 
+ /**
+ * When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+ */
 public readonly dropNonExistingGroupsDuringSync!: pulumi.Output;
+ /**
+ * The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.
+ */
 public readonly groupNameLdapAttribute!: pulumi.Output;
+ /**
+ * List of strings representing the object classes for the group. Must contain at least one.
+ */
 public readonly groupObjectClasses!: pulumi.Output;
+ /**
+ * When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
+ */
 public readonly groupsLdapFilter!: pulumi.Output;
+ /**
+ * Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper.
+ */
 public readonly groupsPath!: pulumi.Output;
+ /**
+ * When `true`, missing groups in the hierarchy will be ignored.
+ */
 public readonly ignoreMissingGroups!: pulumi.Output;
+ /**
+ * The LDAP DN where groups can be found.
+ */
 public readonly ldapGroupsDn!: pulumi.Output;
 /**
- * The ldap user federation provider to attach this mapper to.
+ * The ID of the LDAP user federation provider to attach this mapper to.
 */
 public readonly ldapUserFederationId!: pulumi.Output;
+ /**
+ * Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
+ */
 public readonly mappedGroupAttributes!: pulumi.Output;
+ /**
+ * Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
+ */
 public readonly memberofLdapAttribute!: pulumi.Output;
+ /**
+ * Can be one of `DN` or `UID`. Defaults to `DN`.
+ */
 public readonly membershipAttributeType!: pulumi.Output;
+ /**
+ * The name of the LDAP attribute that is used for membership mappings.
+ */
 public readonly membershipLdapAttribute!: pulumi.Output;
+ /**
+ * The name of the LDAP attribute on a user that is used for membership mappings.
+ */
 public readonly membershipUserLdapAttribute!: pulumi.Output;
+ /**
+ * Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`.
+ */
 public readonly mode!: pulumi.Output;
 /**
- * Display name of the mapper when displayed in the console.
+ * Display name of this mapper when displayed in the console.
 */
 public readonly name!: pulumi.Output;
+ /**
+ * When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.
+ */
 public readonly preserveGroupInheritance!: pulumi.Output;
 /**
- * The realm in which the ldap user federation provider exists.
+ * The realm that this LDAP mapper will exist in.
 */
 public readonly realmId!: pulumi.Output;
+ /**
+ * Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
+ */
 public readonly userRolesRetrieveStrategy!: pulumi.Output;
 
 /**
@@ -219,32 +246,77 @@ export class GroupMapper extends pulumi.CustomResource {
 * Input properties used for looking up and filtering GroupMapper resources.
 */
 export interface GroupMapperState {
+ /**
+ * When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+ */
 dropNonExistingGroupsDuringSync?: pulumi.Input;
+ /**
+ * The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.
+ */
 groupNameLdapAttribute?: pulumi.Input;
+ /**
+ * List of strings representing the object classes for the group. Must contain at least one.
+ */
 groupObjectClasses?: pulumi.Input[]>;
+ /**
+ * When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
+ */
 groupsLdapFilter?: pulumi.Input;
+ /**
+ * Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper.
+ */
 groupsPath?: pulumi.Input;
+ /**
+ * When `true`, missing groups in the hierarchy will be ignored.
+ */
 ignoreMissingGroups?: pulumi.Input;
+ /**
+ * The LDAP DN where groups can be found.
+ */
 ldapGroupsDn?: pulumi.Input;
 /**
- * The ldap user federation provider to attach this mapper to.
+ * The ID of the LDAP user federation provider to attach this mapper to.
 */
 ldapUserFederationId?: pulumi.Input;
+ /**
+ * Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
+ */
 mappedGroupAttributes?: pulumi.Input[]>;
+ /**
+ * Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
+ */
 memberofLdapAttribute?: pulumi.Input;
+ /**
+ * Can be one of `DN` or `UID`. Defaults to `DN`.
+ */
 membershipAttributeType?: pulumi.Input;
+ /**
+ * The name of the LDAP attribute that is used for membership mappings.
+ */
 membershipLdapAttribute?: pulumi.Input;
+ /**
+ * The name of the LDAP attribute on a user that is used for membership mappings.
+ */
 membershipUserLdapAttribute?: pulumi.Input;
+ /**
+ * Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`.
+ */
 mode?: pulumi.Input;
 /**
- * Display name of the mapper when displayed in the console.
+ * Display name of this mapper when displayed in the console.
 */
 name?: pulumi.Input;
+ /**
+ * When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.
+ */
 preserveGroupInheritance?: pulumi.Input;
 /**
- * The realm in which the ldap user federation provider exists.
+ * The realm that this LDAP mapper will exist in.
 */
 realmId?: pulumi.Input;
+ /**
+ * Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
+ */
 userRolesRetrieveStrategy?: pulumi.Input;
 }
 
@@ -252,31 +324,76 @@ export interface GroupMapperState {
 * The set of arguments for constructing a GroupMapper resource.
 */
 export interface GroupMapperArgs {
+ /**
+ * When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+ */
 dropNonExistingGroupsDuringSync?: pulumi.Input;
+ /**
+ * The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.
+ */
 groupNameLdapAttribute: pulumi.Input;
+ /**
+ * List of strings representing the object classes for the group. Must contain at least one.
+ */
 groupObjectClasses: pulumi.Input[]>;
+ /**
+ * When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
+ */
 groupsLdapFilter?: pulumi.Input;
+ /**
+ * Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper.
+ */
 groupsPath?: pulumi.Input;
+ /**
+ * When `true`, missing groups in the hierarchy will be ignored.
+ */
 ignoreMissingGroups?: pulumi.Input;
+ /**
+ * The LDAP DN where groups can be found.
+ */
 ldapGroupsDn: pulumi.Input;
 /**
- * The ldap user federation provider to attach this mapper to.
+ * The ID of the LDAP user federation provider to attach this mapper to.
 */
 ldapUserFederationId: pulumi.Input;
+ /**
+ * Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
+ */
 mappedGroupAttributes?: pulumi.Input[]>;
+ /**
+ * Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
+ */
 memberofLdapAttribute?: pulumi.Input;
+ /**
+ * Can be one of `DN` or `UID`. Defaults to `DN`.
+ */
 membershipAttributeType?: pulumi.Input;
+ /**
+ * The name of the LDAP attribute that is used for membership mappings.
+ */
 membershipLdapAttribute: pulumi.Input;
+ /**
+ * The name of the LDAP attribute on a user that is used for membership mappings.
+ */
 membershipUserLdapAttribute: pulumi.Input;
+ /**
+ * Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`.
+ */
 mode?: pulumi.Input;
 /**
- * Display name of the mapper when displayed in the console.
+ * Display name of this mapper when displayed in the console.
 */
 name?: pulumi.Input;
+ /**
+ * When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.
+ */
 preserveGroupInheritance?: pulumi.Input;
 /**
- * The realm in which the ldap user federation provider exists.
+ * The realm that this LDAP mapper will exist in.
 */
 realmId: pulumi.Input;
+ /**
+ * Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
+ */
 userRolesRetrieveStrategy?: pulumi.Input;
 }
diff --git a/sdk/nodejs/ldap/hardcodedRoleMapper.ts b/sdk/nodejs/ldap/hardcodedRoleMapper.ts
index 27af164f..64c44b9c 100644
--- a/sdk/nodejs/ldap/hardcodedRoleMapper.ts
+++ b/sdk/nodejs/ldap/hardcodedRoleMapper.ts
@@ -5,18 +5,20 @@ import * as pulumi from "@pulumi/pulumi";
 import * as utilities from "../utilities";
 
 /**
- * ## # keycloak.ldap.HardcodedRoleMapper
+ * Allows for creating and managing hardcoded role mappers for Keycloak users federated via LDAP.
 *
- * This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP.
+ * The LDAP hardcoded role mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP.
 *
- * ### Example Usage
+ * ## Example Usage
+ *
+ * ### Realm Role)
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as keycloak from "@pulumi/keycloak";
 *
 * const realm = new keycloak.Realm("realm", {
- * realm: "test",
+ * realm: "my-realm",
 * enabled: true,
 * });
 * const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
@@ -34,28 +36,75 @@ import * as utilities from "../utilities"; * bindDn: "cn=admin,dc=example,dc=org", * bindCredential: "admin", * }); + * const realmAdminRole = new keycloak.Role("realm_admin_role", { + * realmId: realm.id, + * name: "my-admin-role", + * description: "My Realm Role", + * }); * const assignAdminRoleToAllUsers = new keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", { * realmId: realm.id, * ldapUserFederationId: ldapUserFederation.id, * name: "assign-admin-role-to-all-users", - * role: "admin", + * role: realmAdminRole.name, * }); * ``` * - * ### Argument Reference + * ### Client Role) * - * The following arguments are supported: + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; * - * - `realmId` - (Required) The realm that this LDAP mapper will exist in. - * - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - * - `name` - (Required) Display name of this mapper when displayed in the console. - * - `role` - (Required) The role which should be assigned to the users. 
+ * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", { + * name: "openldap", + * realmId: realm.id, + * usernameLdapAttribute: "cn", + * rdnLdapAttribute: "cn", + * uuidLdapAttribute: "entryDN", + * userObjectClasses: [ + * "simpleSecurityObject", + * "organizationalRole", + * ], + * connectionUrl: "ldap://openldap", + * usersDn: "dc=example,dc=org", + * bindDn: "cn=admin,dc=example,dc=org", + * bindCredential: "admin", + * }); + * // data sources aren't technically necessary here, but they are helpful for demonstration purposes + * const realmManagement = keycloak.openid.getClientOutput({ + * realmId: realm.id, + * clientId: "realm-management", + * }); + * const createClient = pulumi.all([realm.id, realmManagement]).apply(([id, realmManagement]) => keycloak.getRoleOutput({ + * realmId: id, + * clientId: realmManagement.id, + * name: "create-client", + * })); + * const assignAdminRoleToAllUsers = new keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", { + * realmId: realm.id, + * ldapUserFederationId: ldapUserFederation.id, + * name: "assign-admin-role-to-all-users", + * role: pulumi.all([realmManagement, createClient]).apply(([realmManagement, createClient]) => `${realmManagement.clientId}.${createClient.name}`), + * }); + * ``` * - * ### Import + * ## Import * * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - * The ID of the LDAP user federation provider and the mapper can be found within - * the Keycloak GUI, and they are typically GUIDs: + * + * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. 
+ * + * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper assign_admin_role_to_all_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` */ export class HardcodedRoleMapper extends pulumi.CustomResource { /** @@ -86,19 +135,19 @@ export class HardcodedRoleMapper extends pulumi.CustomResource { } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ public readonly ldapUserFederationId!: pulumi.Output; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ public readonly name!: pulumi.Output; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ public readonly realmId!: pulumi.Output; /** - * Role to grant to user. + * The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. */ public readonly role!: pulumi.Output; @@ -145,19 +194,19 @@ export class HardcodedRoleMapper extends pulumi.CustomResource { */ export interface HardcodedRoleMapperState { /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ ldapUserFederationId?: pulumi.Input; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ realmId?: pulumi.Input; /** - * Role to grant to user. + * The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. */ role?: pulumi.Input; } 
@@ -167,19 +216,19 @@ export interface HardcodedRoleMapperState { */ export interface HardcodedRoleMapperArgs { /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ ldapUserFederationId: pulumi.Input; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ realmId: pulumi.Input; /** - * Role to grant to user. + * The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. */ role: pulumi.Input; } diff --git a/sdk/nodejs/ldap/msadUserAccountControlMapper.ts b/sdk/nodejs/ldap/msadUserAccountControlMapper.ts index 5e707901..7ff601d0 100644 --- a/sdk/nodejs/ldap/msadUserAccountControlMapper.ts +++ b/sdk/nodejs/ldap/msadUserAccountControlMapper.ts @@ -5,8 +5,6 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.ldap.MsadUserAccountControlMapper - * * Allows for creating and managing MSAD user account control mappers for Keycloak * users federated via LDAP. * @@ -15,14 +13,14 @@ import * as utilities from "../utilities"; * AD user state to Keycloak in order to enforce settings like expired passwords * or disabled accounts. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as keycloak from "@pulumi/keycloak"; * * const realm = new keycloak.Realm("realm", { - * realm: "test", + * realm: "my-realm", * enabled: true, * }); * const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", { 
@@ -48,20 +46,19 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. * - * - `realmId` - (Required) The realm that this LDAP mapper will exist in. - * - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - * - `name` - (Required) Display name of this mapper when displayed in the console. - * - `ldapPasswordPolicyHintsEnabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. * - * ### Import + * Example: * - * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - * The ID of the LDAP user federation provider and the mapper can be found within - * the Keycloak GUI, and they are typically GUIDs: + * bash + * + * ```sh + * $ pulumi import keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` */ export class MsadUserAccountControlMapper extends pulumi.CustomResource { /** 
@@ -91,17 +88,20 @@ export class MsadUserAccountControlMapper extends pulumi.CustomResource { return obj['__pulumiType'] === MsadUserAccountControlMapper.__pulumiType; } + /** + * When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + */ public readonly ldapPasswordPolicyHintsEnabled!: pulumi.Output; /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ public readonly ldapUserFederationId!: pulumi.Output; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ public readonly name!: pulumi.Output; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ public readonly realmId!: pulumi.Output; @@ -144,17 +144,20 @@ export class MsadUserAccountControlMapper extends pulumi.CustomResource { * Input properties used for looking up and filtering MsadUserAccountControlMapper resources. */ export interface MsadUserAccountControlMapperState { + /** + * When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + */ ldapPasswordPolicyHintsEnabled?: pulumi.Input; /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ ldapUserFederationId?: pulumi.Input; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ realmId?: pulumi.Input; } 
@@ -163,17 +166,20 @@ export interface MsadUserAccountControlMapperState { * The set of arguments for constructing a MsadUserAccountControlMapper resource. */ export interface MsadUserAccountControlMapperArgs { + /** + * When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + */ ldapPasswordPolicyHintsEnabled?: pulumi.Input; /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ ldapUserFederationId: pulumi.Input; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/ldap/userAttributeMapper.ts b/sdk/nodejs/ldap/userAttributeMapper.ts index c01a00df..b0219dff 100644 --- a/sdk/nodejs/ldap/userAttributeMapper.ts +++ b/sdk/nodejs/ldap/userAttributeMapper.ts @@ -5,22 +5,20 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.ldap.UserAttributeMapper - * * Allows for creating and managing user attribute mappers for Keycloak users * federated via LDAP. * * The LDAP user attribute mapper can be used to map a single LDAP attribute * to an attribute on the Keycloak user model. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as keycloak from "@pulumi/keycloak"; * * const realm = new keycloak.Realm("realm", { - * realm: "test", + * realm: "my-realm", * enabled: true, * }); * const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", { 
@@ -47,24 +45,19 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. * - * - `realmId` - (Required) The realm that this LDAP mapper will exist in. - * - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - * - `name` - (Required) Display name of this mapper when displayed in the console. - * - `userModelAttribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into. - * - `ldapAttribute` - (Required) Name of the mapped attribute on the LDAP object. - * - `readOnly` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. - * - `alwaysReadValueFromLdap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. - * - `isMandatoryInLdap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`. + * The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. * - * ### Import + * Example: * - * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - * The ID of the LDAP user federation provider and the mapper can be found within - * the Keycloak GUI, and they are typically GUIDs: + * bash + * + * ```sh + * $ pulumi import keycloak:ldap/userAttributeMapper:UserAttributeMapper ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` */ export class UserAttributeMapper extends pulumi.CustomResource { /** 
@@ -95,43 +88,43 @@ export class UserAttributeMapper extends pulumi.CustomResource { } /** - * When true, the value fetched from LDAP will override the value stored in Keycloak. + * When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. */ public readonly alwaysReadValueFromLdap!: pulumi.Output; /** - * Default value to set in LDAP if isMandatoryInLdap and the value is empty + * Default value to set in LDAP if `isMandatoryInLdap` is true and the value is empty. */ public readonly attributeDefaultValue!: pulumi.Output; /** - * Should be true for binary LDAP attributes + * Should be true for binary LDAP attributes. */ public readonly isBinaryAttribute!: pulumi.Output; /** - * When true, this attribute must exist in LDAP. + * When `true`, this attribute must exist in LDAP. Defaults to `false`. */ public readonly isMandatoryInLdap!: pulumi.Output; /** - * Name of the mapped attribute on LDAP object. + * Name of the mapped attribute on the LDAP object. */ public readonly ldapAttribute!: pulumi.Output; /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ public readonly ldapUserFederationId!: pulumi.Output; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ public readonly name!: pulumi.Output; /** - * When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + * When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. */ public readonly readOnly!: pulumi.Output; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ public readonly realmId!: pulumi.Output; /** - * Name of the UserModel property or attribute you want to map the LDAP attribute into. 
+ * Name of the user property or attribute you want to map the LDAP attribute into. */ public readonly userModelAttribute!: pulumi.Output; 
@@ -193,43 +186,43 @@ export class UserAttributeMapper extends pulumi.CustomResource { */ export interface UserAttributeMapperState { /** - * When true, the value fetched from LDAP will override the value stored in Keycloak. + * When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. */ alwaysReadValueFromLdap?: pulumi.Input; /** - * Default value to set in LDAP if isMandatoryInLdap and the value is empty + * Default value to set in LDAP if `isMandatoryInLdap` is true and the value is empty. */ attributeDefaultValue?: pulumi.Input; /** - * Should be true for binary LDAP attributes + * Should be true for binary LDAP attributes. */ isBinaryAttribute?: pulumi.Input; /** - * When true, this attribute must exist in LDAP. + * When `true`, this attribute must exist in LDAP. Defaults to `false`. */ isMandatoryInLdap?: pulumi.Input; /** - * Name of the mapped attribute on LDAP object. + * Name of the mapped attribute on the LDAP object. */ ldapAttribute?: pulumi.Input; /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ ldapUserFederationId?: pulumi.Input; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + * When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. */ readOnly?: pulumi.Input; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ realmId?: pulumi.Input; /** - * Name of the UserModel property or attribute you want to map the LDAP attribute into. + * Name of the user property or attribute you want to map the LDAP attribute into. */ userModelAttribute?: pulumi.Input; } 
@@ -239,43 +232,43 @@ export interface UserAttributeMapperState { */ export interface UserAttributeMapperArgs { /** - * When true, the value fetched from LDAP will override the value stored in Keycloak. + * When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. */ alwaysReadValueFromLdap?: pulumi.Input; /** - * Default value to set in LDAP if isMandatoryInLdap and the value is empty + * Default value to set in LDAP if `isMandatoryInLdap` is true and the value is empty. */ attributeDefaultValue?: pulumi.Input; /** - * Should be true for binary LDAP attributes + * Should be true for binary LDAP attributes. */ isBinaryAttribute?: pulumi.Input; /** - * When true, this attribute must exist in LDAP. + * When `true`, this attribute must exist in LDAP. Defaults to `false`. */ isMandatoryInLdap?: pulumi.Input; /** - * Name of the mapped attribute on LDAP object. + * Name of the mapped attribute on the LDAP object. */ ldapAttribute: pulumi.Input; /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ ldapUserFederationId: pulumi.Input; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + * When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. */ readOnly?: pulumi.Input; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ realmId: pulumi.Input; /** - * Name of the UserModel property or attribute you want to map the LDAP attribute into. + * Name of the user property or attribute you want to map the LDAP attribute into. */ userModelAttribute: pulumi.Input; } 
diff --git a/sdk/nodejs/ldap/userFederation.ts b/sdk/nodejs/ldap/userFederation.ts index 645c3d9e..83dd8d99 100644 --- a/sdk/nodejs/ldap/userFederation.ts +++ b/sdk/nodejs/ldap/userFederation.ts @@ -7,8 +7,6 @@ import * as outputs from "../types/output"; import * as utilities from "../utilities"; /** - * ## # keycloak.ldap.UserFederation - * * Allows for creating and managing LDAP user federation providers within Keycloak. * * Keycloak can use an LDAP user federation provider to federate users to Keycloak @@ -16,14 +14,14 @@ import * as utilities from "../utilities"; * will exist within the realm and will be able to log in to clients. Federated * users can have their attributes defined using mappers. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as keycloak from "@pulumi/keycloak"; * * const realm = new keycloak.Realm("realm", { - * realm: "test", + * realm: "my-realm", * enabled: true, * }); * const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", { 
@@ -43,50 +41,25 @@ import * as utilities from "../utilities"; * bindCredential: "admin", * connectionTimeout: "5s", * readTimeout: "10s", + * kerberos: { + * kerberosRealm: "FOO.LOCAL", + * serverPrincipal: "HTTP/host.foo.com@FOO.LOCAL", + * keyTab: "/etc/host.keytab", + * }, * }); * ``` * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. * - * - `realmId` - (Required) The realm that this provider will provide user federation for. - * - `name` - (Required) Display name of the provider when displayed in the console. - * - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. - * - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. - * - `importEnabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. - * - `editMode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. - * - `syncRegistrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`. - * - `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OPTIONAL`. - * - `usernameLdapAttribute` - (Required) Name of the LDAP attribute to use as the Keycloak username. - * - `rdnLdapAttribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name. - * - `uuidLdapAttribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. 
- * - `userObjectClasses` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. - * - `connectionUrl` - (Required) Connection URL to the LDAP server. - * - `usersDn` - (Required) Full DN of LDAP tree where your users are. - * - `bindDn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. - * - `bindCredential` - (Optional) Password of LDAP admin. This attribute must be set if `bindDn` is set. - * - `customUserSearchFilter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. - * - `searchScope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`: - * - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. - * - `SUBTREE`: Search entire LDAP subtree. - * - `validatePasswordPolicy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it. - * - `useTruststoreSpi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: - * - `ALWAYS` - Always use the truststore SPI for LDAP connections. - * - `NEVER` - Never use the truststore SPI for LDAP connections. - * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. - * - `connectionTimeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). - * - `readTimeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). - * - `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. - * - `batchSizeForSync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`. - * - `fullSyncPeriod` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. 
- * - `changedSyncPeriod` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. - * - `cachePolicy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + * The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: * - * ### Import + * bash * - * LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. - * The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: + * ```sh + * $ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 + * ``` */ export class UserFederation extends pulumi.CustomResource { /** 
@@ -117,28 +90,27 @@ export class UserFederation extends pulumi.CustomResource { } /** - * The number of users to sync within a single transaction. + * The number of users to sync within a single transaction. Defaults to `1000`. */ public readonly batchSizeForSync!: pulumi.Output; /** - * Password of LDAP admin. + * Password of LDAP admin. This attribute must be set if `bindDn` is set. */ public readonly bindCredential!: pulumi.Output; /** - * DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. */ public readonly bindDn!: pulumi.Output; /** - * Settings regarding cache policy for this realm. + * A block containing the cache settings. */ public readonly cache!: pulumi.Output; /** - * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. */ public readonly changedSyncPeriod!: pulumi.Output; /** - * LDAP connection timeout (duration string) + * LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). */ public readonly connectionTimeout!: pulumi.Output; /** 
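Review bot: The rewritten description of `bindCredential` only says it must accompany `bindDn`; it does not tell the user that this is the LDAP service-account password and is persisted in Pulumi state. Suggested wording: `Password of LDAP admin. This attribute must be set if \`bindDn\` is set. This value is sensitive and is stored in state; supply it as a secret rather than a plain literal.` Whether the schema already marks the property as secret is not visible in this diff, so confirm that before adding the sentence. The class-level example earlier in this file uses a literal `bindCredential: "admin"`, which is fine for a demo but would benefit from the same one-line caveat.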
@@ -146,20 +118,19 @@ export class UserFederation extends pulumi.CustomResource { */ public readonly connectionUrl!: pulumi.Output; /** - * Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. */ public readonly customUserSearchFilter!: pulumi.Output; /** - * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. */ public readonly deleteDefaultMappers!: pulumi.Output; /** - * READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. */ public readonly editMode!: pulumi.Output; /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. */ public readonly enabled!: pulumi.Output; /** @@ -167,11 +138,11 @@ export class UserFederation extends pulumi.CustomResource { */ public readonly fullSyncPeriod!: pulumi.Output; /** - * When true, LDAP users will be imported into the Keycloak database. + * When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. */ public readonly importEnabled!: pulumi.Output; /** - * Settings regarding kerberos authentication for this realm. + * A block containing the kerberos settings. */ public readonly kerberos!: pulumi.Output; /** 
@@ -179,11 +150,11 @@ export class UserFederation extends pulumi.CustomResource { */ public readonly name!: pulumi.Output; /** - * When true, Keycloak assumes the LDAP server supports pagination. + * When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. */ public readonly pagination!: pulumi.Output; /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. */ public readonly priority!: pulumi.Output; /** @@ -191,23 +162,25 @@ export class UserFederation extends pulumi.CustomResource { */ public readonly rdnLdapAttribute!: pulumi.Output; /** - * LDAP read timeout (duration string) + * LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). */ public readonly readTimeout!: pulumi.Output; /** - * The realm this provider will provide user federation for. + * The realm that this provider will provide user federation for. */ public readonly realmId!: pulumi.Output; /** - * ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. + * - `SUBTREE`: Search entire LDAP subtree. */ public readonly searchScope!: pulumi.Output; /** - * When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. */ public readonly startTls!: pulumi.Output; /** - * When true, newly created users will be synced back to LDAP. + * When `true`, newly created users will be synced back to LDAP. Defaults to `false`. */ public readonly syncRegistrations!: pulumi.Output; /** 
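Review bot: The new `searchScope` description says `ONE_LEVEL` searches the DN specified by `userDn`, but the property on this resource is `usersDn` (the examples in this file set `usersDn: "dc=example,dc=org"`); the bullet should read `* - \`ONE_LEVEL\`: Only search for users in the DN specified by \`usersDn\`.` The wording was carried over from the removed argument reference and presumably also appears in the `UserFederationState` and `UserFederationArgs` copies of this comment, which lie outside this chunk. As this looks like a generated SDK, the fix likely belongs in the upstream doc source.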
@@ -218,9 +191,15 @@ export class UserFederation extends pulumi.CustomResource { * When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). */ public readonly usePasswordModifyExtendedOp!: pulumi.Output; + /** + * Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + */ public readonly useTruststoreSpi!: pulumi.Output; /** - * All values of LDAP objectClass attribute for users in LDAP. + * Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. */ public readonly userObjectClasses!: pulumi.Output; /** @@ -236,11 +215,11 @@ export class UserFederation extends pulumi.CustomResource { */ public readonly uuidLdapAttribute!: pulumi.Output; /** - * When true, Keycloak will validate passwords using the realm policy before updating it. + * When `true`, Keycloak will validate passwords using the realm policy before updating it. */ public readonly validatePasswordPolicy!: pulumi.Output; /** - * LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. */ public readonly vendor!: pulumi.Output; 
@@ -357,28 +336,27 @@ export class UserFederation extends pulumi.CustomResource { */ export interface UserFederationState { /** - * The number of users to sync within a single transaction. + * The number of users to sync within a single transaction. Defaults to `1000`. */ batchSizeForSync?: pulumi.Input; /** - * Password of LDAP admin. + * Password of LDAP admin. This attribute must be set if `bindDn` is set. */ bindCredential?: pulumi.Input; /** - * DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. */ bindDn?: pulumi.Input; /** - * Settings regarding cache policy for this realm. + * A block containing the cache settings. */ cache?: pulumi.Input; /** - * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. */ changedSyncPeriod?: pulumi.Input; /** - * LDAP connection timeout (duration string) + * LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). */ connectionTimeout?: pulumi.Input; /** 
@@ -386,20 +364,19 @@ export interface UserFederationState { */ connectionUrl?: pulumi.Input; /** - * Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. */ customUserSearchFilter?: pulumi.Input; /** - * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. */ deleteDefaultMappers?: pulumi.Input; /** - * READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. */ editMode?: pulumi.Input; /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. */ enabled?: pulumi.Input; /** @@ -407,11 +384,11 @@ export interface UserFederationState { */ fullSyncPeriod?: pulumi.Input; /** - * When true, LDAP users will be imported into the Keycloak database. + * When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. */ importEnabled?: pulumi.Input; /** - * Settings regarding kerberos authentication for this realm. + * A block containing the kerberos settings. */ kerberos?: pulumi.Input; /** 
@@ -419,11 +396,11 @@ export interface UserFederationState { */ name?: pulumi.Input; /** - * When true, Keycloak assumes the LDAP server supports pagination. + * When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. */ pagination?: pulumi.Input; /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. */ priority?: pulumi.Input; /** @@ -431,23 +408,25 @@ export interface UserFederationState { */ rdnLdapAttribute?: pulumi.Input; /** - * LDAP read timeout (duration string) + * LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). */ readTimeout?: pulumi.Input; /** - * The realm this provider will provide user federation for. + * The realm that this provider will provide user federation for. */ realmId?: pulumi.Input; /** - * ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. + * - `SUBTREE`: Search entire LDAP subtree. */ searchScope?: pulumi.Input; /** - * When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. */ startTls?: pulumi.Input; /** - * When true, newly created users will be synced back to LDAP. + * When `true`, newly created users will be synced back to LDAP. Defaults to `false`. */ syncRegistrations?: pulumi.Input; /** 
@@ -458,9 +437,15 @@ export interface UserFederationState { * When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). */ usePasswordModifyExtendedOp?: pulumi.Input; + /** + * Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + */ useTruststoreSpi?: pulumi.Input; /** - * All values of LDAP objectClass attribute for users in LDAP. + * Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. */ userObjectClasses?: pulumi.Input[]>; /** @@ -476,11 +461,11 @@ export interface UserFederationState { */ uuidLdapAttribute?: pulumi.Input; /** - * When true, Keycloak will validate passwords using the realm policy before updating it. + * When `true`, Keycloak will validate passwords using the realm policy before updating it. */ validatePasswordPolicy?: pulumi.Input; /** - * LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. */ vendor?: pulumi.Input; } 
@@ -490,28 +475,27 @@ export interface UserFederationState { */ export interface UserFederationArgs { /** - * The number of users to sync within a single transaction. + * The number of users to sync within a single transaction. Defaults to `1000`. */ batchSizeForSync?: pulumi.Input; /** - * Password of LDAP admin. + * Password of LDAP admin. This attribute must be set if `bindDn` is set. */ bindCredential?: pulumi.Input; /** - * DN of LDAP admin, which will be used by Keycloak to access LDAP server. + * DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set. */ bindDn?: pulumi.Input; /** - * Settings regarding cache policy for this realm. + * A block containing the cache settings. */ cache?: pulumi.Input; /** - * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - * sync. + * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. */ changedSyncPeriod?: pulumi.Input; /** - * LDAP connection timeout (duration string) + * LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). */ connectionTimeout?: pulumi.Input; /** 
@@ -519,20 +503,19 @@ export interface UserFederationArgs { */ connectionUrl: pulumi.Input; /** - * Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + * Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. */ customUserSearchFilter?: pulumi.Input; /** - * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - * user federation provider. + * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. */ deleteDefaultMappers?: pulumi.Input; /** - * READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + * Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. */ editMode?: pulumi.Input; /** - * When false, this provider will not be used when performing queries for users. + * When `false`, this provider will not be used when performing queries for users. Defaults to `true`. */ enabled?: pulumi.Input; /** @@ -540,11 +523,11 @@ export interface UserFederationArgs { */ fullSyncPeriod?: pulumi.Input; /** - * When true, LDAP users will be imported into the Keycloak database. + * When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. */ importEnabled?: pulumi.Input; /** - * Settings regarding kerberos authentication for this realm. + * A block containing the kerberos settings. */ kerberos?: pulumi.Input; /** 
@@ -552,11 +535,11 @@ export interface UserFederationArgs { */ name?: pulumi.Input; /** - * When true, Keycloak assumes the LDAP server supports pagination. + * When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. */ pagination?: pulumi.Input; /** - * Priority of this provider when looking up users. Lower values are first. + * Priority of this provider when looking up users. Lower values are first. Defaults to `0`. */ priority?: pulumi.Input; /** @@ -564,23 +547,25 @@ export interface UserFederationArgs { */ rdnLdapAttribute: pulumi.Input; /** - * LDAP read timeout (duration string) + * LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). */ readTimeout?: pulumi.Input; /** - * The realm this provider will provide user federation for. + * The realm that this provider will provide user federation for. */ realmId: pulumi.Input; /** - * ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + * Can be one of `ONE_LEVEL` or `SUBTREE`: + * - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`. + * - `SUBTREE`: Search entire LDAP subtree. */ searchScope?: pulumi.Input; /** - * When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + * When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. */ startTls?: pulumi.Input; /** - * When true, newly created users will be synced back to LDAP. + * When `true`, newly created users will be synced back to LDAP. Defaults to `false`. */ syncRegistrations?: pulumi.Input; /** 
@@ -591,9 +576,15 @@ export interface UserFederationArgs { * When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). */ usePasswordModifyExtendedOp?: pulumi.Input; + /** + * Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + * - `ALWAYS` - Always use the truststore SPI for LDAP connections. + * - `NEVER` - Never use the truststore SPI for LDAP connections. + * - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + */ useTruststoreSpi?: pulumi.Input; /** - * All values of LDAP objectClass attribute for users in LDAP. + * Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. */ userObjectClasses: pulumi.Input[]>; /** @@ -609,11 +600,11 @@ export interface UserFederationArgs { */ uuidLdapAttribute: pulumi.Input; /** - * When true, Keycloak will validate passwords using the realm policy before updating it. + * When `true`, Keycloak will validate passwords using the realm policy before updating it. */ validatePasswordPolicy?: pulumi.Input; /** - * LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + * Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. */ vendor?: pulumi.Input; } diff --git a/sdk/nodejs/openid/audienceProtocolMapper.ts b/sdk/nodejs/openid/audienceProtocolMapper.ts index 53c06fb6..39ba62bb 100644 --- a/sdk/nodejs/openid/audienceProtocolMapper.ts +++ b/sdk/nodejs/openid/audienceProtocolMapper.ts 
@@ -5,16 +5,14 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.AudienceProtocolMapper + * Allows for creating and managing audience protocol mappers within Keycloak. * - * Allows for creating and managing audience protocol mappers within - * Keycloak. This mapper was added in Keycloak v4.6.0.Final. + * Audience protocol mappers allow you add audiences to the `aud` claim within issued tokens. The audience can be a custom + * string, or it can be mapped to the ID of a pre-existing client. * - * Audience protocol mappers allow you add audiences to the `aud` claim - * within issued tokens. The audience can be a custom string, or it can be - * mapped to the ID of a pre-existing client. + * ## Example Usage * - * ### Example Usage (Client) + * ### Client) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -26,8 +24,8 @@ import * as utilities from "../utilities"; * }); * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, - * clientId: "test-client", - * name: "test client", + * clientId: "client", + * name: "client", * enabled: true, * accessType: "CONFIDENTIAL", * validRedirectUris: ["http://localhost:8080/openid-callback"], @@ -40,7 +38,7 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Example Usage (Client Scope) + * ### Client Scope) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -62,26 +60,25 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `includedClientAudience` - (Required if `includedCustomAudience` is not specified) A client ID to include within the token's `aud` claim. - * - `includedCustomAudience` - (Required if `includedClientAudience` is not specified) A custom audience to include within the token's `aud` claim. - * - `addToIdToken` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. - * - `addToAccessToken` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. - * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class AudienceProtocolMapper extends pulumi.CustomResource { /** 
@@ -112,35 +109,35 @@ export class AudienceProtocolMapper extends pulumi.CustomResource { } /** - * Indicates if this claim should be added to the access token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. */ public readonly addToAccessToken!: pulumi.Output; /** - * Indicates if this claim should be added to the id token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. */ public readonly addToIdToken!: pulumi.Output; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientId!: pulumi.Output; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientScopeId!: pulumi.Output; /** - * A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A client ID to include within the token's `aud` claim. Conflicts with `includedCustomAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. */ public readonly includedClientAudience!: pulumi.Output; /** - * A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A custom audience to include within the token's `aud` claim. Conflicts with `includedClientAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. */ public readonly includedCustomAudience!: pulumi.Output; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. 
*/ public readonly name!: pulumi.Output; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ public readonly realmId!: pulumi.Output; 
@@ -189,35 +186,35 @@ export class AudienceProtocolMapper extends pulumi.CustomResource { */ export interface AudienceProtocolMapperState { /** - * Indicates if this claim should be added to the access token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if this claim should be added to the id token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A client ID to include within the token's `aud` claim. Conflicts with `includedCustomAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. */ includedClientAudience?: pulumi.Input; /** - * A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A custom audience to include within the token's `aud` claim. Conflicts with `includedClientAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. */ includedCustomAudience?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. 
+ * The realm this protocol mapper exists within. */ realmId?: pulumi.Input; } 
@@ -227,35 +224,35 @@ export interface AudienceProtocolMapperState { */ export interface AudienceProtocolMapperArgs { /** - * Indicates if this claim should be added to the access token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if this claim should be added to the id token. + * Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A client ID to include within the token's `aud` claim. Conflicts with `includedCustomAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. */ includedClientAudience?: pulumi.Input; /** - * A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + * A custom audience to include within the token's `aud` claim. Conflicts with `includedClientAudience`. One of `includedClientAudience` or `includedCustomAudience` must be specified. */ includedCustomAudience?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. 
+ * The realm this protocol mapper exists within. */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/openid/client.ts b/sdk/nodejs/openid/client.ts index 468ffe53..62e13ab1 100644 --- a/sdk/nodejs/openid/client.ts +++ b/sdk/nodejs/openid/client.ts @@ -7,15 +7,13 @@ import * as outputs from "../types/output"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.Client - * * Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. * * Clients are entities that can use Keycloak for user authentication. Typically, * clients are applications that redirect users to Keycloak for authentication * in order to take advantage of Keycloak's user sessions for SSO. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -32,51 +30,27 @@ import * as utilities from "../utilities"; * enabled: true, * accessType: "CONFIDENTIAL", * validRedirectUris: ["http://localhost:8080/openid-callback"], + * loginTheme: "keycloak", + * extraConfig: { + * key1: "value1", + * key2: "value2", + * }, * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this client is attached to. - * - `clientId` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. - * - `name` - (Optional) The display name of this client in the GUI. - * - `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. - * - `description` - (Optional) The description of this client in the GUI. - * - `accessType` - (Required) Specifies the type of client, which can be one of the following: - * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. - * This client should be used for applications using the Authorization Code or Client Credentials grant flows. - * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect - * URIs for security. This client should be used for applications using the Implicit grant flow. - * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. - * - `clientSecret` - (Optional) The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and - * should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute. - * - `standardFlowEnabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. 
- * - `implicitFlowEnabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. - * - `directAccessGrantsEnabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. - * - `serviceAccountsEnabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. - * - `validRedirectUris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple - * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` - * is set to `true`. - * - `webOrigins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins. - * - `adminUrl` - (Optional) URL to the admin interface of the client. - * - `baseUrl` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client. - * - `pkceCodeChallengeMethod` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. - * - `fullScopeAllowed` - (Optional) - Allow to include all roles mappings in the access token. - * - * ### Attributes Reference - * - * In addition to the arguments listed above, the following computed attributes are exported: + * ## Import * - * - `serviceAccountUserId` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. 
+ * Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak * - * ### Import - * - * Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `clientKeycloakId` is the unique ID that Keycloak * assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 + * ``` */ export class Client extends pulumi.CustomResource { /** 
@@ -106,51 +80,197 @@ export class Client extends pulumi.CustomResource { return obj['__pulumiType'] === Client.__pulumiType; } + /** + * The amount of time in seconds before an access token expires. This will override the default for the realm. + */ public readonly accessTokenLifespan!: pulumi.Output; + /** + * Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + */ public readonly accessType!: pulumi.Output; + /** + * URL to the admin interface of the client. + */ public readonly adminUrl!: pulumi.Output; + /** + * Override realm authentication flow bindings + */ public readonly authenticationFlowBindingOverrides!: pulumi.Output; + /** + * When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments: + */ public readonly authorization!: pulumi.Output; + /** + * Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + */ public readonly backchannelLogoutRevokeOfflineSessions!: pulumi.Output; + /** + * When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. 
+ */ public readonly backchannelLogoutSessionRequired!: pulumi.Output; + /** + * The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + */ public readonly backchannelLogoutUrl!: pulumi.Output; + /** + * Default URL to use when the auth server needs to redirect or link back to the client. + */ public readonly baseUrl!: pulumi.Output; + /** + * Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = ` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + */ public readonly clientAuthenticatorType!: pulumi.Output; + /** + * The Client ID for this client, referenced in the URI during authentication and in issued tokens. + */ public readonly clientId!: pulumi.Output; + /** + * Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + */ public readonly clientOfflineSessionIdleTimeout!: pulumi.Output; + /** + * Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. 
+ */ public readonly clientOfflineSessionMaxLifespan!: pulumi.Output; + /** + * The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + */ public readonly clientSecret!: pulumi.Output; + /** + * Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + */ public readonly clientSessionIdleTimeout!: pulumi.Output; + /** + * Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + */ public readonly clientSessionMaxLifespan!: pulumi.Output; + /** + * When `true`, users have to consent to client access. Defaults to `false`. + */ public readonly consentRequired!: pulumi.Output; + /** + * The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`. + */ public readonly consentScreenText!: pulumi.Output; + /** + * The description of this client in the GUI. + */ public readonly description!: pulumi.Output; + /** + * When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + */ public readonly directAccessGrantsEnabled!: pulumi.Output; + /** + * When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`. + */ public readonly displayOnConsentScreen!: pulumi.Output; + /** + * When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. 
+ */ public readonly enabled!: pulumi.Output; + /** + * When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response. + */ public readonly excludeSessionStateFromAuthResponse!: pulumi.Output; public readonly extraConfig!: pulumi.Output<{[key: string]: string} | undefined>; + /** + * When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`. + */ public readonly frontchannelLogoutEnabled!: pulumi.Output; + /** + * The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`. + */ public readonly frontchannelLogoutUrl!: pulumi.Output; + /** + * Allow to include all roles mappings in the access token. + */ public readonly fullScopeAllowed!: pulumi.Output; + /** + * When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + */ public readonly implicitFlowEnabled!: pulumi.Output; + /** + * When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + */ public readonly import!: pulumi.Output; + /** + * The client login theme. This will override the default theme for the realm. + */ public readonly loginTheme!: pulumi.Output; + /** + * The display name of this client in the GUI. + */ public readonly name!: pulumi.Output; + /** + * Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + */ public readonly oauth2DeviceAuthorizationGrantEnabled!: pulumi.Output; + /** + * The maximum amount of time a client has to finish the device code flow before it expires. 
+ */ public readonly oauth2DeviceCodeLifespan!: pulumi.Output; + /** + * The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + */ public readonly oauth2DevicePollingInterval!: pulumi.Output; + /** + * The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + */ public readonly pkceCodeChallengeMethod!: pulumi.Output; + /** + * The realm this client is attached to. + */ public readonly realmId!: pulumi.Output; + /** + * (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + */ public /*out*/ readonly resourceServerId!: pulumi.Output; + /** + * When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required. + */ public readonly rootUrl!: pulumi.Output; + /** + * (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + */ public /*out*/ readonly serviceAccountUserId!: pulumi.Output; + /** + * When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + */ public readonly serviceAccountsEnabled!: pulumi.Output; + /** + * When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + */ public readonly standardFlowEnabled!: pulumi.Output; + /** + * If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated. Defaults to `true`. 
+ */ public readonly useRefreshTokens!: pulumi.Output; + /** + * If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + */ public readonly useRefreshTokensClientCredentials!: pulumi.Output; + /** + * A list of valid URIs a browser is permitted to redirect to after a successful logout. + */ public readonly validPostLogoutRedirectUris!: pulumi.Output; + /** + * A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` + * is set to `true`. + */ public readonly validRedirectUris!: pulumi.Output; + /** + * A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + */ public readonly webOrigins!: pulumi.Output; /** 
@@ -281,51 +401,197 @@ export class Client extends pulumi.CustomResource { * Input properties used for looking up and filtering Client resources. */ export interface ClientState { + /** + * The amount of time in seconds before an access token expires. This will override the default for the realm. + */ accessTokenLifespan?: pulumi.Input; + /** + * Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + */ accessType?: pulumi.Input; + /** + * URL to the admin interface of the client. + */ adminUrl?: pulumi.Input; + /** + * Override realm authentication flow bindings + */ authenticationFlowBindingOverrides?: pulumi.Input; + /** + * When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments: + */ authorization?: pulumi.Input; + /** + * Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + */ backchannelLogoutRevokeOfflineSessions?: pulumi.Input; + /** + * When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. 
+ */ backchannelLogoutSessionRequired?: pulumi.Input; + /** + * The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + */ backchannelLogoutUrl?: pulumi.Input; + /** + * Default URL to use when the auth server needs to redirect or link back to the client. + */ baseUrl?: pulumi.Input; + /** + * Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = ` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + */ clientAuthenticatorType?: pulumi.Input; + /** + * The Client ID for this client, referenced in the URI during authentication and in issued tokens. + */ clientId?: pulumi.Input; + /** + * Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + */ clientOfflineSessionIdleTimeout?: pulumi.Input; + /** + * Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + */ clientOfflineSessionMaxLifespan?: pulumi.Input; + /** + * The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. 
If omitted, this will be generated by Keycloak. + */ clientSecret?: pulumi.Input; + /** + * Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + */ clientSessionIdleTimeout?: pulumi.Input; + /** + * Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + */ clientSessionMaxLifespan?: pulumi.Input; + /** + * When `true`, users have to consent to client access. Defaults to `false`. + */ consentRequired?: pulumi.Input; + /** + * The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`. + */ consentScreenText?: pulumi.Input; + /** + * The description of this client in the GUI. + */ description?: pulumi.Input; + /** + * When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + */ directAccessGrantsEnabled?: pulumi.Input; + /** + * When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`. + */ displayOnConsentScreen?: pulumi.Input; + /** + * When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + */ enabled?: pulumi.Input; + /** + * When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response. + */ excludeSessionStateFromAuthResponse?: pulumi.Input; extraConfig?: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`. + */ frontchannelLogoutEnabled?: pulumi.Input; + /** + * The frontchannel logout url. 
This is applicable only when `frontchannelLogoutEnabled` is `true`. + */ frontchannelLogoutUrl?: pulumi.Input; + /** + * Allow to include all roles mappings in the access token. + */ fullScopeAllowed?: pulumi.Input; + /** + * When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + */ implicitFlowEnabled?: pulumi.Input; + /** + * When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + */ import?: pulumi.Input; + /** + * The client login theme. This will override the default theme for the realm. + */ loginTheme?: pulumi.Input; + /** + * The display name of this client in the GUI. + */ name?: pulumi.Input; + /** + * Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + */ oauth2DeviceAuthorizationGrantEnabled?: pulumi.Input; + /** + * The maximum amount of time a client has to finish the device code flow before it expires. + */ oauth2DeviceCodeLifespan?: pulumi.Input; + /** + * The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + */ oauth2DevicePollingInterval?: pulumi.Input; + /** + * The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + */ pkceCodeChallengeMethod?: pulumi.Input; + /** + * The realm this client is attached to. + */ realmId?: pulumi.Input; + /** + * (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). 
+ */ resourceServerId?: pulumi.Input; + /** + * When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required. + */ rootUrl?: pulumi.Input; + /** + * (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + */ serviceAccountUserId?: pulumi.Input; + /** + * When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + */ serviceAccountsEnabled?: pulumi.Input; + /** + * When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + */ standardFlowEnabled?: pulumi.Input; + /** + * If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated. Defaults to `true`. + */ useRefreshTokens?: pulumi.Input; + /** + * If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + */ useRefreshTokensClientCredentials?: pulumi.Input; + /** + * A list of valid URIs a browser is permitted to redirect to after a successful logout. + */ validPostLogoutRedirectUris?: pulumi.Input[]>; + /** + * A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` + * is set to `true`. 
+ */ validRedirectUris?: pulumi.Input[]>; + /** + * A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + */ webOrigins?: pulumi.Input[]>; } 
@@ -333,48 +599,188 @@ export interface ClientState { * The set of arguments for constructing a Client resource. */ export interface ClientArgs { + /** + * The amount of time in seconds before an access token expires. This will override the default for the realm. + */ accessTokenLifespan?: pulumi.Input; + /** + * Specifies the type of client, which can be one of the following: + * - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + * This client should be used for applications using the Authorization Code or Client Credentials grant flows. + * - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + * URIs for security. This client should be used for applications using the Implicit grant flow. + * - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + */ accessType: pulumi.Input; + /** + * URL to the admin interface of the client. + */ adminUrl?: pulumi.Input; + /** + * Override realm authentication flow bindings + */ authenticationFlowBindingOverrides?: pulumi.Input; + /** + * When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments: + */ authorization?: pulumi.Input; + /** + * Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + */ backchannelLogoutRevokeOfflineSessions?: pulumi.Input; + /** + * When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. 
+ */ backchannelLogoutSessionRequired?: pulumi.Input; + /** + * The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + */ backchannelLogoutUrl?: pulumi.Input; + /** + * Default URL to use when the auth server needs to redirect or link back to the client. + */ baseUrl?: pulumi.Input; + /** + * Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + * - `client-secret` (Default) Use client id and client secret to authenticate client. + * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = ` + * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = ` + */ clientAuthenticatorType?: pulumi.Input; + /** + * The Client ID for this client, referenced in the URI during authentication and in issued tokens. + */ clientId: pulumi.Input; + /** + * Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + */ clientOfflineSessionIdleTimeout?: pulumi.Input; + /** + * Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + */ clientOfflineSessionMaxLifespan?: pulumi.Input; + /** + * The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. 
If omitted, this will be generated by Keycloak. + */ clientSecret?: pulumi.Input; + /** + * Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + */ clientSessionIdleTimeout?: pulumi.Input; + /** + * Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + */ clientSessionMaxLifespan?: pulumi.Input; + /** + * When `true`, users have to consent to client access. Defaults to `false`. + */ consentRequired?: pulumi.Input; + /** + * The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`. + */ consentScreenText?: pulumi.Input; + /** + * The description of this client in the GUI. + */ description?: pulumi.Input; + /** + * When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + */ directAccessGrantsEnabled?: pulumi.Input; + /** + * When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`. + */ displayOnConsentScreen?: pulumi.Input; + /** + * When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + */ enabled?: pulumi.Input; + /** + * When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response. + */ excludeSessionStateFromAuthResponse?: pulumi.Input; extraConfig?: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`. + */ frontchannelLogoutEnabled?: pulumi.Input; + /** + * The frontchannel logout url. 
This is applicable only when `frontchannelLogoutEnabled` is `true`. + */ frontchannelLogoutUrl?: pulumi.Input; + /** + * Allow to include all roles mappings in the access token. + */ fullScopeAllowed?: pulumi.Input; + /** + * When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + */ implicitFlowEnabled?: pulumi.Input; + /** + * When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + */ import?: pulumi.Input; + /** + * The client login theme. This will override the default theme for the realm. + */ loginTheme?: pulumi.Input; + /** + * The display name of this client in the GUI. + */ name?: pulumi.Input; + /** + * Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + */ oauth2DeviceAuthorizationGrantEnabled?: pulumi.Input; + /** + * The maximum amount of time a client has to finish the device code flow before it expires. + */ oauth2DeviceCodeLifespan?: pulumi.Input; + /** + * The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + */ oauth2DevicePollingInterval?: pulumi.Input; + /** + * The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + */ pkceCodeChallengeMethod?: pulumi.Input; + /** + * The realm this client is attached to. + */ realmId: pulumi.Input; + /** + * When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. 
NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required. + */ rootUrl?: pulumi.Input; + /** + * When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + */ serviceAccountsEnabled?: pulumi.Input; + /** + * When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + */ standardFlowEnabled?: pulumi.Input; + /** + * If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated. Defaults to `true`. + */ useRefreshTokens?: pulumi.Input; + /** + * If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + */ useRefreshTokensClientCredentials?: pulumi.Input; + /** + * A list of valid URIs a browser is permitted to redirect to after a successful logout. + */ validPostLogoutRedirectUris?: pulumi.Input[]>; + /** + * A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled` + * is set to `true`. + */ validRedirectUris?: pulumi.Input[]>; + /** + * A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + */ webOrigins?: pulumi.Input[]>; } diff --git a/sdk/nodejs/openid/clientDefaultScopes.ts b/sdk/nodejs/openid/clientDefaultScopes.ts index 5cb2965d..89291b4e 100644 --- a/sdk/nodejs/openid/clientDefaultScopes.ts 
+++ b/sdk/nodejs/openid/clientDefaultScopes.ts @@ -37,17 +37,10 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this client and scopes exists in. - * - `clientId` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. - * - `defaultScopes` - (Required) An array of client scope names to attach to this client. - * - * ### Import + * ## Import * * This resource does not support import. Instead of importing, feel free to create this resource + * * as if it did not already exist on the server. */ export class ClientDefaultScopes extends pulumi.CustomResource { @@ -78,8 +71,17 @@ export class ClientDefaultScopes extends pulumi.CustomResource { return obj['__pulumiType'] === ClientDefaultScopes.__pulumiType; } + /** + * The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + */ public readonly clientId!: pulumi.Output; + /** + * An array of client scope names to attach to this client. + */ public readonly defaultScopes!: pulumi.Output; + /** + * The realm this client and scopes exists in. + */ public readonly realmId!: pulumi.Output; /** @@ -122,8 +124,17 @@ export class ClientDefaultScopes extends pulumi.CustomResource { * Input properties used for looking up and filtering ClientDefaultScopes resources. */ export interface ClientDefaultScopesState { + /** + * The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + */ clientId?: pulumi.Input; + /** + * An array of client scope names to attach to this client. + */ defaultScopes?: pulumi.Input[]>; + /** + * The realm this client and scopes exists in. + */ realmId?: pulumi.Input; } 
@@ -131,7 +142,16 @@ export interface ClientDefaultScopesState { * The set of arguments for constructing a ClientDefaultScopes resource. */ export interface ClientDefaultScopesArgs { + /** + * The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + */ clientId: pulumi.Input; + /** + * An array of client scope names to attach to this client. + */ defaultScopes: pulumi.Input[]>; + /** + * The realm this client and scopes exists in. + */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/openid/clientOptionalScopes.ts b/sdk/nodejs/openid/clientOptionalScopes.ts index 9a3c2909..9920995a 100644 --- a/sdk/nodejs/openid/clientOptionalScopes.ts +++ b/sdk/nodejs/openid/clientOptionalScopes.ts @@ -31,22 +31,16 @@ import * as utilities from "../utilities"; * "address", * "phone", * "offline_access", + * "microprofile-jwt", * clientScope.name, * ], * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this client and scopes exists in. - * - `clientId` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. - * - `optionalScopes` - (Required) An array of client scope names to attach to this client as optional scopes. - * - * ### Import + * ## Import * * This resource does not support import. Instead of importing, feel free to create this resource + * * as if it did not already exist on the server. */ export class ClientOptionalScopes extends pulumi.CustomResource { 
@@ -77,8 +71,17 @@ export class ClientOptionalScopes extends pulumi.CustomResource { return obj['__pulumiType'] === ClientOptionalScopes.__pulumiType; } + /** + * The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + */ public readonly clientId!: pulumi.Output; + /** + * An array of client scope names to attach to this client as optional scopes. + */ public readonly optionalScopes!: pulumi.Output; + /** + * The realm this client and scopes exists in. + */ public readonly realmId!: pulumi.Output; /** @@ -121,8 +124,17 @@ export class ClientOptionalScopes extends pulumi.CustomResource { * Input properties used for looking up and filtering ClientOptionalScopes resources. */ export interface ClientOptionalScopesState { + /** + * The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + */ clientId?: pulumi.Input; + /** + * An array of client scope names to attach to this client as optional scopes. + */ optionalScopes?: pulumi.Input[]>; + /** + * The realm this client and scopes exists in. + */ realmId?: pulumi.Input; } @@ -130,7 +142,16 @@ export interface ClientOptionalScopesState { * The set of arguments for constructing a ClientOptionalScopes resource. */ export interface ClientOptionalScopesArgs { + /** + * The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + */ clientId: pulumi.Input; + /** + * An array of client scope names to attach to this client as optional scopes. + */ optionalScopes: pulumi.Input[]>; + /** + * The realm this client and scopes exists in. + */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/openid/clientScope.ts b/sdk/nodejs/openid/clientScope.ts index 42be4d04..c427dc50 100644 --- a/sdk/nodejs/openid/clientScope.ts +++ b/sdk/nodejs/openid/clientScope.ts 
@@ -5,16 +5,12 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.ClientScope + * Allows for creating and managing Keycloak client scopes that can be attached to clients that use the OpenID Connect protocol. * - * Allows for creating and managing Keycloak client scopes that can be attached to - * clients that use the OpenID Connect protocol. + * Client Scopes can be used to share common protocol and role mappings between multiple clients within a realm. They can also + * be used by clients to conditionally request claims or roles for a user based on the OAuth 2.0 `scope` parameter. * - * Client Scopes can be used to share common protocol and role mappings between multiple - * clients within a realm. They can also be used by clients to conditionally request - * claims or roles for a user based on the OAuth 2.0 `scope` parameter. - * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -28,26 +24,24 @@ import * as utilities from "../utilities"; * realmId: realm.id, * name: "groups", * description: "When requested, this scope will map a user's group memberships to a claim", + * includeInTokenScope: true, + * guiOrder: 1, * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this client scope belongs to. - * - `name` - (Required) The display name of this client scope in the GUI. - * - `description` - (Optional) The description of this client scope in the GUI. - * - `consentScreenText` - (Optional) When set, a consent screen will be displayed to users - * authenticating to clients with this scope attached. The consent screen will display the string - * value of this attribute. + * ## Import * - * ### Import + * Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak * - * Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `clientScopeId` is the unique ID that Keycloak * assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/clientScope:ClientScope openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52 + * ``` */ export class ClientScope extends pulumi.CustomResource { /** 
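Review bot: The added ` * bash` line (and the empty comment line after it) renders as a stray word above the following fenced example; it reads like a fence info string that lost its backticks. Removing `* bash` and the blank line after it, or folding the word into the fence opener, fixes the rendered Import section. The same leftover appears in the Import sections of fullNameProtocolMapper.ts, groupMembershipProtocolMapper.ts and hardcodedClaimProtocolMapper.ts later in this diff.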
@@ -77,11 +71,29 @@ export class ClientScope extends pulumi.CustomResource { return obj['__pulumiType'] === ClientScope.__pulumiType; } + /** + * When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + */ public readonly consentScreenText!: pulumi.Output; + /** + * The description of this client scope in the GUI. + */ public readonly description!: pulumi.Output; + /** + * Specify order of the client scope in GUI (such as in Consent page) as integer. + */ public readonly guiOrder!: pulumi.Output; + /** + * When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + */ public readonly includeInTokenScope!: pulumi.Output; + /** + * The display name of this client scope in the GUI. + */ public readonly name!: pulumi.Output; + /** + * The realm this client scope belongs to. + */ public readonly realmId!: pulumi.Output; /** 
@@ -124,11 +136,29 @@ export class ClientScope extends pulumi.CustomResource { * Input properties used for looking up and filtering ClientScope resources. */ export interface ClientScopeState { + /** + * When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + */ consentScreenText?: pulumi.Input; + /** + * The description of this client scope in the GUI. + */ description?: pulumi.Input; + /** + * Specify order of the client scope in GUI (such as in Consent page) as integer. + */ guiOrder?: pulumi.Input; + /** + * When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + */ includeInTokenScope?: pulumi.Input; + /** + * The display name of this client scope in the GUI. + */ name?: pulumi.Input; + /** + * The realm this client scope belongs to. + */ realmId?: pulumi.Input; } @@ -136,10 +166,28 @@ export interface ClientScopeState { * The set of arguments for constructing a ClientScope resource. */ export interface ClientScopeArgs { + /** + * When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + */ consentScreenText?: pulumi.Input; + /** + * The description of this client scope in the GUI. + */ description?: pulumi.Input; + /** + * Specify order of the client scope in GUI (such as in Consent page) as integer. + */ guiOrder?: pulumi.Input; + /** + * When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + */ includeInTokenScope?: pulumi.Input; + /** + * The display name of this client scope in the GUI. + */ name?: pulumi.Input; + /** + * The realm this client scope belongs to. + */ realmId: pulumi.Input; } 
diff --git a/sdk/nodejs/openid/fullNameProtocolMapper.ts b/sdk/nodejs/openid/fullNameProtocolMapper.ts index c775d30f..069f561f 100644 --- a/sdk/nodejs/openid/fullNameProtocolMapper.ts +++ b/sdk/nodejs/openid/fullNameProtocolMapper.ts @@ -5,17 +5,16 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.FullNameProtocolMapper + * Allows for creating and managing full name protocol mappers within Keycloak. * - * Allows for creating and managing full name protocol mappers within - * Keycloak. + * Full name protocol mappers allow you to map a user's first and last name to the OpenID Connect `name` claim in a token. * - * Full name protocol mappers allow you to map a user's first and last name - * to the OpenID Connect `name` claim in a token. Protocol mappers can be defined - * for a single client, or they can be defined for a client scope which can - * be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -27,8 +26,8 @@ import * as utilities from "../utilities"; * }); * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, - * clientId: "test-client", - * name: "test client", + * clientId: "client", + * name: "client", * enabled: true, * accessType: "CONFIDENTIAL", * validRedirectUris: ["http://localhost:8080/openid-callback"], @@ -40,7 +39,7 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Example Usage (Client Scope) + * ### Client Scope) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
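Review bot: The new sub-heading `* ### Client)` keeps the closing parenthesis of the old `### Example Usage (Client)` heading, so the rendered title is "Client)"; the `* ### Client Scope)` heading in the third hunk has the same defect. Under the new `## Example Usage` heading these should read `* ### Client` and `* ### Client Scope`. The same malformed headings are introduced in groupMembershipProtocolMapper.ts and hardcodedClaimProtocolMapper.ts further down the diff.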
@@ -52,7 +51,7 @@ import * as utilities from "../utilities"; * }); * const clientScope = new keycloak.openid.ClientScope("client_scope", { * realmId: realm.id, - * name: "test-client-scope", + * name: "client-scope", * }); * const fullNameMapper = new keycloak.openid.FullNameProtocolMapper("full_name_mapper", { * realmId: realm.id, 
@@ -61,25 +60,25 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `addToIdToken` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. - * - `addToAccessToken` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. - * - `addToUserinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. - * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class FullNameProtocolMapper extends pulumi.CustomResource { /** 
@@ -109,23 +108,32 @@ export class FullNameProtocolMapper extends pulumi.CustomResource { return obj['__pulumiType'] === FullNameProtocolMapper.__pulumiType; } + /** + * Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + */ public readonly addToAccessToken!: pulumi.Output; + /** + * Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + */ public readonly addToIdToken!: pulumi.Output; + /** + * Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + */ public readonly addToUserinfo!: pulumi.Output; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientId!: pulumi.Output; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientScopeId!: pulumi.Output; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ public readonly name!: pulumi.Output; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ public readonly realmId!: pulumi.Output; 
@@ -171,23 +179,32 @@ export class FullNameProtocolMapper extends pulumi.CustomResource { * Input properties used for looking up and filtering FullNameProtocolMapper resources. */ export interface FullNameProtocolMapperState { + /** + * Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + */ addToAccessToken?: pulumi.Input; + /** + * Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + */ addToIdToken?: pulumi.Input; + /** + * Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + */ addToUserinfo?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId?: pulumi.Input; } 
@@ -196,23 +213,32 @@ export interface FullNameProtocolMapperState { * The set of arguments for constructing a FullNameProtocolMapper resource. */ export interface FullNameProtocolMapperArgs { + /** + * Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + */ addToAccessToken?: pulumi.Input; + /** + * Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + */ addToIdToken?: pulumi.Input; + /** + * Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + */ addToUserinfo?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/openid/getClient.ts b/sdk/nodejs/openid/getClient.ts index aa5374b4..731ea598 100644 --- a/sdk/nodejs/openid/getClient.ts +++ b/sdk/nodejs/openid/getClient.ts 
@@ -7,11 +7,9 @@ import * as outputs from "../types/output"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.Client data source - * * This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -28,17 +26,6 @@ import * as utilities from "../utilities"; * name: "realm-admin", * })); * ``` - * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm id. - * - `clientId` - (Required) The client id. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.openid.Client` resource for details on the exported attributes. */ export function getClient(args: GetClientArgs, opts?: pulumi.InvokeOptions): Promise { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); @@ -58,6 +45,9 @@ export function getClient(args: GetClientArgs, opts?: pulumi.InvokeOptions): Pro * A collection of arguments for invoking getClient. */ export interface GetClientArgs { + /** + * The client id (not its unique ID). + */ clientId: string; consentScreenText?: string; displayOnConsentScreen?: boolean; @@ -65,6 +55,9 @@ export interface GetClientArgs { oauth2DeviceAuthorizationGrantEnabled?: boolean; oauth2DeviceCodeLifespan?: string; oauth2DevicePollingInterval?: string; + /** + * The realm id. + */ realmId: string; } @@ -123,11 +116,9 @@ export interface GetClientResult { readonly webOrigins: string[]; } /** - * ## # keycloak.openid.Client data source - * * This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
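Review bot: `GetClientArgs` gains JSDoc for `clientId` and `realmId` only, while `consentScreenText`, `displayOnConsentScreen`, `oauth2DeviceAuthorizationGrantEnabled`, `oauth2DeviceCodeLifespan` and `oauth2DevicePollingInterval` stay undocumented; the same holds for `GetClientOutputArgs` in the next file section. The removed "Attributes Reference" pointer to the `keycloak.openid.Client` resource docs has no replacement on the new side of the `@@ -28,17 +26,6 @@` hunk, so a reader of `getClient` no longer sees where the result fields are described; a line such as `* The result exposes the same attributes as the keycloak.openid.Client resource.` would restore that cross-reference. If `GetClientResult` is documented field by field outside this diff, the second point can be dropped.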
@@ -144,17 +135,6 @@ export interface GetClientResult { * name: "realm-admin", * })); * ``` - * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm id. - * - `clientId` - (Required) The client id. - * - * ### Attributes Reference - * - * See the docs for the `keycloak.openid.Client` resource for details on the exported attributes. */ export function getClientOutput(args: GetClientOutputArgs, opts?: pulumi.InvokeOptions): pulumi.Output { opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); @@ -174,6 +154,9 @@ export function getClientOutput(args: GetClientOutputArgs, opts?: pulumi.InvokeO * A collection of arguments for invoking getClient. */ export interface GetClientOutputArgs { + /** + * The client id (not its unique ID). + */ clientId: pulumi.Input; consentScreenText?: pulumi.Input; displayOnConsentScreen?: pulumi.Input; @@ -181,5 +164,8 @@ export interface GetClientOutputArgs { oauth2DeviceAuthorizationGrantEnabled?: pulumi.Input; oauth2DeviceCodeLifespan?: pulumi.Input; oauth2DevicePollingInterval?: pulumi.Input; + /** + * The realm id. + */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/openid/groupMembershipProtocolMapper.ts b/sdk/nodejs/openid/groupMembershipProtocolMapper.ts index 839fa1a5..85063c43 100644 --- a/sdk/nodejs/openid/groupMembershipProtocolMapper.ts +++ b/sdk/nodejs/openid/groupMembershipProtocolMapper.ts 
@@ -5,17 +5,16 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.GroupMembershipProtocolMapper + * Allows for creating and managing group membership protocol mappers within Keycloak. * - * Allows for creating and managing group membership protocol mappers within - * Keycloak. + * Group membership protocol mappers allow you to map a user's group memberships to a claim in a token. * - * Group membership protocol mappers allow you to map a user's group memberships - * to a claim in a token. Protocol mappers can be defined for a single client, - * or they can be defined for a client scope which can be shared between multiple - * different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -27,8 +26,8 @@ import * as utilities from "../utilities"; * }); * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, - * clientId: "test-client", - * name: "test client", + * clientId: "client", + * name: "client", * enabled: true, * accessType: "CONFIDENTIAL", * validRedirectUris: ["http://localhost:8080/openid-callback"], @@ -41,7 +40,7 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Example Usage (Client Scope) + * ### Client Scope) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -53,7 +52,7 @@ import * as utilities from "../utilities"; * }); * const clientScope = new keycloak.openid.ClientScope("client_scope", { * realmId: realm.id, - * name: "test-client-scope", + * name: "client-scope", * }); * const groupMembershipMapper = new keycloak.openid.GroupMembershipProtocolMapper("group_membership_mapper", { * realmId: realm.id, 
@@ -63,27 +62,25 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `claimName` - (Required) The name of the claim to insert into a token. - * - `fullPath` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`. - * - `addToIdToken` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - * - `addToAccessToken` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - * - `addToUserinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class GroupMembershipProtocolMapper extends pulumi.CustomResource { /** 
@@ -113,25 +110,40 @@ export class GroupMembershipProtocolMapper extends pulumi.CustomResource { return obj['__pulumiType'] === GroupMembershipProtocolMapper.__pulumiType; } + /** + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. + */ public readonly addToAccessToken!: pulumi.Output; + /** + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. + */ public readonly addToIdToken!: pulumi.Output; + /** + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + */ public readonly addToUserinfo!: pulumi.Output; + /** + * The name of the claim to insert into a token. + */ public readonly claimName!: pulumi.Output; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientId!: pulumi.Output; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientScopeId!: pulumi.Output; + /** + * Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + */ public readonly fullPath!: pulumi.Output; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ public readonly name!: pulumi.Output; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ public readonly realmId!: pulumi.Output; 
@@ -184,25 +196,40 @@ export class GroupMembershipProtocolMapper extends pulumi.CustomResource { * Input properties used for looking up and filtering GroupMembershipProtocolMapper resources. */ export interface GroupMembershipProtocolMapperState { + /** + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. + */ addToAccessToken?: pulumi.Input; + /** + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. + */ addToIdToken?: pulumi.Input; + /** + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + */ addToUserinfo?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; + /** + * Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + */ fullPath?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId?: pulumi.Input; } 
@@ -211,25 +238,40 @@ export interface GroupMembershipProtocolMapperState { * The set of arguments for constructing a GroupMembershipProtocolMapper resource. */ export interface GroupMembershipProtocolMapperArgs { + /** + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. + */ addToAccessToken?: pulumi.Input; + /** + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. + */ addToIdToken?: pulumi.Input; + /** + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + */ addToUserinfo?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; + /** + * Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + */ fullPath?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/openid/hardcodedClaimProtocolMapper.ts b/sdk/nodejs/openid/hardcodedClaimProtocolMapper.ts index 88c50727..2abe6595 100644 --- a/sdk/nodejs/openid/hardcodedClaimProtocolMapper.ts +++ b/sdk/nodejs/openid/hardcodedClaimProtocolMapper.ts 
@@ -5,17 +5,16 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.HardcodedClaimProtocolMapper + * Allows for creating and managing hardcoded claim protocol mappers within Keycloak. * - * Allows for creating and managing hardcoded claim protocol mappers within - * Keycloak. + * Hardcoded claim protocol mappers allow you to define a claim with a hardcoded value. * - * Hardcoded claim protocol mappers allow you to define a claim with a hardcoded - * value. Protocol mappers can be defined for a single client, or they can - * be defined for a client scope which can be shared between multiple different - * clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -27,8 +26,8 @@ import * as utilities from "../utilities"; * }); * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, - * clientId: "test-client", - * name: "test client", + * clientId: "client", + * name: "client", * enabled: true, * accessType: "CONFIDENTIAL", * validRedirectUris: ["http://localhost:8080/openid-callback"], @@ -42,7 +41,7 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Example Usage (Client Scope) + * ### Client Scope) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -54,7 +53,7 @@ import * as utilities from "../utilities"; * }); * const clientScope = new keycloak.openid.ClientScope("client_scope", { * realmId: realm.id, - * name: "test-client-scope", + * name: "client-scope", * }); * const hardcodedClaimMapper = new keycloak.openid.HardcodedClaimProtocolMapper("hardcoded_claim_mapper", { * realmId: realm.id, 
@@ -65,28 +64,25 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `claimName` - (Required) The name of the claim to insert into a token. - * - `claimValue` - (Required) The hardcoded value of the claim. - * - `claimValueType` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - * - `addToIdToken` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - * - `addToAccessToken` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - * - `addToUserinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class HardcodedClaimProtocolMapper extends pulumi.CustomResource { /** 
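Review bot: The new `## Import` section contains a bare line ` * bash` immediately before the ```sh fences, which renders as stray text rather than as a fence language tag. The same line recurs in the Import hunks of hardcodedRoleProtocolMapper.ts, userAttributeProtocolMapper.ts and userPropertyProtocolMapper.ts. Dropping that line is the fix, as the fences already carry `sh`; like the heading issue it most likely has to be corrected at the generator or upstream-docs level. The class doc comment this hunk edits begins in the preceding hunk.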
@@ -117,37 +113,43 @@ export class HardcodedClaimProtocolMapper extends pulumi.CustomResource { } /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. */ public readonly addToAccessToken!: pulumi.Output; /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. */ public readonly addToIdToken!: pulumi.Output; /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. */ public readonly addToUserinfo!: pulumi.Output; + /** + * The name of the claim to insert into a token. + */ public readonly claimName!: pulumi.Output; + /** + * The hardcoded value of the claim. + */ public readonly claimValue!: pulumi.Output; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ public readonly claimValueType!: pulumi.Output; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientId!: pulumi.Output; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientScopeId!: pulumi.Output; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. 
*/ public readonly name!: pulumi.Output; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ public readonly realmId!: pulumi.Output; 
@@ -206,37 +208,43 @@ export class HardcodedClaimProtocolMapper extends pulumi.CustomResource { */ export interface HardcodedClaimProtocolMapperState { /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. */ addToUserinfo?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName?: pulumi.Input; + /** + * The hardcoded value of the claim. + */ claimValue?: pulumi.Input; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ claimValueType?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. 
*/ realmId?: pulumi.Input; } 
@@ -246,37 +254,43 @@ export interface HardcodedClaimProtocolMapperState { */ export interface HardcodedClaimProtocolMapperArgs { /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. */ addToUserinfo?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName: pulumi.Input; + /** + * The hardcoded value of the claim. + */ claimValue: pulumi.Input; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ claimValueType?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId: pulumi.Input; } 
diff --git a/sdk/nodejs/openid/hardcodedRoleProtocolMapper.ts b/sdk/nodejs/openid/hardcodedRoleProtocolMapper.ts index a8e4d88f..da06d9ab 100644 --- a/sdk/nodejs/openid/hardcodedRoleProtocolMapper.ts +++ b/sdk/nodejs/openid/hardcodedRoleProtocolMapper.ts @@ -5,17 +5,16 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.HardcodedRoleProtocolMapper + * Allows for creating and managing hardcoded role protocol mappers within Keycloak. * - * Allows for creating and managing hardcoded role protocol mappers within - * Keycloak. + * Hardcoded role protocol mappers allow you to specify a single role to always map to an access token for a client. * - * Hardcoded role protocol mappers allow you to specify a single role to - * always map to an access token for a client. Protocol mappers can be - * defined for a single client, or they can be defined for a client scope - * which can be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -31,8 +30,8 @@ import * as utilities from "../utilities"; * }); * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, - * clientId: "test-client", - * name: "test client", + * clientId: "client", + * name: "client", * enabled: true, * accessType: "CONFIDENTIAL", * validRedirectUris: ["http://localhost:8080/openid-callback"], @@ -45,7 +44,7 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Example Usage (Client Scope) + * ### Client Scope) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -61,7 +60,7 @@ import * as utilities from "../utilities"; * }); * const clientScope = new keycloak.openid.ClientScope("client_scope", { * realmId: realm.id, - * name: "test-client-scope", + * name: "client-scope", * }); * const hardcodedRoleMapper = new keycloak.openid.HardcodedRoleProtocolMapper("hardcoded_role_mapper", { * realmId: realm.id, @@ -71,24 +70,25 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the - * GUI. - * - `roleId` - (Required) The ID of the role to map to an access token. - * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class HardcodedRoleProtocolMapper extends pulumi.CustomResource { /** 
@@ -119,21 +119,24 @@ export class HardcodedRoleProtocolMapper extends pulumi.CustomResource { } /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientId!: pulumi.Output; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientScopeId!: pulumi.Output; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ public readonly name!: pulumi.Output; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ public readonly realmId!: pulumi.Output; + /** + * The ID of the role to map to an access token. + */ public readonly roleId!: pulumi.Output; /** 
@@ -178,21 +181,24 @@ export class HardcodedRoleProtocolMapper extends pulumi.CustomResource { */ export interface HardcodedRoleProtocolMapperState { /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId?: pulumi.Input; + /** + * The ID of the role to map to an access token. + */ roleId?: pulumi.Input; } 
@@ -201,20 +207,23 @@ export interface HardcodedRoleProtocolMapperState { */ export interface HardcodedRoleProtocolMapperArgs { /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId: pulumi.Input; + /** + * The ID of the role to map to an access token. + */ roleId: pulumi.Input; } diff --git a/sdk/nodejs/openid/userAttributeProtocolMapper.ts b/sdk/nodejs/openid/userAttributeProtocolMapper.ts index 37890253..879b318b 100644 --- a/sdk/nodejs/openid/userAttributeProtocolMapper.ts +++ b/sdk/nodejs/openid/userAttributeProtocolMapper.ts 
@@ -5,17 +5,16 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.UserAttributeProtocolMapper + * Allows for creating and managing user attribute protocol mappers within Keycloak. * - * Allows for creating and managing user attribute protocol mappers within - * Keycloak. + * User attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to a claim in a token. * - * User attribute protocol mappers allow you to map custom attributes defined - * for a user within Keycloak to a claim in a token. Protocol mappers can be - * defined for a single client, or they can be defined for a client scope which - * can be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -27,8 +26,8 @@ import * as utilities from "../utilities"; * }); * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, - * clientId: "test-client", - * name: "test client", + * clientId: "client", + * name: "client", * enabled: true, * accessType: "CONFIDENTIAL", * validRedirectUris: ["http://localhost:8080/openid-callback"], @@ -36,13 +35,13 @@ import * as utilities from "../utilities"; * const userAttributeMapper = new keycloak.openid.UserAttributeProtocolMapper("user_attribute_mapper", { * realmId: realm.id, * clientId: openidClient.id, - * name: "test-mapper", + * name: "user-attribute-mapper", * userAttribute: "foo", * claimName: "bar", * }); * ``` * - * ### Example Usage (Client Scope) + * ### Client Scope) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -54,40 +53,36 @@ import * as utilities from "../utilities"; * }); * const clientScope = new keycloak.openid.ClientScope("client_scope", { * realmId: realm.id, - * name: "test-client-scope", + * name: "client-scope", * }); * const userAttributeMapper = new keycloak.openid.UserAttributeProtocolMapper("user_attribute_mapper", { * realmId: realm.id, * clientScopeId: clientScope.id, - * name: "test-mapper", + * name: "user-attribute-mapper", * userAttribute: "foo", * claimName: "bar", * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `userAttribute` - (Required) The custom user attribute to map a claim for. - * - `claimName` - (Required) The name of the claim to insert into a token. - * - `claimValueType` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - * - `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. - * - `addToIdToken` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. - * - `addToAccessToken` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. - * - `addToUserinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class UserAttributeProtocolMapper extends pulumi.CustomResource { /** 
@@ -118,46 +113,52 @@ export class UserAttributeProtocolMapper extends pulumi.CustomResource { } /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. */ public readonly addToAccessToken!: pulumi.Output; /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. */ public readonly addToIdToken!: pulumi.Output; /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. */ public readonly addToUserinfo!: pulumi.Output; /** - * Indicates if attribute values should be aggregated within the group attributes + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. */ public readonly aggregateAttributes!: pulumi.Output; + /** + * The name of the claim to insert into a token. + */ public readonly claimName!: pulumi.Output; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ public readonly claimValueType!: pulumi.Output; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientId!: pulumi.Output; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. 
*/ public readonly clientScopeId!: pulumi.Output; /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. */ public readonly multivalued!: pulumi.Output; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ public readonly name!: pulumi.Output; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ public readonly realmId!: pulumi.Output; + /** + * The custom user attribute to map a claim for. + */ public readonly userAttribute!: pulumi.Output; /** 
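Review bot: The new doc comment on `aggregateAttributes` is wrong: it now reads `Indicates whether this attribute is a single value or an array of values. Defaults to false.`, which is the description of the `multivalued` field a few lines below, whereas the removed text (`Indicates if attribute values should be aggregated within the group attributes`) was specific to this field. The same mismatch is repeated in the UserAttributeProtocolMapperState and UserAttributeProtocolMapperArgs hunks that follow. This looks like a doc-mapping artifact of the regeneration; the previous description should be restored, and a default should only be stated if it is confirmed from the provider schema, which this diff does not show. The class body continues outside the hunk.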
@@ -219,46 +220,52 @@ export class UserAttributeProtocolMapper extends pulumi.CustomResource { */ export interface UserAttributeProtocolMapperState { /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. */ addToUserinfo?: pulumi.Input; /** - * Indicates if attribute values should be aggregated within the group attributes + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. */ aggregateAttributes?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName?: pulumi.Input; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ claimValueType?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * Indicates whether this attribute is a single value or an array of values. 
+ * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. */ multivalued?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId?: pulumi.Input; + /** + * The custom user attribute to map a claim for. + */ userAttribute?: pulumi.Input; } 
@@ -267,45 +274,51 @@ export interface UserAttributeProtocolMapperState { */ export interface UserAttributeProtocolMapperArgs { /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. */ addToUserinfo?: pulumi.Input; /** - * Indicates if attribute values should be aggregated within the group attributes + * Indicates whether this attribute is a single value or an array of values. Defaults to `false`. */ aggregateAttributes?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName: pulumi.Input; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ claimValueType?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates whether this attribute is a single value or an array of values. 
Defaults to `false`. */ multivalued?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId: pulumi.Input; + /** + * The custom user attribute to map a claim for. + */ userAttribute: pulumi.Input; } diff --git a/sdk/nodejs/openid/userPropertyProtocolMapper.ts b/sdk/nodejs/openid/userPropertyProtocolMapper.ts index d7483224..d3562ded 100644 --- a/sdk/nodejs/openid/userPropertyProtocolMapper.ts +++ b/sdk/nodejs/openid/userPropertyProtocolMapper.ts @@ -5,17 +5,17 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.UserPropertyProtocolMapper + * Allows for creating and managing user property protocol mappers within Keycloak. * - * Allows for creating and managing user property protocol mappers within - * Keycloak. + * User property protocol mappers allow you to map built in properties defined on the Keycloak user interface to a claim in + * a token. * - * User property protocol mappers allow you to map built in properties defined - * on the Keycloak user interface to a claim in a token. Protocol mappers can be - * defined for a single client, or they can be defined for a client scope which - * can be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage + * + * ### Client) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -27,8 +27,8 @@ import * as utilities from "../utilities"; * }); * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, - * clientId: "test-client", - * name: "test client", + * clientId: "client", + * name: "client", * enabled: true, * accessType: "CONFIDENTIAL", * validRedirectUris: ["http://localhost:8080/openid-callback"], @@ -36,13 +36,13 @@ import * as utilities from "../utilities"; * const userPropertyMapper = new keycloak.openid.UserPropertyProtocolMapper("user_property_mapper", { * realmId: realm.id, * clientId: openidClient.id, - * name: "test-mapper", + * name: "user-property-mapper", * userProperty: "email", * claimName: "email", * }); * ``` * - * ### Example Usage (Client Scope) + * ### Client Scope) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -54,7 +54,7 @@ import * as utilities from "../utilities"; * }); * const clientScope = new keycloak.openid.ClientScope("client_scope", { * realmId: realm.id, - * name: "test-client-scope", + * name: "client-scope", * }); * const userPropertyMapper = new keycloak.openid.UserPropertyProtocolMapper("user_property_mapper", { * realmId: realm.id, 
@@ -65,28 +65,25 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `userProperty` - (Required) The built in user property (such as email) to map a claim for. - * - `claimName` - (Required) The name of the claim to insert into a token. - * - `claimValueType` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - * - `addToIdToken` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - * - `addToAccessToken` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - * - `addToUserinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class UserPropertyProtocolMapper extends pulumi.CustomResource { /** 
@@ -117,38 +114,44 @@ export class UserPropertyProtocolMapper extends pulumi.CustomResource { } /** - * Indicates if the property should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. */ public readonly addToAccessToken!: pulumi.Output; /** - * Indicates if the property should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. */ public readonly addToIdToken!: pulumi.Output; /** - * Indicates if the property should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. */ public readonly addToUserinfo!: pulumi.Output; + /** + * The name of the claim to insert into a token. + */ public readonly claimName!: pulumi.Output; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ public readonly claimValueType!: pulumi.Output; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientId!: pulumi.Output; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. */ public readonly clientScopeId!: pulumi.Output; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. 
*/ public readonly name!: pulumi.Output; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ public readonly realmId!: pulumi.Output; + /** + * The built in user property (such as email) to map a claim for. + */ public readonly userProperty!: pulumi.Output; /** 
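Review bot: The new `clientScopeId` doc comment carries a duplicated, differently-formatted trailing sentence — "`clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to." — pasted after the "One of `clientId` or `clientScopeId` must be specified." sentence; the same text appears in the `UserPropertyProtocolMapperState` and `UserPropertyProtocolMapperArgs` hunks that follow. The sibling `UserRealmRoleProtocolMapper` file in this commit ends the comment cleanly at "must be specified.", so the fragment looks like an upstream copy-paste artifact rather than intended content. Since this file is generated SDK code, the trim belongs in the upstream resource docs (or the provider's patch set), leaving `* The client scope this protocol mapper should be attached to. Conflicts with \`clientId\`. One of \`clientId\` or \`clientScopeId\` must be specified.` as the whole comment.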
@@ -206,38 +209,44 @@ export class UserPropertyProtocolMapper extends pulumi.CustomResource { */ export interface UserPropertyProtocolMapperState { /** - * Indicates if the property should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if the property should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * Indicates if the property should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. */ addToUserinfo?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName?: pulumi.Input; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ claimValueType?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. */ clientScopeId?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. 
+ * The realm this protocol mapper exists within. */ realmId?: pulumi.Input; + /** + * The built in user property (such as email) to map a claim for. + */ userProperty?: pulumi.Input; } 
@@ -246,37 +255,43 @@ export interface UserPropertyProtocolMapperState { */ export interface UserPropertyProtocolMapperArgs { /** - * Indicates if the property should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if the property should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * Indicates if the property should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. */ addToUserinfo?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName: pulumi.Input; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ claimValueType?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. */ clientScopeId?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. 
*/ realmId: pulumi.Input; + /** + * The built in user property (such as email) to map a claim for. + */ userProperty: pulumi.Input; } diff --git a/sdk/nodejs/openid/userRealmRoleProtocolMapper.ts b/sdk/nodejs/openid/userRealmRoleProtocolMapper.ts index 3c9cef24..aacbf766 100644 --- a/sdk/nodejs/openid/userRealmRoleProtocolMapper.ts +++ b/sdk/nodejs/openid/userRealmRoleProtocolMapper.ts @@ -5,17 +5,16 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.openid.UserRealmRoleProtocolMapper - * - * Allows for creating and managing user realm role protocol mappers within - * Keycloak. + * Allows for creating and managing user realm role protocol mappers within Keycloak. * * User realm role protocol mappers allow you to define a claim containing the list of the realm roles. - * Protocol mappers can be defined for a single client, or they can - * be defined for a client scope which can be shared between multiple different - * clients. * - * ### Example Usage (Client) + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. + * + * ## Example Usage + * + * ### Client) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -27,8 +26,8 @@ import * as utilities from "../utilities"; * }); * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, - * clientId: "test-client", - * name: "test client", + * clientId: "client", + * name: "client", * enabled: true, * accessType: "CONFIDENTIAL", * validRedirectUris: ["http://localhost:8080/openid-callback"], @@ -41,7 +40,7 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Example Usage (Client Scope) + * ### Client Scope) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
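Review bot: The new example headings `### Client)` and `### Client Scope)` keep a stray closing parenthesis from the old `### Example Usage (Client)` form; the same artifact appears as `### Realm Role)`, `### Client Role)` and `### Composite Role)` in the `role.ts` hunk further down. The rendered API docs will show the unbalanced `)` verbatim. These files are generated, so the heading fix should go into the upstream doc source or the generator's heading rewrite rather than be hand-edited here, e.g. `* ### Client` / `* ### Client Scope`.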
@@ -63,29 +62,25 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `claimName` - (Required) The name of the claim to insert into a token. - * - `claimValueType` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - * - `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `true`. - * - `realmRolePrefix` - (Optional) A prefix for each Realm Role. - * - `addToIdToken` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - * - `addToAccessToken` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - * - `addToUserinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class UserRealmRoleProtocolMapper extends pulumi.CustomResource { /** 
@@ -116,44 +111,47 @@ export class UserRealmRoleProtocolMapper extends pulumi.CustomResource { } /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. */ public readonly addToAccessToken!: pulumi.Output; /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. */ public readonly addToIdToken!: pulumi.Output; /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. */ public readonly addToUserinfo!: pulumi.Output; + /** + * The name of the claim to insert into a token. + */ public readonly claimName!: pulumi.Output; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ public readonly claimValueType!: pulumi.Output; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientId!: pulumi.Output; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ public readonly clientScopeId!: pulumi.Output; /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. 
*/ public readonly multivalued!: pulumi.Output; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ public readonly name!: pulumi.Output; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ public readonly realmId!: pulumi.Output; /** - * Prefix that will be added to each realm role. + * A prefix for each Realm Role. */ public readonly realmRolePrefix!: pulumi.Output; 
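Review bot: The new `multivalued` comment states "Defaults to `false`", while the argument-reference block this commit removes from the class header said the same field "Defaults to `true`"; the `State` and `Args` hunks below repeat the new `false`. One of the two is wrong, and the diff alone does not show which the provider schema actually applies. Before merging, the default should be confirmed against the resource schema and the comment aligned to it, since a wrong default here changes whether a role-list claim is truncated to its first value.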
@@ -211,44 +209,47 @@ export class UserRealmRoleProtocolMapper extends pulumi.CustomResource { */ export interface UserRealmRoleProtocolMapperState { /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. */ addToUserinfo?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName?: pulumi.Input; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ claimValueType?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. 
*/ multivalued?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. + * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId?: pulumi.Input; /** - * Prefix that will be added to each realm role. + * A prefix for each Realm Role. */ realmRolePrefix?: pulumi.Input; } 
@@ -258,44 +259,47 @@ export interface UserRealmRoleProtocolMapperState { */ export interface UserRealmRoleProtocolMapperArgs { /** - * Indicates if the attribute should be a claim in the access token. + * Indicates if the property should be added as a claim to the access token. Defaults to `true`. */ addToAccessToken?: pulumi.Input; /** - * Indicates if the attribute should be a claim in the id token. + * Indicates if the property should be added as a claim to the id token. Defaults to `true`. */ addToIdToken?: pulumi.Input; /** - * Indicates if the attribute should appear in the userinfo response body. + * Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. */ addToUserinfo?: pulumi.Input; + /** + * The name of the claim to insert into a token. + */ claimName: pulumi.Input; /** - * Claim type used when serializing tokens. + * The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. */ claimValueType?: pulumi.Input; /** - * The mapper's associated client. Cannot be used at the same time as client_scope_id. + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. */ clientId?: pulumi.Input; /** - * The mapper's associated client scope. Cannot be used at the same time as client_id. + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. */ clientScopeId?: pulumi.Input; /** - * Indicates whether this attribute is a single value or an array of values. + * Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. */ multivalued?: pulumi.Input; /** - * A human-friendly name that will appear in the Keycloak console. 
+ * The display name of this protocol mapper in the GUI. */ name?: pulumi.Input; /** - * The realm id where the associated client or client scope exists. + * The realm this protocol mapper exists within. */ realmId: pulumi.Input; /** - * Prefix that will be added to each realm role. + * A prefix for each Realm Role. */ realmRolePrefix?: pulumi.Input; } diff --git a/sdk/nodejs/realm.ts b/sdk/nodejs/realm.ts index 51f83ff9..cb9a0447 100644 --- a/sdk/nodejs/realm.ts +++ b/sdk/nodejs/realm.ts 
@@ -6,6 +6,94 @@ import * as inputs from "./types/input"; import * as outputs from "./types/output"; import * as utilities from "./utilities"; +/** + * Allows for creating and managing Realms within Keycloak. + * + * A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated + * from multiple sources. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * displayName: "my realm", + * displayNameHtml: "my realm", + * loginTheme: "base", + * accessCodeLifespan: "1h", + * sslRequired: "external", + * passwordPolicy: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername", + * attributes: { + * mycustomAttribute: "myCustomValue", + * }, + * smtpServer: { + * host: "smtp.example.com", + * from: "example@example.com", + * auth: { + * username: "tom", + * password: "password", + * }, + * }, + * internationalization: { + * supportedLocales: [ + * "en", + * "de", + * "es", + * ], + * defaultLocale: "en", + * }, + * securityDefenses: { + * headers: { + * xFrameOptions: "DENY", + * contentSecurityPolicy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + * contentSecurityPolicyReportOnly: "", + * xContentTypeOptions: "nosniff", + * xRobotsTag: "none", + * xXssProtection: "1; mode=block", + * strictTransportSecurity: "max-age=31536000; includeSubDomains", + * }, + * bruteForceDetection: { + * permanentLockout: false, + * maxLoginFailures: 30, + * waitIncrementSeconds: 60, + * quickLoginCheckMilliSeconds: 1000, + * minimumQuickLoginWaitSeconds: 60, + * maxFailureWaitSeconds: 900, + * failureResetTimeSeconds: 43200, + * }, + * }, + * webAuthnPolicy: { + * relyingPartyEntityName: "Example", + * relyingPartyId: "keycloak.example.com", + * signatureAlgorithms: [ + * "ES256", + * "RS256", + * ], + 
* }, + * }); + * ``` + * + * ## Default Client Scopes + * + * - `defaultDefaultClientScopes` - (Optional) A list of default default client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default default client-scopes. + * - `defaultOptionalClientScopes` - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default optional client-scopes. + * + * ## Import + * + * Realms can be imported using their name. + * + * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:index/realm:Realm realm my-realm + * ``` + */ export class Realm extends pulumi.CustomResource { /** * Get an existing Realm resource's state with the given name, ID, and optional extra @@ -43,6 +131,9 @@ export class Realm extends pulumi.CustomResource { public readonly actionTokenGeneratedByAdminLifespan!: pulumi.Output; public readonly actionTokenGeneratedByUserLifespan!: pulumi.Output; public readonly adminTheme!: pulumi.Output; + /** + * A map of custom attributes to add to the realm. + */ public readonly attributes!: pulumi.Output<{[key: string]: string} | undefined>; /** * Which flow should be used for BrowserFlow @@ -61,7 +152,13 @@ export class Realm extends pulumi.CustomResource { * Which flow should be used for DirectGrantFlow */ public readonly directGrantFlow!: pulumi.Output; + /** + * The display name for the realm that is shown when logging in to the admin console. + */ public readonly displayName!: pulumi.Output; + /** + * The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + */ public readonly displayNameHtml!: pulumi.Output; /** * Which flow should be used for DockerAuthenticationFlow 
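Review bot: The new `Realm` example inlines an SMTP credential as a string literal, `password: "password"`, inside `smtpServer.auth`; example code tends to be copied as-is, and a literal here ends up in source control and in plaintext state. It would be better for the example to read the value from Pulumi config as a secret, e.g. `const config = new pulumi.Config();` and `password: config.requireSecret("smtpPassword"),`, so it is encrypted in state. This file is generated, so the change belongs in the upstream example source; the `password: "password"` placeholder in the `webAuthnPolicy`-adjacent parts of the example is otherwise fine.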
@@ -70,7 +167,13 @@ export class Realm extends pulumi.CustomResource { public readonly duplicateEmailsAllowed!: pulumi.Output; public readonly editUsernameAllowed!: pulumi.Output; public readonly emailTheme!: pulumi.Output; + /** + * When `false`, users and clients will not be able to access this realm. Defaults to `true`. + */ public readonly enabled!: pulumi.Output; + /** + * When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + */ public readonly internalId!: pulumi.Output; public readonly internationalization!: pulumi.Output; public readonly loginTheme!: pulumi.Output; @@ -87,6 +190,9 @@ export class Realm extends pulumi.CustomResource { * and notUsername(undefined)" */ public readonly passwordPolicy!: pulumi.Output; + /** + * The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + */ public readonly realm!: pulumi.Output; public readonly refreshTokenMaxReuse!: pulumi.Output; public readonly registrationAllowed!: pulumi.Output; @@ -112,6 +218,9 @@ export class Realm extends pulumi.CustomResource { public readonly ssoSessionIdleTimeoutRememberMe!: pulumi.Output; public readonly ssoSessionMaxLifespan!: pulumi.Output; public readonly ssoSessionMaxLifespanRememberMe!: pulumi.Output; + /** + * When `true`, users are allowed to manage their own resources. Defaults to `false`. + */ public readonly userManagedAccess!: pulumi.Output; public readonly verifyEmail!: pulumi.Output; public readonly webAuthnPasswordlessPolicy!: pulumi.Output; @@ -266,6 +375,9 @@ export interface RealmState { actionTokenGeneratedByAdminLifespan?: pulumi.Input; actionTokenGeneratedByUserLifespan?: pulumi.Input; adminTheme?: pulumi.Input; + /** + * A map of custom attributes to add to the realm. + */ attributes?: pulumi.Input<{[key: string]: pulumi.Input}>; /** * Which flow should be used for BrowserFlow 
@@ -284,7 +396,13 @@ export interface RealmState { * Which flow should be used for DirectGrantFlow */ directGrantFlow?: pulumi.Input; + /** + * The display name for the realm that is shown when logging in to the admin console. + */ displayName?: pulumi.Input; + /** + * The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + */ displayNameHtml?: pulumi.Input; /** * Which flow should be used for DockerAuthenticationFlow @@ -293,7 +411,13 @@ export interface RealmState { duplicateEmailsAllowed?: pulumi.Input; editUsernameAllowed?: pulumi.Input; emailTheme?: pulumi.Input; + /** + * When `false`, users and clients will not be able to access this realm. Defaults to `true`. + */ enabled?: pulumi.Input; + /** + * When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + */ internalId?: pulumi.Input; internationalization?: pulumi.Input; loginTheme?: pulumi.Input; @@ -310,6 +434,9 @@ export interface RealmState { * and notUsername(undefined)" */ passwordPolicy?: pulumi.Input; + /** + * The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + */ realm?: pulumi.Input; refreshTokenMaxReuse?: pulumi.Input; registrationAllowed?: pulumi.Input; @@ -335,6 +462,9 @@ export interface RealmState { ssoSessionIdleTimeoutRememberMe?: pulumi.Input; ssoSessionMaxLifespan?: pulumi.Input; ssoSessionMaxLifespanRememberMe?: pulumi.Input; + /** + * When `true`, users are allowed to manage their own resources. Defaults to `false`. + */ userManagedAccess?: pulumi.Input; verifyEmail?: pulumi.Input; webAuthnPasswordlessPolicy?: pulumi.Input; 
@@ -354,6 +484,9 @@ export interface RealmArgs { actionTokenGeneratedByAdminLifespan?: pulumi.Input; actionTokenGeneratedByUserLifespan?: pulumi.Input; adminTheme?: pulumi.Input; + /** + * A map of custom attributes to add to the realm. + */ attributes?: pulumi.Input<{[key: string]: pulumi.Input}>; /** * Which flow should be used for BrowserFlow @@ -372,7 +505,13 @@ export interface RealmArgs { * Which flow should be used for DirectGrantFlow */ directGrantFlow?: pulumi.Input; + /** + * The display name for the realm that is shown when logging in to the admin console. + */ displayName?: pulumi.Input; + /** + * The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + */ displayNameHtml?: pulumi.Input; /** * Which flow should be used for DockerAuthenticationFlow @@ -381,7 +520,13 @@ export interface RealmArgs { duplicateEmailsAllowed?: pulumi.Input; editUsernameAllowed?: pulumi.Input; emailTheme?: pulumi.Input; + /** + * When `false`, users and clients will not be able to access this realm. Defaults to `true`. + */ enabled?: pulumi.Input; + /** + * When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + */ internalId?: pulumi.Input; internationalization?: pulumi.Input; loginTheme?: pulumi.Input; @@ -398,6 +543,9 @@ export interface RealmArgs { * and notUsername(undefined)" */ passwordPolicy?: pulumi.Input; + /** + * The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + */ realm: pulumi.Input; refreshTokenMaxReuse?: pulumi.Input; registrationAllowed?: pulumi.Input; 
@@ -423,6 +571,9 @@ export interface RealmArgs { ssoSessionIdleTimeoutRememberMe?: pulumi.Input; ssoSessionMaxLifespan?: pulumi.Input; ssoSessionMaxLifespanRememberMe?: pulumi.Input; + /** + * When `true`, users are allowed to manage their own resources. Defaults to `false`. + */ userManagedAccess?: pulumi.Input; verifyEmail?: pulumi.Input; webAuthnPasswordlessPolicy?: pulumi.Input; diff --git a/sdk/nodejs/realmEvents.ts b/sdk/nodejs/realmEvents.ts index 276bfc48..76053888 100644 --- a/sdk/nodejs/realmEvents.ts +++ b/sdk/nodejs/realmEvents.ts @@ -5,17 +5,18 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; /** - * ## # keycloak.RealmEvents - * * Allows for managing Realm Events settings within Keycloak. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as keycloak from "@pulumi/keycloak"; * - * const realm = new keycloak.Realm("realm", {realm: "test"}); + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); * const realmEvents = new keycloak.RealmEvents("realm_events", { * realmId: realm.id, * eventsEnabled: true, 
@@ -30,17 +31,9 @@ import * as utilities from "./utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: + * ## Import * - * - `realmId` - (Required) The name of the realm the event settings apply to. - * - `adminEventsEnabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`. - * - `adminEventsDetailsEnabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`. - * - `eventsEnabled` - (Optional) When true, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. - * - `eventsExpiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never. - * - `enabledEventTypes` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. - * - `eventsListeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + * This resource currently does not support importing. */ export class RealmEvents extends pulumi.CustomResource { /** 
@@ -70,12 +63,33 @@ export class RealmEvents extends pulumi.CustomResource { return obj['__pulumiType'] === RealmEvents.__pulumiType; } + /** + * When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + */ public readonly adminEventsDetailsEnabled!: pulumi.Output; + /** + * When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + */ public readonly adminEventsEnabled!: pulumi.Output; + /** + * The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + */ public readonly enabledEventTypes!: pulumi.Output; + /** + * When `true`, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. + */ public readonly eventsEnabled!: pulumi.Output; + /** + * The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + */ public readonly eventsExpiration!: pulumi.Output; + /** + * The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + */ public readonly eventsListeners!: pulumi.Output; + /** + * The name of the realm the event settings apply to. + */ public readonly realmId!: pulumi.Output; /** 
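Review bot: The new `adminEventsDetailsEnabled` comment reads "saved admin events will included detailed information", which is ungrammatical; the same sentence is repeated in the `RealmEventsState` and `RealmEventsArgs` hunks that follow. The wording was carried over from the argument reference the previous hunk removes, so the fix belongs in the upstream doc source for this generated file: `* When \`true\`, saved admin events will include detailed information for create/update requests. Defaults to \`false\`.`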
@@ -120,12 +134,33 @@ export class RealmEvents extends pulumi.CustomResource { * Input properties used for looking up and filtering RealmEvents resources. */ export interface RealmEventsState { + /** + * When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + */ adminEventsDetailsEnabled?: pulumi.Input; + /** + * When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + */ adminEventsEnabled?: pulumi.Input; + /** + * The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + */ enabledEventTypes?: pulumi.Input[]>; + /** + * When `true`, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. + */ eventsEnabled?: pulumi.Input; + /** + * The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + */ eventsExpiration?: pulumi.Input; + /** + * The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + */ eventsListeners?: pulumi.Input[]>; + /** + * The name of the realm the event settings apply to. + */ realmId?: pulumi.Input; } 
@@ -133,11 +168,32 @@ export interface RealmEventsState { * The set of arguments for constructing a RealmEvents resource. */ export interface RealmEventsArgs { + /** + * When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`. + */ adminEventsDetailsEnabled?: pulumi.Input; + /** + * When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`. + */ adminEventsEnabled?: pulumi.Input; + /** + * The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. + */ enabledEventTypes?: pulumi.Input[]>; + /** + * When `true`, events from `enabledEventTypes` are saved to the database, making them available through the admin console. Defaults to `false`. + */ eventsEnabled?: pulumi.Input; + /** + * The amount of time in seconds events will be saved in the database. Defaults to `0` or never. + */ eventsExpiration?: pulumi.Input; + /** + * The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. + */ eventsListeners?: pulumi.Input[]>; + /** + * The name of the realm the event settings apply to. + */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/role.ts b/sdk/nodejs/role.ts index 3ecbbb93..085049e1 100644 --- a/sdk/nodejs/role.ts +++ b/sdk/nodejs/role.ts 
@@ -5,14 +5,13 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; /** - * ## # keycloak.Role - * * Allows for creating and managing roles within Keycloak. * - * Roles allow you define privileges within Keycloak and map them to users - * and groups. + * Roles allow you define privileges within Keycloak and map them to users and groups. + * + * ## Example Usage * - * ### Example Usage (Realm role) + * ### Realm Role) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -26,10 +25,14 @@ import * as utilities from "./utilities"; * realmId: realm.id, * name: "my-realm-role", * description: "My Realm Role", + * attributes: { + * key: "value", + * multivalue: "value1##value2", + * }, * }); * ``` * - * ### Example Usage (Client role) + * ### Client Role) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -39,22 +42,26 @@ import * as utilities from "./utilities"; * realm: "my-realm", * enabled: true, * }); - * const client = new keycloak.openid.Client("client", { + * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, * clientId: "client", * name: "client", * enabled: true, - * accessType: "BEARER-ONLY", + * accessType: "CONFIDENTIAL", + * validRedirectUris: ["http://localhost:8080/openid-callback"], * }); * const clientRole = new keycloak.Role("client_role", { * realmId: realm.id, - * clientId: clientKeycloakClient.id, + * clientId: openidClientKeycloakClient.id, * name: "my-client-role", * description: "My Client Role", + * attributes: { + * key: "value", + * }, * }); * ``` * - * ### Example Usage (Composite role) + * ### Composite Role) * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
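Review bot: The client-role example added in the `@@ -39` hunk reads `clientId: openidClientKeycloakClient.id`, but no such variable is declared; the client is bound as `openidClient`, so the line should be `clientId: openidClient.id,`. The same undefined identifier appears in the composite-role example in the next hunk. The new section headings `### Realm Role)`, `### Client Role)` and `### Composite Role)` each carry a stray closing parenthesis left over from the old "(Realm role)" form. Both look like artifacts of doc conversion, so if this file is generated the fix belongs in the upstream docs or the bridge's doc overlay.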
@@ -68,67 +75,78 @@ import * as utilities from "./utilities"; * const createRole = new keycloak.Role("create_role", { * realmId: realm.id, * name: "create", + * attributes: { + * key: "value", + * }, * }); * const readRole = new keycloak.Role("read_role", { * realmId: realm.id, * name: "read", + * attributes: { + * key: "value", + * }, * }); * const updateRole = new keycloak.Role("update_role", { * realmId: realm.id, * name: "update", + * attributes: { + * key: "value", + * }, * }); * const deleteRole = new keycloak.Role("delete_role", { * realmId: realm.id, * name: "delete", + * attributes: { + * key: "value", + * }, * }); * // client role - * const client = new keycloak.openid.Client("client", { + * const openidClient = new keycloak.openid.Client("openid_client", { * realmId: realm.id, * clientId: "client", * name: "client", * enabled: true, - * accessType: "BEARER-ONLY", + * accessType: "CONFIDENTIAL", + * validRedirectUris: ["http://localhost:8080/openid-callback"], * }); * const clientRole = new keycloak.Role("client_role", { * realmId: realm.id, - * clientId: clientKeycloakClient.id, + * clientId: openidClientKeycloakClient.id, * name: "my-client-role", * description: "My Client Role", + * attributes: { + * key: "value", + * }, * }); * const adminRole = new keycloak.Role("admin_role", { * realmId: realm.id, * name: "admin", * compositeRoles: [ - * "{keycloak_role.create_role.id}", - * "{keycloak_role.read_role.id}", - * "{keycloak_role.update_role.id}", - * "{keycloak_role.delete_role.id}", - * "{keycloak_role.client_role.id}", + * createRole.id, + * readRole.id, + * updateRole.id, + * deleteRole.id, + * clientRole.id, * ], + * attributes: { + * key: "value", + * }, * }); * ``` * - * ### Argument Reference + * ## Import * - * The following arguments are supported: + * Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where `role_id` is the unique ID that Keycloak assigns * - * - `realmId` - (Required) The realm this role exists within. 
- * - `clientId` - (Optional) When specified, this role will be created as - * a client role attached to the client with the provided ID - * - `name` - (Required) The name of the role - * - `description` - (Optional) The description of the role - * - `compositeRoles` - (Optional) When specified, this role will be a - * composite role, composed of all roles that have an ID present within - * this list. + * to the role. The ID is not easy to find in the GUI, but it appears in the URL when editing the role. * - * ### Import + * Example: * - * Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where - * `roleId` is the unique ID that Keycloak assigns to the role. The ID is - * not easy to find in the GUI, but it appears in the URL when editing the - * role. + * bash * - * Example: + * ```sh + * $ pulumi import keycloak:index/role:Role role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad + * ``` */ export class Role extends pulumi.CustomResource { /** @@ -158,11 +176,29 @@ export class Role extends pulumi.CustomResource { return obj['__pulumiType'] === Role.__pulumiType; } + /** + * A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + */ public readonly attributes!: pulumi.Output<{[key: string]: string} | undefined>; + /** + * When specified, this role will be created as a client role attached to the client with the provided ID + */ public readonly clientId!: pulumi.Output; + /** + * When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + */ public readonly compositeRoles!: pulumi.Output; + /** + * The description of the role + */ public readonly description!: pulumi.Output; + /** + * The name of the role + */ public readonly name!: pulumi.Output; + /** + * The realm this role exists within. + */ public readonly realmId!: pulumi.Output; /** 
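Review bot: The new Import section contains a bare `* bash` line immediately before the ```sh fence, which renders as literal text and should be dropped; the same stray line is added in the saml/client and saml/identityProvider headers further down. The `attributes` property doc added in the `@@ -158` hunk misspells "separate" ("use `##` to seperate the values"), and the same text recurs in the `RoleState` and `RoleArgs` hunks that follow. The enclosing `Role` class continues outside this hunk.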
@@ -205,11 +241,29 @@ export class Role extends pulumi.CustomResource { * Input properties used for looking up and filtering Role resources. */ export interface RoleState { + /** + * A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + */ attributes?: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * When specified, this role will be created as a client role attached to the client with the provided ID + */ clientId?: pulumi.Input; + /** + * When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + */ compositeRoles?: pulumi.Input[]>; + /** + * The description of the role + */ description?: pulumi.Input; + /** + * The name of the role + */ name?: pulumi.Input; + /** + * The realm this role exists within. + */ realmId?: pulumi.Input; } @@ -217,10 +271,28 @@ export interface RoleState { * The set of arguments for constructing a Role resource. */ export interface RoleArgs { + /** + * A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + */ attributes?: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * When specified, this role will be created as a client role attached to the client with the provided ID + */ clientId?: pulumi.Input; + /** + * When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + */ compositeRoles?: pulumi.Input[]>; + /** + * The description of the role + */ description?: pulumi.Input; + /** + * The name of the role + */ name?: pulumi.Input; + /** + * The realm this role exists within. + */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/saml/client.ts b/sdk/nodejs/saml/client.ts index 6aa2bce4..79e9739c 100644 --- a/sdk/nodejs/saml/client.ts +++ b/sdk/nodejs/saml/client.ts 
@@ -7,20 +7,24 @@ import * as outputs from "../types/output"; import * as utilities from "../utilities"; /** - * ## # keycloak.saml.Client - * * Allows for creating and managing Keycloak clients that use the SAML protocol. * - * Clients are entities that can use Keycloak for user authentication. Typically, - * clients are applications that redirect users to Keycloak for authentication - * in order to take advantage of Keycloak's user sessions for SSO. + * Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users + * to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO. + * + * ## Import * - * ### Import + * Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak * - * Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `clientKeycloakId` is the unique ID that Keycloak * assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 + * ``` */ export class Client extends pulumi.CustomResource { /** 
@@ -50,42 +54,150 @@ export class Client extends pulumi.CustomResource { return obj['__pulumiType'] === Client.__pulumiType; } + /** + * SAML POST Binding URL for the client's assertion consumer service (login responses). + */ public readonly assertionConsumerPostUrl!: pulumi.Output; + /** + * SAML Redirect Binding URL for the client's assertion consumer service (login responses). + */ public readonly assertionConsumerRedirectUrl!: pulumi.Output; + /** + * Override realm authentication flow bindings + */ public readonly authenticationFlowBindingOverrides!: pulumi.Output; + /** + * When specified, this URL will be used whenever Keycloak needs to link to this client. + */ public readonly baseUrl!: pulumi.Output; + /** + * The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + */ public readonly canonicalizationMethod!: pulumi.Output; + /** + * The unique ID of this client, referenced in the URI during authentication and in issued tokens. + */ public readonly clientId!: pulumi.Output; + /** + * When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. Defaults to `true`. + */ public readonly clientSignatureRequired!: pulumi.Output; + /** + * The description of this client in the GUI. + */ public readonly description!: pulumi.Output; + /** + * When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + */ public readonly enabled!: pulumi.Output; + /** + * When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + */ public readonly encryptAssertions!: pulumi.Output; + /** + * If assertions for the client are encrypted, this certificate will be used for encryption. 
+ */ public readonly encryptionCertificate!: pulumi.Output; + /** + * (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + */ public /*out*/ readonly encryptionCertificateSha1!: pulumi.Output; public readonly extraConfig!: pulumi.Output<{[key: string]: string} | undefined>; + /** + * Ignore requested NameID subject format and use the one defined in `nameIdFormat` instead. Defaults to `false`. + */ public readonly forceNameIdFormat!: pulumi.Output; + /** + * When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + */ public readonly forcePostBinding!: pulumi.Output; + /** + * When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + */ public readonly frontChannelLogout!: pulumi.Output; + /** + * Allow to include all roles mappings in the access token + */ public readonly fullScopeAllowed!: pulumi.Output; + /** + * Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + */ public readonly idpInitiatedSsoRelayState!: pulumi.Output; + /** + * URL fragment name to reference client when you want to do IDP Initiated SSO. + */ public readonly idpInitiatedSsoUrlName!: pulumi.Output; + /** + * When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + */ public readonly includeAuthnStatement!: pulumi.Output; + /** + * The login theme of this client. + */ public readonly loginTheme!: pulumi.Output; + /** + * SAML POST Binding URL for the client's single logout service. + */ public readonly logoutServicePostBindingUrl!: pulumi.Output; + /** + * SAML Redirect Binding URL for the client's single logout service. + */ public readonly logoutServiceRedirectBindingUrl!: pulumi.Output; + /** + * When specified, this URL will be used for all SAML requests. 
+ */ public readonly masterSamlProcessingUrl!: pulumi.Output; + /** + * The display name of this client in the GUI. + */ public readonly name!: pulumi.Output; + /** + * Sets the Name ID format for the subject. + */ public readonly nameIdFormat!: pulumi.Output; + /** + * The realm this client is attached to. + */ public readonly realmId!: pulumi.Output; + /** + * When specified, this value is prepended to all relative URLs. + */ public readonly rootUrl!: pulumi.Output; + /** + * When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + */ public readonly signAssertions!: pulumi.Output; + /** + * When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + */ public readonly signDocuments!: pulumi.Output; + /** + * The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + */ public readonly signatureAlgorithm!: pulumi.Output; + /** + * The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + */ public readonly signatureKeyName!: pulumi.Output; + /** + * If documents or assertions from the client are signed, this certificate will be used to verify the signature. + */ public readonly signingCertificate!: pulumi.Output; + /** + * (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + */ public /*out*/ readonly signingCertificateSha1!: pulumi.Output; + /** + * If documents or assertions from the client are signed, this private key will be used to verify the signature. + */ public readonly signingPrivateKey!: pulumi.Output; + /** + * (Computed) The sha1sum fingerprint of the signing private key. 
If the signing private key is not in correct base64 format, this will be left empty. + */ public /*out*/ readonly signingPrivateKeySha1!: pulumi.Output; + /** + * When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + */ public readonly validRedirectUris!: pulumi.Output; /** 
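Review bot: The new `signingPrivateKey` comment says the private key "will be used to verify the signature", which is backwards for asymmetric signatures — verification uses the `signingCertificate`, and a private key held here would be used for signing, so the sentence should state what Keycloak actually does with it. Nothing in the hunk shows whether `signingPrivateKey` is flagged as a secret in the provider schema; if it is not, the key material is stored in plaintext in Pulumi state and may be shown in diffs, which is worth confirming. The `signatureAlgorithm` doc is missing the closing quote after `"RSA_SHA256_MGF1` and lists the SHA-1 variants with no indication that they are legacy; the same text recurs in the `ClientState` and `ClientArgs` hunks below. The `Client` class declaration continues outside this hunk.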
@@ -193,42 +305,150 @@ export class Client extends pulumi.CustomResource { * Input properties used for looking up and filtering Client resources. */ export interface ClientState { + /** + * SAML POST Binding URL for the client's assertion consumer service (login responses). + */ assertionConsumerPostUrl?: pulumi.Input; + /** + * SAML Redirect Binding URL for the client's assertion consumer service (login responses). + */ assertionConsumerRedirectUrl?: pulumi.Input; + /** + * Override realm authentication flow bindings + */ authenticationFlowBindingOverrides?: pulumi.Input; + /** + * When specified, this URL will be used whenever Keycloak needs to link to this client. + */ baseUrl?: pulumi.Input; + /** + * The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + */ canonicalizationMethod?: pulumi.Input; + /** + * The unique ID of this client, referenced in the URI during authentication and in issued tokens. + */ clientId?: pulumi.Input; + /** + * When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. Defaults to `true`. + */ clientSignatureRequired?: pulumi.Input; + /** + * The description of this client in the GUI. + */ description?: pulumi.Input; + /** + * When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + */ enabled?: pulumi.Input; + /** + * When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + */ encryptAssertions?: pulumi.Input; + /** + * If assertions for the client are encrypted, this certificate will be used for encryption. + */ encryptionCertificate?: pulumi.Input; + /** + * (Computed) The sha1sum fingerprint of the encryption certificate. 
If the encryption certificate is not in correct base64 format, this will be left empty. + */ encryptionCertificateSha1?: pulumi.Input; extraConfig?: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * Ignore requested NameID subject format and use the one defined in `nameIdFormat` instead. Defaults to `false`. + */ forceNameIdFormat?: pulumi.Input; + /** + * When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + */ forcePostBinding?: pulumi.Input; + /** + * When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + */ frontChannelLogout?: pulumi.Input; + /** + * Allow to include all roles mappings in the access token + */ fullScopeAllowed?: pulumi.Input; + /** + * Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + */ idpInitiatedSsoRelayState?: pulumi.Input; + /** + * URL fragment name to reference client when you want to do IDP Initiated SSO. + */ idpInitiatedSsoUrlName?: pulumi.Input; + /** + * When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + */ includeAuthnStatement?: pulumi.Input; + /** + * The login theme of this client. + */ loginTheme?: pulumi.Input; + /** + * SAML POST Binding URL for the client's single logout service. + */ logoutServicePostBindingUrl?: pulumi.Input; + /** + * SAML Redirect Binding URL for the client's single logout service. + */ logoutServiceRedirectBindingUrl?: pulumi.Input; + /** + * When specified, this URL will be used for all SAML requests. + */ masterSamlProcessingUrl?: pulumi.Input; + /** + * The display name of this client in the GUI. + */ name?: pulumi.Input; + /** + * Sets the Name ID format for the subject. + */ nameIdFormat?: pulumi.Input; + /** + * The realm this client is attached to. + */ realmId?: pulumi.Input; + /** + * When specified, this value is prepended to all relative URLs. 
+ */ rootUrl?: pulumi.Input; + /** + * When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + */ signAssertions?: pulumi.Input; + /** + * When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + */ signDocuments?: pulumi.Input; + /** + * The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + */ signatureAlgorithm?: pulumi.Input; + /** + * The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + */ signatureKeyName?: pulumi.Input; + /** + * If documents or assertions from the client are signed, this certificate will be used to verify the signature. + */ signingCertificate?: pulumi.Input; + /** + * (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + */ signingCertificateSha1?: pulumi.Input; + /** + * If documents or assertions from the client are signed, this private key will be used to verify the signature. + */ signingPrivateKey?: pulumi.Input; + /** + * (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + */ signingPrivateKeySha1?: pulumi.Input; + /** + * When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + */ validRedirectUris?: pulumi.Input[]>; } 
@@ -236,38 +456,137 @@ export interface ClientState { * The set of arguments for constructing a Client resource. */ export interface ClientArgs { + /** + * SAML POST Binding URL for the client's assertion consumer service (login responses). + */ assertionConsumerPostUrl?: pulumi.Input; + /** + * SAML Redirect Binding URL for the client's assertion consumer service (login responses). + */ assertionConsumerRedirectUrl?: pulumi.Input; + /** + * Override realm authentication flow bindings + */ authenticationFlowBindingOverrides?: pulumi.Input; + /** + * When specified, this URL will be used whenever Keycloak needs to link to this client. + */ baseUrl?: pulumi.Input; + /** + * The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + */ canonicalizationMethod?: pulumi.Input; + /** + * The unique ID of this client, referenced in the URI during authentication and in issued tokens. + */ clientId: pulumi.Input; + /** + * When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. Defaults to `true`. + */ clientSignatureRequired?: pulumi.Input; + /** + * The description of this client in the GUI. + */ description?: pulumi.Input; + /** + * When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + */ enabled?: pulumi.Input; + /** + * When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + */ encryptAssertions?: pulumi.Input; + /** + * If assertions for the client are encrypted, this certificate will be used for encryption. + */ encryptionCertificate?: pulumi.Input; extraConfig?: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * Ignore requested NameID subject format and use the one defined in `nameIdFormat` instead. 
Defaults to `false`. + */ forceNameIdFormat?: pulumi.Input; + /** + * When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + */ forcePostBinding?: pulumi.Input; + /** + * When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + */ frontChannelLogout?: pulumi.Input; + /** + * Allow to include all roles mappings in the access token + */ fullScopeAllowed?: pulumi.Input; + /** + * Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + */ idpInitiatedSsoRelayState?: pulumi.Input; + /** + * URL fragment name to reference client when you want to do IDP Initiated SSO. + */ idpInitiatedSsoUrlName?: pulumi.Input; + /** + * When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + */ includeAuthnStatement?: pulumi.Input; + /** + * The login theme of this client. + */ loginTheme?: pulumi.Input; + /** + * SAML POST Binding URL for the client's single logout service. + */ logoutServicePostBindingUrl?: pulumi.Input; + /** + * SAML Redirect Binding URL for the client's single logout service. + */ logoutServiceRedirectBindingUrl?: pulumi.Input; + /** + * When specified, this URL will be used for all SAML requests. + */ masterSamlProcessingUrl?: pulumi.Input; + /** + * The display name of this client in the GUI. + */ name?: pulumi.Input; + /** + * Sets the Name ID format for the subject. + */ nameIdFormat?: pulumi.Input; + /** + * The realm this client is attached to. + */ realmId: pulumi.Input; + /** + * When specified, this value is prepended to all relative URLs. + */ rootUrl?: pulumi.Input; + /** + * When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + */ signAssertions?: pulumi.Input; + /** + * When `true`, the SAML document will be signed by Keycloak using the realm's private key. 
Defaults to `true`. + */ signDocuments?: pulumi.Input; + /** + * The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + */ signatureAlgorithm?: pulumi.Input; + /** + * The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + */ signatureKeyName?: pulumi.Input; + /** + * If documents or assertions from the client are signed, this certificate will be used to verify the signature. + */ signingCertificate?: pulumi.Input; + /** + * If documents or assertions from the client are signed, this private key will be used to verify the signature. + */ signingPrivateKey?: pulumi.Input; + /** + * When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + */ validRedirectUris?: pulumi.Input[]>; } diff --git a/sdk/nodejs/saml/identityProvider.ts b/sdk/nodejs/saml/identityProvider.ts index 4a3985bb..f3946598 100644 --- a/sdk/nodejs/saml/identityProvider.ts +++ b/sdk/nodejs/saml/identityProvider.ts 
@@ -5,21 +5,24 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.saml.IdentityProvider + * Allows for creating and managing SAML Identity Providers within Keycloak. * - * Allows to create and manage SAML Identity Providers within Keycloak. + * SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol. * - * SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard. - * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as keycloak from "@pulumi/keycloak"; * - * const realmIdentityProvider = new keycloak.saml.IdentityProvider("realm_identity_provider", { + * const realm = new keycloak.Realm("realm", { * realm: "my-realm", - * alias: "my-idp", + * enabled: true, + * }); + * const realmSamlIdentityProvider = new keycloak.saml.IdentityProvider("realm_saml_identity_provider", { + * realm: realm.id, + * alias: "my-saml-idp", + * entityId: "https://domain.com/entity_id", * singleSignOnServiceUrl: "https://domain.com/adfs/ls/", * singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0", * backchannelSupported: true, 
@@ -32,45 +35,17 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realm` - (Required) The name of the realm. This is unique across Keycloak. - * - `alias` - (Optional) The uniq name of identity provider. - * - `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. - * - `displayName` - (Optional) The display name for the realm that is shown when logging in to the admin console. - * - `storeToken` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`. - * - `addReadTokenRoleOnCreate` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`. - * - `trustEmail` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`. - * - `linkOnly` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`. - * - `hideOnLoginPage` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. - * - `firstBrokerLoginFlowAlias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. - * - `postBrokerLoginFlowAlias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). 
Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. - * - `authenticateByDefault` - (Optional) Authenticate users by default. Defaults to `false`. + * ## Import * - * #### SAML Configuration + * Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. * - * - `singleSignOnServiceUrl` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest). - * - `singleLogoutServiceUrl` - (Optional) The Url that must be used to send logout requests. - * - `backchannelSupported` - (Optional) Does the external IDP support back-channel logout ?. - * - `nameIdPolicyFormat` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. - * - `postBindingResponse` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. - * - `postBindingAuthnRequest` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - * - `postBindingLogout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - * - `wantAssertionsSigned` - (Optional) Indicates whether this service provider expects a signed Assertion. - * - `wantAssertionsEncrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. - * - `forceAuthn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. - * - `validateSignature` - (Optional) Enable/disable signature validation of SAML responses. 
- * - `signingCertificate` - (Optional) Signing Certificate. - * - `signatureAlgorithm` - (Optional) Signing Algorithm. Defaults to empty. - * - `xmlSignKeyInfoKeyNameTransformer` - (Optional) Sign Key Transformer. Defaults to empty. - * - * ### Import + * Example: * - * Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idpAlias` is the identity provider alias. + * bash * - * Example: + * ```sh + * $ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp + * ``` */ export class IdentityProvider extends pulumi.CustomResource { /** 
@@ -101,39 +76,39 @@ export class IdentityProvider extends pulumi.CustomResource { } /** - * Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + * When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. */ public readonly addReadTokenRoleOnCreate!: pulumi.Output; /** - * The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + * The unique name of identity provider. */ public readonly alias!: pulumi.Output; /** - * Enable/disable authenticate users by default. + * Authenticate users by default. Defaults to `false`. */ public readonly authenticateByDefault!: pulumi.Output; /** - * AuthnContext ClassRefs + * Ordered list of requested AuthnContext ClassRefs. */ public readonly authnContextClassRefs!: pulumi.Output; /** - * AuthnContext Comparison + * Specifies the comparison method used to evaluate the requested context classes or statements. */ public readonly authnContextComparisonType!: pulumi.Output; /** - * AuthnContext DeclRefs + * Ordered list of requested AuthnContext DeclRefs. */ public readonly authnContextDeclRefs!: pulumi.Output; /** - * Does the external IDP support backchannel logout? + * Does the external IDP support backchannel logout?. Defaults to `false`. */ public readonly backchannelSupported!: pulumi.Output; /** - * Friendly name for Identity Providers. + * The display name for the realm that is shown when logging in to the admin console. */ public readonly displayName!: pulumi.Output; /** - * Enable/disable this identity provider. + * When `false`, users and clients will not be able to access this realm. Defaults to `true`. */ public readonly enabled!: pulumi.Output; /** 
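Review bot: The new descriptions for `displayName` and `enabled` in this hunk describe a realm rather than the identity provider they annotate — "The display name for the realm that is shown when logging in to the admin console." and "When `false`, users and clients will not be able to access this realm." read like text copied from the realm resource, and they replace the removed lines "Friendly name for Identity Providers." and "Enable/disable this identity provider.", which were at least correct about the object. Misstating what an enable switch on an identity provider does is worth fixing; suggested text: `The display name for this identity provider, shown on the login page.` and `When false, this identity provider is disabled and cannot be used to log in. Defaults to true.`. The same two strings recur in the IdentityProviderState hunk (L3679) and the IdentityProviderArgs hunk (L3684). This file appears to be generated SDK output, so the correction probably belongs in the upstream provider documentation it is generated from.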
@@ -142,20 +117,19 @@ export class IdentityProvider extends pulumi.CustomResource { public readonly entityId!: pulumi.Output; public readonly extraConfig!: pulumi.Output<{[key: string]: string} | undefined>; /** - * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. */ public readonly firstBrokerLoginFlowAlias!: pulumi.Output; /** - * Require Force Authn. + * Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. */ public readonly forceAuthn!: pulumi.Output; /** - * GUI Order + * A number defining the order of this identity provider in the GUI. */ public readonly guiOrder!: pulumi.Output; /** - * Hide On Login Page. + * If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. */ public readonly hideOnLoginPage!: pulumi.Output; /** @@ -163,8 +137,7 @@ export class IdentityProvider extends pulumi.CustomResource { */ public /*out*/ readonly internalId!: pulumi.Output; /** - * If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. */ public readonly linkOnly!: pulumi.Output; /** 
@@ -172,46 +145,43 @@ export class IdentityProvider extends pulumi.CustomResource { */ public readonly loginHint!: pulumi.Output; /** - * Name ID Policy Format. + * Specifies the URI reference corresponding to a name identifier format. Defaults to empty. */ public readonly nameIdPolicyFormat!: pulumi.Output; /** - * Post Binding Authn Request. + * Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. */ public readonly postBindingAuthnRequest!: pulumi.Output; /** - * Post Binding Logout. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. */ public readonly postBindingLogout!: pulumi.Output; /** - * Post Binding Response. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. */ public readonly postBindingResponse!: pulumi.Output; /** - * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. 
*/ public readonly postBrokerLoginFlowAlias!: pulumi.Output; /** - * Principal Attribute + * The principal attribute. */ public readonly principalAttribute!: pulumi.Output; /** - * Principal Type + * The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. */ public readonly principalType!: pulumi.Output; /** - * provider id, is always saml, unless you have a custom implementation + * The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. */ public readonly providerId!: pulumi.Output; /** - * Realm Name + * The name of the realm. This is unique across Keycloak. */ public readonly realm!: pulumi.Output; /** - * Signing Algorithm. + * Signing Algorithm. Defaults to empty. */ public readonly signatureAlgorithm!: pulumi.Output; /** 
@@ -219,23 +189,23 @@ export class IdentityProvider extends pulumi.CustomResource { */ public readonly signingCertificate!: pulumi.Output; /** - * Logout URL. + * The Url that must be used to send logout requests. */ public readonly singleLogoutServiceUrl!: pulumi.Output; /** - * SSO Logout URL. + * The Url that must be used to send authentication requests (SAML AuthnRequest). */ public readonly singleSignOnServiceUrl!: pulumi.Output; /** - * Enable/disable if tokens must be stored after authenticating users. + * When `true`, tokens will be stored after authenticating users. Defaults to `true`. */ public readonly storeToken!: pulumi.Output; /** - * Sync Mode + * The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. */ public readonly syncMode!: pulumi.Output; /** - * If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. */ public readonly trustEmail!: pulumi.Output; /** @@ -243,15 +213,15 @@ export class IdentityProvider extends pulumi.CustomResource { */ public readonly validateSignature!: pulumi.Output; /** - * Want Assertions Encrypted. + * Indicates whether this service provider expects an encrypted Assertion. */ public readonly wantAssertionsEncrypted!: pulumi.Output; /** - * Want Assertions Signed. + * Indicates whether this service provider expects a signed Assertion. */ public readonly wantAssertionsSigned!: pulumi.Output; /** - * Sign Key Transformer. + * The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. */ public readonly xmlSignKeyInfoKeyNameTransformer!: pulumi.Output; 
@@ -369,39 +339,39 @@ export class IdentityProvider extends pulumi.CustomResource { */ export interface IdentityProviderState { /** - * Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + * When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. */ addReadTokenRoleOnCreate?: pulumi.Input; /** - * The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + * The unique name of identity provider. */ alias?: pulumi.Input; /** - * Enable/disable authenticate users by default. + * Authenticate users by default. Defaults to `false`. */ authenticateByDefault?: pulumi.Input; /** - * AuthnContext ClassRefs + * Ordered list of requested AuthnContext ClassRefs. */ authnContextClassRefs?: pulumi.Input[]>; /** - * AuthnContext Comparison + * Specifies the comparison method used to evaluate the requested context classes or statements. */ authnContextComparisonType?: pulumi.Input; /** - * AuthnContext DeclRefs + * Ordered list of requested AuthnContext DeclRefs. */ authnContextDeclRefs?: pulumi.Input[]>; /** - * Does the external IDP support backchannel logout? + * Does the external IDP support backchannel logout?. Defaults to `false`. */ backchannelSupported?: pulumi.Input; /** - * Friendly name for Identity Providers. + * The display name for the realm that is shown when logging in to the admin console. */ displayName?: pulumi.Input; /** - * Enable/disable this identity provider. + * When `false`, users and clients will not be able to access this realm. Defaults to `true`. */ enabled?: pulumi.Input; /** 
@@ -410,20 +380,19 @@ export interface IdentityProviderState { entityId?: pulumi.Input; extraConfig?: pulumi.Input<{[key: string]: pulumi.Input}>; /** - * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. */ firstBrokerLoginFlowAlias?: pulumi.Input; /** - * Require Force Authn. + * Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. */ forceAuthn?: pulumi.Input; /** - * GUI Order + * A number defining the order of this identity provider in the GUI. */ guiOrder?: pulumi.Input; /** - * Hide On Login Page. + * If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. */ hideOnLoginPage?: pulumi.Input; /** @@ -431,8 +400,7 @@ export interface IdentityProviderState { */ internalId?: pulumi.Input; /** - * If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. */ linkOnly?: pulumi.Input; /** 
@@ -440,46 +408,43 @@ export interface IdentityProviderState { */ loginHint?: pulumi.Input; /** - * Name ID Policy Format. + * Specifies the URI reference corresponding to a name identifier format. Defaults to empty. */ nameIdPolicyFormat?: pulumi.Input; /** - * Post Binding Authn Request. + * Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. */ postBindingAuthnRequest?: pulumi.Input; /** - * Post Binding Logout. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. */ postBindingLogout?: pulumi.Input; /** - * Post Binding Response. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. */ postBindingResponse?: pulumi.Input; /** - * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. */ postBrokerLoginFlowAlias?: pulumi.Input; /** - * Principal Attribute + * The principal attribute. */ principalAttribute?: pulumi.Input; /** - * Principal Type + * The principal type. 
Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. */ principalType?: pulumi.Input; /** - * provider id, is always saml, unless you have a custom implementation + * The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. */ providerId?: pulumi.Input; /** - * Realm Name + * The name of the realm. This is unique across Keycloak. */ realm?: pulumi.Input; /** - * Signing Algorithm. + * Signing Algorithm. Defaults to empty. */ signatureAlgorithm?: pulumi.Input; /** @@ -487,23 +452,23 @@ export interface IdentityProviderState { */ signingCertificate?: pulumi.Input; /** - * Logout URL. + * The Url that must be used to send logout requests. */ singleLogoutServiceUrl?: pulumi.Input; /** - * SSO Logout URL. + * The Url that must be used to send authentication requests (SAML AuthnRequest). */ singleSignOnServiceUrl?: pulumi.Input; /** - * Enable/disable if tokens must be stored after authenticating users. + * When `true`, tokens will be stored after authenticating users. Defaults to `true`. */ storeToken?: pulumi.Input; /** - * Sync Mode + * The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. */ syncMode?: pulumi.Input; /** - * If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. */ trustEmail?: pulumi.Input; /** 
@@ -511,15 +476,15 @@ export interface IdentityProviderState { */ validateSignature?: pulumi.Input; /** - * Want Assertions Encrypted. + * Indicates whether this service provider expects an encrypted Assertion. */ wantAssertionsEncrypted?: pulumi.Input; /** - * Want Assertions Signed. + * Indicates whether this service provider expects a signed Assertion. */ wantAssertionsSigned?: pulumi.Input; /** - * Sign Key Transformer. + * The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. */ xmlSignKeyInfoKeyNameTransformer?: pulumi.Input; } 
@@ -529,39 +494,39 @@ export interface IdentityProviderState { */ export interface IdentityProviderArgs { /** - * Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + * When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. */ addReadTokenRoleOnCreate?: pulumi.Input; /** - * The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + * The unique name of identity provider. */ alias: pulumi.Input; /** - * Enable/disable authenticate users by default. + * Authenticate users by default. Defaults to `false`. */ authenticateByDefault?: pulumi.Input; /** - * AuthnContext ClassRefs + * Ordered list of requested AuthnContext ClassRefs. */ authnContextClassRefs?: pulumi.Input[]>; /** - * AuthnContext Comparison + * Specifies the comparison method used to evaluate the requested context classes or statements. */ authnContextComparisonType?: pulumi.Input; /** - * AuthnContext DeclRefs + * Ordered list of requested AuthnContext DeclRefs. */ authnContextDeclRefs?: pulumi.Input[]>; /** - * Does the external IDP support backchannel logout? + * Does the external IDP support backchannel logout?. Defaults to `false`. */ backchannelSupported?: pulumi.Input; /** - * Friendly name for Identity Providers. + * The display name for the realm that is shown when logging in to the admin console. */ displayName?: pulumi.Input; /** - * Enable/disable this identity provider. + * When `false`, users and clients will not be able to access this realm. Defaults to `true`. */ enabled?: pulumi.Input; /** 
@@ -570,25 +535,23 @@ export interface IdentityProviderArgs { entityId: pulumi.Input; extraConfig?: pulumi.Input<{[key: string]: pulumi.Input}>; /** - * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - * that there is not yet existing Keycloak account linked with the authenticated identity provider account. + * Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. */ firstBrokerLoginFlowAlias?: pulumi.Input; /** - * Require Force Authn. + * Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. */ forceAuthn?: pulumi.Input; /** - * GUI Order + * A number defining the order of this identity provider in the GUI. */ guiOrder?: pulumi.Input; /** - * Hide On Login Page. + * If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. */ hideOnLoginPage?: pulumi.Input; /** - * If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - * want to allow login from the provider, but want to integrate with a provider + * When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. */ linkOnly?: pulumi.Input; /** 
@@ -596,46 +559,43 @@ export interface IdentityProviderArgs { */ loginHint?: pulumi.Input; /** - * Name ID Policy Format. + * Specifies the URI reference corresponding to a name identifier format. Defaults to empty. */ nameIdPolicyFormat?: pulumi.Input; /** - * Post Binding Authn Request. + * Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. */ postBindingAuthnRequest?: pulumi.Input; /** - * Post Binding Logout. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. */ postBindingLogout?: pulumi.Input; /** - * Post Binding Response. + * Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. */ postBindingResponse?: pulumi.Input; /** - * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - * additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - * you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - * authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + * Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. */ postBrokerLoginFlowAlias?: pulumi.Input; /** - * Principal Attribute + * The principal attribute. */ principalAttribute?: pulumi.Input; /** - * Principal Type + * The principal type. 
Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. */ principalType?: pulumi.Input; /** - * provider id, is always saml, unless you have a custom implementation + * The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. */ providerId?: pulumi.Input; /** - * Realm Name + * The name of the realm. This is unique across Keycloak. */ realm: pulumi.Input; /** - * Signing Algorithm. + * Signing Algorithm. Defaults to empty. */ signatureAlgorithm?: pulumi.Input; /** @@ -643,23 +603,23 @@ export interface IdentityProviderArgs { */ signingCertificate?: pulumi.Input; /** - * Logout URL. + * The Url that must be used to send logout requests. */ singleLogoutServiceUrl?: pulumi.Input; /** - * SSO Logout URL. + * The Url that must be used to send authentication requests (SAML AuthnRequest). */ singleSignOnServiceUrl: pulumi.Input; /** - * Enable/disable if tokens must be stored after authenticating users. + * When `true`, tokens will be stored after authenticating users. Defaults to `true`. */ storeToken?: pulumi.Input; /** - * Sync Mode + * The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. */ syncMode?: pulumi.Input; /** - * If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + * When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. */ trustEmail?: pulumi.Input; /** 
@@ -667,15 +627,15 @@ export interface IdentityProviderArgs { */ validateSignature?: pulumi.Input; /** - * Want Assertions Encrypted. + * Indicates whether this service provider expects an encrypted Assertion. */ wantAssertionsEncrypted?: pulumi.Input; /** - * Want Assertions Signed. + * Indicates whether this service provider expects a signed Assertion. */ wantAssertionsSigned?: pulumi.Input; /** - * Sign Key Transformer. + * The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. */ xmlSignKeyInfoKeyNameTransformer?: pulumi.Input; } diff --git a/sdk/nodejs/saml/userAttributeProtocolMapper.ts b/sdk/nodejs/saml/userAttributeProtocolMapper.ts index 41b7d4ac..b5c5c0be 100644 --- a/sdk/nodejs/saml/userAttributeProtocolMapper.ts +++ b/sdk/nodejs/saml/userAttributeProtocolMapper.ts @@ -5,17 +5,15 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.saml.UserAttributeProtocolMapper + * Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak. * - * Allows for creating and managing user attribute protocol mappers for - * SAML clients within Keycloak. + * SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute + * in a SAML assertion. * - * SAML user attribute protocol mappers allow you to map custom attributes defined - * for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers - * can be defined for a single client, or they can be defined for a client scope which - * can be shared between multiple different clients. + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; 
@@ -26,12 +24,12 @@ import * as utilities from "../utilities"; * enabled: true, * }); * const samlClient = new keycloak.saml.Client("saml_client", { - * realmId: test.id, - * clientId: "test-saml-client", - * name: "test-saml-client", + * realmId: realm.id, + * clientId: "saml-client", + * name: "saml-client", * }); * const samlUserAttributeMapper = new keycloak.saml.UserAttributeProtocolMapper("saml_user_attribute_mapper", { - * realmId: test.id, + * realmId: realm.id, * clientId: samlClient.id, * name: "displayname-user-attribute-mapper", * userAttribute: "displayName", 
@@ -40,26 +38,25 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The SAML client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The SAML client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `userAttribute` - (Required) The custom user attribute to map. - * - `friendlyName` - (Optional) An optional human-friendly name for this attribute. - * - `samlAttributeName` - (Required) The name of the SAML attribute. - * - `samlAttributeNameFormat` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. - * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class UserAttributeProtocolMapper extends pulumi.CustomResource { /** 
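Review bot: The rewritten Import section adds a bare ` * bash` line between `Example:` and the ```sh fence, which will render as a stray word in the generated docs; either tag the fence itself (```bash) or drop the line. The same stray line appears in the UserPropertyProtocolMapper hunk (L3695) and in the IdentityProvider class comment earlier in this diff. Since this looks like generated SDK output, the fix likely lies in the upstream docs template rather than in this file.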
@@ -89,13 +86,37 @@ export class UserAttributeProtocolMapper extends pulumi.CustomResource { return obj['__pulumiType'] === UserAttributeProtocolMapper.__pulumiType; } + /** + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + */ public readonly clientId!: pulumi.Output; + /** + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + */ public readonly clientScopeId!: pulumi.Output; + /** + * An optional human-friendly name for this attribute. + */ public readonly friendlyName!: pulumi.Output; + /** + * The display name of this protocol mapper in the GUI. + */ public readonly name!: pulumi.Output; + /** + * The realm this protocol mapper exists within. + */ public readonly realmId!: pulumi.Output; + /** + * The name of the SAML attribute. + */ public readonly samlAttributeName!: pulumi.Output; + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + */ public readonly samlAttributeNameFormat!: pulumi.Output; + /** + * The custom user attribute to map. + */ public readonly userAttribute!: pulumi.Output; /** 
@@ -151,13 +172,37 @@ export class UserAttributeProtocolMapper extends pulumi.CustomResource { * Input properties used for looking up and filtering UserAttributeProtocolMapper resources. */ export interface UserAttributeProtocolMapperState { + /** + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + */ clientId?: pulumi.Input; + /** + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + */ clientScopeId?: pulumi.Input; + /** + * An optional human-friendly name for this attribute. + */ friendlyName?: pulumi.Input; + /** + * The display name of this protocol mapper in the GUI. + */ name?: pulumi.Input; + /** + * The realm this protocol mapper exists within. + */ realmId?: pulumi.Input; + /** + * The name of the SAML attribute. + */ samlAttributeName?: pulumi.Input; + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + */ samlAttributeNameFormat?: pulumi.Input; + /** + * The custom user attribute to map. + */ userAttribute?: pulumi.Input; } 
@@ -165,12 +210,36 @@ export interface UserAttributeProtocolMapperState { * The set of arguments for constructing a UserAttributeProtocolMapper resource. */ export interface UserAttributeProtocolMapperArgs { + /** + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + */ clientId?: pulumi.Input; + /** + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + */ clientScopeId?: pulumi.Input; + /** + * An optional human-friendly name for this attribute. + */ friendlyName?: pulumi.Input; + /** + * The display name of this protocol mapper in the GUI. + */ name?: pulumi.Input; + /** + * The realm this protocol mapper exists within. + */ realmId: pulumi.Input; + /** + * The name of the SAML attribute. + */ samlAttributeName: pulumi.Input; + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + */ samlAttributeNameFormat: pulumi.Input; + /** + * The custom user attribute to map. + */ userAttribute: pulumi.Input; } diff --git a/sdk/nodejs/saml/userPropertyProtocolMapper.ts b/sdk/nodejs/saml/userPropertyProtocolMapper.ts index be74d276..c3ab5f89 100644 --- a/sdk/nodejs/saml/userPropertyProtocolMapper.ts +++ b/sdk/nodejs/saml/userPropertyProtocolMapper.ts 
@@ -5,17 +5,15 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## # keycloak.saml.UserPropertyProtocolMapper - * - * Allows for creating and managing user property protocol mappers for - * SAML clients within Keycloak. + * Allows for creating and managing user property protocol mappers for SAML clients within Keycloak. * * SAML user property protocol mappers allow you to map properties of the Keycloak - * user model to an attribute in a SAML assertion. Protocol mappers - * can be defined for a single client, or they can be defined for a client scope which - * can be shared between multiple different clients. + * user model to an attribute in a SAML assertion. + * + * Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + * multiple different clients. * - * ### Example Usage (Client) + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -26,12 +24,12 @@ import * as utilities from "../utilities"; * enabled: true, * }); * const samlClient = new keycloak.saml.Client("saml_client", { - * realmId: test.id, - * clientId: "test-saml-client", - * name: "test-saml-client", + * realmId: realm.id, + * clientId: "saml-client", + * name: "saml-client", * }); * const samlUserPropertyMapper = new keycloak.saml.UserPropertyProtocolMapper("saml_user_property_mapper", { - * realmId: test.id, + * realmId: realm.id, * clientId: samlClient.id, * name: "email-user-property-mapper", * userProperty: "email", 
@@ -40,26 +38,25 @@ import * as utilities from "../utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: - * - * - `realmId` - (Required) The realm this protocol mapper exists within. - * - `clientId` - (Required if `clientScopeId` is not specified) The SAML client this protocol mapper is attached to. - * - `clientScopeId` - (Required if `clientId` is not specified) The SAML client scope this protocol mapper is attached to. - * - `name` - (Required) The display name of this protocol mapper in the GUI. - * - `userProperty` - (Required) The property of the Keycloak user model to map. - * - `friendlyName` - (Optional) An optional human-friendly name for this attribute. - * - `samlAttributeName` - (Required) The name of the SAML attribute. - * - `samlAttributeNameFormat` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. - * - * ### Import + * ## Import * * Protocol mappers can be imported using one of the following formats: + * * - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + * * - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` */ export class UserPropertyProtocolMapper extends pulumi.CustomResource { /** 
@@ -89,13 +86,37 @@ export class UserPropertyProtocolMapper extends pulumi.CustomResource { return obj['__pulumiType'] === UserPropertyProtocolMapper.__pulumiType; } + /** + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + */ public readonly clientId!: pulumi.Output; + /** + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + */ public readonly clientScopeId!: pulumi.Output; + /** + * An optional human-friendly name for this attribute. + */ public readonly friendlyName!: pulumi.Output; + /** + * The display name of this protocol mapper in the GUI. + */ public readonly name!: pulumi.Output; + /** + * The realm this protocol mapper exists within. + */ public readonly realmId!: pulumi.Output; + /** + * The name of the SAML attribute. + */ public readonly samlAttributeName!: pulumi.Output; + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + */ public readonly samlAttributeNameFormat!: pulumi.Output; + /** + * The property of the Keycloak user model to map. + */ public readonly userProperty!: pulumi.Output; /** 
@@ -151,13 +172,37 @@ export class UserPropertyProtocolMapper extends pulumi.CustomResource { * Input properties used for looking up and filtering UserPropertyProtocolMapper resources. */ export interface UserPropertyProtocolMapperState { + /** + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + */ clientId?: pulumi.Input; + /** + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + */ clientScopeId?: pulumi.Input; + /** + * An optional human-friendly name for this attribute. + */ friendlyName?: pulumi.Input; + /** + * The display name of this protocol mapper in the GUI. + */ name?: pulumi.Input; + /** + * The realm this protocol mapper exists within. + */ realmId?: pulumi.Input; + /** + * The name of the SAML attribute. + */ samlAttributeName?: pulumi.Input; + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + */ samlAttributeNameFormat?: pulumi.Input; + /** + * The property of the Keycloak user model to map. + */ userProperty?: pulumi.Input; } 
@@ -165,12 +210,36 @@ export interface UserPropertyProtocolMapperState { * The set of arguments for constructing a UserPropertyProtocolMapper resource. */ export interface UserPropertyProtocolMapperArgs { + /** + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + */ clientId?: pulumi.Input; + /** + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + */ clientScopeId?: pulumi.Input; + /** + * An optional human-friendly name for this attribute. + */ friendlyName?: pulumi.Input; + /** + * The display name of this protocol mapper in the GUI. + */ name?: pulumi.Input; + /** + * The realm this protocol mapper exists within. + */ realmId: pulumi.Input; + /** + * The name of the SAML attribute. + */ samlAttributeName: pulumi.Input; + /** + * The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + */ samlAttributeNameFormat: pulumi.Input; + /** + * The property of the Keycloak user model to map. + */ userProperty: pulumi.Input; } diff --git a/sdk/nodejs/types/input.ts b/sdk/nodejs/types/input.ts index cea1d701..f2f20440 100644 --- a/sdk/nodejs/types/input.ts +++ b/sdk/nodejs/types/input.ts 
@@ -264,21 +264,39 @@ export interface GroupPermissionsViewScope { } export interface RealmInternationalization { + /** + * The locale to use by default. This locale code must be present within the `supportedLocales` list. + */ defaultLocale: pulumi.Input; + /** + * A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + */ supportedLocales: pulumi.Input[]>; } export interface RealmOtpPolicy { /** - * What hashing algorithm should be used to generate the OTP. + * What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. */ algorithm?: pulumi.Input; + /** + * How many digits the OTP have. Defaults to `6`. + */ digits?: pulumi.Input; + /** + * What should the initial counter value be. Defaults to `2`. + */ initialCounter?: pulumi.Input; + /** + * How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + */ lookAheadWindow?: pulumi.Input; + /** + * How many seconds should an OTP token be valid. Defaults to `30`. + */ period?: pulumi.Input; /** - * OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + * One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. */ type?: pulumi.Input; } 
@@ -289,41 +307,120 @@ export interface RealmSecurityDefenses { } export interface RealmSecurityDefensesBruteForceDetection { + /** + * When will failure count be reset? + */ failureResetTimeSeconds?: pulumi.Input; maxFailureWaitSeconds?: pulumi.Input; + /** + * How many failures before wait is triggered. + */ maxLoginFailures?: pulumi.Input; + /** + * How long to wait after a quick login failure. + * - `maxFailureWaitSeconds ` - (Optional) Max. time a user will be locked out. + */ minimumQuickLoginWaitSeconds?: pulumi.Input; + /** + * When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + */ permanentLockout?: pulumi.Input; + /** + * Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + */ quickLoginCheckMilliSeconds?: pulumi.Input; + /** + * This represents the amount of time a user should be locked out when the login failure threshold has been met. + */ waitIncrementSeconds?: pulumi.Input; } export interface RealmSecurityDefensesHeaders { + /** + * Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + */ contentSecurityPolicy?: pulumi.Input; + /** + * Used for testing Content Security Policies. + */ contentSecurityPolicyReportOnly?: pulumi.Input; + /** + * The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + */ referrerPolicy?: pulumi.Input; + /** + * The Script-Transport-Security HTTP header tells browsers to always use HTTPS. 
+ */ strictTransportSecurity?: pulumi.Input; + /** + * Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + */ xContentTypeOptions?: pulumi.Input; + /** + * Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + */ xFrameOptions?: pulumi.Input; + /** + * Prevent pages from appearing in search engines. + */ xRobotsTag?: pulumi.Input; + /** + * This header configures the Cross-site scripting (XSS) filter in your browser. + */ xXssProtection?: pulumi.Input; } export interface RealmSmtpServer { + /** + * Enables authentication to the SMTP server. This block supports the following arguments: + */ auth?: pulumi.Input; + /** + * The email address uses for bounces. + */ envelopeFrom?: pulumi.Input; + /** + * The email address for the sender. + */ from: pulumi.Input; + /** + * The display name of the sender email address. + */ fromDisplayName?: pulumi.Input; + /** + * The host of the SMTP server. + */ host: pulumi.Input; + /** + * The port of the SMTP server (defaults to 25). + */ port?: pulumi.Input; + /** + * The "reply to" email address. + */ replyTo?: pulumi.Input; + /** + * The display name of the "reply to" email address. + */ replyToDisplayName?: pulumi.Input; + /** + * When `true`, enables SSL. Defaults to `false`. + */ ssl?: pulumi.Input; + /** + * When `true`, enables StartTLS. Defaults to `false`. + */ starttls?: pulumi.Input; } export interface RealmSmtpServerAuth { + /** + * The SMTP server password. + */ password: pulumi.Input; + /** + * The SMTP server username. + */ username: pulumi.Input; } @@ -393,6 +490,9 @@ export interface RealmUserProfileGroup { } export interface RealmWebAuthnPasswordlessPolicy { + /** + * A set of AAGUIDs for which an authenticator can be registered. + */ acceptableAaguids?: pulumi.Input[]>; /** * Either none, indirect or direct 
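Review bot: The `strictTransportSecurity` doc comment that ends at the start of this line names the header `Script-Transport-Security`; the real header is `Strict-Transport-Security`, and a misnamed header in security-defense docs invites a misconfigured realm, so change it to ` * The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.`. In the brute-force block on the previous line, `maxFailureWaitSeconds` gets no comment of its own while its description ("Max. time a user will be locked out") is embedded in the `minimumQuickLoginWaitSeconds` comment; move it to its own `/** Max. time a user will be locked out. */` directly above `maxFailureWaitSeconds`. The `contentSecurityPolicy` text only mentions framing, and `xXssProtection` could carry the caveat that current browsers ignore `X-XSS-Protection`, so neither comment should read as the whole protection story. These SDK files look generated from the provider schema, so the corrections most likely belong upstream in the docs that feed it.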
@@ -402,9 +502,21 @@ export interface RealmWebAuthnPasswordlessPolicy { * Either platform or cross-platform */ authenticatorAttachment?: pulumi.Input; + /** + * When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + */ avoidSameAuthenticatorRegister?: pulumi.Input; + /** + * The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + */ createTimeout?: pulumi.Input; + /** + * A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + */ relyingPartyEntityName?: pulumi.Input; + /** + * The WebAuthn relying party ID. + */ relyingPartyId?: pulumi.Input; /** * Either Yes or No @@ -421,6 +533,9 @@ export interface RealmWebAuthnPasswordlessPolicy { } export interface RealmWebAuthnPolicy { + /** + * A set of AAGUIDs for which an authenticator can be registered. + */ acceptableAaguids?: pulumi.Input[]>; /** * Either none, indirect or direct @@ -430,9 +545,21 @@ export interface RealmWebAuthnPolicy { * Either platform or cross-platform */ authenticatorAttachment?: pulumi.Input; + /** + * When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + */ avoidSameAuthenticatorRegister?: pulumi.Input; + /** + * The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + */ createTimeout?: pulumi.Input; + /** + * A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + */ relyingPartyEntityName?: pulumi.Input; + /** + * The WebAuthn relying party ID. + */ relyingPartyId?: pulumi.Input; /** * Either Yes or No 
@@ -449,13 +576,28 @@ export interface RealmWebAuthnPolicy { } export interface UserFederatedIdentity { + /** + * The name of the identity provider + */ identityProvider: pulumi.Input; + /** + * The ID of the user defined in the identity provider + */ userId: pulumi.Input; + /** + * The user name of the user defined in the identity provider + */ userName: pulumi.Input; } export interface UserInitialPassword { + /** + * If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + */ temporary?: pulumi.Input; + /** + * The initial password. + */ value: pulumi.Input; } @@ -497,7 +639,7 @@ export interface UsersPermissionsViewScope { export namespace ldap { export interface UserFederationCache { /** - * Day of the week the entry will become invalid on. + * Day of the week the entry will become invalid on */ evictionDay?: pulumi.Input; /** @@ -512,12 +654,15 @@ export namespace ldap { * Max lifespan of cache entry (duration string). */ maxLifespan?: pulumi.Input; + /** + * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + */ policy?: pulumi.Input; } export interface UserFederationKerberos { /** - * The name of the kerberos realm, e.g. FOO.LOCAL + * The name of the kerberos realm, e.g. FOO.LOCAL. */ kerberosRealm: pulumi.Input; /** 
@@ -537,14 +682,32 @@ export namespace ldap { export namespace openid { export interface ClientAuthenticationFlowBindingOverrides { + /** + * Browser flow id, (flow needs to exist) + */ browserId?: pulumi.Input; + /** + * Direct grant flow id (flow needs to exist) + */ directGrantId?: pulumi.Input; } export interface ClientAuthorization { + /** + * When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + */ allowRemoteResourceManagement?: pulumi.Input; + /** + * Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + */ decisionStrategy?: pulumi.Input; + /** + * When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + */ keepDefaults?: pulumi.Input; + /** + * Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + */ policyEnforcementMode: pulumi.Input; } @@ -605,7 +768,13 @@ export namespace openid { export namespace saml { export interface ClientAuthenticationFlowBindingOverrides { + /** + * Browser flow id, (flow needs to exist) + */ browserId?: pulumi.Input; + /** + * Direct grant flow id (flow needs to exist) + */ directGrantId?: pulumi.Input; } diff --git a/sdk/nodejs/types/output.ts b/sdk/nodejs/types/output.ts index 20ca642a..f088b39e 100644 --- a/sdk/nodejs/types/output.ts +++ b/sdk/nodejs/types/output.ts 
@@ -19,13 +19,37 @@ export interface GetRealmInternationalization { } export interface GetRealmKeysKey { + /** + * Key algorithm (string) + */ algorithm: string; + /** + * Key certificate (string) + */ certificate: string; + /** + * Key ID (string) + */ kid: string; + /** + * Key provider ID (string) + */ providerId: string; + /** + * Key provider priority (int64) + */ providerPriority: number; + /** + * Key public key (string) + */ publicKey: string; + /** + * When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + */ status: string; + /** + * Key type (string) + */ type: string; } 
@@ -169,21 +193,39 @@ export interface GroupPermissionsViewScope { } export interface RealmInternationalization { + /** + * The locale to use by default. This locale code must be present within the `supportedLocales` list. + */ defaultLocale: string; + /** + * A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + */ supportedLocales: string[]; } export interface RealmOtpPolicy { /** - * What hashing algorithm should be used to generate the OTP. + * What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. */ algorithm?: string; + /** + * How many digits the OTP have. Defaults to `6`. + */ digits?: number; + /** + * What should the initial counter value be. Defaults to `2`. + */ initialCounter?: number; + /** + * How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + */ lookAheadWindow?: number; + /** + * How many seconds should an OTP token be valid. Defaults to `30`. + */ period?: number; /** - * OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + * One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. */ type?: string; } 
@@ -194,41 +236,120 @@ export interface RealmSecurityDefenses { } export interface RealmSecurityDefensesBruteForceDetection { + /** + * When will failure count be reset? + */ failureResetTimeSeconds?: number; maxFailureWaitSeconds?: number; + /** + * How many failures before wait is triggered. + */ maxLoginFailures?: number; + /** + * How long to wait after a quick login failure. + * - `maxFailureWaitSeconds ` - (Optional) Max. time a user will be locked out. + */ minimumQuickLoginWaitSeconds?: number; + /** + * When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + */ permanentLockout?: boolean; + /** + * Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + */ quickLoginCheckMilliSeconds?: number; + /** + * This represents the amount of time a user should be locked out when the login failure threshold has been met. + */ waitIncrementSeconds?: number; } export interface RealmSecurityDefensesHeaders { + /** + * Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + */ contentSecurityPolicy?: string; + /** + * Used for testing Content Security Policies. + */ contentSecurityPolicyReportOnly?: string; + /** + * The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + */ referrerPolicy?: string; + /** + * The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + */ strictTransportSecurity?: string; + /** + * Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + */ xContentTypeOptions?: string; + /** + * Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. 
More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + */ xFrameOptions?: string; + /** + * Prevent pages from appearing in search engines. + */ xRobotsTag?: string; + /** + * This header configures the Cross-site scripting (XSS) filter in your browser. + */ xXssProtection?: string; } export interface RealmSmtpServer { + /** + * Enables authentication to the SMTP server. This block supports the following arguments: + */ auth?: outputs.RealmSmtpServerAuth; + /** + * The email address uses for bounces. + */ envelopeFrom?: string; + /** + * The email address for the sender. + */ from: string; + /** + * The display name of the sender email address. + */ fromDisplayName?: string; + /** + * The host of the SMTP server. + */ host: string; + /** + * The port of the SMTP server (defaults to 25). + */ port?: string; + /** + * The "reply to" email address. + */ replyTo?: string; + /** + * The display name of the "reply to" email address. + */ replyToDisplayName?: string; + /** + * When `true`, enables SSL. Defaults to `false`. + */ ssl?: boolean; + /** + * When `true`, enables StartTLS. Defaults to `false`. + */ starttls?: boolean; } export interface RealmSmtpServerAuth { + /** + * The SMTP server password. + */ password: string; + /** + * The SMTP server username. + */ username: string; } @@ -298,6 +419,9 @@ export interface RealmUserProfileGroup { } export interface RealmWebAuthnPasswordlessPolicy { + /** + * A set of AAGUIDs for which an authenticator can be registered. + */ acceptableAaguids?: string[]; /** * Either none, indirect or direct 
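Review bot: The `RealmSmtpServerAuth.password` comment in this hunk says only `The SMTP server password.`, with nothing marking it as sensitive; the value is a realm credential that presumably lands in Pulumi state, so the comment should say so, e.g. `The SMTP server password. Sensitive: supply it as a secret (pulumi.secret / encrypted config) so it is not stored in plain text in state.`. Whether the provider schema already flags this property as secret is not visible here, so confirm that before settling the wording. The `Script-Transport-Security` misspelling in `RealmSecurityDefensesHeaders` and the `maxFailureWaitSeconds` description misplaced inside the `minimumQuickLoginWaitSeconds` comment of `RealmSecurityDefensesBruteForceDetection` are repeated on this output side and should be fixed at the same source.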
@@ -307,9 +431,21 @@ export interface RealmWebAuthnPasswordlessPolicy { * Either platform or cross-platform */ authenticatorAttachment?: string; + /** + * When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + */ avoidSameAuthenticatorRegister?: boolean; + /** + * The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + */ createTimeout?: number; + /** + * A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + */ relyingPartyEntityName?: string; + /** + * The WebAuthn relying party ID. + */ relyingPartyId?: string; /** * Either Yes or No @@ -326,6 +462,9 @@ export interface RealmWebAuthnPasswordlessPolicy { } export interface RealmWebAuthnPolicy { + /** + * A set of AAGUIDs for which an authenticator can be registered. + */ acceptableAaguids?: string[]; /** * Either none, indirect or direct @@ -335,9 +474,21 @@ export interface RealmWebAuthnPolicy { * Either platform or cross-platform */ authenticatorAttachment?: string; + /** + * When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + */ avoidSameAuthenticatorRegister?: boolean; + /** + * The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + */ createTimeout?: number; + /** + * A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + */ relyingPartyEntityName?: string; + /** + * The WebAuthn relying party ID. + */ relyingPartyId?: string; /** * Either Yes or No 
@@ -354,13 +505,28 @@ export interface RealmWebAuthnPolicy { } export interface UserFederatedIdentity { + /** + * The name of the identity provider + */ identityProvider: string; + /** + * The ID of the user defined in the identity provider + */ userId: string; + /** + * The user name of the user defined in the identity provider + */ userName: string; } export interface UserInitialPassword { + /** + * If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + */ temporary?: boolean; + /** + * The initial password. + */ value: string; } @@ -403,7 +569,7 @@ export interface UsersPermissionsViewScope { export namespace ldap { export interface UserFederationCache { /** - * Day of the week the entry will become invalid on. + * Day of the week the entry will become invalid on */ evictionDay?: number; /** @@ -418,12 +584,15 @@ export namespace ldap { * Max lifespan of cache entry (duration string). */ maxLifespan?: string; + /** + * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + */ policy?: string; } export interface UserFederationKerberos { /** - * The name of the kerberos realm, e.g. FOO.LOCAL + * The name of the kerberos realm, e.g. FOO.LOCAL. */ kerberosRealm: string; /** 
@@ -444,14 +613,32 @@ export namespace ldap { export namespace openid { export interface ClientAuthenticationFlowBindingOverrides { + /** + * Browser flow id, (flow needs to exist) + */ browserId?: string; + /** + * Direct grant flow id (flow needs to exist) + */ directGrantId?: string; } export interface ClientAuthorization { + /** + * When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + */ allowRemoteResourceManagement?: boolean; + /** + * Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + */ decisionStrategy?: string; + /** + * When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + */ keepDefaults?: boolean; + /** + * Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + */ policyEnforcementMode: string; } @@ -530,7 +717,13 @@ export namespace openid { export namespace saml { export interface ClientAuthenticationFlowBindingOverrides { + /** + * Browser flow id, (flow needs to exist) + */ browserId?: string; + /** + * Direct grant flow id (flow needs to exist) + */ directGrantId?: string; } diff --git a/sdk/nodejs/user.ts b/sdk/nodejs/user.ts index 4f3092c5..ea6492db 100644 --- a/sdk/nodejs/user.ts +++ b/sdk/nodejs/user.ts 
@@ -7,15 +7,13 @@ import * as outputs from "./types/output"; import * as utilities from "./utilities"; /** - * ## # keycloak.User - * * Allows for creating and managing Users within Keycloak. * - * This resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource. - * Creating users within Keycloak is not recommended. Instead, users should be federated from external sources - * by configuring user federation providers or identity providers. + * This resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource. Creating users within + * Keycloak is not recommended. Instead, users should be federated from external sources by configuring user federation providers + * or identity providers. * - * ### Example Usage + * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; @@ -40,6 +38,10 @@ import * as utilities from "./utilities"; * email: "alice@domain.com", * firstName: "Alice", * lastName: "Aliceberg", + * attributes: { + * foo: "bar", + * multivalue: "value1##value2", + * }, * initialPassword: { * value: "some password", * temporary: true, 
@@ -47,27 +49,19 @@ import * as utilities from "./utilities"; * }); * ``` * - * ### Argument Reference - * - * The following arguments are supported: + * ## Import * - * - `realmId` - (Required) The realm this user belongs to. - * - `username` - (Required) The unique username of this user. - * - `initialPassword` (Optional) When given, the user's initial password will be set. - * This attribute is only respected during initial user creation. - * - `value` (Required) The initial password. - * - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. - * - `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. - * - `email` - (Optional) The user's email. - * - `firstName` - (Optional) The user's first name. - * - `lastName` - (Optional) The user's last name. + * Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak * - * ### Import - * - * Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `userId` is the unique ID that Keycloak * assigns to the user upon creation. This value can be found in the GUI when editing the user. * * Example: + * + * bash + * + * ```sh + * $ pulumi import keycloak:index/user:User user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 + * ``` */ export class User extends pulumi.CustomResource { /** 
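Review bot: The import paragraph on the new side is split mid-sentence: the line ending `...the unique ID that Keycloak` is followed by an empty ` * ` line before ` * assigns to the user upon creation.`, so the rendered docs show a dangling fragment; remove that blank comment line so the sentence reads as one paragraph. The stray ` * bash` line placed before the fenced ```sh block renders as literal text and looks like a leftover of the doc conversion; drop it as well. The enclosing doc comment begins before this hunk.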
@@ -97,16 +91,49 @@ export class User extends pulumi.CustomResource { return obj['__pulumiType'] === User.__pulumiType; } + /** + * A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + */ public readonly attributes!: pulumi.Output<{[key: string]: string} | undefined>; + /** + * The user's email. + */ public readonly email!: pulumi.Output; + /** + * Whether the email address was validated or not. Default to `false`. + */ public readonly emailVerified!: pulumi.Output; + /** + * When false, this user cannot log in. Defaults to `true`. + */ public readonly enabled!: pulumi.Output; + /** + * When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + */ public readonly federatedIdentities!: pulumi.Output; + /** + * The user's first name. + */ public readonly firstName!: pulumi.Output; + /** + * When given, the user's initial password will be set. This attribute is only respected during initial user creation. + */ public readonly initialPassword!: pulumi.Output; + /** + * The user's last name. + */ public readonly lastName!: pulumi.Output; + /** + * The realm this user belongs to. + */ public readonly realmId!: pulumi.Output; + /** + * A list of required user actions. + */ public readonly requiredActions!: pulumi.Output; + /** + * The unique username of this user. + */ public readonly username!: pulumi.Output; /** 
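Review bot: The `initialPassword` field comment in this hunk says when the password is applied but not that it is a credential; add `Treat the value as a secret (e.g. pulumi.secret) so it is not written in plain text to state.` so callers do not copy the literal-password pattern from the example above. The `attributes` comment misspells `seperate`; it should read `use \`##\` to separate the values`. The `emailVerified` comment could note that setting it to `true` presumably skips Keycloak's own verification step for the account, which is a trust decision the caller is making deliberately. Since this file looks generated, these corrections belong in the schema or upstream docs rather than a hand edit here.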
@@ -162,16 +189,49 @@ export class User extends pulumi.CustomResource { * Input properties used for looking up and filtering User resources. */ export interface UserState { + /** + * A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + */ attributes?: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * The user's email. + */ email?: pulumi.Input; + /** + * Whether the email address was validated or not. Default to `false`. + */ emailVerified?: pulumi.Input; + /** + * When false, this user cannot log in. Defaults to `true`. + */ enabled?: pulumi.Input; + /** + * When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + */ federatedIdentities?: pulumi.Input[]>; + /** + * The user's first name. + */ firstName?: pulumi.Input; + /** + * When given, the user's initial password will be set. This attribute is only respected during initial user creation. + */ initialPassword?: pulumi.Input; + /** + * The user's last name. + */ lastName?: pulumi.Input; + /** + * The realm this user belongs to. + */ realmId?: pulumi.Input; + /** + * A list of required user actions. + */ requiredActions?: pulumi.Input[]>; + /** + * The unique username of this user. + */ username?: pulumi.Input; } 
@@ -179,15 +239,48 @@ export interface UserState { * The set of arguments for constructing a User resource. */ export interface UserArgs { + /** + * A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + */ attributes?: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * The user's email. + */ email?: pulumi.Input; + /** + * Whether the email address was validated or not. Default to `false`. + */ emailVerified?: pulumi.Input; + /** + * When false, this user cannot log in. Defaults to `true`. + */ enabled?: pulumi.Input; + /** + * When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + */ federatedIdentities?: pulumi.Input[]>; + /** + * The user's first name. + */ firstName?: pulumi.Input; + /** + * When given, the user's initial password will be set. This attribute is only respected during initial user creation. + */ initialPassword?: pulumi.Input; + /** + * The user's last name. + */ lastName?: pulumi.Input; + /** + * The realm this user belongs to. + */ realmId: pulumi.Input; + /** + * A list of required user actions. + */ requiredActions?: pulumi.Input[]>; + /** + * The unique username of this user. + */ username: pulumi.Input; } diff --git a/sdk/python/pulumi_keycloak/_inputs.py b/sdk/python/pulumi_keycloak/_inputs.py index 28f35417..17a9f047 100644 --- a/sdk/python/pulumi_keycloak/_inputs.py +++ b/sdk/python/pulumi_keycloak/_inputs.py 
@@ -337,7 +337,13 @@ def policies(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): if not MYPY: class RealmInternationalizationArgsDict(TypedDict): default_locale: pulumi.Input[str] + """ + The locale to use by default. This locale code must be present within the `supported_locales` list. + """ supported_locales: pulumi.Input[Sequence[pulumi.Input[str]]] + """ + A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + """ elif False: RealmInternationalizationArgsDict: TypeAlias = Mapping[str, Any] @@ -346,12 +352,19 @@ class RealmInternationalizationArgs: def __init__(__self__, *, default_locale: pulumi.Input[str], supported_locales: pulumi.Input[Sequence[pulumi.Input[str]]]): + """ + :param pulumi.Input[str] default_locale: The locale to use by default. This locale code must be present within the `supported_locales` list. + :param pulumi.Input[Sequence[pulumi.Input[str]]] supported_locales: A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + """ pulumi.set(__self__, "default_locale", default_locale) pulumi.set(__self__, "supported_locales", supported_locales) @property @pulumi.getter(name="defaultLocale") def default_locale(self) -> pulumi.Input[str]: + """ + The locale to use by default. This locale code must be present within the `supported_locales` list. + """ return pulumi.get(self, "default_locale") @default_locale.setter @@ -361,6 +374,9 @@ def default_locale(self, value: pulumi.Input[str]): @property @pulumi.getter(name="supportedLocales") def supported_locales(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]: + """ + A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + """ return pulumi.get(self, "supported_locales") @supported_locales.setter 
@@ -372,15 +388,27 @@ def supported_locales(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]): class RealmOtpPolicyArgsDict(TypedDict): algorithm: NotRequired[pulumi.Input[str]] """ - What hashing algorithm should be used to generate the OTP. + What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. """ digits: NotRequired[pulumi.Input[int]] + """ + How many digits the OTP have. Defaults to `6`. + """ initial_counter: NotRequired[pulumi.Input[int]] + """ + What should the initial counter value be. Defaults to `2`. + """ look_ahead_window: NotRequired[pulumi.Input[int]] + """ + How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + """ period: NotRequired[pulumi.Input[int]] + """ + How many seconds should an OTP token be valid. Defaults to `30`. + """ type: NotRequired[pulumi.Input[str]] """ - OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. """ elif False: RealmOtpPolicyArgsDict: TypeAlias = Mapping[str, Any] 
@@ -395,8 +423,12 @@ def __init__(__self__, *, period: Optional[pulumi.Input[int]] = None, type: Optional[pulumi.Input[str]] = None): """ - :param pulumi.Input[str] algorithm: What hashing algorithm should be used to generate the OTP. - :param pulumi.Input[str] type: OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + :param pulumi.Input[str] algorithm: What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. + :param pulumi.Input[int] digits: How many digits the OTP have. Defaults to `6`. + :param pulumi.Input[int] initial_counter: What should the initial counter value be. Defaults to `2`. + :param pulumi.Input[int] look_ahead_window: How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + :param pulumi.Input[int] period: How many seconds should an OTP token be valid. Defaults to `30`. + :param pulumi.Input[str] type: One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. """ if algorithm is not None: pulumi.set(__self__, "algorithm", algorithm) @@ -415,7 +447,7 @@ def __init__(__self__, *, @pulumi.getter def algorithm(self) -> Optional[pulumi.Input[str]]: """ - What hashing algorithm should be used to generate the OTP. + What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. """ return pulumi.get(self, "algorithm") @@ -426,6 +458,9 @@ def algorithm(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def digits(self) -> Optional[pulumi.Input[int]]: + """ + How many digits the OTP have. Defaults to `6`. + """ return pulumi.get(self, "digits") @digits.setter 
@@ -435,6 +470,9 @@ def digits(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="initialCounter") def initial_counter(self) -> Optional[pulumi.Input[int]]: + """ + What should the initial counter value be. Defaults to `2`. + """ return pulumi.get(self, "initial_counter") @initial_counter.setter @@ -444,6 +482,9 @@ def initial_counter(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="lookAheadWindow") def look_ahead_window(self) -> Optional[pulumi.Input[int]]: + """ + How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + """ return pulumi.get(self, "look_ahead_window") @look_ahead_window.setter @@ -453,6 +494,9 @@ def look_ahead_window(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter def period(self) -> Optional[pulumi.Input[int]]: + """ + How many seconds should an OTP token be valid. Defaults to `30`. + """ return pulumi.get(self, "period") @period.setter @@ -463,7 +507,7 @@ def period(self, value: Optional[pulumi.Input[int]]): @pulumi.getter def type(self) -> Optional[pulumi.Input[str]]: """ - OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. """ return pulumi.get(self, "type") 
@@ -511,12 +555,31 @@ def headers(self, value: Optional[pulumi.Input['RealmSecurityDefensesHeadersArgs if not MYPY: class RealmSecurityDefensesBruteForceDetectionArgsDict(TypedDict): failure_reset_time_seconds: NotRequired[pulumi.Input[int]] + """ + When will failure count be reset? + """ max_failure_wait_seconds: NotRequired[pulumi.Input[int]] max_login_failures: NotRequired[pulumi.Input[int]] + """ + How many failures before wait is triggered. + """ minimum_quick_login_wait_seconds: NotRequired[pulumi.Input[int]] + """ + How long to wait after a quick login failure. + - `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + """ permanent_lockout: NotRequired[pulumi.Input[bool]] + """ + When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + """ quick_login_check_milli_seconds: NotRequired[pulumi.Input[int]] + """ + Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + """ wait_increment_seconds: NotRequired[pulumi.Input[int]] + """ + This represents the amount of time a user should be locked out when the login failure threshold has been met. + """ elif False: RealmSecurityDefensesBruteForceDetectionArgsDict: TypeAlias = Mapping[str, Any] 
@@ -530,6 +593,15 @@ def __init__(__self__, *, permanent_lockout: Optional[pulumi.Input[bool]] = None, quick_login_check_milli_seconds: Optional[pulumi.Input[int]] = None, wait_increment_seconds: Optional[pulumi.Input[int]] = None): + """ + :param pulumi.Input[int] failure_reset_time_seconds: When will failure count be reset? + :param pulumi.Input[int] max_login_failures: How many failures before wait is triggered. + :param pulumi.Input[int] minimum_quick_login_wait_seconds: How long to wait after a quick login failure. + - `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + :param pulumi.Input[bool] permanent_lockout: When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + :param pulumi.Input[int] quick_login_check_milli_seconds: Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + :param pulumi.Input[int] wait_increment_seconds: This represents the amount of time a user should be locked out when the login failure threshold has been met. + """ if failure_reset_time_seconds is not None: pulumi.set(__self__, "failure_reset_time_seconds", failure_reset_time_seconds) if max_failure_wait_seconds is not None: @@ -548,6 +620,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="failureResetTimeSeconds") def failure_reset_time_seconds(self) -> Optional[pulumi.Input[int]]: + """ + When will failure count be reset? + """ return pulumi.get(self, "failure_reset_time_seconds") @failure_reset_time_seconds.setter @@ -566,6 +641,9 @@ def max_failure_wait_seconds(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="maxLoginFailures") def max_login_failures(self) -> Optional[pulumi.Input[int]]: + """ + How many failures before wait is triggered. + """ return pulumi.get(self, "max_login_failures") @max_login_failures.setter 
@@ -575,6 +653,10 @@ def max_login_failures(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="minimumQuickLoginWaitSeconds") def minimum_quick_login_wait_seconds(self) -> Optional[pulumi.Input[int]]: + """ + How long to wait after a quick login failure. + - `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + """ return pulumi.get(self, "minimum_quick_login_wait_seconds") @minimum_quick_login_wait_seconds.setter @@ -584,6 +666,9 @@ def minimum_quick_login_wait_seconds(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="permanentLockout") def permanent_lockout(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + """ return pulumi.get(self, "permanent_lockout") @permanent_lockout.setter @@ -593,6 +678,9 @@ def permanent_lockout(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="quickLoginCheckMilliSeconds") def quick_login_check_milli_seconds(self) -> Optional[pulumi.Input[int]]: + """ + Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + """ return pulumi.get(self, "quick_login_check_milli_seconds") @quick_login_check_milli_seconds.setter @@ -602,6 +690,9 @@ def quick_login_check_milli_seconds(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="waitIncrementSeconds") def wait_increment_seconds(self) -> Optional[pulumi.Input[int]]: + """ + This represents the amount of time a user should be locked out when the login failure threshold has been met. + """ return pulumi.get(self, "wait_increment_seconds") @wait_increment_seconds.setter 
@@ -612,13 +703,37 @@ def wait_increment_seconds(self, value: Optional[pulumi.Input[int]]): if not MYPY: class RealmSecurityDefensesHeadersArgsDict(TypedDict): content_security_policy: NotRequired[pulumi.Input[str]] + """ + Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + """ content_security_policy_report_only: NotRequired[pulumi.Input[str]] + """ + Used for testing Content Security Policies. + """ referrer_policy: NotRequired[pulumi.Input[str]] + """ + The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + """ strict_transport_security: NotRequired[pulumi.Input[str]] + """ + The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + """ x_content_type_options: NotRequired[pulumi.Input[str]] + """ + Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + """ x_frame_options: NotRequired[pulumi.Input[str]] + """ + Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + """ x_robots_tag: NotRequired[pulumi.Input[str]] + """ + Prevent pages from appearing in search engines. + """ x_xss_protection: NotRequired[pulumi.Input[str]] + """ + This header configures the Cross-site scripting (XSS) filter in your browser. + """ elif False: RealmSecurityDefensesHeadersArgsDict: TypeAlias = Mapping[str, Any] 
@@ -633,6 +748,16 @@ def __init__(__self__, *, x_frame_options: Optional[pulumi.Input[str]] = None, x_robots_tag: Optional[pulumi.Input[str]] = None, x_xss_protection: Optional[pulumi.Input[str]] = None): + """ + :param pulumi.Input[str] content_security_policy: Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + :param pulumi.Input[str] content_security_policy_report_only: Used for testing Content Security Policies. + :param pulumi.Input[str] referrer_policy: The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + :param pulumi.Input[str] strict_transport_security: The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + :param pulumi.Input[str] x_content_type_options: Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + :param pulumi.Input[str] x_frame_options: Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + :param pulumi.Input[str] x_robots_tag: Prevent pages from appearing in search engines. + :param pulumi.Input[str] x_xss_protection: This header configures the Cross-site scripting (XSS) filter in your browser. + """ if content_security_policy is not None: pulumi.set(__self__, "content_security_policy", content_security_policy) if content_security_policy_report_only is not None: 
@@ -653,6 +778,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="contentSecurityPolicy") def content_security_policy(self) -> Optional[pulumi.Input[str]]: + """ + Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + """ return pulumi.get(self, "content_security_policy") @content_security_policy.setter @@ -662,6 +790,9 @@ def content_security_policy(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="contentSecurityPolicyReportOnly") def content_security_policy_report_only(self) -> Optional[pulumi.Input[str]]: + """ + Used for testing Content Security Policies. + """ return pulumi.get(self, "content_security_policy_report_only") @content_security_policy_report_only.setter @@ -671,6 +802,9 @@ def content_security_policy_report_only(self, value: Optional[pulumi.Input[str]] @property @pulumi.getter(name="referrerPolicy") def referrer_policy(self) -> Optional[pulumi.Input[str]]: + """ + The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + """ return pulumi.get(self, "referrer_policy") @referrer_policy.setter @@ -680,6 +814,9 @@ def referrer_policy(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="strictTransportSecurity") def strict_transport_security(self) -> Optional[pulumi.Input[str]]: + """ + The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + """ return pulumi.get(self, "strict_transport_security") @strict_transport_security.setter 
@@ -689,6 +826,9 @@ def strict_transport_security(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="xContentTypeOptions") def x_content_type_options(self) -> Optional[pulumi.Input[str]]: + """ + Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + """ return pulumi.get(self, "x_content_type_options") @x_content_type_options.setter @@ -698,6 +838,9 @@ def x_content_type_options(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="xFrameOptions") def x_frame_options(self) -> Optional[pulumi.Input[str]]: + """ + Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + """ return pulumi.get(self, "x_frame_options") @x_frame_options.setter @@ -707,6 +850,9 @@ def x_frame_options(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="xRobotsTag") def x_robots_tag(self) -> Optional[pulumi.Input[str]]: + """ + Prevent pages from appearing in search engines. + """ return pulumi.get(self, "x_robots_tag") @x_robots_tag.setter @@ -716,6 +862,9 @@ def x_robots_tag(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="xXssProtection") def x_xss_protection(self) -> Optional[pulumi.Input[str]]: + """ + This header configures the Cross-site scripting (XSS) filter in your browser. + """ return pulumi.get(self, "x_xss_protection") @x_xss_protection.setter 
@@ -726,15 +875,45 @@ def x_xss_protection(self, value: Optional[pulumi.Input[str]]): if not MYPY: class RealmSmtpServerArgsDict(TypedDict): from_: pulumi.Input[str] + """ + The email address for the sender. + """ host: pulumi.Input[str] + """ + The host of the SMTP server. + """ auth: NotRequired[pulumi.Input['RealmSmtpServerAuthArgsDict']] + """ + Enables authentication to the SMTP server. This block supports the following arguments: + """ envelope_from: NotRequired[pulumi.Input[str]] + """ + The email address uses for bounces. + """ from_display_name: NotRequired[pulumi.Input[str]] + """ + The display name of the sender email address. + """ port: NotRequired[pulumi.Input[str]] + """ + The port of the SMTP server (defaults to 25). + """ reply_to: NotRequired[pulumi.Input[str]] + """ + The "reply to" email address. + """ reply_to_display_name: NotRequired[pulumi.Input[str]] + """ + The display name of the "reply to" email address. + """ ssl: NotRequired[pulumi.Input[bool]] + """ + When `true`, enables SSL. Defaults to `false`. + """ starttls: NotRequired[pulumi.Input[bool]] + """ + When `true`, enables StartTLS. Defaults to `false`. + """ elif False: RealmSmtpServerArgsDict: TypeAlias = Mapping[str, Any] 
@@ -751,6 +930,18 @@ def __init__(__self__, *, reply_to_display_name: Optional[pulumi.Input[str]] = None, ssl: Optional[pulumi.Input[bool]] = None, starttls: Optional[pulumi.Input[bool]] = None): + """ + :param pulumi.Input[str] from_: The email address for the sender. + :param pulumi.Input[str] host: The host of the SMTP server. + :param pulumi.Input['RealmSmtpServerAuthArgs'] auth: Enables authentication to the SMTP server. This block supports the following arguments: + :param pulumi.Input[str] envelope_from: The email address uses for bounces. + :param pulumi.Input[str] from_display_name: The display name of the sender email address. + :param pulumi.Input[str] port: The port of the SMTP server (defaults to 25). + :param pulumi.Input[str] reply_to: The "reply to" email address. + :param pulumi.Input[str] reply_to_display_name: The display name of the "reply to" email address. + :param pulumi.Input[bool] ssl: When `true`, enables SSL. Defaults to `false`. + :param pulumi.Input[bool] starttls: When `true`, enables StartTLS. Defaults to `false`. + """ pulumi.set(__self__, "from_", from_) pulumi.set(__self__, "host", host) if auth is not None: @@ -773,6 +964,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="from") def from_(self) -> pulumi.Input[str]: + """ + The email address for the sender. + """ return pulumi.get(self, "from_") @from_.setter @@ -782,6 +976,9 @@ def from_(self, value: pulumi.Input[str]): @property @pulumi.getter def host(self) -> pulumi.Input[str]: + """ + The host of the SMTP server. + """ return pulumi.get(self, "host") @host.setter @@ -791,6 +988,9 @@ def host(self, value: pulumi.Input[str]): @property @pulumi.getter def auth(self) -> Optional[pulumi.Input['RealmSmtpServerAuthArgs']]: + """ + Enables authentication to the SMTP server. This block supports the following arguments: + """ return pulumi.get(self, "auth") @auth.setter 
@@ -800,6 +1000,9 @@ def auth(self, value: Optional[pulumi.Input['RealmSmtpServerAuthArgs']]): @property @pulumi.getter(name="envelopeFrom") def envelope_from(self) -> Optional[pulumi.Input[str]]: + """ + The email address uses for bounces. + """ return pulumi.get(self, "envelope_from") @envelope_from.setter @@ -809,6 +1012,9 @@ def envelope_from(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="fromDisplayName") def from_display_name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of the sender email address. + """ return pulumi.get(self, "from_display_name") @from_display_name.setter @@ -818,6 +1024,9 @@ def from_display_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def port(self) -> Optional[pulumi.Input[str]]: + """ + The port of the SMTP server (defaults to 25). + """ return pulumi.get(self, "port") @port.setter @@ -827,6 +1036,9 @@ def port(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="replyTo") def reply_to(self) -> Optional[pulumi.Input[str]]: + """ + The "reply to" email address. + """ return pulumi.get(self, "reply_to") @reply_to.setter @@ -836,6 +1048,9 @@ def reply_to(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="replyToDisplayName") def reply_to_display_name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of the "reply to" email address. + """ return pulumi.get(self, "reply_to_display_name") @reply_to_display_name.setter @@ -845,6 +1060,9 @@ def reply_to_display_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def ssl(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, enables SSL. Defaults to `false`. + """ return pulumi.get(self, "ssl") @ssl.setter 
@@ -854,6 +1072,9 @@ def ssl(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter def starttls(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, enables StartTLS. Defaults to `false`. + """ return pulumi.get(self, "starttls") @starttls.setter @@ -864,7 +1085,13 @@ def starttls(self, value: Optional[pulumi.Input[bool]]): if not MYPY: class RealmSmtpServerAuthArgsDict(TypedDict): password: pulumi.Input[str] + """ + The SMTP server password. + """ username: pulumi.Input[str] + """ + The SMTP server username. + """ elif False: RealmSmtpServerAuthArgsDict: TypeAlias = Mapping[str, Any] @@ -873,12 +1100,19 @@ class RealmSmtpServerAuthArgs: def __init__(__self__, *, password: pulumi.Input[str], username: pulumi.Input[str]): + """ + :param pulumi.Input[str] password: The SMTP server password. + :param pulumi.Input[str] username: The SMTP server username. + """ pulumi.set(__self__, "password", password) pulumi.set(__self__, "username", username) @property @pulumi.getter def password(self) -> pulumi.Input[str]: + """ + The SMTP server password. + """ return pulumi.get(self, "password") @password.setter @@ -888,6 +1122,9 @@ def password(self, value: pulumi.Input[str]): @property @pulumi.getter def username(self) -> pulumi.Input[str]: + """ + The SMTP server username. + """ return pulumi.get(self, "username") @username.setter @@ -1246,6 +1483,9 @@ def display_header(self, value: Optional[pulumi.Input[str]]): if not MYPY: class RealmWebAuthnPasswordlessPolicyArgsDict(TypedDict): acceptable_aaguids: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]] + """ + A set of AAGUIDs for which an authenticator can be registered. + """ attestation_conveyance_preference: NotRequired[pulumi.Input[str]] """ Either none, indirect or direct 
@@ -1255,9 +1495,21 @@ class RealmWebAuthnPasswordlessPolicyArgsDict(TypedDict): Either platform or cross-platform """ avoid_same_authenticator_register: NotRequired[pulumi.Input[bool]] + """ + When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + """ create_timeout: NotRequired[pulumi.Input[int]] + """ + The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + """ relying_party_entity_name: NotRequired[pulumi.Input[str]] + """ + A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + """ relying_party_id: NotRequired[pulumi.Input[str]] + """ + The WebAuthn relying party ID. + """ require_resident_key: NotRequired[pulumi.Input[str]] """ Either Yes or No 
@@ -1287,8 +1539,13 @@ def __init__(__self__, *, signature_algorithms: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, user_verification_requirement: Optional[pulumi.Input[str]] = None): """ + :param pulumi.Input[Sequence[pulumi.Input[str]]] acceptable_aaguids: A set of AAGUIDs for which an authenticator can be registered. :param pulumi.Input[str] attestation_conveyance_preference: Either none, indirect or direct :param pulumi.Input[str] authenticator_attachment: Either platform or cross-platform + :param pulumi.Input[bool] avoid_same_authenticator_register: When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + :param pulumi.Input[int] create_timeout: The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + :param pulumi.Input[str] relying_party_entity_name: A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + :param pulumi.Input[str] relying_party_id: The WebAuthn relying party ID. :param pulumi.Input[str] require_resident_key: Either Yes or No :param pulumi.Input[Sequence[pulumi.Input[str]]] signature_algorithms: Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing :param pulumi.Input[str] user_verification_requirement: Either required, preferred or discouraged @@ -1317,6 +1574,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="acceptableAaguids") def acceptable_aaguids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A set of AAGUIDs for which an authenticator can be registered. + """ return pulumi.get(self, "acceptable_aaguids") @acceptable_aaguids.setter 
@@ -1350,6 +1610,9 @@ def authenticator_attachment(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="avoidSameAuthenticatorRegister") def avoid_same_authenticator_register(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + """ return pulumi.get(self, "avoid_same_authenticator_register") @avoid_same_authenticator_register.setter @@ -1359,6 +1622,9 @@ def avoid_same_authenticator_register(self, value: Optional[pulumi.Input[bool]]) @property @pulumi.getter(name="createTimeout") def create_timeout(self) -> Optional[pulumi.Input[int]]: + """ + The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + """ return pulumi.get(self, "create_timeout") @create_timeout.setter @@ -1368,6 +1634,9 @@ def create_timeout(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="relyingPartyEntityName") def relying_party_entity_name(self) -> Optional[pulumi.Input[str]]: + """ + A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + """ return pulumi.get(self, "relying_party_entity_name") @relying_party_entity_name.setter @@ -1377,6 +1646,9 @@ def relying_party_entity_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="relyingPartyId") def relying_party_id(self) -> Optional[pulumi.Input[str]]: + """ + The WebAuthn relying party ID. + """ return pulumi.get(self, "relying_party_id") @relying_party_id.setter 
@@ -1423,6 +1695,9 @@ def user_verification_requirement(self, value: Optional[pulumi.Input[str]]): if not MYPY: class RealmWebAuthnPolicyArgsDict(TypedDict): acceptable_aaguids: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]] + """ + A set of AAGUIDs for which an authenticator can be registered. + """ attestation_conveyance_preference: NotRequired[pulumi.Input[str]] """ Either none, indirect or direct @@ -1432,9 +1707,21 @@ class RealmWebAuthnPolicyArgsDict(TypedDict): Either platform or cross-platform """ avoid_same_authenticator_register: NotRequired[pulumi.Input[bool]] + """ + When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + """ create_timeout: NotRequired[pulumi.Input[int]] + """ + The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + """ relying_party_entity_name: NotRequired[pulumi.Input[str]] + """ + A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + """ relying_party_id: NotRequired[pulumi.Input[str]] + """ + The WebAuthn relying party ID. + """ require_resident_key: NotRequired[pulumi.Input[str]] """ Either Yes or No 
@@ -1464,8 +1751,13 @@ def __init__(__self__, *, signature_algorithms: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, user_verification_requirement: Optional[pulumi.Input[str]] = None): """ + :param pulumi.Input[Sequence[pulumi.Input[str]]] acceptable_aaguids: A set of AAGUIDs for which an authenticator can be registered. :param pulumi.Input[str] attestation_conveyance_preference: Either none, indirect or direct :param pulumi.Input[str] authenticator_attachment: Either platform or cross-platform + :param pulumi.Input[bool] avoid_same_authenticator_register: When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + :param pulumi.Input[int] create_timeout: The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + :param pulumi.Input[str] relying_party_entity_name: A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + :param pulumi.Input[str] relying_party_id: The WebAuthn relying party ID. :param pulumi.Input[str] require_resident_key: Either Yes or No :param pulumi.Input[Sequence[pulumi.Input[str]]] signature_algorithms: Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing :param pulumi.Input[str] user_verification_requirement: Either required, preferred or discouraged @@ -1494,6 +1786,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="acceptableAaguids") def acceptable_aaguids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A set of AAGUIDs for which an authenticator can be registered. + """ return pulumi.get(self, "acceptable_aaguids") @acceptable_aaguids.setter 
@@ -1527,6 +1822,9 @@ def authenticator_attachment(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="avoidSameAuthenticatorRegister") def avoid_same_authenticator_register(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + """ return pulumi.get(self, "avoid_same_authenticator_register") @avoid_same_authenticator_register.setter @@ -1536,6 +1834,9 @@ def avoid_same_authenticator_register(self, value: Optional[pulumi.Input[bool]]) @property @pulumi.getter(name="createTimeout") def create_timeout(self) -> Optional[pulumi.Input[int]]: + """ + The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + """ return pulumi.get(self, "create_timeout") @create_timeout.setter @@ -1545,6 +1846,9 @@ def create_timeout(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="relyingPartyEntityName") def relying_party_entity_name(self) -> Optional[pulumi.Input[str]]: + """ + A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + """ return pulumi.get(self, "relying_party_entity_name") @relying_party_entity_name.setter @@ -1554,6 +1858,9 @@ def relying_party_entity_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="relyingPartyId") def relying_party_id(self) -> Optional[pulumi.Input[str]]: + """ + The WebAuthn relying party ID. + """ return pulumi.get(self, "relying_party_id") @relying_party_id.setter 
@@ -1600,8 +1907,17 @@ def user_verification_requirement(self, value: Optional[pulumi.Input[str]]): if not MYPY: class UserFederatedIdentityArgsDict(TypedDict): identity_provider: pulumi.Input[str] + """ + The name of the identity provider + """ user_id: pulumi.Input[str] + """ + The ID of the user defined in the identity provider + """ user_name: pulumi.Input[str] + """ + The user name of the user defined in the identity provider + """ elif False: UserFederatedIdentityArgsDict: TypeAlias = Mapping[str, Any] @@ -1611,6 +1927,11 @@ def __init__(__self__, *, identity_provider: pulumi.Input[str], user_id: pulumi.Input[str], user_name: pulumi.Input[str]): + """ + :param pulumi.Input[str] identity_provider: The name of the identity provider + :param pulumi.Input[str] user_id: The ID of the user defined in the identity provider + :param pulumi.Input[str] user_name: The user name of the user defined in the identity provider + """ pulumi.set(__self__, "identity_provider", identity_provider) pulumi.set(__self__, "user_id", user_id) pulumi.set(__self__, "user_name", user_name) @@ -1618,6 +1939,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="identityProvider") def identity_provider(self) -> pulumi.Input[str]: + """ + The name of the identity provider + """ return pulumi.get(self, "identity_provider") @identity_provider.setter @@ -1627,6 +1951,9 @@ def identity_provider(self, value: pulumi.Input[str]): @property @pulumi.getter(name="userId") def user_id(self) -> pulumi.Input[str]: + """ + The ID of the user defined in the identity provider + """ return pulumi.get(self, "user_id") @user_id.setter @@ -1636,6 +1963,9 @@ def user_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="userName") def user_name(self) -> pulumi.Input[str]: + """ + The user name of the user defined in the identity provider + """ return pulumi.get(self, "user_name") @user_name.setter 
@@ -1646,7 +1976,13 @@ def user_name(self, value: pulumi.Input[str]): if not MYPY: class UserInitialPasswordArgsDict(TypedDict): value: pulumi.Input[str] + """ + The initial password. + """ temporary: NotRequired[pulumi.Input[bool]] + """ + If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + """ elif False: UserInitialPasswordArgsDict: TypeAlias = Mapping[str, Any] @@ -1655,6 +1991,10 @@ class UserInitialPasswordArgs: def __init__(__self__, *, value: pulumi.Input[str], temporary: Optional[pulumi.Input[bool]] = None): + """ + :param pulumi.Input[str] value: The initial password. + :param pulumi.Input[bool] temporary: If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + """ pulumi.set(__self__, "value", value) if temporary is not None: pulumi.set(__self__, "temporary", temporary) @@ -1662,6 +2002,9 @@ def __init__(__self__, *, @property @pulumi.getter def value(self) -> pulumi.Input[str]: + """ + The initial password. + """ return pulumi.get(self, "value") @value.setter @@ -1671,6 +2014,9 @@ def value(self, value: pulumi.Input[str]): @property @pulumi.getter def temporary(self) -> Optional[pulumi.Input[bool]]: + """ + If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + """ return pulumi.get(self, "temporary") @temporary.setter diff --git a/sdk/python/pulumi_keycloak/attribute_importer_identity_provider_mapper.py b/sdk/python/pulumi_keycloak/attribute_importer_identity_provider_mapper.py index 7124a8b4..3fb1c30f 100644 --- a/sdk/python/pulumi_keycloak/attribute_importer_identity_provider_mapper.py +++ b/sdk/python/pulumi_keycloak/attribute_importer_identity_provider_mapper.py 
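Review bot: `value` is documented as just "The initial password." with no hint that it is a credential: whatever is passed here is written to the Pulumi state file, in plain text unless the provider schema marks the field secret (not visible in this hunk). Suggested wording: `The initial password. Treat it as a secret — pass it via pulumi.Config().require_secret(...) or pulumi.Output.secret(...) so it is encrypted in state.` The `temporary` text "set up for renewal on first use" is vague; if it maps to Keycloak's temporary-password flag it presumably means `the user is required to change it at first login`, which is worth saying outright. The file looks generated, so the change belongs upstream in the schema docs rather than here.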
@@ -29,13 +29,14 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a AttributeImporterIdentityProviderMapper resource. - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] user_attribute: User Attribute - :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name - :param pulumi.Input[str] attribute_name: Attribute Name - :param pulumi.Input[str] claim_name: Claim Name - :param pulumi.Input[str] name: IDP Mapper Name + :param pulumi.Input[str] identity_provider_alias: The alias of the associated identity provider. + :param pulumi.Input[str] realm: The name of the realm. + :param pulumi.Input[str] user_attribute: The user attribute or property name to store the mapped result. + :param pulumi.Input[str] attribute_friendly_name: For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. + :param pulumi.Input[str] attribute_name: For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. + :param pulumi.Input[str] claim_name: For OIDC based providers, this is the name of the claim to use. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_config: Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + :param pulumi.Input[str] name: The name of the mapper. """ pulumi.set(__self__, "identity_provider_alias", identity_provider_alias) pulumi.set(__self__, "realm", realm) @@ -55,7 +56,7 @@ def __init__(__self__, *, @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> pulumi.Input[str]: """ - IDP Alias + The alias of the associated identity provider. """ return pulumi.get(self, "identity_provider_alias") 
@@ -67,7 +68,7 @@ def identity_provider_alias(self, value: pulumi.Input[str]): @pulumi.getter def realm(self) -> pulumi.Input[str]: """ - Realm Name + The name of the realm. """ return pulumi.get(self, "realm") @@ -79,7 +80,7 @@ def realm(self, value: pulumi.Input[str]): @pulumi.getter(name="userAttribute") def user_attribute(self) -> pulumi.Input[str]: """ - User Attribute + The user attribute or property name to store the mapped result. """ return pulumi.get(self, "user_attribute") @@ -91,7 +92,7 @@ def user_attribute(self, value: pulumi.Input[str]): @pulumi.getter(name="attributeFriendlyName") def attribute_friendly_name(self) -> Optional[pulumi.Input[str]]: """ - Attribute Friendly Name + For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. """ return pulumi.get(self, "attribute_friendly_name") @@ -103,7 +104,7 @@ def attribute_friendly_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="attributeName") def attribute_name(self) -> Optional[pulumi.Input[str]]: """ - Attribute Name + For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. """ return pulumi.get(self, "attribute_name") @@ -115,7 +116,7 @@ def attribute_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="claimName") def claim_name(self) -> Optional[pulumi.Input[str]]: """ - Claim Name + For OIDC based providers, this is the name of the claim to use. """ return pulumi.get(self, "claim_name") 
@@ -126,6 +127,9 @@ def claim_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="extraConfig") def extra_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]: + """ + Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + """ return pulumi.get(self, "extra_config") @extra_config.setter @@ -136,7 +140,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[st @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - IDP Mapper Name + The name of the mapper. """ return pulumi.get(self, "name") 
@@ -158,13 +162,14 @@ def __init__(__self__, *, user_attribute: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering AttributeImporterIdentityProviderMapper resources. - :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name - :param pulumi.Input[str] attribute_name: Attribute Name - :param pulumi.Input[str] claim_name: Claim Name - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] user_attribute: User Attribute + :param pulumi.Input[str] attribute_friendly_name: For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. + :param pulumi.Input[str] attribute_name: For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. + :param pulumi.Input[str] claim_name: For OIDC based providers, this is the name of the claim to use. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_config: Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + :param pulumi.Input[str] identity_provider_alias: The alias of the associated identity provider. + :param pulumi.Input[str] name: The name of the mapper. + :param pulumi.Input[str] realm: The name of the realm. + :param pulumi.Input[str] user_attribute: The user attribute or property name to store the mapped result. """ if attribute_friendly_name is not None: pulumi.set(__self__, "attribute_friendly_name", attribute_friendly_name) 
@@ -187,7 +192,7 @@ def __init__(__self__, *, @pulumi.getter(name="attributeFriendlyName") def attribute_friendly_name(self) -> Optional[pulumi.Input[str]]: """ - Attribute Friendly Name + For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. """ return pulumi.get(self, "attribute_friendly_name") @@ -199,7 +204,7 @@ def attribute_friendly_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="attributeName") def attribute_name(self) -> Optional[pulumi.Input[str]]: """ - Attribute Name + For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. """ return pulumi.get(self, "attribute_name") @@ -211,7 +216,7 @@ def attribute_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="claimName") def claim_name(self) -> Optional[pulumi.Input[str]]: """ - Claim Name + For OIDC based providers, this is the name of the claim to use. """ return pulumi.get(self, "claim_name") @@ -222,6 +227,9 @@ def claim_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="extraConfig") def extra_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]: + """ + Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + """ return pulumi.get(self, "extra_config") @extra_config.setter @@ -232,7 +240,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[st @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> Optional[pulumi.Input[str]]: """ - IDP Alias + The alias of the associated identity provider. """ return pulumi.get(self, "identity_provider_alias") 
@@ -244,7 +252,7 @@ def identity_provider_alias(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - IDP Mapper Name + The name of the mapper. """ return pulumi.get(self, "name") @@ -256,7 +264,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def realm(self) -> Optional[pulumi.Input[str]]: """ - Realm Name + The name of the realm. """ return pulumi.get(self, "realm") @@ -268,7 +276,7 @@ def realm(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="userAttribute") def user_attribute(self) -> Optional[pulumi.Input[str]]: """ - User Attribute + The user attribute or property name to store the mapped result. """ return pulumi.get(self, "user_attribute") 
@@ -292,52 +300,67 @@ def __init__(__self__, user_attribute: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # AttributeImporterIdentityProviderMapper + Allows for creating and managing an attribute importer identity provider mapper within Keycloak. + + The attribute importer mapper can be used to map attributes from externally defined users to attributes or properties of the imported Keycloak user: + - For the OIDC identity provider, this will map a claim on the ID or access token to an attribute for the imported Keycloak user. + - For the SAML identity provider, this will map a SAML attribute found within the assertion to an attribute for the imported Keycloak user. + - For social identity providers, this will map a JSON field from the user profile to an attribute for the imported Keycloak user. - Allows to create and manage identity provider mappers within Keycloak. + > If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper. 
- ### Example Usage + ## Example Usage ```python import pulumi import pulumi_keycloak as keycloak - test_mapper = keycloak.AttributeImporterIdentityProviderMapper("test_mapper", + realm = keycloak.Realm("realm", realm="my-realm", - name="my-mapper", - identity_provider_alias="idp_alias", - attribute_name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", - user_attribute="lastName") + enabled=True) + oidc = keycloak.oidc.IdentityProvider("oidc", + realm=realm.id, + alias="oidc", + authorization_url="https://example.com/auth", + token_url="https://example.com/token", + client_id="example_id", + client_secret="example_token", + default_scopes="openid random profile") + oidc_attribute_importer_identity_provider_mapper = keycloak.AttributeImporterIdentityProviderMapper("oidc", + realm=realm.id, + name="email-attribute-importer", + claim_name="my-email-claim", + identity_provider_alias=oidc.alias, + user_attribute="email", + extra_config={ + "syncMode": "INHERIT", + }) ``` - ### Argument Reference + ## Import - The following arguments are supported: + Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak - - `realm` - (Required) The name of the realm. - - `name` - (Required) The name of the mapper. - - `identity_provider_alias` - (Required) The alias of the associated identity provider. - - `user_attribute` - (Required) The user attribute name to store SAML attribute. - - `attribute_name` - (Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. - - `attribute_friendly_name` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead. - - `claim_name` - (Optional) The claim name. 
- - ### Import - - Identity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Example: + bash + + ```sh + $ pulumi import keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name - :param pulumi.Input[str] attribute_name: Attribute Name - :param pulumi.Input[str] claim_name: Claim Name - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] user_attribute: User Attribute + :param pulumi.Input[str] attribute_friendly_name: For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. + :param pulumi.Input[str] attribute_name: For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. + :param pulumi.Input[str] claim_name: For OIDC based providers, this is the name of the claim to use. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_config: Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + :param pulumi.Input[str] identity_provider_alias: The alias of the associated identity provider. + :param pulumi.Input[str] name: The name of the mapper. 
+ :param pulumi.Input[str] realm: The name of the realm. + :param pulumi.Input[str] user_attribute: The user attribute or property name to store the mapped result. """ ... @overload 
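Review bot: The new `## Import` paragraph in this hunk is cut off mid-sentence — it ends at "the unique ID that Keycloak" and is followed by a bare `bash` line — whereas the removed text continued with "assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID." The truncated sentence should be restored and the stray `bash` dropped (or folded into the ```sh fence label). The example also hard-codes `client_secret="example_token"`; even as a placeholder this gets copy-pasted, so `client_secret=pulumi.Config().require_secret("oidcClientSecret")` would model the right practice and keep the value encrypted in state. The same docstring is repeated verbatim in the second `__init__` overload below, and since this SDK file looks generated the fix presumably belongs in the upstream resource docs.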
@@ -346,43 +369,57 @@ def __init__(__self__, args: AttributeImporterIdentityProviderMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # AttributeImporterIdentityProviderMapper + Allows for creating and managing an attribute importer identity provider mapper within Keycloak. + + The attribute importer mapper can be used to map attributes from externally defined users to attributes or properties of the imported Keycloak user: + - For the OIDC identity provider, this will map a claim on the ID or access token to an attribute for the imported Keycloak user. + - For the SAML identity provider, this will map a SAML attribute found within the assertion to an attribute for the imported Keycloak user. + - For social identity providers, this will map a JSON field from the user profile to an attribute for the imported Keycloak user. - Allows to create and manage identity provider mappers within Keycloak. + > If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper. 
- ### Example Usage + ## Example Usage ```python import pulumi import pulumi_keycloak as keycloak - test_mapper = keycloak.AttributeImporterIdentityProviderMapper("test_mapper", + realm = keycloak.Realm("realm", realm="my-realm", - name="my-mapper", - identity_provider_alias="idp_alias", - attribute_name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", - user_attribute="lastName") + enabled=True) + oidc = keycloak.oidc.IdentityProvider("oidc", + realm=realm.id, + alias="oidc", + authorization_url="https://example.com/auth", + token_url="https://example.com/token", + client_id="example_id", + client_secret="example_token", + default_scopes="openid random profile") + oidc_attribute_importer_identity_provider_mapper = keycloak.AttributeImporterIdentityProviderMapper("oidc", + realm=realm.id, + name="email-attribute-importer", + claim_name="my-email-claim", + identity_provider_alias=oidc.alias, + user_attribute="email", + extra_config={ + "syncMode": "INHERIT", + }) ``` - ### Argument Reference - - The following arguments are supported: + ## Import - - `realm` - (Required) The name of the realm. - - `name` - (Required) The name of the mapper. - - `identity_provider_alias` - (Required) The alias of the associated identity provider. - - `user_attribute` - (Required) The user attribute name to store SAML attribute. - - `attribute_name` - (Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. - - `attribute_friendly_name` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead. - - `claim_name` - (Optional) The claim name. 
+ Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak - ### Import - - Identity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Example: + bash + + ```sh + $ pulumi import keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + ``` + :param str resource_name: The name of the resource. :param AttributeImporterIdentityProviderMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -454,13 +491,14 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name - :param pulumi.Input[str] attribute_name: Attribute Name - :param pulumi.Input[str] claim_name: Claim Name - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] user_attribute: User Attribute + :param pulumi.Input[str] attribute_friendly_name: For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. + :param pulumi.Input[str] attribute_name: For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. + :param pulumi.Input[str] claim_name: For OIDC based providers, this is the name of the claim to use. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_config: Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + :param pulumi.Input[str] identity_provider_alias: The alias of the associated identity provider. + :param pulumi.Input[str] name: The name of the mapper. + :param pulumi.Input[str] realm: The name of the realm. + :param pulumi.Input[str] user_attribute: The user attribute or property name to store the mapped result. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
@@ -480,7 +518,7 @@ def get(resource_name: str, @pulumi.getter(name="attributeFriendlyName") def attribute_friendly_name(self) -> pulumi.Output[Optional[str]]: """ - Attribute Friendly Name + For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`. """ return pulumi.get(self, "attribute_friendly_name") @@ -488,7 +526,7 @@ def attribute_friendly_name(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="attributeName") def attribute_name(self) -> pulumi.Output[Optional[str]]: """ - Attribute Name + For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`. """ return pulumi.get(self, "attribute_name") @@ -496,20 +534,23 @@ def attribute_name(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="claimName") def claim_name(self) -> pulumi.Output[Optional[str]]: """ - Claim Name + For OIDC based providers, this is the name of the claim to use. """ return pulumi.get(self, "claim_name") @property @pulumi.getter(name="extraConfig") def extra_config(self) -> pulumi.Output[Optional[Mapping[str, str]]]: + """ + Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + """ return pulumi.get(self, "extra_config") @property @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> pulumi.Output[str]: """ - IDP Alias + The alias of the associated identity provider. """ return pulumi.get(self, "identity_provider_alias") @@ -517,7 +558,7 @@ def identity_provider_alias(self) -> pulumi.Output[str]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - IDP Mapper Name + The name of the mapper. """ return pulumi.get(self, "name") 
@@ -525,7 +566,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter def realm(self) -> pulumi.Output[str]: """ - Realm Name + The name of the realm. """ return pulumi.get(self, "realm") @@ -533,7 +574,7 @@ def realm(self) -> pulumi.Output[str]: @pulumi.getter(name="userAttribute") def user_attribute(self) -> pulumi.Output[str]: """ - User Attribute + The user attribute or property name to store the mapped result. """ return pulumi.get(self, "user_attribute") diff --git a/sdk/python/pulumi_keycloak/custom_user_federation.py b/sdk/python/pulumi_keycloak/custom_user_federation.py index cc66fa2f..98c1bb06 100644 --- a/sdk/python/pulumi_keycloak/custom_user_federation.py +++ b/sdk/python/pulumi_keycloak/custom_user_federation.py 
@@ -31,16 +31,16 @@ def __init__(__self__, *, priority: Optional[pulumi.Input[int]] = None): """ The set of arguments for constructing a CustomUserFederation resource. - :param pulumi.Input[str] provider_id: The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - interface - :param pulumi.Input[str] realm_id: The realm (name) this provider will provide user federation for. - :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - sync. - :param pulumi.Input[bool] enabled: When false, this provider will not be used when performing queries for users. + :param pulumi.Input[str] provider_id: The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. + :param pulumi.Input[str] realm_id: The realm that this provider will provide user federation for. + :param pulumi.Input[str] cache_policy: Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] config: The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + :param pulumi.Input[bool] enabled: When `false`, this provider will not be used when performing queries for users. Defaults to `true`. :param pulumi.Input[int] full_sync_period: How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync. :param pulumi.Input[str] name: Display name of the provider when displayed in the console. - :param pulumi.Input[str] parent_id: The parent_id of the generated component. 
will use realm_id if not specified. - :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. + :param pulumi.Input[str] parent_id: Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. + :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. Defaults to `0`. """ pulumi.set(__self__, "provider_id", provider_id) pulumi.set(__self__, "realm_id", realm_id) @@ -65,8 +65,7 @@ def __init__(__self__, *, @pulumi.getter(name="providerId") def provider_id(self) -> pulumi.Input[str]: """ - The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory - interface + The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. """ return pulumi.get(self, "provider_id") @@ -78,7 +77,7 @@ def provider_id(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm (name) this provider will provide user federation for. + The realm that this provider will provide user federation for. """ return pulumi.get(self, "realm_id") @@ -89,6 +88,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="cachePolicy") def cache_policy(self) -> Optional[pulumi.Input[str]]: + """ + Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + """ return pulumi.get(self, "cache_policy") @cache_policy.setter 
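Review bot: The new `config` description has a typo, `seperate` → `separate`, and since it says these key/value pairs are "handed over to your custom user federation provider" it should warn that they are persisted in Keycloak and in Pulumi state — anything credential-like in the map (bind passwords, API keys) should be passed as a secret. Suggested wording: `The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use ## to separate the values. Values are stored in Keycloak and in Pulumi state; pass credentials as secrets.` The `parent_id` line should read `realm's` rather than `realms'`. The same `seperate` typo recurs in the `config` property docstring and in the state-args hunks below; this SDK file looks generated, so the fix presumably belongs in the upstream docs.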
@@ -99,8 +101,7 @@ def cache_policy(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="changedSyncPeriod") def changed_sync_period(self) -> Optional[pulumi.Input[int]]: """ - How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users - sync. + How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync. """ return pulumi.get(self, "changed_sync_period") @@ -111,6 +112,9 @@ def changed_sync_period(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter def config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]: + """ + The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values. + """ return pulumi.get(self, "config") @config.setter @@ -121,7 +125,7 @@ def config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]) @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: """ - When false, this provider will not be used when performing queries for users. + When `false`, this provider will not be used when performing queries for users. Defaults to `true`. """ return pulumi.get(self, "enabled") @@ -157,7 +161,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="parentId") def parent_id(self) -> Optional[pulumi.Input[str]]: """ - The parent_id of the generated component. will use realm_id if not specified. + Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. """ return pulumi.get(self, "parent_id") 
@@ -169,7 +173,7 @@ def parent_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def priority(self) -> Optional[pulumi.Input[int]]: """ - Priority of this provider when looking up users. Lower values are first. + Priority of this provider when looking up users. Lower values are first. Defaults to `0`. """ return pulumi.get(self, "priority") 
@@ -193,16 +197,16 @@ def __init__(__self__, *,
 realm_id: Optional[pulumi.Input[str]] = None):
 """
 Input properties used for looking up and filtering CustomUserFederation resources.
- :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users
- sync.
- :param pulumi.Input[bool] enabled: When false, this provider will not be used when performing queries for users.
+ :param pulumi.Input[str] cache_policy: Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] config: The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values.
+ :param pulumi.Input[bool] enabled: When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
 :param pulumi.Input[int] full_sync_period: How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync.
 :param pulumi.Input[str] name: Display name of the provider when displayed in the console.
- :param pulumi.Input[str] parent_id: The parent_id of the generated component. will use realm_id if not specified.
- :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first.
- :param pulumi.Input[str] provider_id: The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory
- interface
- :param pulumi.Input[str] realm_id: The realm (name) this provider will provide user federation for.
+ :param pulumi.Input[str] parent_id: Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.
+ :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
+ :param pulumi.Input[str] provider_id: The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.
+ :param pulumi.Input[str] realm_id: The realm that this provider will provide user federation for.
 """
 if cache_policy is not None:
 pulumi.set(__self__, "cache_policy", cache_policy)
@@ -228,6 +232,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="cachePolicy")
 def cache_policy(self) -> Optional[pulumi.Input[str]]:
+ """
+ Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ """
 return pulumi.get(self, "cache_policy")
 @cache_policy.setter
@@ -238,8 +245,7 @@ def cache_policy(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="changedSyncPeriod")
 def changed_sync_period(self) -> Optional[pulumi.Input[int]]:
 """
- How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users
- sync.
+ How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync.
 """
 return pulumi.get(self, "changed_sync_period")
@@ -250,6 +256,9 @@ def changed_sync_period(self, value: Optional[pulumi.Input[int]]):
 @property
 @pulumi.getter
 def config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+ """
+ The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values.
+ """
 return pulumi.get(self, "config")
 @config.setter
@@ -260,7 +269,7 @@ def config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]])
 @pulumi.getter
 def enabled(self) -> Optional[pulumi.Input[bool]]:
 """
- When false, this provider will not be used when performing queries for users.
+ When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
 """
 return pulumi.get(self, "enabled")
@@ -296,7 +305,7 @@ def name(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="parentId")
 def parent_id(self) -> Optional[pulumi.Input[str]]:
 """
- The parent_id of the generated component. will use realm_id if not specified.
+ Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.
 """
 return pulumi.get(self, "parent_id")
@@ -308,7 +317,7 @@ def parent_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter
 def priority(self) -> Optional[pulumi.Input[int]]:
 """
- Priority of this provider when looking up users. Lower values are first.
+ Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
 """
 return pulumi.get(self, "priority")
@@ -320,8 +329,7 @@ def priority(self, value: Optional[pulumi.Input[int]]):
 @pulumi.getter(name="providerId")
 def provider_id(self) -> Optional[pulumi.Input[str]]:
 """
- The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory
- interface
+ The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.
 """
 return pulumi.get(self, "provider_id")
@@ -333,7 +341,7 @@ def provider_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="realmId")
 def realm_id(self) -> Optional[pulumi.Input[str]]:
 """
- The realm (name) this provider will provide user federation for.
+ The realm that this provider will provide user federation for.
 """
 return pulumi.get(self, "realm_id")
@@ -359,15 +367,12 @@ def __init__(__self__,
 realm_id: Optional[pulumi.Input[str]] = None,
 __props__=None):
 """
- ## # CustomUserFederation
-
 Allows for creating and managing custom user federation providers within Keycloak.
- A custom user federation provider is an implementation of Keycloak's
- [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi).
+ A custom user federation provider is an implementation of Keycloak's [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi).
 An example of this implementation can be found here.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -380,37 +385,38 @@ def __init__(__self__,
 name="custom",
 realm_id=realm.id,
 provider_id="custom",
- enabled=True)
+ enabled=True,
+ config={
+ "dummyString": "foobar",
+ "dummyBool": "true",
+ "multivalue": "value1##value2",
+ })
 ```
- ### Argument Reference
+ ## Import
- The following arguments are supported:
+ Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`.
- - `realm_id` - (Required) The realm that this provider will provide user federation for.
- - `name` - (Required) Display name of the provider when displayed in the console.
- - `provider_id` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.
- - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
- - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
- - `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID:
- ### Import
+ bash
- Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`.
- The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID:
+ ```sh
+ $ pulumi import keycloak:index/customUserFederation:CustomUserFederation custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860
+ ```
 :param str resource_name: The name of the resource.
 :param pulumi.ResourceOptions opts: Options for the resource.
- :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users
- sync.
- :param pulumi.Input[bool] enabled: When false, this provider will not be used when performing queries for users.
+ :param pulumi.Input[str] cache_policy: Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] config: The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values.
+ :param pulumi.Input[bool] enabled: When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
 :param pulumi.Input[int] full_sync_period: How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync.
 :param pulumi.Input[str] name: Display name of the provider when displayed in the console.
- :param pulumi.Input[str] parent_id: The parent_id of the generated component. will use realm_id if not specified.
- :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first.
- :param pulumi.Input[str] provider_id: The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory
- interface
- :param pulumi.Input[str] realm_id: The realm (name) this provider will provide user federation for.
+ :param pulumi.Input[str] parent_id: Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.
+ :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
+ :param pulumi.Input[str] provider_id: The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.
+ :param pulumi.Input[str] realm_id: The realm that this provider will provide user federation for.
 """
 ...
 @overload
@@ -419,15 +425,12 @@ def __init__(__self__,
 args: CustomUserFederationArgs,
 opts: Optional[pulumi.ResourceOptions] = None):
 """
- ## # CustomUserFederation
-
 Allows for creating and managing custom user federation providers within Keycloak.
- A custom user federation provider is an implementation of Keycloak's
- [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi).
+ A custom user federation provider is an implementation of Keycloak's [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi).
 An example of this implementation can be found here.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -440,24 +443,25 @@ def __init__(__self__,
 name="custom",
 realm_id=realm.id,
 provider_id="custom",
- enabled=True)
+ enabled=True,
+ config={
+ "dummyString": "foobar",
+ "dummyBool": "true",
+ "multivalue": "value1##value2",
+ })
 ```
- ### Argument Reference
+ ## Import
- The following arguments are supported:
+ Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`.
- - `realm_id` - (Required) The realm that this provider will provide user federation for.
- - `name` - (Required) Display name of the provider when displayed in the console.
- - `provider_id` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.
- - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
- - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
- - `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID:
- ### Import
+ bash
- Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`.
- The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID:
+ ```sh
+ $ pulumi import keycloak:index/customUserFederation:CustomUserFederation custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860
+ ```
 :param str resource_name: The name of the resource.
 :param CustomUserFederationArgs args: The arguments to use to populate this resource's properties.
@@ -534,16 +538,16 @@ def get(resource_name: str,
 :param str resource_name: The unique name of the resulting resource.
 :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
 :param pulumi.ResourceOptions opts: Options for the resource.
- :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users
- sync.
- :param pulumi.Input[bool] enabled: When false, this provider will not be used when performing queries for users.
+ :param pulumi.Input[str] cache_policy: Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] config: The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values.
+ :param pulumi.Input[bool] enabled: When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
 :param pulumi.Input[int] full_sync_period: How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync.
 :param pulumi.Input[str] name: Display name of the provider when displayed in the console.
- :param pulumi.Input[str] parent_id: The parent_id of the generated component. will use realm_id if not specified.
- :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first.
- :param pulumi.Input[str] provider_id: The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory
- interface
- :param pulumi.Input[str] realm_id: The realm (name) this provider will provide user federation for.
+ :param pulumi.Input[str] parent_id: Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.
+ :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
+ :param pulumi.Input[str] provider_id: The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.
+ :param pulumi.Input[str] realm_id: The realm that this provider will provide user federation for.
 """
 opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -564,27 +568,32 @@ def get(resource_name: str,
 @property
 @pulumi.getter(name="cachePolicy")
 def cache_policy(self) -> pulumi.Output[Optional[str]]:
+ """
+ Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ """
 return pulumi.get(self, "cache_policy")
 @property
 @pulumi.getter(name="changedSyncPeriod")
 def changed_sync_period(self) -> pulumi.Output[Optional[int]]:
 """
- How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users
- sync.
+ How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync.
 """
 return pulumi.get(self, "changed_sync_period")
 @property
 @pulumi.getter
 def config(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
+ """
+ The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values.
+ """
 return pulumi.get(self, "config")
 @property
 @pulumi.getter
 def enabled(self) -> pulumi.Output[Optional[bool]]:
 """
- When false, this provider will not be used when performing queries for users.
+ When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
 """
 return pulumi.get(self, "enabled")
@@ -608,7 +617,7 @@ def name(self) -> pulumi.Output[str]:
 @pulumi.getter(name="parentId")
 def parent_id(self) -> pulumi.Output[str]:
 """
- The parent_id of the generated component. will use realm_id if not specified.
+ Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.
 """
 return pulumi.get(self, "parent_id")
@@ -616,7 +625,7 @@ def parent_id(self) -> pulumi.Output[str]:
 @pulumi.getter
 def priority(self) -> pulumi.Output[Optional[int]]:
 """
- Priority of this provider when looking up users. Lower values are first.
+ Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
 """
 return pulumi.get(self, "priority")
@@ -624,8 +633,7 @@ def priority(self) -> pulumi.Output[Optional[int]]:
 @pulumi.getter(name="providerId")
 def provider_id(self) -> pulumi.Output[str]:
 """
- The unique ID of the custom provider, specified in the `getId` implementation for the UserStorageProviderFactory
- interface
+ The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.
 """
 return pulumi.get(self, "provider_id")
@@ -633,7 +641,7 @@ def provider_id(self) -> pulumi.Output[str]:
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Output[str]:
 """
- The realm (name) this provider will provide user federation for.
+ The realm that this provider will provide user federation for.
 """
 return pulumi.get(self, "realm_id")
diff --git a/sdk/python/pulumi_keycloak/default_groups.py b/sdk/python/pulumi_keycloak/default_groups.py
index 5a6e79d6..cf85060e 100644
--- a/sdk/python/pulumi_keycloak/default_groups.py
+++ b/sdk/python/pulumi_keycloak/default_groups.py
@@ -23,6 +23,8 @@ def __init__(__self__, *,
 realm_id: pulumi.Input[str]):
 """
 The set of arguments for constructing a DefaultGroups resource.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] group_ids: A set of group ids that should be default groups on the realm referenced by `realm_id`.
+ :param pulumi.Input[str] realm_id: The realm this group exists in.
 """
 pulumi.set(__self__, "group_ids", group_ids)
 pulumi.set(__self__, "realm_id", realm_id)
@@ -30,6 +32,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="groupIds")
 def group_ids(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]:
+ """
+ A set of group ids that should be default groups on the realm referenced by `realm_id`.
+ """
 return pulumi.get(self, "group_ids")
 @group_ids.setter
@@ -39,6 +44,9 @@ def group_ids(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]):
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Input[str]:
+ """
+ The realm this group exists in.
+ """
 return pulumi.get(self, "realm_id")
 @realm_id.setter
@@ -53,6 +61,8 @@ def __init__(__self__, *,
 realm_id: Optional[pulumi.Input[str]] = None):
 """
 Input properties used for looking up and filtering DefaultGroups resources.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] group_ids: A set of group ids that should be default groups on the realm referenced by `realm_id`.
+ :param pulumi.Input[str] realm_id: The realm this group exists in.
 """
 if group_ids is not None:
 pulumi.set(__self__, "group_ids", group_ids)
@@ -62,6 +72,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="groupIds")
 def group_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ A set of group ids that should be default groups on the realm referenced by `realm_id`.
+ """
 return pulumi.get(self, "group_ids")
 @group_ids.setter
@@ -71,6 +84,9 @@ def group_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ The realm this group exists in.
+ """
 return pulumi.get(self, "realm_id")
 @realm_id.setter
@@ -87,14 +103,11 @@ def __init__(__self__,
 realm_id: Optional[pulumi.Input[str]] = None,
 __props__=None):
 """
- ## # DefaultGroups
-
 Allows for managing a realm's default groups.
- Note that you should not use `DefaultGroups` with a group with memberships managed
- by `GroupMemberships`.
+ > You should not use `DefaultGroups` with a group whose members are managed by `GroupMemberships`.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -111,21 +124,22 @@ def __init__(__self__,
 group_ids=[group.id])
 ```
- ### Argument Reference
+ ## Import
- The following arguments are supported:
+ Default groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in.
- - `realm_id` - (Required) The realm this group exists in.
- - `group_ids` - (Required) A set of group ids that should be default groups on the realm referenced by `realm_id`.
-
- ### Import
+ Example:
- Groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in.
+ bash
- Example:
+ ```sh
+ $ pulumi import keycloak:index/defaultGroups:DefaultGroups default my-realm
+ ```
 :param str resource_name: The name of the resource.
 :param pulumi.ResourceOptions opts: Options for the resource.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] group_ids: A set of group ids that should be default groups on the realm referenced by `realm_id`.
+ :param pulumi.Input[str] realm_id: The realm this group exists in.
 """
 ...
 @overload
@@ -134,14 +148,11 @@ def __init__(__self__,
 args: DefaultGroupsArgs,
 opts: Optional[pulumi.ResourceOptions] = None):
 """
- ## # DefaultGroups
-
 Allows for managing a realm's default groups.
- Note that you should not use `DefaultGroups` with a group with memberships managed
- by `GroupMemberships`.
+ > You should not use `DefaultGroups` with a group whose members are managed by `GroupMemberships`.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -158,18 +169,17 @@ def __init__(__self__,
 group_ids=[group.id])
 ```
- ### Argument Reference
+ ## Import
- The following arguments are supported:
+ Default groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in.
- - `realm_id` - (Required) The realm this group exists in.
- - `group_ids` - (Required) A set of group ids that should be default groups on the realm referenced by `realm_id`.
-
- ### Import
+ Example:
- Groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in.
+ bash
- Example:
+ ```sh
+ $ pulumi import keycloak:index/defaultGroups:DefaultGroups default my-realm
+ ```
 :param str resource_name: The name of the resource.
 :param DefaultGroupsArgs args: The arguments to use to populate this resource's properties.
@@ -222,6 +232,8 @@ def get(resource_name: str,
 :param str resource_name: The unique name of the resulting resource.
 :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
 :param pulumi.ResourceOptions opts: Options for the resource.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] group_ids: A set of group ids that should be default groups on the realm referenced by `realm_id`.
+ :param pulumi.Input[str] realm_id: The realm this group exists in.
 """
 opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -234,10 +246,16 @@ def get(resource_name: str,
 @property
 @pulumi.getter(name="groupIds")
 def group_ids(self) -> pulumi.Output[Sequence[str]]:
+ """
+ A set of group ids that should be default groups on the realm referenced by `realm_id`.
+ """
 return pulumi.get(self, "group_ids")
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Output[str]:
+ """
+ The realm this group exists in.
+ """
 return pulumi.get(self, "realm_id")
diff --git a/sdk/python/pulumi_keycloak/generic_client_protocol_mapper.py b/sdk/python/pulumi_keycloak/generic_client_protocol_mapper.py
index b900e56c..0e21d5ae 100644
--- a/sdk/python/pulumi_keycloak/generic_client_protocol_mapper.py
+++ b/sdk/python/pulumi_keycloak/generic_client_protocol_mapper.py
@@ -28,12 +28,13 @@ def __init__(__self__, *,
 name: Optional[pulumi.Input[str]] = None):
 """
 The set of arguments for constructing a GenericClientProtocolMapper resource.
- :param pulumi.Input[str] protocol: The protocol of the client (openid-connect / saml).
- :param pulumi.Input[str] protocol_mapper: The type of the protocol mapper.
- :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists.
- :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] config: A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
+ :param pulumi.Input[str] protocol: The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
+ :param pulumi.Input[str] protocol_mapper: The name of the protocol mapper. The protocol mapper must be compatible with the specified client.
+ :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+ :param pulumi.Input[str] client_id: The client this protocol mapper is attached to.
 :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id.
- :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console.
+ :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
 """
 pulumi.set(__self__, "config", config)
 pulumi.set(__self__, "protocol", protocol)
@@ -49,6 +50,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter
 def config(self) -> pulumi.Input[Mapping[str, pulumi.Input[str]]]:
+ """
+ A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
+ """
 return pulumi.get(self, "config")
 @config.setter
@@ -59,7 +63,7 @@ def config(self, value: pulumi.Input[Mapping[str, pulumi.Input[str]]]):
 @pulumi.getter
 def protocol(self) -> pulumi.Input[str]:
 """
- The protocol of the client (openid-connect / saml).
+ The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
 """
 return pulumi.get(self, "protocol")
@@ -71,7 +75,7 @@ def protocol(self, value: pulumi.Input[str]):
 @pulumi.getter(name="protocolMapper")
 def protocol_mapper(self) -> pulumi.Input[str]:
 """
- The type of the protocol mapper.
+ The name of the protocol mapper. The protocol mapper must be compatible with the specified client.
 """
 return pulumi.get(self, "protocol_mapper")
@@ -83,7 +87,7 @@ def protocol_mapper(self, value: pulumi.Input[str]):
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Input[str]:
 """
- The realm id where the associated client or client scope exists.
+ The realm this protocol mapper exists within.
 """
 return pulumi.get(self, "realm_id")
@@ -95,7 +99,7 @@ def realm_id(self, value: pulumi.Input[str]):
 @pulumi.getter(name="clientId")
 def client_id(self) -> Optional[pulumi.Input[str]]:
 """
- The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ The client this protocol mapper is attached to.
 """
 return pulumi.get(self, "client_id")
@@ -119,7 +123,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
 """
- A human-friendly name that will appear in the Keycloak console.
+ The display name of this protocol mapper in the GUI.
 """
 return pulumi.get(self, "name")
@@ -140,12 +144,13 @@ def __init__(__self__, *,
 realm_id: Optional[pulumi.Input[str]] = None):
 """
 Input properties used for looking up and filtering GenericClientProtocolMapper resources.
- :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ :param pulumi.Input[str] client_id: The client this protocol mapper is attached to.
 :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id.
- :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console.
- :param pulumi.Input[str] protocol: The protocol of the client (openid-connect / saml).
- :param pulumi.Input[str] protocol_mapper: The type of the protocol mapper.
- :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] config: A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
+ :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+ :param pulumi.Input[str] protocol: The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
+ :param pulumi.Input[str] protocol_mapper: The name of the protocol mapper. The protocol mapper must be compatible with the specified client.
+ :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
 """
 if client_id is not None:
 pulumi.set(__self__, "client_id", client_id)
@@ -166,7 +171,7 @@ def __init__(__self__, *,
 @pulumi.getter(name="clientId")
 def client_id(self) -> Optional[pulumi.Input[str]]:
 """
- The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ The client this protocol mapper is attached to.
 """
 return pulumi.get(self, "client_id")
@@ -189,6 +194,9 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter
 def config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+ """
+ A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
+ """
 return pulumi.get(self, "config")
 @config.setter
@@ -199,7 +207,7 @@ def config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]])
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
 """
- A human-friendly name that will appear in the Keycloak console.
+ The display name of this protocol mapper in the GUI.
 """
 return pulumi.get(self, "name")
@@ -211,7 +219,7 @@ def name(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter
 def protocol(self) -> Optional[pulumi.Input[str]]:
 """
- The protocol of the client (openid-connect / saml).
+ The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
 """
 return pulumi.get(self, "protocol")
@@ -223,7 +231,7 @@ def protocol(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="protocolMapper")
 def protocol_mapper(self) -> Optional[pulumi.Input[str]]:
 """
- The type of the protocol mapper.
+ The name of the protocol mapper. The protocol mapper must be compatible with the specified client.
 """
 return pulumi.get(self, "protocol_mapper")
@@ -235,7 +243,7 @@ def protocol_mapper(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="realmId")
 def realm_id(self) -> Optional[pulumi.Input[str]]:
 """
- The realm id where the associated client or client scope exists.
+ The realm this protocol mapper exists within.
 """
 return pulumi.get(self, "realm_id")
@@ -258,9 +266,9 @@ def __init__(__self__,
 realm_id: Optional[pulumi.Input[str]] = None,
 __props__=None):
 """
- ## # GenericClientProtocolMapper
+ !> **WARNING:** This resource is deprecated and will be removed in the next major version. Please use `GenericProtocolMapper` instead.
- Allows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak.
+ Allows for creating and managing protocol mappers for both types of clients (openid-connect and saml) within Keycloak.
 There are two uses cases for using this resource:
 * If you implemented a custom protocol mapper, this resource can be used to configure it
@@ -269,7 +277,7 @@ def __init__(__self__,
 Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors.
 Therefore, if possible, a specific mapper should be used.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -284,7 +292,7 @@ def __init__(__self__,
 saml_hardcode_attribute_mapper = keycloak.GenericClientProtocolMapper("saml_hardcode_attribute_mapper",
 realm_id=realm.id,
 client_id=saml_client.id,
- name="tes-mapper",
+ name="test-mapper",
 protocol="saml",
 protocol_mapper="saml-hardcode-attribute-mapper",
 config={
@@ -295,32 +303,27 @@ def __init__(__self__,
 })
 ```
- ### Argument Reference
-
- The following arguments are supported:
-
- - `realm_id` - (Required) The realm this protocol mapper exists within.
- - `client_id` - (Required) The client this protocol mapper is attached to.
- - `name` - (Required) The display name of this protocol mapper in the GUI.
- - `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
- - `protocol_mapper` - (Required) The name of the protocol mapper. The protocol mapper must be
- compatible with the specified client.
- - `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
-
- ### Import
+ ## Import
 Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
 Example:
+ bash
+
+ ```sh
+ $ pulumi import keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+ ```
+
 :param str resource_name: The name of the resource.
 :param pulumi.ResourceOptions opts: Options for the resource.
- :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ :param pulumi.Input[str] client_id: The client this protocol mapper is attached to.
 :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id.
- :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console.
- :param pulumi.Input[str] protocol: The protocol of the client (openid-connect / saml).
- :param pulumi.Input[str] protocol_mapper: The type of the protocol mapper.
- :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] config: A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
+ :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+ :param pulumi.Input[str] protocol: The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
+ :param pulumi.Input[str] protocol_mapper: The name of the protocol mapper. The protocol mapper must be compatible with the specified client.
+ :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
 """
 ...
 @overload
@@ -329,9 +332,9 @@ def __init__(__self__,
 args: GenericClientProtocolMapperArgs,
 opts: Optional[pulumi.ResourceOptions] = None):
 """
- ## # GenericClientProtocolMapper
+ !> **WARNING:** This resource is deprecated and will be removed in the next major version. Please use `GenericProtocolMapper` instead.
- Allows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak.
+ Allows for creating and managing protocol mappers for both types of clients (openid-connect and saml) within Keycloak.
 There are two uses cases for using this resource:
 * If you implemented a custom protocol mapper, this resource can be used to configure it
@@ -340,7 +343,7 @@ def __init__(__self__,
 Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors.
 Therefore, if possible, a specific mapper should be used.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -355,7 +358,7 @@ def __init__(__self__,
 saml_hardcode_attribute_mapper = keycloak.GenericClientProtocolMapper("saml_hardcode_attribute_mapper",
 realm_id=realm.id,
 client_id=saml_client.id,
- name="tes-mapper",
+ name="test-mapper",
 protocol="saml",
 protocol_mapper="saml-hardcode-attribute-mapper",
 config={
@@ -366,24 +369,18 @@ def __init__(__self__,
 })
 ```
- ### Argument Reference
-
- The following arguments are supported:
-
- - `realm_id` - (Required) The realm this protocol mapper exists within.
- - `client_id` - (Required) The client this protocol mapper is attached to.
- - `name` - (Required) The display name of this protocol mapper in the GUI.
- - `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
- - `protocol_mapper` - (Required) The name of the protocol mapper. The protocol mapper must be
- compatible with the specified client.
- - `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
-
- ### Import
+ ## Import
 Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
 Example:
+ bash
+
+ ```sh
+ $ pulumi import keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+ ```
+
 :param str resource_name: The name of the resource.
 :param GenericClientProtocolMapperArgs args: The arguments to use to populate this resource's properties.
 :param pulumi.ResourceOptions opts: Options for the resource.
@@ -454,12 +451,13 @@ def get(resource_name: str,
 :param str resource_name: The unique name of the resulting resource.
 :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
 :param pulumi.ResourceOptions opts: Options for the resource.
- :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ :param pulumi.Input[str] client_id: The client this protocol mapper is attached to.
 :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id.
- :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console.
- :param pulumi.Input[str] protocol: The protocol of the client (openid-connect / saml).
- :param pulumi.Input[str] protocol_mapper: The type of the protocol mapper.
- :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] config: A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
+ :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+ :param pulumi.Input[str] protocol: The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
+ :param pulumi.Input[str] protocol_mapper: The name of the protocol mapper. The protocol mapper must be compatible with the specified client.
+ :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
 """
 opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -478,7 +476,7 @@ def get(resource_name: str,
 @pulumi.getter(name="clientId")
 def client_id(self) -> pulumi.Output[Optional[str]]:
 """
- The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ The client this protocol mapper is attached to.
 """
 return pulumi.get(self, "client_id")
@@ -493,13 +491,16 @@ def client_scope_id(self) -> pulumi.Output[Optional[str]]:
 @property
 @pulumi.getter
 def config(self) -> pulumi.Output[Mapping[str, str]]:
+ """
+ A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
+ """
 return pulumi.get(self, "config")
 @property
 @pulumi.getter
 def name(self) -> pulumi.Output[str]:
 """
- A human-friendly name that will appear in the Keycloak console.
+ The display name of this protocol mapper in the GUI.
 """
 return pulumi.get(self, "name")
@@ -507,7 +508,7 @@ def name(self) -> pulumi.Output[str]:
 @pulumi.getter
 def protocol(self) -> pulumi.Output[str]:
 """
- The protocol of the client (openid-connect / saml).
+ The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
 """
 return pulumi.get(self, "protocol")
@@ -515,7 +516,7 @@ def protocol(self) -> pulumi.Output[str]:
 @pulumi.getter(name="protocolMapper")
 def protocol_mapper(self) -> pulumi.Output[str]:
 """
- The type of the protocol mapper.
+ The name of the protocol mapper. The protocol mapper must be compatible with the specified client.
 """
 return pulumi.get(self, "protocol_mapper")
@@ -523,7 +524,7 @@ def protocol_mapper(self) -> pulumi.Output[str]:
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Output[str]:
 """
- The realm id where the associated client or client scope exists.
+ The realm this protocol mapper exists within.
 """
 return pulumi.get(self, "realm_id")
diff --git a/sdk/python/pulumi_keycloak/get_group.py b/sdk/python/pulumi_keycloak/get_group.py
index fb946b24..8e66eec4 100644
--- a/sdk/python/pulumi_keycloak/get_group.py
+++ b/sdk/python/pulumi_keycloak/get_group.py
@@ -98,10 +98,31 @@ def get_group(name: Optional[str] = None,
 realm_id: Optional[str] = None,
 opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetGroupResult:
 """
- ## # Group data source
-
 This data source can be used to fetch properties of a Keycloak group for usage with other resources, such as `GroupRoles`.
+
+ ## Example Usage
+
+ ```python
+ import pulumi
+ import pulumi_keycloak as keycloak
+
+ realm = keycloak.Realm("realm",
+ realm="my-realm",
+ enabled=True)
+ offline_access = keycloak.get_role_output(realm_id=realm.id,
+ name="offline_access")
+ group = keycloak.get_group_output(realm_id=realm.id,
+ name="group")
+ group_roles = keycloak.GroupRoles("group_roles",
+ realm_id=realm.id,
+ group_id=group.id,
+ role_ids=[offline_access.id])
+ ```
+
+
+ :param str name: The name of the group. If there are multiple groups match `name`, the first result will be returned.
+ :param str realm_id: The realm this group exists within.
 """
 __args__ = dict()
 __args__['name'] = name
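Review bot: The new `:param str name:` line admits that an ambiguous name resolves to "the first result", but the example added in the same docstring immediately feeds that result's `id` into `GroupRoles`, so a name collision would silently grant `offline_access` to a group other than the one intended; the caveat should spell that consequence out rather than leave it implicit. Suggested wording, which also fixes the grammar: `:param str name: The name of the group. If multiple groups match `name`, the first result is returned; verify the resolved group before binding roles or memberships to its `id`.` The same sentence is duplicated in the `get_group_output` docstring in the next hunk and should be changed there too. `get_group`'s body continues past the end of this hunk.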
@@ -120,10 +141,31 @@ def get_group_output(name: Optional[pulumi.Input[str]] = None,
 realm_id: Optional[pulumi.Input[str]] = None,
 opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetGroupResult]:
 """
- ## # Group data source
-
 This data source can be used to fetch properties of a Keycloak group for usage with other resources, such as `GroupRoles`.
+
+ ## Example Usage
+
+ ```python
+ import pulumi
+ import pulumi_keycloak as keycloak
+
+ realm = keycloak.Realm("realm",
+ realm="my-realm",
+ enabled=True)
+ offline_access = keycloak.get_role_output(realm_id=realm.id,
+ name="offline_access")
+ group = keycloak.get_group_output(realm_id=realm.id,
+ name="group")
+ group_roles = keycloak.GroupRoles("group_roles",
+ realm_id=realm.id,
+ group_id=group.id,
+ role_ids=[offline_access.id])
+ ```
+
+
+ :param str name: The name of the group. If there are multiple groups match `name`, the first result will be returned.
+ :param str realm_id: The realm this group exists within.
 """
 __args__ = dict()
 __args__['name'] = name
diff --git a/sdk/python/pulumi_keycloak/get_realm.py b/sdk/python/pulumi_keycloak/get_realm.py
index d60cd62d..6725adeb 100644
--- a/sdk/python/pulumi_keycloak/get_realm.py
+++ b/sdk/python/pulumi_keycloak/get_realm.py
@@ -568,12 +568,10 @@ def get_realm(attributes: Optional[Mapping[str, str]] = None,
 web_authn_policy: Optional[Union['GetRealmWebAuthnPolicyArgs', 'GetRealmWebAuthnPolicyArgsDict']] = None,
 opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetRealmResult:
 """
- ## # Realm data source
-
 This data source can be used to fetch properties of a Keycloak realm for usage with other resources.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -582,19 +580,12 @@ def get_realm(attributes: Optional[Mapping[str, str]] = None,
 realm = keycloak.get_realm(realm="my-realm")
 # use the data source
 group = keycloak.Role("group",
- realm_id=id,
+ realm_id=realm.id,
 name="group")
 ```
- ### Argument Reference
-
- The following arguments are supported:
-
- - `realm` - (Required) The realm name.
-
- ### Attributes Reference
- See the docs for the `Realm` resource for details on the exported attributes.
+ :param str realm: The realm name.
 """
 __args__ = dict()
 __args__['attributes'] = attributes
@@ -682,12 +673,10 @@ def get_realm_output(attributes: Optional[pulumi.Input[Optional[Mapping[str, str
 web_authn_policy: Optional[pulumi.Input[Optional[Union['GetRealmWebAuthnPolicyArgs', 'GetRealmWebAuthnPolicyArgsDict']]]] = None,
 opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetRealmResult]:
 """
- ## # Realm data source
-
 This data source can be used to fetch properties of a Keycloak realm for usage with other resources.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -696,19 +685,12 @@ def get_realm_output(attributes: Optional[pulumi.Input[Optional[Mapping[str, str
 realm = keycloak.get_realm(realm="my-realm")
 # use the data source
 group = keycloak.Role("group",
- realm_id=id,
+ realm_id=realm.id,
 name="group")
 ```
- ### Argument Reference
-
- The following arguments are supported:
-
- - `realm` - (Required) The realm name.
-
- ### Attributes Reference
- See the docs for the `Realm` resource for details on the exported attributes.
+ :param str realm: The realm name.
 """
 __args__ = dict()
 __args__['attributes'] = attributes
diff --git a/sdk/python/pulumi_keycloak/get_realm_keys.py b/sdk/python/pulumi_keycloak/get_realm_keys.py
index 398f7c8e..3f912fb6 100644
--- a/sdk/python/pulumi_keycloak/get_realm_keys.py
+++ b/sdk/python/pulumi_keycloak/get_realm_keys.py
@@ -60,6 +60,9 @@ def id(self) -> str:
 @property
 @pulumi.getter
 def keys(self) -> Sequence['outputs.GetRealmKeysKeyResult']:
+ """
+ (Computed) A list of keys that match the filter criteria. Each key has the following attributes:
+ """
 return pulumi.get(self, "keys")
 @property
@@ -70,6 +73,9 @@ def realm_id(self) -> str:
 @property
 @pulumi.getter
 def statuses(self) -> Optional[Sequence[str]]:
+ """
+ Key status (string)
+ """
 return pulumi.get(self, "statuses")
@@ -91,15 +97,18 @@ def get_realm_keys(algorithms: Optional[Sequence[str]] = None,
 statuses: Optional[Sequence[str]] = None,
 opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetRealmKeysResult:
 """
- ## # get_realm_keys data source
-
 Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status.
 Remarks:
 - A key must meet all filter criteria
- - This datasource may return more than one value.
- - If no key matches the filter criteria, then an error is returned.
+ - This data source may return more than one value.
+ - If no key matches the filter criteria, then an error will be returned.
+
+
+ :param Sequence[str] algorithms: When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc.
+ :param str realm_id: The realm from which the keys will be retrieved.
+ :param Sequence[str] statuses: When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`.
 """
 __args__ = dict()
 __args__['algorithms'] = algorithms
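Review bot: The docstring added to the `statuses` property, `Key status (string)`, describes a single key's status, but the property is typed `Optional[Sequence[str]]` and, per the `get_realm_keys` parameter doc added further down this file, it is the list of status values the result was filtered by. Reusing that wording keeps the two in sync: `When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`.` The `keys` docstring in the preceding hunk has a similar problem: it ends with `Each key has the following attributes:` and nothing follows, so that trailing clause should be dropped or completed. These docstrings appear to be generated from upstream provider docs, so the fix presumably belongs there rather than in this SDK file.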
@@ -119,15 +128,18 @@ def get_realm_keys_output(algorithms: Optional[pulumi.Input[Optional[Sequence[st
 statuses: Optional[pulumi.Input[Optional[Sequence[str]]]] = None,
 opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetRealmKeysResult]:
 """
- ## # get_realm_keys data source
-
 Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status.
 Remarks:
 - A key must meet all filter criteria
- - This datasource may return more than one value.
- - If no key matches the filter criteria, then an error is returned.
+ - This data source may return more than one value.
+ - If no key matches the filter criteria, then an error will be returned.
+
+
+ :param Sequence[str] algorithms: When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc.
+ :param str realm_id: The realm from which the keys will be retrieved.
+ :param Sequence[str] statuses: When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`.
 """
 __args__ = dict()
 __args__['algorithms'] = algorithms
diff --git a/sdk/python/pulumi_keycloak/get_role.py b/sdk/python/pulumi_keycloak/get_role.py
index 71297433..d14822b8 100644
--- a/sdk/python/pulumi_keycloak/get_role.py
+++ b/sdk/python/pulumi_keycloak/get_role.py
@@ -67,6 +67,9 @@ def composite_roles(self) -> Sequence[str]:
 @property
 @pulumi.getter
 def description(self) -> str:
+ """
+ (Computed) The description of the role.
+ """
 return pulumi.get(self, "description")
 @property
@@ -108,10 +111,34 @@ def get_role(client_id: Optional[str] = None,
 realm_id: Optional[str] = None,
 opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetRoleResult:
 """
- ## # Role data source
-
 This data source can be used to fetch properties of a Keycloak role for usage with other resources, such as `GroupRoles`.
+
+ ## Example Usage
+
+ ```python
+ import pulumi
+ import pulumi_keycloak as keycloak
+
+ realm = keycloak.Realm("realm",
+ realm="my-realm",
+ enabled=True)
+ offline_access = keycloak.get_role_output(realm_id=realm.id,
+ name="offline_access")
+ # use the data source
+ group = keycloak.Group("group",
+ realm_id=realm.id,
+ name="group")
+ group_roles = keycloak.GroupRoles("group_roles",
+ realm_id=realm.id,
+ group_id=group.id,
+ role_ids=[offline_access.id])
+ ```
+
+
+ :param str client_id: When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here.
+ :param str name: The name of the role.
+ :param str realm_id: The realm this role exists within.
 """
 __args__ = dict()
 __args__['clientId'] = client_id
@@ -133,10 +160,34 @@ def get_role_output(client_id: Optional[pulumi.Input[Optional[str]]] = None,
 realm_id: Optional[pulumi.Input[str]] = None,
 opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetRoleResult]:
 """
- ## # Role data source
-
 This data source can be used to fetch properties of a Keycloak role for usage with other resources, such as `GroupRoles`.
+
+ ## Example Usage
+
+ ```python
+ import pulumi
+ import pulumi_keycloak as keycloak
+
+ realm = keycloak.Realm("realm",
+ realm="my-realm",
+ enabled=True)
+ offline_access = keycloak.get_role_output(realm_id=realm.id,
+ name="offline_access")
+ # use the data source
+ group = keycloak.Group("group",
+ realm_id=realm.id,
+ name="group")
+ group_roles = keycloak.GroupRoles("group_roles",
+ realm_id=realm.id,
+ group_id=group.id,
+ role_ids=[offline_access.id])
+ ```
+
+
+ :param str client_id: When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here.
+ :param str name: The name of the role.
+ :param str realm_id: The realm this role exists within.
 """
 __args__ = dict()
 __args__['clientId'] = client_id
diff --git a/sdk/python/pulumi_keycloak/group.py b/sdk/python/pulumi_keycloak/group.py
index c5bee381..cb1567a1 100644
--- a/sdk/python/pulumi_keycloak/group.py
+++ b/sdk/python/pulumi_keycloak/group.py
@@ -25,6 +25,10 @@ def __init__(__self__, *,
 parent_id: Optional[pulumi.Input[str]] = None):
 """
 The set of arguments for constructing a Group resource.
+ :param pulumi.Input[str] realm_id: The realm this group exists in.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ :param pulumi.Input[str] name: The name of the group.
+ :param pulumi.Input[str] parent_id: The ID of this group's parent. If omitted, this group will be defined at the root level.
 """
 pulumi.set(__self__, "realm_id", realm_id)
 if attributes is not None:
@@ -37,6 +41,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Input[str]:
+ """
+ The realm this group exists in.
+ """
 return pulumi.get(self, "realm_id")
 @realm_id.setter
@@ -46,6 +53,9 @@ def realm_id(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter
 def attributes(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+ """
+ A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ """
 return pulumi.get(self, "attributes")
 @attributes.setter
@@ -55,6 +65,9 @@ def attributes(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]
 @property
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
+ """
+ The name of the group.
+ """
 return pulumi.get(self, "name")
 @name.setter
@@ -64,6 +77,9 @@ def name(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="parentId")
 def parent_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ The ID of this group's parent. If omitted, this group will be defined at the root level.
+ """
 return pulumi.get(self, "parent_id")
 @parent_id.setter
@@ -81,6 +97,11 @@ def __init__(__self__, *,
 realm_id: Optional[pulumi.Input[str]] = None):
 """
 Input properties used for looking up and filtering Group resources.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ :param pulumi.Input[str] name: The name of the group.
+ :param pulumi.Input[str] parent_id: The ID of this group's parent. If omitted, this group will be defined at the root level.
+ :param pulumi.Input[str] path: (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.
+ :param pulumi.Input[str] realm_id: The realm this group exists in.
 """
 if attributes is not None:
 pulumi.set(__self__, "attributes", attributes)
@@ -96,6 +117,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter
 def attributes(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+ """
+ A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ """
 return pulumi.get(self, "attributes")
 @attributes.setter
@@ -105,6 +129,9 @@ def attributes(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]
 @property
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
+ """
+ The name of the group.
+ """
 return pulumi.get(self, "name")
 @name.setter
@@ -114,6 +141,9 @@ def name(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="parentId")
 def parent_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ The ID of this group's parent. If omitted, this group will be defined at the root level.
+ """
 return pulumi.get(self, "parent_id")
 @parent_id.setter
@@ -123,6 +153,9 @@ def parent_id(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter
 def path(self) -> Optional[pulumi.Input[str]]:
+ """
+ (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.
+ """
 return pulumi.get(self, "path")
 @path.setter
@@ -132,6 +165,9 @@ def path(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ The realm this group exists in.
+ """
 return pulumi.get(self, "realm_id")
 @realm_id.setter
@@ -150,20 +186,17 @@ def __init__(__self__,
 realm_id: Optional[pulumi.Input[str]] = None,
 __props__=None):
 """
- ## # Group
-
 Allows for creating and managing Groups within Keycloak.
- Groups provide a logical wrapping for users within Keycloak. Users within a
- group can share attributes and roles, and group membership can be mapped
- to a claim.
+ Groups provide a logical wrapping for users within Keycloak. Users within a group can share attributes and roles, and
+ group membership can be mapped to a claim.
 Attributes can also be defined on Groups.
- Groups can also be federated from external data sources, such as LDAP or Active Directory.
- This resource **should not** be used to manage groups that were created this way.
+ Groups can also be federated from external data sources, such as LDAP or Active Directory. This resource **should not**
+ be used to manage groups that were created this way.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -184,35 +217,31 @@ def __init__(__self__,
 parent_id=parent_group.id,
 name="child-group-with-optional-attributes",
 attributes={
- "key1": "value1",
- "key2": "value2",
+ "foo": "bar",
+ "multivalue": "value1##value2",
 })
 ```
- ### Argument Reference
-
- The following arguments are supported:
-
- - `realm_id` - (Required) The realm this group exists in.
- - `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level.
- - `name` - (Required) The name of the group.
- - `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group.
-
- ### Attributes Reference
-
- In addition to the arguments listed above, the following computed attributes are exported:
-
- - `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.
-
- ### Import
+ ## Import
 Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak
+ assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID.
 Example:
+ bash
+
+ ```sh
+ $ pulumi import keycloak:index/group:Group child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd
+ ```
+
 :param str resource_name: The name of the resource.
 :param pulumi.ResourceOptions opts: Options for the resource.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ :param pulumi.Input[str] name: The name of the group.
+ :param pulumi.Input[str] parent_id: The ID of this group's parent. If omitted, this group will be defined at the root level.
+ :param pulumi.Input[str] realm_id: The realm this group exists in.
 """
 ...
 @overload
@@ -221,20 +250,17 @@ def __init__(__self__,
 args: GroupArgs,
 opts: Optional[pulumi.ResourceOptions] = None):
 """
- ## # Group
-
 Allows for creating and managing Groups within Keycloak.
- Groups provide a logical wrapping for users within Keycloak. Users within a
- group can share attributes and roles, and group membership can be mapped
- to a claim.
+ Groups provide a logical wrapping for users within Keycloak. Users within a group can share attributes and roles, and
+ group membership can be mapped to a claim.
 Attributes can also be defined on Groups.
- Groups can also be federated from external data sources, such as LDAP or Active Directory.
- This resource **should not** be used to manage groups that were created this way.
+ Groups can also be federated from external data sources, such as LDAP or Active Directory. This resource **should not**
+ be used to manage groups that were created this way.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
@@ -255,33 +281,25 @@ def __init__(__self__,
 parent_id=parent_group.id,
 name="child-group-with-optional-attributes",
 attributes={
- "key1": "value1",
- "key2": "value2",
+ "foo": "bar",
+ "multivalue": "value1##value2",
 })
 ```
- ### Argument Reference
-
- The following arguments are supported:
-
- - `realm_id` - (Required) The realm this group exists in.
- - `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level.
- - `name` - (Required) The name of the group.
- - `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group.
-
- ### Attributes Reference
-
- In addition to the arguments listed above, the following computed attributes are exported:
-
- - `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.
-
- ### Import
+ ## Import
 Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak
+ assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID.
 Example:
+ bash
+
+ ```sh
+ $ pulumi import keycloak:index/group:Group child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd
+ ```
+
 :param str resource_name: The name of the resource.
 :param GroupArgs args: The arguments to use to populate this resource's properties.
 :param pulumi.ResourceOptions opts: Options for the resource.
@@ -339,6 +357,11 @@ def get(resource_name: str,
 :param str resource_name: The unique name of the resulting resource.
 :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
 :param pulumi.ResourceOptions opts: Options for the resource.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ :param pulumi.Input[str] name: The name of the group.
+ :param pulumi.Input[str] parent_id: The ID of this group's parent. If omitted, this group will be defined at the root level.
+ :param pulumi.Input[str] path: (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.
+ :param pulumi.Input[str] realm_id: The realm this group exists in.
 """
 opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -354,25 +377,40 @@ def get(resource_name: str,
 @property
 @pulumi.getter
 def attributes(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
+ """
+ A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ """
 return pulumi.get(self, "attributes")
 @property
 @pulumi.getter
 def name(self) -> pulumi.Output[str]:
+ """
+ The name of the group.
+ """
 return pulumi.get(self, "name")
 @property
 @pulumi.getter(name="parentId")
 def parent_id(self) -> pulumi.Output[Optional[str]]:
+ """
+ The ID of this group's parent. If omitted, this group will be defined at the root level.
+ """
 return pulumi.get(self, "parent_id")
 @property
 @pulumi.getter
 def path(self) -> pulumi.Output[str]:
+ """
+ (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.
+ """
 return pulumi.get(self, "path")
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Output[str]:
+ """
+ The realm this group exists in.
+ """
 return pulumi.get(self, "realm_id")
diff --git a/sdk/python/pulumi_keycloak/group_memberships.py b/sdk/python/pulumi_keycloak/group_memberships.py
index 0e226bbb..2e954b4c 100644
--- a/sdk/python/pulumi_keycloak/group_memberships.py
+++ b/sdk/python/pulumi_keycloak/group_memberships.py
@@ -24,6 +24,9 @@ def __init__(__self__, *,
 group_id: Optional[pulumi.Input[str]] = None):
 """
 The set of arguments for constructing a GroupMemberships resource.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A list of usernames that belong to this group.
+ :param pulumi.Input[str] realm_id: The realm this group exists in.
+ :param pulumi.Input[str] group_id: The ID of the group this resource should manage memberships for.
 """
 pulumi.set(__self__, "members", members)
 pulumi.set(__self__, "realm_id", realm_id)
@@ -33,6 +36,9 @@ def __init__(__self__, *, @property @pulumi.getter def members(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]: + """ + A list of usernames that belong to this group. + """ return pulumi.get(self, "members") @members.setter @@ -42,6 +48,9 @@ def members(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]): @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: + """ + The realm this group exists in. + """ return pulumi.get(self, "realm_id") @realm_id.setter @@ -51,6 +60,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="groupId") def group_id(self) -> Optional[pulumi.Input[str]]: + """ + The ID of the group this resource should manage memberships for. + """ return pulumi.get(self, "group_id") @group_id.setter @@ -66,6 +78,9 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering GroupMemberships resources. + :param pulumi.Input[str] group_id: The ID of the group this resource should manage memberships for. + :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A list of usernames that belong to this group. + :param pulumi.Input[str] realm_id: The realm this group exists in. """ if group_id is not None: pulumi.set(__self__, "group_id", group_id) @@ -77,6 +92,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="groupId") def group_id(self) -> Optional[pulumi.Input[str]]: + """ + The ID of the group this resource should manage memberships for. + """ return pulumi.get(self, "group_id") @group_id.setter @@ -86,6 +104,9 @@ def group_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def members(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of usernames that belong to this group. + """ return pulumi.get(self, "members") @members.setter 
@@ -95,6 +116,9 @@ def members(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): @property @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: + """ + The realm this group exists in. + """ return pulumi.get(self, "realm_id") @realm_id.setter @@ -112,23 +136,23 @@ def __init__(__self__, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # GroupMemberships - Allows for managing a Keycloak group's members. - Note that this resource attempts to be an **authoritative** source over group members. - When this resource takes control over a group's members, users that are manually added - to the group will be removed, and users that are manually removed from the group will - be added upon the next run of `pulumi up`. Eventually, a non-authoritative resource - for group membership will be added to this provider. + Note that this resource attempts to be an **authoritative** source over group members. When this resource takes control + over a group's members, users that are manually added to the group will be removed, and users that are manually removed + from the group will be added upon the next run of `pulumi up`. - Also note that you should not use `GroupMemberships` with a group has been assigned - as a default group via `DefaultGroups`. + Also note that you should not use `GroupMemberships` with a group has been assigned as a default group via + `DefaultGroups`. - This resource **should not** be used to control membership of a group that has its members - federated from an external source via group mapping. + This resource **should not** be used to control membership of a group that has its members federated from an external + source via group mapping. - ### Example Usage + To non-exclusively manage the group's of a user, see the [`UserGroups` resource][1] + + This resource paginates its data loading on refresh by 50 items. + + ## Example Usage ```python import pulumi 
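Review bot: Two of the rewrapped `+` lines in the `GroupMemberships.__init__` docstring read wrongly: `To non-exclusively manage the group's of a user` should be `To non-exclusively manage the groups of a user`, and `with a group has been assigned as a default group` is missing "that" (`with a group that has been assigned`). Both sentences are repeated verbatim in the second `__init__` overload's hunk on L3803. The docstring continues past the end of this hunk.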
@@ -149,21 +173,19 @@ def __init__(__self__, members=[user.username]) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this group exists in. - - `group_id` - (Required) The ID of the group this resource should manage memberships for. - - `members` - (Required) An array of usernames that belong to this group. - - ### Import + ## Import This resource does not support import. Instead of importing, feel free to create this resource + as if it did not already exist on the server. + [1]: providers/mrparkers/keycloak/latest/docs/resources/group_memberships + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] group_id: The ID of the group this resource should manage memberships for. + :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A list of usernames that belong to this group. + :param pulumi.Input[str] realm_id: The realm this group exists in. """ ... @overload 
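Review bot: The added link definition `[1]: providers/mrparkers/keycloak/latest/docs/resources/group_memberships` is the target of the "see the [`UserGroups` resource][1]" sentence earlier in this docstring, yet it names this resource's own page rather than a UserGroups page; presumably the intended target is the user-groups resource documentation, which should be confirmed against the provider docs. Separately, the removed Argument Reference stated that `group_id` is required, while the new `:param pulumi.Input[str] group_id:` line carries no requiredness and the `__init__` signature defaults it to `None`, so a reader now has no way to tell that the provider presumably rejects a missing value; consider keeping "(Required)" in the param text. The same two points apply to the second overload's hunk on L3804. The enclosing `__init__` starts before this hunk.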
@@ -172,23 +194,23 @@ def __init__(__self__, args: GroupMembershipsArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # GroupMemberships - Allows for managing a Keycloak group's members. - Note that this resource attempts to be an **authoritative** source over group members. - When this resource takes control over a group's members, users that are manually added - to the group will be removed, and users that are manually removed from the group will - be added upon the next run of `pulumi up`. Eventually, a non-authoritative resource - for group membership will be added to this provider. + Note that this resource attempts to be an **authoritative** source over group members. When this resource takes control + over a group's members, users that are manually added to the group will be removed, and users that are manually removed + from the group will be added upon the next run of `pulumi up`. + + Also note that you should not use `GroupMemberships` with a group has been assigned as a default group via + `DefaultGroups`. - Also note that you should not use `GroupMemberships` with a group has been assigned - as a default group via `DefaultGroups`. + This resource **should not** be used to control membership of a group that has its members federated from an external + source via group mapping. - This resource **should not** be used to control membership of a group that has its members - federated from an external source via group mapping. + To non-exclusively manage the group's of a user, see the [`UserGroups` resource][1] - ### Example Usage + This resource paginates its data loading on refresh by 50 items. + + ## Example Usage ```python import pulumi 
@@ -209,19 +231,14 @@ def __init__(__self__, members=[user.username]) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this group exists in. - - `group_id` - (Required) The ID of the group this resource should manage memberships for. - - `members` - (Required) An array of usernames that belong to this group. - - ### Import + ## Import This resource does not support import. Instead of importing, feel free to create this resource + as if it did not already exist on the server. + [1]: providers/mrparkers/keycloak/latest/docs/resources/group_memberships + :param str resource_name: The name of the resource. :param GroupMembershipsArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. @@ -276,6 +293,9 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] group_id: The ID of the group this resource should manage memberships for. + :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A list of usernames that belong to this group. + :param pulumi.Input[str] realm_id: The realm this group exists in. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
@@ -289,15 +309,24 @@ def get(resource_name: str, @property @pulumi.getter(name="groupId") def group_id(self) -> pulumi.Output[Optional[str]]: + """ + The ID of the group this resource should manage memberships for. + """ return pulumi.get(self, "group_id") @property @pulumi.getter def members(self) -> pulumi.Output[Sequence[str]]: + """ + A list of usernames that belong to this group. + """ return pulumi.get(self, "members") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The realm this group exists in. + """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/group_roles.py b/sdk/python/pulumi_keycloak/group_roles.py index d970616d..f705b4af 100644 --- a/sdk/python/pulumi_keycloak/group_roles.py +++ b/sdk/python/pulumi_keycloak/group_roles.py @@ -25,6 +25,10 @@ def __init__(__self__, *, exhaustive: Optional[pulumi.Input[bool]] = None): """ The set of arguments for constructing a GroupRoles resource. + :param pulumi.Input[str] group_id: The ID of the group this resource should manage roles for. + :param pulumi.Input[str] realm_id: The realm this group exists in. + :param pulumi.Input[Sequence[pulumi.Input[str]]] role_ids: A list of role IDs to map to the group. + :param pulumi.Input[bool] exhaustive: Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. """ pulumi.set(__self__, "group_id", group_id) pulumi.set(__self__, "realm_id", realm_id) @@ -35,6 +39,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="groupId") def group_id(self) -> pulumi.Input[str]: + """ + The ID of the group this resource should manage roles for. + """ return pulumi.get(self, "group_id") @group_id.setter 
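Review bot: The new `exhaustive` docstring in `GroupRolesArgs.__init__` only describes the `true` case, so it does not tell a reader that with `false` roles assigned outside of this resource are left in place and will not show up as drift; the `GroupRoles.__init__` docstring later in this file (L3808) does spell that out. Suggested text: `Indicates if the list of roles is exhaustive. When `true`, roles manually added to the group will be removed; when `false`, roles not listed here are left untouched and several `GroupRoles` resources may target the same group. Defaults to `true`.` The same one-sided wording is repeated for the `exhaustive` property and state-args docs on L3806 and L3807, the `__init__` param lists on L3810 and L3813, and the `get`/property docs on L3813. The enclosing method starts before this hunk.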
@@ -44,6 +51,9 @@ def group_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: + """ + The realm this group exists in. + """ return pulumi.get(self, "realm_id") @realm_id.setter @@ -53,6 +63,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="roleIds") def role_ids(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]: + """ + A list of role IDs to map to the group. + """ return pulumi.get(self, "role_ids") @role_ids.setter @@ -62,6 +75,9 @@ def role_ids(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]): @property @pulumi.getter def exhaustive(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + """ return pulumi.get(self, "exhaustive") @exhaustive.setter @@ -78,6 +94,10 @@ def __init__(__self__, *, role_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None): """ Input properties used for looking up and filtering GroupRoles resources. + :param pulumi.Input[bool] exhaustive: Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + :param pulumi.Input[str] group_id: The ID of the group this resource should manage roles for. + :param pulumi.Input[str] realm_id: The realm this group exists in. + :param pulumi.Input[Sequence[pulumi.Input[str]]] role_ids: A list of role IDs to map to the group. """ if exhaustive is not None: pulumi.set(__self__, "exhaustive", exhaustive) @@ -91,6 +111,9 @@ def __init__(__self__, *, @property @pulumi.getter def exhaustive(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + """ return pulumi.get(self, "exhaustive") @exhaustive.setter 
@@ -100,6 +123,9 @@ def exhaustive(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="groupId") def group_id(self) -> Optional[pulumi.Input[str]]: + """ + The ID of the group this resource should manage roles for. + """ return pulumi.get(self, "group_id") @group_id.setter @@ -109,6 +135,9 @@ def group_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: + """ + The realm this group exists in. + """ return pulumi.get(self, "realm_id") @realm_id.setter @@ -118,6 +147,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="roleIds") def role_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of role IDs to map to the group. + """ return pulumi.get(self, "role_ids") @role_ids.setter 
@@ -136,21 +168,18 @@ def __init__(__self__, role_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, __props__=None): """ - ## # GroupRoles - Allows you to manage roles assigned to a Keycloak group. - Note that this resource attempts to be an **authoritative** source over - group roles. When this resource takes control over a group's roles, - roles that are manually added to the group will be removed, and roles - that are manually removed from the group will be added upon the next run - of `pulumi up`. + If `exhaustive` is true, this resource attempts to be an **authoritative** source over group roles: roles that are manually added to the group will be removed, and roles that are manually removed from the + group will be added upon the next run of `pulumi up`. + If `exhaustive` is false, this resource is a partial assignation of roles to a group. As a result, you can get multiple `GroupRoles` for the same `group_id`. + + Note that when assigning composite roles to a group, you may see a non-empty plan following a `pulumi up` if you + assign a role and a composite that includes that role to the same group. - Note that when assigning composite roles to a group, you may see a - non-empty plan following a `pulumi up` if you assign a role and a - composite that includes that role to the same group. + ## Example Usage - ### Example Usage + ### Exhaustive Roles) ```python import pulumi 
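Review bot: The new subsection heading `### Exhaustive Roles)` has a stray closing parenthesis, and the matching `### Non Exhaustive Roles)` heading in the next hunk has the same defect; both should read without the `)`. In the same hunk, `this resource is a partial assignation of roles to a group` would be clearer as `a partial assignment of roles to a group`. The identical text is added again for the second `__init__` overload on L3811. The docstring continues past the end of this hunk.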
@@ -186,26 +215,67 @@ def __init__(__self__, ]) ``` - ### Argument Reference + ### Non Exhaustive Roles) + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + realm_role = keycloak.Role("realm_role", + realm_id=realm.id, + name="my-realm-role", + description="My Realm Role") + client = keycloak.openid.Client("client", + realm_id=realm.id, + client_id="client", + name="client", + enabled=True, + access_type="BEARER-ONLY") + client_role = keycloak.Role("client_role", + realm_id=realm.id, + client_id=client_keycloak_client["id"], + name="my-client-role", + description="My Client Role") + group = keycloak.Group("group", + realm_id=realm.id, + name="my-group") + group_role_association1 = keycloak.GroupRoles("group_role_association1", + realm_id=realm.id, + group_id=group.id, + exhaustive=False, + role_ids=[realm_role.id]) + group_role_association2 = keycloak.GroupRoles("group_role_association2", + realm_id=realm.id, + group_id=group.id, + exhaustive=False, + role_ids=[client_role.id]) + ``` - The following arguments are supported: + ## Import - - `realm_id` - (Required) The realm this group exists in. - - `group_id` - (Required) The ID of the group this resource should - manage roles for. - - `role_ids` - (Required) A list of role IDs to map to the group + This resource can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak - ### Import + assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically - This resource can be imported using the format - `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that - Keycloak assigns to the group upon creation. This value can be found in - the URI when editing this group in the GUI, and is typically a GUID. + a GUID. 
Example: + bash + + ```sh + $ pulumi import keycloak:index/groupRoles:GroupRoles group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[bool] exhaustive: Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + :param pulumi.Input[str] group_id: The ID of the group this resource should manage roles for. + :param pulumi.Input[str] realm_id: The realm this group exists in. + :param pulumi.Input[Sequence[pulumi.Input[str]]] role_ids: A list of role IDs to map to the group. """ ... @overload 
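Review bot: The "Non Exhaustive Roles" example added here references `client_keycloak_client["id"]` when building `client_role`, a name that is defined nowhere in the snippet; the `client` resource created a few lines earlier is presumably what is meant, so the line should read `client_id=client.id,`. The rewritten Import section is also broken into three separate paragraphs by blank `+` lines (`... unique ID that Keycloak` / `assigns to the group ...` / `a GUID.`), and a bare `bash` line precedes the ```` ```sh ```` fence, which will render as a stray word. Both problems recur in the second overload's hunk on L3812–L3813, and the stray `bash` line also appears in the FullNameMapper import section on L3821. This hunk begins on the previous line (L3809).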
@@ -214,21 +284,18 @@ def __init__(__self__, args: GroupRolesArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # GroupRoles - Allows you to manage roles assigned to a Keycloak group. - Note that this resource attempts to be an **authoritative** source over - group roles. When this resource takes control over a group's roles, - roles that are manually added to the group will be removed, and roles - that are manually removed from the group will be added upon the next run - of `pulumi up`. + If `exhaustive` is true, this resource attempts to be an **authoritative** source over group roles: roles that are manually added to the group will be removed, and roles that are manually removed from the + group will be added upon the next run of `pulumi up`. + If `exhaustive` is false, this resource is a partial assignation of roles to a group. As a result, you can get multiple `GroupRoles` for the same `group_id`. + + Note that when assigning composite roles to a group, you may see a non-empty plan following a `pulumi up` if you + assign a role and a composite that includes that role to the same group. - Note that when assigning composite roles to a group, you may see a - non-empty plan following a `pulumi up` if you assign a role and a - composite that includes that role to the same group. + ## Example Usage - ### Example Usage + ### Exhaustive Roles) ```python import pulumi 
@@ -264,24 +331,61 @@ def __init__(__self__, ]) ``` - ### Argument Reference + ### Non Exhaustive Roles) + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + realm_role = keycloak.Role("realm_role", + realm_id=realm.id, + name="my-realm-role", + description="My Realm Role") + client = keycloak.openid.Client("client", + realm_id=realm.id, + client_id="client", + name="client", + enabled=True, + access_type="BEARER-ONLY") + client_role = keycloak.Role("client_role", + realm_id=realm.id, + client_id=client_keycloak_client["id"], + name="my-client-role", + description="My Client Role") + group = keycloak.Group("group", + realm_id=realm.id, + name="my-group") + group_role_association1 = keycloak.GroupRoles("group_role_association1", + realm_id=realm.id, + group_id=group.id, + exhaustive=False, + role_ids=[realm_role.id]) + group_role_association2 = keycloak.GroupRoles("group_role_association2", + realm_id=realm.id, + group_id=group.id, + exhaustive=False, + role_ids=[client_role.id]) + ``` - The following arguments are supported: + ## Import - - `realm_id` - (Required) The realm this group exists in. - - `group_id` - (Required) The ID of the group this resource should - manage roles for. - - `role_ids` - (Required) A list of role IDs to map to the group + This resource can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak - ### Import + assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically - This resource can be imported using the format - `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that - Keycloak assigns to the group upon creation. This value can be found in - the URI when editing this group in the GUI, and is typically a GUID. + a GUID. 
Example: + bash + + ```sh + $ pulumi import keycloak:index/groupRoles:GroupRoles group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94 + ``` + :param str resource_name: The name of the resource. :param GroupRolesArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. @@ -341,6 +445,10 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[bool] exhaustive: Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + :param pulumi.Input[str] group_id: The ID of the group this resource should manage roles for. + :param pulumi.Input[str] realm_id: The realm this group exists in. + :param pulumi.Input[Sequence[pulumi.Input[str]]] role_ids: A list of role IDs to map to the group. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -355,20 +463,32 @@ def get(resource_name: str, @property @pulumi.getter def exhaustive(self) -> pulumi.Output[Optional[bool]]: + """ + Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the group will be removed. Defaults to `true`. + """ return pulumi.get(self, "exhaustive") @property @pulumi.getter(name="groupId") def group_id(self) -> pulumi.Output[str]: + """ + The ID of the group this resource should manage roles for. + """ return pulumi.get(self, "group_id") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The realm this group exists in. + """ return pulumi.get(self, "realm_id") @property @pulumi.getter(name="roleIds") def role_ids(self) -> pulumi.Output[Sequence[str]]: + """ + A list of role IDs to map to the group. + """ return pulumi.get(self, "role_ids") 
diff --git a/sdk/python/pulumi_keycloak/ldap/_inputs.py b/sdk/python/pulumi_keycloak/ldap/_inputs.py index 67b0463b..82951413 100644 --- a/sdk/python/pulumi_keycloak/ldap/_inputs.py +++ b/sdk/python/pulumi_keycloak/ldap/_inputs.py @@ -27,7 +27,7 @@ class UserFederationCacheArgsDict(TypedDict): eviction_day: NotRequired[pulumi.Input[int]] """ - Day of the week the entry will become invalid on. + Day of the week the entry will become invalid on """ eviction_hour: NotRequired[pulumi.Input[int]] """ @@ -42,6 +42,9 @@ class UserFederationCacheArgsDict(TypedDict): Max lifespan of cache entry (duration string). """ policy: NotRequired[pulumi.Input[str]] + """ + Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + """ elif False: UserFederationCacheArgsDict: TypeAlias = Mapping[str, Any] @@ -54,10 +57,11 @@ def __init__(__self__, *, max_lifespan: Optional[pulumi.Input[str]] = None, policy: Optional[pulumi.Input[str]] = None): """ - :param pulumi.Input[int] eviction_day: Day of the week the entry will become invalid on. + :param pulumi.Input[int] eviction_day: Day of the week the entry will become invalid on :param pulumi.Input[int] eviction_hour: Hour of day the entry will become invalid on. :param pulumi.Input[int] eviction_minute: Minute of day the entry will become invalid on. :param pulumi.Input[str] max_lifespan: Max lifespan of cache entry (duration string). + :param pulumi.Input[str] policy: Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. """ if eviction_day is not None: pulumi.set(__self__, "eviction_day", eviction_day) @@ -74,7 +78,7 @@ def __init__(__self__, *, @pulumi.getter(name="evictionDay") def eviction_day(self) -> Optional[pulumi.Input[int]]: """ - Day of the week the entry will become invalid on. + Day of the week the entry will become invalid on """ return pulumi.get(self, "eviction_day") 
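Review bot: The first hunk of `_inputs.py` drops the trailing period from `Day of the week the entry will become invalid on`, which now differs from the neighbouring `eviction_hour` and `eviction_minute` docs in the same `UserFederationCacheArgsDict` that keep theirs; the same edit is applied to the `:param` line and the property docstring further down this line. As this is generated code the inconsistency presumably comes from the upstream schema text, and is best corrected there.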
@@ -121,6 +125,9 @@ def max_lifespan(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def policy(self) -> Optional[pulumi.Input[str]]: + """ + Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + """ return pulumi.get(self, "policy") @policy.setter @@ -132,7 +139,7 @@ def policy(self, value: Optional[pulumi.Input[str]]): class UserFederationKerberosArgsDict(TypedDict): kerberos_realm: pulumi.Input[str] """ - The name of the kerberos realm, e.g. FOO.LOCAL + The name of the kerberos realm, e.g. FOO.LOCAL. """ key_tab: pulumi.Input[str] """ @@ -157,7 +164,7 @@ def __init__(__self__, *, server_principal: pulumi.Input[str], use_kerberos_for_password_authentication: Optional[pulumi.Input[bool]] = None): """ - :param pulumi.Input[str] kerberos_realm: The name of the kerberos realm, e.g. FOO.LOCAL + :param pulumi.Input[str] kerberos_realm: The name of the kerberos realm, e.g. FOO.LOCAL. :param pulumi.Input[str] key_tab: Path to the kerberos keytab file on the server with credentials of the service principal. :param pulumi.Input[str] server_principal: The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'. :param pulumi.Input[bool] use_kerberos_for_password_authentication: Use kerberos login module instead of ldap service api. Defaults to `false`. @@ -172,7 +179,7 @@ def __init__(__self__, *, @pulumi.getter(name="kerberosRealm") def kerberos_realm(self) -> pulumi.Input[str]: """ - The name of the kerberos realm, e.g. FOO.LOCAL + The name of the kerberos realm, e.g. FOO.LOCAL. """ return pulumi.get(self, "kerberos_realm") diff --git a/sdk/python/pulumi_keycloak/ldap/full_name_mapper.py b/sdk/python/pulumi_keycloak/ldap/full_name_mapper.py index 63d82f2b..3ef9f918 100644 --- a/sdk/python/pulumi_keycloak/ldap/full_name_mapper.py +++ b/sdk/python/pulumi_keycloak/ldap/full_name_mapper.py 
@@ -27,9 +27,12 @@ def __init__(__self__, *, write_only: Optional[pulumi.Input[bool]] = None): """ The set of arguments for constructing a FullNameMapper resource. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. + :param pulumi.Input[str] ldap_full_name_attribute: The name of the LDAP attribute containing the user's full name. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[bool] read_only: When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + :param pulumi.Input[bool] write_only: When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. """ pulumi.set(__self__, "ldap_full_name_attribute", ldap_full_name_attribute) pulumi.set(__self__, "ldap_user_federation_id", ldap_user_federation_id) @@ -44,6 +47,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="ldapFullNameAttribute") def ldap_full_name_attribute(self) -> pulumi.Input[str]: + """ + The name of the LDAP attribute containing the user's full name. + """ return pulumi.get(self, "ldap_full_name_attribute") @ldap_full_name_attribute.setter @@ -54,7 +60,7 @@ def ldap_full_name_attribute(self, value: pulumi.Input[str]): @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Input[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") 
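Review bot: The new `read_only` and `write_only` docs in `FullNameMapperArgs.__init__` describe each flag in isolation but say nothing about their interaction, even though the two read as mutually exclusive (one suppresses writes to LDAP, the other restricts the mapper to writes); if the provider rejects both being `true`, the docstrings should say so, and if it does not, which flag wins should be stated — to be confirmed against the provider. The same pair of docstrings is repeated for the properties and the state args on L3817–L3819. The enclosing `__init__` starts before this hunk.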
@@ -66,7 +72,7 @@ def ldap_user_federation_id(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @@ -78,7 +84,7 @@ def realm_id(self, value: pulumi.Input[str]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -89,6 +95,9 @@ def name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="readOnly") def read_only(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + """ return pulumi.get(self, "read_only") @read_only.setter @@ -98,6 +107,9 @@ def read_only(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="writeOnly") def write_only(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + """ return pulumi.get(self, "write_only") @write_only.setter 
@@ -116,9 +128,12 @@ def __init__(__self__, *, write_only: Optional[pulumi.Input[bool]] = None): """ Input properties used for looking up and filtering FullNameMapper resources. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. + :param pulumi.Input[str] ldap_full_name_attribute: The name of the LDAP attribute containing the user's full name. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[bool] read_only: When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[bool] write_only: When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. """ if ldap_full_name_attribute is not None: pulumi.set(__self__, "ldap_full_name_attribute", ldap_full_name_attribute) @@ -136,6 +151,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="ldapFullNameAttribute") def ldap_full_name_attribute(self) -> Optional[pulumi.Input[str]]: + """ + The name of the LDAP attribute containing the user's full name. + """ return pulumi.get(self, "ldap_full_name_attribute") @ldap_full_name_attribute.setter 
@@ -146,7 +164,7 @@ def ldap_full_name_attribute(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> Optional[pulumi.Input[str]]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -158,7 +176,7 @@ def ldap_user_federation_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -169,6 +187,9 @@ def name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="readOnly") def read_only(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. + """ return pulumi.get(self, "read_only") @read_only.setter @@ -179,7 +200,7 @@ def read_only(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @@ -190,6 +211,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="writeOnly") def write_only(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. + """ return pulumi.get(self, "write_only") @write_only.setter 
@@ -210,22 +234,19 @@ def __init__(__self__,
 write_only: Optional[pulumi.Input[bool]] = None,
 __props__=None):
 """
- ## # ldap.FullNameMapper
-
- Allows for creating and managing full name mappers for Keycloak users federated
- via LDAP.
+ Allows for creating and managing full name mappers for Keycloak users federated via LDAP.
- The LDAP full name mapper can map a user's full name from an LDAP attribute
- to the first and last name attributes of a Keycloak user.
+ The LDAP full name mapper can map a user's full name from an LDAP attribute to the first and last name attributes of a
+ Keycloak user.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
 import pulumi_keycloak as keycloak
 realm = keycloak.Realm("realm",
- realm="test",
+ realm="my-realm",
 enabled=True)
 ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
 name="openldap",
@@ -248,28 +269,28 @@ def __init__(__self__,
 ldap_full_name_attribute="cn")
 ```
- ### Argument Reference
+ ## Import
+
+ LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
- The following arguments are supported:
+ The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
- - `realm_id` - (Required) The realm that this LDAP mapper will exist in.
- - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
- - `name` - (Required) Display name of this mapper when displayed in the console.
- - `ldap_full_name_attribute` - (Required) The name of the LDAP attribute containing the user's full name.
- - `read_only` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
- - `write_only` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
+ Example:
- ### Import
+ bash
- LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
- The ID of the LDAP user federation provider and the mapper can be found within
- the Keycloak GUI, and they are typically GUIDs:
+ ```sh
+ $ pulumi import keycloak:ldap/fullNameMapper:FullNameMapper ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+ ```
 :param str resource_name: The name of the resource.
 :param pulumi.ResourceOptions opts: Options for the resource.
- :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to.
- :param pulumi.Input[str] name: Display name of the mapper when displayed in the console.
- :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists.
+ :param pulumi.Input[str] ldap_full_name_attribute: The name of the LDAP attribute containing the user's full name.
+ :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to.
+ :param pulumi.Input[str] name: Display name of this mapper when displayed in the console.
+ :param pulumi.Input[bool] read_only: When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
+ :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in.
+ :param pulumi.Input[bool] write_only: When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
 """
 ...
 @overload
@@ -278,22 +299,19 @@ def __init__(__self__,
 args: FullNameMapperArgs,
 opts: Optional[pulumi.ResourceOptions] = None):
 """
- ## # ldap.FullNameMapper
-
- Allows for creating and managing full name mappers for Keycloak users federated
- via LDAP.
+ Allows for creating and managing full name mappers for Keycloak users federated via LDAP.
- The LDAP full name mapper can map a user's full name from an LDAP attribute
- to the first and last name attributes of a Keycloak user.
+ The LDAP full name mapper can map a user's full name from an LDAP attribute to the first and last name attributes of a
+ Keycloak user.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
 import pulumi_keycloak as keycloak
 realm = keycloak.Realm("realm",
- realm="test",
+ realm="my-realm",
 enabled=True)
 ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
 name="openldap",
@@ -316,22 +334,19 @@ def __init__(__self__,
 ldap_full_name_attribute="cn")
 ```
- ### Argument Reference
+ ## Import
- The following arguments are supported:
+ LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
- - `realm_id` - (Required) The realm that this LDAP mapper will exist in.
- - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
- - `name` - (Required) Display name of this mapper when displayed in the console.
- - `ldap_full_name_attribute` - (Required) The name of the LDAP attribute containing the user's full name.
- - `read_only` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
- - `write_only` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
+ The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
- ### Import
+ Example:
- LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
- The ID of the LDAP user federation provider and the mapper can be found within
- the Keycloak GUI, and they are typically GUIDs:
+ bash
+
+ ```sh
+ $ pulumi import keycloak:ldap/fullNameMapper:FullNameMapper ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+ ```
 :param str resource_name: The name of the resource.
 :param FullNameMapperArgs args: The arguments to use to populate this resource's properties.
@@ -398,9 +413,12 @@ def get(resource_name: str,
 :param str resource_name: The unique name of the resulting resource.
 :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
 :param pulumi.ResourceOptions opts: Options for the resource.
- :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to.
- :param pulumi.Input[str] name: Display name of the mapper when displayed in the console.
- :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists.
+ :param pulumi.Input[str] ldap_full_name_attribute: The name of the LDAP attribute containing the user's full name.
+ :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to.
+ :param pulumi.Input[str] name: Display name of this mapper when displayed in the console.
+ :param pulumi.Input[bool] read_only: When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
+ :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in.
+ :param pulumi.Input[bool] write_only: When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
 """
 opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -417,13 +435,16 @@ def get(resource_name: str,
 @property
 @pulumi.getter(name="ldapFullNameAttribute")
 def ldap_full_name_attribute(self) -> pulumi.Output[str]:
+ """
+ The name of the LDAP attribute containing the user's full name.
+ """
 return pulumi.get(self, "ldap_full_name_attribute")
 @property
 @pulumi.getter(name="ldapUserFederationId")
 def ldap_user_federation_id(self) -> pulumi.Output[str]:
 """
- The ldap user federation provider to attach this mapper to.
+ The ID of the LDAP user federation provider to attach this mapper to.
 """
 return pulumi.get(self, "ldap_user_federation_id")
@@ -431,25 +452,31 @@ def ldap_user_federation_id(self) -> pulumi.Output[str]:
 @pulumi.getter
 def name(self) -> pulumi.Output[str]:
 """
- Display name of the mapper when displayed in the console.
+ Display name of this mapper when displayed in the console.
 """
 return pulumi.get(self, "name")
 @property
 @pulumi.getter(name="readOnly")
 def read_only(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
+ """
 return pulumi.get(self, "read_only")
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Output[str]:
 """
- The realm in which the ldap user federation provider exists.
+ The realm that this LDAP mapper will exist in.
 """
 return pulumi.get(self, "realm_id")
 @property
 @pulumi.getter(name="writeOnly")
 def write_only(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
+ """
 return pulumi.get(self, "write_only")
diff --git a/sdk/python/pulumi_keycloak/ldap/group_mapper.py b/sdk/python/pulumi_keycloak/ldap/group_mapper.py
index 5e8bb375..33ba7b2c 100644
--- a/sdk/python/pulumi_keycloak/ldap/group_mapper.py
+++ b/sdk/python/pulumi_keycloak/ldap/group_mapper.py
@@ -39,9 +39,24 @@ def __init__(__self__, *,
 user_roles_retrieve_strategy: Optional[pulumi.Input[str]] = None):
 """
 The set of arguments for constructing a GroupMapper resource.
- :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to.
- :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists.
- :param pulumi.Input[str] name: Display name of the mapper when displayed in the console.
+ :param pulumi.Input[str] group_name_ldap_attribute: The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] group_object_classes: List of strings representing the object classes for the group. Must contain at least one.
+ :param pulumi.Input[str] ldap_groups_dn: The LDAP DN where groups can be found.
+ :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to.
+ :param pulumi.Input[str] membership_ldap_attribute: The name of the LDAP attribute that is used for membership mappings.
+ :param pulumi.Input[str] membership_user_ldap_attribute: The name of the LDAP attribute on a user that is used for membership mappings.
+ :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in.
+ :param pulumi.Input[bool] drop_non_existing_groups_during_sync: When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+ :param pulumi.Input[str] groups_ldap_filter: When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
+ :param pulumi.Input[str] groups_path: Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper.
+ :param pulumi.Input[bool] ignore_missing_groups: When `true`, missing groups in the hierarchy will be ignored.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] mapped_group_attributes: Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
+ :param pulumi.Input[str] memberof_ldap_attribute: Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
+ :param pulumi.Input[str] membership_attribute_type: Can be one of `DN` or `UID`. Defaults to `DN`.
+ :param pulumi.Input[str] mode: Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`.
+ :param pulumi.Input[str] name: Display name of this mapper when displayed in the console.
+ :param pulumi.Input[bool] preserve_group_inheritance: When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.
+ :param pulumi.Input[str] user_roles_retrieve_strategy: Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
 """
 pulumi.set(__self__, "group_name_ldap_attribute", group_name_ldap_attribute)
 pulumi.set(__self__, "group_object_classes", group_object_classes)
@@ -76,6 +91,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="groupNameLdapAttribute")
 def group_name_ldap_attribute(self) -> pulumi.Input[str]:
+ """
+ The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.
+ """
 return pulumi.get(self, "group_name_ldap_attribute")
 @group_name_ldap_attribute.setter
@@ -85,6 +103,9 @@ def group_name_ldap_attribute(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter(name="groupObjectClasses")
 def group_object_classes(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]:
+ """
+ List of strings representing the object classes for the group. Must contain at least one.
+ """
 return pulumi.get(self, "group_object_classes")
 @group_object_classes.setter
@@ -94,6 +115,9 @@ def group_object_classes(self, value: pulumi.Input[Sequence[pulumi.Input[str]]])
 @property
 @pulumi.getter(name="ldapGroupsDn")
 def ldap_groups_dn(self) -> pulumi.Input[str]:
+ """
+ The LDAP DN where groups can be found.
+ """
 return pulumi.get(self, "ldap_groups_dn")
 @ldap_groups_dn.setter
@@ -104,7 +128,7 @@ def ldap_groups_dn(self, value: pulumi.Input[str]):
 @pulumi.getter(name="ldapUserFederationId")
 def ldap_user_federation_id(self) -> pulumi.Input[str]:
 """
- The ldap user federation provider to attach this mapper to.
+ The ID of the LDAP user federation provider to attach this mapper to.
 """
 return pulumi.get(self, "ldap_user_federation_id")
@@ -115,6 +139,9 @@ def ldap_user_federation_id(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter(name="membershipLdapAttribute")
 def membership_ldap_attribute(self) -> pulumi.Input[str]:
+ """
+ The name of the LDAP attribute that is used for membership mappings.
+ """
 return pulumi.get(self, "membership_ldap_attribute")
 @membership_ldap_attribute.setter
@@ -124,6 +151,9 @@ def membership_ldap_attribute(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter(name="membershipUserLdapAttribute")
 def membership_user_ldap_attribute(self) -> pulumi.Input[str]:
+ """
+ The name of the LDAP attribute on a user that is used for membership mappings.
+ """
 return pulumi.get(self, "membership_user_ldap_attribute")
 @membership_user_ldap_attribute.setter
@@ -134,7 +164,7 @@ def membership_user_ldap_attribute(self, value: pulumi.Input[str]):
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Input[str]:
 """
- The realm in which the ldap user federation provider exists.
+ The realm that this LDAP mapper will exist in.
 """
 return pulumi.get(self, "realm_id")
@@ -145,6 +175,9 @@ def realm_id(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter(name="dropNonExistingGroupsDuringSync")
 def drop_non_existing_groups_during_sync(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+ """
 return pulumi.get(self, "drop_non_existing_groups_during_sync")
 @drop_non_existing_groups_during_sync.setter
@@ -154,6 +187,9 @@ def drop_non_existing_groups_during_sync(self, value: Optional[pulumi.Input[bool
 @property
 @pulumi.getter(name="groupsLdapFilter")
 def groups_ldap_filter(self) -> Optional[pulumi.Input[str]]:
+ """
+ When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
+ """
 return pulumi.get(self, "groups_ldap_filter")
 @groups_ldap_filter.setter
@@ -163,6 +199,9 @@ def groups_ldap_filter(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="groupsPath")
 def groups_path(self) -> Optional[pulumi.Input[str]]:
+ """
+ Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper.
+ """
 return pulumi.get(self, "groups_path")
 @groups_path.setter
@@ -172,6 +211,9 @@ def groups_path(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="ignoreMissingGroups")
 def ignore_missing_groups(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, missing groups in the hierarchy will be ignored.
+ """
 return pulumi.get(self, "ignore_missing_groups")
 @ignore_missing_groups.setter
@@ -181,6 +223,9 @@ def ignore_missing_groups(self, value: Optional[pulumi.Input[bool]]):
 @property
 @pulumi.getter(name="mappedGroupAttributes")
 def mapped_group_attributes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
+ """
 return pulumi.get(self, "mapped_group_attributes")
 @mapped_group_attributes.setter
@@ -190,6 +235,9 @@ def mapped_group_attributes(self, value: Optional[pulumi.Input[Sequence[pulumi.I
 @property
 @pulumi.getter(name="memberofLdapAttribute")
 def memberof_ldap_attribute(self) -> Optional[pulumi.Input[str]]:
+ """
+ Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
+ """
 return pulumi.get(self, "memberof_ldap_attribute")
 @memberof_ldap_attribute.setter
@@ -199,6 +247,9 @@ def memberof_ldap_attribute(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="membershipAttributeType")
 def membership_attribute_type(self) -> Optional[pulumi.Input[str]]:
+ """
+ Can be one of `DN` or `UID`. Defaults to `DN`.
+ """
 return pulumi.get(self, "membership_attribute_type")
 @membership_attribute_type.setter
@@ -208,6 +259,9 @@ def membership_attribute_type(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter
 def mode(self) -> Optional[pulumi.Input[str]]:
+ """
+ Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`.
+ """
 return pulumi.get(self, "mode")
 @mode.setter
@@ -218,7 +272,7 @@ def mode(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
 """
- Display name of the mapper when displayed in the console.
+ Display name of this mapper when displayed in the console.
 """
 return pulumi.get(self, "name")
@@ -229,6 +283,9 @@ def name(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="preserveGroupInheritance")
 def preserve_group_inheritance(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.
+ """
 return pulumi.get(self, "preserve_group_inheritance")
 @preserve_group_inheritance.setter
@@ -238,6 +295,9 @@ def preserve_group_inheritance(self, value: Optional[pulumi.Input[bool]]):
 @property
 @pulumi.getter(name="userRolesRetrieveStrategy")
 def user_roles_retrieve_strategy(self) -> Optional[pulumi.Input[str]]:
+ """
+ Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
+ """
 return pulumi.get(self, "user_roles_retrieve_strategy")
 @user_roles_retrieve_strategy.setter
@@ -268,9 +328,24 @@ def __init__(__self__, *,
 user_roles_retrieve_strategy: Optional[pulumi.Input[str]] = None):
 """
 Input properties used for looking up and filtering GroupMapper resources.
- :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to.
- :param pulumi.Input[str] name: Display name of the mapper when displayed in the console.
- :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists.
+ :param pulumi.Input[bool] drop_non_existing_groups_during_sync: When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+ :param pulumi.Input[str] group_name_ldap_attribute: The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] group_object_classes: List of strings representing the object classes for the group. Must contain at least one.
+ :param pulumi.Input[str] groups_ldap_filter: When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
+ :param pulumi.Input[str] groups_path: Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper.
+ :param pulumi.Input[bool] ignore_missing_groups: When `true`, missing groups in the hierarchy will be ignored.
+ :param pulumi.Input[str] ldap_groups_dn: The LDAP DN where groups can be found.
+ :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] mapped_group_attributes: Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
+ :param pulumi.Input[str] memberof_ldap_attribute: Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
+ :param pulumi.Input[str] membership_attribute_type: Can be one of `DN` or `UID`. Defaults to `DN`.
+ :param pulumi.Input[str] membership_ldap_attribute: The name of the LDAP attribute that is used for membership mappings.
+ :param pulumi.Input[str] membership_user_ldap_attribute: The name of the LDAP attribute on a user that is used for membership mappings.
+ :param pulumi.Input[str] mode: Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`.
+ :param pulumi.Input[str] name: Display name of this mapper when displayed in the console.
+ :param pulumi.Input[bool] preserve_group_inheritance: When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.
+ :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in.
+ :param pulumi.Input[str] user_roles_retrieve_strategy: Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
 """
 if drop_non_existing_groups_during_sync is not None:
 pulumi.set(__self__, "drop_non_existing_groups_during_sync", drop_non_existing_groups_during_sync)
@@ -312,6 +387,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="dropNonExistingGroupsDuringSync")
 def drop_non_existing_groups_during_sync(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+ """
 return pulumi.get(self, "drop_non_existing_groups_during_sync")
 @drop_non_existing_groups_during_sync.setter
@@ -321,6 +399,9 @@ def drop_non_existing_groups_during_sync(self, value: Optional[pulumi.Input[bool
 @property
 @pulumi.getter(name="groupNameLdapAttribute")
 def group_name_ldap_attribute(self) -> Optional[pulumi.Input[str]]:
+ """
+ The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.
+ """
 return pulumi.get(self, "group_name_ldap_attribute")
 @group_name_ldap_attribute.setter
@@ -330,6 +411,9 @@ def group_name_ldap_attribute(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="groupObjectClasses")
 def group_object_classes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ List of strings representing the object classes for the group. Must contain at least one.
+ """
 return pulumi.get(self, "group_object_classes")
 @group_object_classes.setter
@@ -339,6 +423,9 @@ def group_object_classes(self, value: Optional[pulumi.Input[Sequence[pulumi.Inpu
 @property
 @pulumi.getter(name="groupsLdapFilter")
 def groups_ldap_filter(self) -> Optional[pulumi.Input[str]]:
+ """
+ When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
+ """
 return pulumi.get(self, "groups_ldap_filter")
 @groups_ldap_filter.setter
@@ -348,6 +435,9 @@ def groups_ldap_filter(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="groupsPath")
 def groups_path(self) -> Optional[pulumi.Input[str]]:
+ """
+ Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper.
+ """
 return pulumi.get(self, "groups_path")
 @groups_path.setter
@@ -357,6 +447,9 @@ def groups_path(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="ignoreMissingGroups")
 def ignore_missing_groups(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, missing groups in the hierarchy will be ignored.
+ """
 return pulumi.get(self, "ignore_missing_groups")
 @ignore_missing_groups.setter
@@ -366,6 +459,9 @@ def ignore_missing_groups(self, value: Optional[pulumi.Input[bool]]):
 @property
 @pulumi.getter(name="ldapGroupsDn")
 def ldap_groups_dn(self) -> Optional[pulumi.Input[str]]:
+ """
+ The LDAP DN where groups can be found.
+ """
 return pulumi.get(self, "ldap_groups_dn")
 @ldap_groups_dn.setter
@@ -376,7 +472,7 @@ def ldap_groups_dn(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="ldapUserFederationId")
 def ldap_user_federation_id(self) -> Optional[pulumi.Input[str]]:
 """
- The ldap user federation provider to attach this mapper to.
+ The ID of the LDAP user federation provider to attach this mapper to.
 """
 return pulumi.get(self, "ldap_user_federation_id")
@@ -387,6 +483,9 @@ def ldap_user_federation_id(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="mappedGroupAttributes")
 def mapped_group_attributes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
+ """
 return pulumi.get(self, "mapped_group_attributes")
 @mapped_group_attributes.setter
@@ -396,6 +495,9 @@ def mapped_group_attributes(self, value: Optional[pulumi.Input[Sequence[pulumi.I
 @property
 @pulumi.getter(name="memberofLdapAttribute")
 def memberof_ldap_attribute(self) -> Optional[pulumi.Input[str]]:
+ """
+ Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
+ """
 return pulumi.get(self, "memberof_ldap_attribute")
 @memberof_ldap_attribute.setter
@@ -405,6 +507,9 @@ def memberof_ldap_attribute(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="membershipAttributeType")
 def membership_attribute_type(self) -> Optional[pulumi.Input[str]]:
+ """
+ Can be one of `DN` or `UID`. Defaults to `DN`.
+ """
 return pulumi.get(self, "membership_attribute_type")
 @membership_attribute_type.setter
@@ -414,6 +519,9 @@ def membership_attribute_type(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="membershipLdapAttribute")
 def membership_ldap_attribute(self) -> Optional[pulumi.Input[str]]:
+ """
+ The name of the LDAP attribute that is used for membership mappings.
+ """
 return pulumi.get(self, "membership_ldap_attribute")
 @membership_ldap_attribute.setter
@@ -423,6 +531,9 @@ def membership_ldap_attribute(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="membershipUserLdapAttribute")
 def membership_user_ldap_attribute(self) -> Optional[pulumi.Input[str]]:
+ """
+ The name of the LDAP attribute on a user that is used for membership mappings.
+ """
 return pulumi.get(self, "membership_user_ldap_attribute")
 @membership_user_ldap_attribute.setter
@@ -432,6 +543,9 @@ def membership_user_ldap_attribute(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter
 def mode(self) -> Optional[pulumi.Input[str]]:
+ """
+ Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`.
+ """
 return pulumi.get(self, "mode")
 @mode.setter
@@ -442,7 +556,7 @@ def mode(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
 """
- Display name of the mapper when displayed in the console.
+ Display name of this mapper when displayed in the console.
 """
 return pulumi.get(self, "name")
@@ -453,6 +567,9 @@ def name(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="preserveGroupInheritance")
 def preserve_group_inheritance(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.
+ """
 return pulumi.get(self, "preserve_group_inheritance")
 @preserve_group_inheritance.setter
@@ -463,7 +580,7 @@ def preserve_group_inheritance(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="realmId")
 def realm_id(self) -> Optional[pulumi.Input[str]]:
 """
- The realm in which the ldap user federation provider exists.
+ The realm that this LDAP mapper will exist in.
 """
 return pulumi.get(self, "realm_id")
@@ -474,6 +591,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="userRolesRetrieveStrategy")
 def user_roles_retrieve_strategy(self) -> Optional[pulumi.Input[str]]:
+ """
+ Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
+ """
 return pulumi.get(self, "user_roles_retrieve_strategy")
 @user_roles_retrieve_strategy.setter
@@ -506,23 +626,19 @@ def __init__(__self__,
 user_roles_retrieve_strategy: Optional[pulumi.Input[str]] = None,
 __props__=None):
 """
- ## # ldap.GroupMapper
-
- Allows for creating and managing group mappers for Keycloak users federated
- via LDAP.
+ Allows for creating and managing group mappers for Keycloak users federated via LDAP.
- The LDAP group mapper can be used to map an LDAP user's groups from some DN
- to Keycloak groups. This group mapper will also create the groups within Keycloak
- if they do not already exist.
+ The LDAP group mapper can be used to map an LDAP user's groups from some DN to Keycloak groups. This group mapper will also
+ create the groups within Keycloak if they do not already exist.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
 import pulumi_keycloak as keycloak
 realm = keycloak.Realm("realm",
- realm="test",
+ realm="my-realm",
 enabled=True)
 ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
 name="openldap",
@@ -551,39 +667,40 @@ def __init__(__self__, memberof_ldap_attribute="memberOf") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - - `name` - (Required) Display name of this mapper when displayed in the console. - - `ldap_groups_dn` - (Required) The LDAP DN where groups can be found. - - `group_name_ldap_attribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. - - `group_object_classes` - (Required) Array of strings representing the object classes for the group. Must contain at least one. - - `preserve_group_inheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. - - `ignore_missing_groups` - (Optional) When `true`, missing groups in the hierarchy will be ignored. - - `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings. - - `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`. - - `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings. - - `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. - - `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. Defaults to `READ_ONLY`. - - `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. 
- - `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. - - `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. - - `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. - - ### Import + ## Import LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - The ID of the LDAP user federation provider and the mapper can be found within - the Keycloak GUI, and they are typically GUIDs: + + The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. + + Example: + + bash + + ```sh + $ pulumi import keycloak:ldap/groupMapper:GroupMapper ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. + :param pulumi.Input[bool] drop_non_existing_groups_during_sync: When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + :param pulumi.Input[str] group_name_ldap_attribute: The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] group_object_classes: List of strings representing the object classes for the group. 
Must contain at least one. + :param pulumi.Input[str] groups_ldap_filter: When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + :param pulumi.Input[str] groups_path: Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + :param pulumi.Input[bool] ignore_missing_groups: When `true`, missing groups in the hierarchy will be ignored. + :param pulumi.Input[str] ldap_groups_dn: The LDAP DN where groups can be found. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[Sequence[pulumi.Input[str]]] mapped_group_attributes: Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + :param pulumi.Input[str] memberof_ldap_attribute: Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + :param pulumi.Input[str] membership_attribute_type: Can be one of `DN` or `UID`. Defaults to `DN`. + :param pulumi.Input[str] membership_ldap_attribute: The name of the LDAP attribute that is used for membership mappings. + :param pulumi.Input[str] membership_user_ldap_attribute: The name of the LDAP attribute on a user that is used for membership mappings. + :param pulumi.Input[str] mode: Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[bool] preserve_group_inheritance: When `true`, group inheritance will be propagated from LDAP to Keycloak. 
When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] user_roles_retrieve_strategy: Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. """ ... @overload @@ -592,23 +709,19 @@ def __init__(__self__, args: GroupMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # ldap.GroupMapper + Allows for creating and managing group mappers for Keycloak users federated via LDAP. - Allows for creating and managing group mappers for Keycloak users federated - via LDAP. + The LDAP group mapper can be used to map an LDAP user's groups from some DN to Keycloak groups. This group mapper will also + create the groups within Keycloak if they do not already exist. - The LDAP group mapper can be used to map an LDAP user's groups from some DN - to Keycloak groups. This group mapper will also create the groups within Keycloak - if they do not already exist. - - ### Example Usage + ## Example Usage ```python import pulumi import pulumi_keycloak as keycloak realm = keycloak.Realm("realm", - realm="test", + realm="my-realm", enabled=True) ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation", name="openldap", 
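Review bot: The new "## Import" section of the `__init__` docstring carries a stray literal line `bash` between `Example:` and the ```sh fence, so the rendered docstring shows the word "bash" as a paragraph of its own; the line should be dropped so the section reads `Example:` followed directly by the fenced block. The same artifact appears in the other rewritten Import sections in this diff (the overload hunk at -637 and both `HardcodedRoleMapper.__init__` hunks at -195 and -258). This looks like generator output, so the fix presumably belongs in the upstream docs template rather than in this file by hand.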
@@ -637,33 +750,19 @@ def __init__(__self__, memberof_ldap_attribute="memberOf") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - - `name` - (Required) Display name of this mapper when displayed in the console. - - `ldap_groups_dn` - (Required) The LDAP DN where groups can be found. - - `group_name_ldap_attribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. - - `group_object_classes` - (Required) Array of strings representing the object classes for the group. Must contain at least one. - - `preserve_group_inheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. - - `ignore_missing_groups` - (Optional) When `true`, missing groups in the hierarchy will be ignored. - - `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings. - - `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`. - - `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings. - - `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. - - `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. Defaults to `READ_ONLY`. - - `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. 
- - `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. - - `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. - - `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. - - ### Import + ## Import LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - The ID of the LDAP user federation provider and the mapper can be found within - the Keycloak GUI, and they are typically GUIDs: + + The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. + + Example: + + bash + + ```sh + $ pulumi import keycloak:ldap/groupMapper:GroupMapper ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` :param str resource_name: The name of the resource. :param GroupMapperArgs args: The arguments to use to populate this resource's properties. 
@@ -774,9 +873,24 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. + :param pulumi.Input[bool] drop_non_existing_groups_during_sync: When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + :param pulumi.Input[str] group_name_ldap_attribute: The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] group_object_classes: List of strings representing the object classes for the group. Must contain at least one. + :param pulumi.Input[str] groups_ldap_filter: When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + :param pulumi.Input[str] groups_path: Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + :param pulumi.Input[bool] ignore_missing_groups: When `true`, missing groups in the hierarchy will be ignored. + :param pulumi.Input[str] ldap_groups_dn: The LDAP DN where groups can be found. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. 
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] mapped_group_attributes: Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + :param pulumi.Input[str] memberof_ldap_attribute: Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + :param pulumi.Input[str] membership_attribute_type: Can be one of `DN` or `UID`. Defaults to `DN`. + :param pulumi.Input[str] membership_ldap_attribute: The name of the LDAP attribute that is used for membership mappings. + :param pulumi.Input[str] membership_user_ldap_attribute: The name of the LDAP attribute on a user that is used for membership mappings. + :param pulumi.Input[str] mode: Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[bool] preserve_group_inheritance: When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] user_roles_retrieve_strategy: Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
@@ -805,99 +919,144 @@ def get(resource_name: str, @property @pulumi.getter(name="dropNonExistingGroupsDuringSync") def drop_non_existing_groups_during_sync(self) -> pulumi.Output[Optional[bool]]: + """ + When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. + """ return pulumi.get(self, "drop_non_existing_groups_during_sync") @property @pulumi.getter(name="groupNameLdapAttribute") def group_name_ldap_attribute(self) -> pulumi.Output[str]: + """ + The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. + """ return pulumi.get(self, "group_name_ldap_attribute") @property @pulumi.getter(name="groupObjectClasses") def group_object_classes(self) -> pulumi.Output[Sequence[str]]: + """ + List of strings representing the object classes for the group. Must contain at least one. + """ return pulumi.get(self, "group_object_classes") @property @pulumi.getter(name="groupsLdapFilter") def groups_ldap_filter(self) -> pulumi.Output[Optional[str]]: + """ + When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. + """ return pulumi.get(self, "groups_ldap_filter") @property @pulumi.getter(name="groupsPath") def groups_path(self) -> pulumi.Output[str]: + """ + Keycloak group path the LDAP groups are added to. For example if value `/Applications/App1` is used, then LDAP groups will be available in Keycloak under group `App1`, which is the child of top level group `Applications`. The configured group path must already exist in Keycloak when creating this mapper. + """ return pulumi.get(self, "groups_path") @property @pulumi.getter(name="ignoreMissingGroups") def ignore_missing_groups(self) -> pulumi.Output[Optional[bool]]: + """ + When `true`, missing groups in the hierarchy will be ignored. 
+ """ return pulumi.get(self, "ignore_missing_groups") @property @pulumi.getter(name="ldapGroupsDn") def ldap_groups_dn(self) -> pulumi.Output[str]: + """ + The LDAP DN where groups can be found. + """ return pulumi.get(self, "ldap_groups_dn") @property @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Output[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @property @pulumi.getter(name="mappedGroupAttributes") def mapped_group_attributes(self) -> pulumi.Output[Optional[Sequence[str]]]: + """ + Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. + """ return pulumi.get(self, "mapped_group_attributes") @property @pulumi.getter(name="memberofLdapAttribute") def memberof_ldap_attribute(self) -> pulumi.Output[Optional[str]]: + """ + Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. + """ return pulumi.get(self, "memberof_ldap_attribute") @property @pulumi.getter(name="membershipAttributeType") def membership_attribute_type(self) -> pulumi.Output[Optional[str]]: + """ + Can be one of `DN` or `UID`. Defaults to `DN`. + """ return pulumi.get(self, "membership_attribute_type") @property @pulumi.getter(name="membershipLdapAttribute") def membership_ldap_attribute(self) -> pulumi.Output[str]: + """ + The name of the LDAP attribute that is used for membership mappings. + """ return pulumi.get(self, "membership_ldap_attribute") @property @pulumi.getter(name="membershipUserLdapAttribute") def membership_user_ldap_attribute(self) -> pulumi.Output[str]: + """ + The name of the LDAP attribute on a user that is used for membership mappings. 
+ """ return pulumi.get(self, "membership_user_ldap_attribute") @property @pulumi.getter def mode(self) -> pulumi.Output[Optional[str]]: + """ + Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. + """ return pulumi.get(self, "mode") @property @pulumi.getter def name(self) -> pulumi.Output[str]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @property @pulumi.getter(name="preserveGroupInheritance") def preserve_group_inheritance(self) -> pulumi.Output[Optional[bool]]: + """ + When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. + """ return pulumi.get(self, "preserve_group_inheritance") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @property @pulumi.getter(name="userRolesRetrieveStrategy") def user_roles_retrieve_strategy(self) -> pulumi.Output[Optional[str]]: + """ + Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. + """ return pulumi.get(self, "user_roles_retrieve_strategy") diff --git a/sdk/python/pulumi_keycloak/ldap/hardcoded_role_mapper.py b/sdk/python/pulumi_keycloak/ldap/hardcoded_role_mapper.py index 1876b77c..39db61fe 100644 --- a/sdk/python/pulumi_keycloak/ldap/hardcoded_role_mapper.py +++ b/sdk/python/pulumi_keycloak/ldap/hardcoded_role_mapper.py 
@@ -25,10 +25,10 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a HardcodedRoleMapper resource. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] role: Role to grant to user. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] role: The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. """ pulumi.set(__self__, "ldap_user_federation_id", ldap_user_federation_id) pulumi.set(__self__, "realm_id", realm_id) @@ -40,7 +40,7 @@ def __init__(__self__, *, @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Input[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -52,7 +52,7 @@ def ldap_user_federation_id(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") 
@@ -64,7 +64,7 @@ def realm_id(self, value: pulumi.Input[str]): @pulumi.getter def role(self) -> pulumi.Input[str]: """ - Role to grant to user. + The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. """ return pulumi.get(self, "role") @@ -76,7 +76,7 @@ def role(self, value: pulumi.Input[str]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -94,10 +94,10 @@ def __init__(__self__, *, role: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering HardcodedRoleMapper resources. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] role: Role to grant to user. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] role: The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. """ if ldap_user_federation_id is not None: pulumi.set(__self__, "ldap_user_federation_id", ldap_user_federation_id) 
@@ -112,7 +112,7 @@ def __init__(__self__, *, @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> Optional[pulumi.Input[str]]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -124,7 +124,7 @@ def ldap_user_federation_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -136,7 +136,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @@ -148,7 +148,7 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def role(self) -> Optional[pulumi.Input[str]]: """ - Role to grant to user. + The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. """ return pulumi.get(self, "role") 
@@ -168,18 +168,20 @@ def __init__(__self__, role: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # ldap.HardcodedRoleMapper + Allows for creating and managing hardcoded role mappers for Keycloak users federated via LDAP. - This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. + The LDAP hardcoded role mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. - ### Example Usage + ## Example Usage + + ### Realm Role) ```python import pulumi import pulumi_keycloak as keycloak realm = keycloak.Realm("realm", - realm="test", + realm="my-realm", enabled=True) ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation", name="openldap", 
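Review bot: The new example headings in the `HardcodedRoleMapper.__init__` docstring have an unbalanced closing parenthesis: `### Realm Role)` here and `### Client Role)` in the following hunk, repeated in the overload docstring at hunks -231 and -258. They should read `### Realm Role` and `### Client Role`. Since this file appears to be generated, the heading text probably comes from the upstream resource docs and should be corrected there as well.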
@@ -195,34 +197,81 @@ def __init__(__self__, users_dn="dc=example,dc=org", bind_dn="cn=admin,dc=example,dc=org", bind_credential="admin") + realm_admin_role = keycloak.Role("realm_admin_role", + realm_id=realm.id, + name="my-admin-role", + description="My Realm Role") assign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", realm_id=realm.id, ldap_user_federation_id=ldap_user_federation.id, name="assign-admin-role-to-all-users", - role="admin") + role=realm_admin_role.name) ``` - ### Argument Reference + ### Client Role) + + ```python + import pulumi + import pulumi_keycloak as keycloak - The following arguments are supported: + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation", + name="openldap", + realm_id=realm.id, + username_ldap_attribute="cn", + rdn_ldap_attribute="cn", + uuid_ldap_attribute="entryDN", + user_object_classes=[ + "simpleSecurityObject", + "organizationalRole", + ], + connection_url="ldap://openldap", + users_dn="dc=example,dc=org", + bind_dn="cn=admin,dc=example,dc=org", + bind_credential="admin") + # data sources aren't technically necessary here, but they are helpful for demonstration purposes + realm_management = keycloak.openid.get_client_output(realm_id=realm.id, + client_id="realm-management") + create_client = pulumi.Output.all( + id=realm.id, + realm_management=realm_management + ).apply(lambda resolved_outputs: keycloak.get_role_output(realm_id=resolved_outputs['id'], + client_id=realm_management.id, + name="create-client")) - - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - - `name` - (Required) Display name of this mapper when displayed in the console. - - `role` - (Required) The role which should be assigned to the users. 
+ assign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", + realm_id=realm.id, + ldap_user_federation_id=ldap_user_federation.id, + name="assign-admin-role-to-all-users", + role=pulumi.Output.all( + realm_management=realm_management, + create_client=create_client + ).apply(lambda resolved_outputs: f"{realm_management.client_id}.{create_client.name}") + ) + ``` - ### Import + ## Import LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - The ID of the LDAP user federation provider and the mapper can be found within - the Keycloak GUI, and they are typically GUIDs: + + The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. + + Example: + + bash + + ```sh + $ pulumi import keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper assign_admin_role_to_all_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] role: Role to grant to user. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] role: The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. """ ... @overload 
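Review bot: The new "Client Role" example builds the `role` value with `.apply(lambda resolved_outputs: f"{realm_management.client_id}.{create_client.name}")`, which ignores `resolved_outputs` and interpolates the outer `Output` objects directly, so if copied as written the role string would not be the intended `{{client_id}}.{{client_role_name}}` form; it should use the resolved values, e.g. `f"{resolved_outputs['realm_management'].client_id}.{resolved_outputs['create_client'].name}"`, and the earlier `client_id=realm_management.id` inside the first `apply` should likewise read `client_id=resolved_outputs['realm_management'].id`. The identical example in the overload docstring (hunk -258) has the same problem. Separately, the example passes `bind_credential="admin"` as a plain literal; since examples get copied, a short comment such as `# bind_credential should come from a secret config value, e.g. pulumi.Config().require_secret("bindCredential")` would steer users away from committing the LDAP bind password in plaintext.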
@@ -231,18 +280,20 @@ def __init__(__self__, args: HardcodedRoleMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # ldap.HardcodedRoleMapper + Allows for creating and managing hardcoded role mappers for Keycloak users federated via LDAP. - This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. + The LDAP hardcoded role mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. - ### Example Usage + ## Example Usage + + ### Realm Role) ```python import pulumi import pulumi_keycloak as keycloak realm = keycloak.Realm("realm", - realm="test", + realm="my-realm", enabled=True) ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation", name="openldap", 
@@ -258,27 +309,74 @@ def __init__(__self__, users_dn="dc=example,dc=org", bind_dn="cn=admin,dc=example,dc=org", bind_credential="admin") + realm_admin_role = keycloak.Role("realm_admin_role", + realm_id=realm.id, + name="my-admin-role", + description="My Realm Role") assign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", realm_id=realm.id, ldap_user_federation_id=ldap_user_federation.id, name="assign-admin-role-to-all-users", - role="admin") + role=realm_admin_role.name) ``` - ### Argument Reference + ### Client Role) + + ```python + import pulumi + import pulumi_keycloak as keycloak - The following arguments are supported: + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation", + name="openldap", + realm_id=realm.id, + username_ldap_attribute="cn", + rdn_ldap_attribute="cn", + uuid_ldap_attribute="entryDN", + user_object_classes=[ + "simpleSecurityObject", + "organizationalRole", + ], + connection_url="ldap://openldap", + users_dn="dc=example,dc=org", + bind_dn="cn=admin,dc=example,dc=org", + bind_credential="admin") + # data sources aren't technically necessary here, but they are helpful for demonstration purposes + realm_management = keycloak.openid.get_client_output(realm_id=realm.id, + client_id="realm-management") + create_client = pulumi.Output.all( + id=realm.id, + realm_management=realm_management + ).apply(lambda resolved_outputs: keycloak.get_role_output(realm_id=resolved_outputs['id'], + client_id=realm_management.id, + name="create-client")) - - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - - `name` - (Required) Display name of this mapper when displayed in the console. - - `role` - (Required) The role which should be assigned to the users. 
+ assign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", + realm_id=realm.id, + ldap_user_federation_id=ldap_user_federation.id, + name="assign-admin-role-to-all-users", + role=pulumi.Output.all( + realm_management=realm_management, + create_client=create_client + ).apply(lambda resolved_outputs: f"{realm_management.client_id}.{create_client.name}") + ) + ``` - ### Import + ## Import LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - The ID of the LDAP user federation provider and the mapper can be found within - the Keycloak GUI, and they are typically GUIDs: + + The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. + + Example: + + bash + + ```sh + $ pulumi import keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper assign_admin_role_to_all_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` :param str resource_name: The name of the resource. :param HardcodedRoleMapperArgs args: The arguments to use to populate this resource's properties. 
@@ -339,10 +437,10 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] role: Role to grant to user. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] role: The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -358,7 +456,7 @@ def get(resource_name: str, @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Output[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -366,7 +464,7 @@ def ldap_user_federation_id(self) -> pulumi.Output[str]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") 
@@ -374,7 +472,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @@ -382,7 +480,7 @@ def realm_id(self) -> pulumi.Output[str]: @pulumi.getter def role(self) -> pulumi.Output[str]: """ - Role to grant to user. + The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`. """ return pulumi.get(self, "role") diff --git a/sdk/python/pulumi_keycloak/ldap/msad_user_account_control_mapper.py b/sdk/python/pulumi_keycloak/ldap/msad_user_account_control_mapper.py index ba4518a7..4b9b23c4 100644 --- a/sdk/python/pulumi_keycloak/ldap/msad_user_account_control_mapper.py +++ b/sdk/python/pulumi_keycloak/ldap/msad_user_account_control_mapper.py 
@@ -25,9 +25,10 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a MsadUserAccountControlMapper resource. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[bool] ldap_password_policy_hints_enabled: When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. """ pulumi.set(__self__, "ldap_user_federation_id", ldap_user_federation_id) pulumi.set(__self__, "realm_id", realm_id) @@ -40,7 +41,7 @@ def __init__(__self__, *, @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Input[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -52,7 +53,7 @@ def ldap_user_federation_id(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") 
@@ -63,6 +64,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="ldapPasswordPolicyHintsEnabled") def ldap_password_policy_hints_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + """ return pulumi.get(self, "ldap_password_policy_hints_enabled") @ldap_password_policy_hints_enabled.setter @@ -73,7 +77,7 @@ def ldap_password_policy_hints_enabled(self, value: Optional[pulumi.Input[bool]] @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -91,9 +95,10 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering MsadUserAccountControlMapper resources. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. + :param pulumi.Input[bool] ldap_password_policy_hints_enabled: When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. """ if ldap_password_policy_hints_enabled is not None: pulumi.set(__self__, "ldap_password_policy_hints_enabled", ldap_password_policy_hints_enabled) 
@@ -107,6 +112,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="ldapPasswordPolicyHintsEnabled") def ldap_password_policy_hints_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + """ return pulumi.get(self, "ldap_password_policy_hints_enabled") @ldap_password_policy_hints_enabled.setter @@ -117,7 +125,7 @@ def ldap_password_policy_hints_enabled(self, value: Optional[pulumi.Input[bool]] @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> Optional[pulumi.Input[str]]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -129,7 +137,7 @@ def ldap_user_federation_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -141,7 +149,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @@ -161,8 +169,6 @@ def __init__(__self__, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # ldap.MsadUserAccountControlMapper - Allows for creating and managing MSAD user account control mappers for Keycloak users federated via LDAP. 
@@ -171,14 +177,14 @@ def __init__(__self__, AD user state to Keycloak in order to enforce settings like expired passwords or disabled accounts. - ### Example Usage + ## Example Usage ```python import pulumi import pulumi_keycloak as keycloak realm = keycloak.Realm("realm", - realm="test", + realm="my-realm", enabled=True) ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation", name="ad", 
@@ -201,26 +207,26 @@ def __init__(__self__, name="msad-user-account-control-mapper") ``` - ### Argument Reference + ## Import + + LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - The following arguments are supported: + The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. - - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - - `name` - (Required) Display name of this mapper when displayed in the console. - - `ldap_password_policy_hints_enabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + Example: - ### Import + bash - LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - The ID of the LDAP user federation provider and the mapper can be found within - the Keycloak GUI, and they are typically GUIDs: + ```sh + $ pulumi import keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. 
+ :param pulumi.Input[bool] ldap_password_policy_hints_enabled: When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. """ ... @overload @@ -229,8 +235,6 @@ def __init__(__self__, args: MsadUserAccountControlMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # ldap.MsadUserAccountControlMapper - Allows for creating and managing MSAD user account control mappers for Keycloak users federated via LDAP. @@ -239,14 +243,14 @@ def __init__(__self__, AD user state to Keycloak in order to enforce settings like expired passwords or disabled accounts. - ### Example Usage + ## Example Usage ```python import pulumi import pulumi_keycloak as keycloak realm = keycloak.Realm("realm", - realm="test", + realm="my-realm", enabled=True) ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation", name="ad", 
@@ -269,20 +273,19 @@ def __init__(__self__, name="msad-user-account-control-mapper") ``` - ### Argument Reference + ## Import - The following arguments are supported: + LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - - `name` - (Required) Display name of this mapper when displayed in the console. - - `ldap_password_policy_hints_enabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. - ### Import + Example: - LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - The ID of the LDAP user federation provider and the mapper can be found within - the Keycloak GUI, and they are typically GUIDs: + bash + + ```sh + $ pulumi import keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` :param str resource_name: The name of the resource. :param MsadUserAccountControlMapperArgs args: The arguments to use to populate this resource's properties. 
@@ -341,9 +344,10 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. + :param pulumi.Input[bool] ldap_password_policy_hints_enabled: When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -358,13 +362,16 @@ def get(resource_name: str, @property @pulumi.getter(name="ldapPasswordPolicyHintsEnabled") def ldap_password_policy_hints_enabled(self) -> pulumi.Output[Optional[bool]]: + """ + When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. + """ return pulumi.get(self, "ldap_password_policy_hints_enabled") @property @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Output[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") 
@@ -372,7 +379,7 @@ def ldap_user_federation_id(self) -> pulumi.Output[str]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -380,7 +387,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/ldap/outputs.py b/sdk/python/pulumi_keycloak/ldap/outputs.py index 0dc16adb..0a311187 100644 --- a/sdk/python/pulumi_keycloak/ldap/outputs.py +++ b/sdk/python/pulumi_keycloak/ldap/outputs.py @@ -51,10 +51,11 @@ def __init__(__self__, *, max_lifespan: Optional[str] = None, policy: Optional[str] = None): """ - :param int eviction_day: Day of the week the entry will become invalid on. + :param int eviction_day: Day of the week the entry will become invalid on :param int eviction_hour: Hour of day the entry will become invalid on. :param int eviction_minute: Minute of day the entry will become invalid on. :param str max_lifespan: Max lifespan of cache entry (duration string). + :param str policy: Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. """ if eviction_day is not None: pulumi.set(__self__, "eviction_day", eviction_day) @@ -71,7 +72,7 @@ def __init__(__self__, *, @pulumi.getter(name="evictionDay") def eviction_day(self) -> Optional[int]: """ - Day of the week the entry will become invalid on. + Day of the week the entry will become invalid on """ return pulumi.get(self, "eviction_day") 
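Review bot: In the `@@ -51,10 +51,11 @@` hunk of `outputs.py` the `eviction_day` description loses its trailing period (`Day of the week the entry will become invalid on`) while the neighbouring `eviction_hour`, `eviction_minute` and `max_lifespan` lines keep theirs, and the `@@ -71,7 +72,7 @@` getter docstring makes the same change. Keeping `Day of the week the entry will become invalid on.` would stay consistent with its siblings. Since these files are generated, the wording should be corrected in the upstream schema documentation rather than edited in this file.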
@@ -102,6 +103,9 @@ def max_lifespan(self) -> Optional[str]: @property @pulumi.getter def policy(self) -> Optional[str]: + """ + Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. + """ return pulumi.get(self, "policy") @@ -136,7 +140,7 @@ def __init__(__self__, *, server_principal: str, use_kerberos_for_password_authentication: Optional[bool] = None): """ - :param str kerberos_realm: The name of the kerberos realm, e.g. FOO.LOCAL + :param str kerberos_realm: The name of the kerberos realm, e.g. FOO.LOCAL. :param str key_tab: Path to the kerberos keytab file on the server with credentials of the service principal. :param str server_principal: The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'. :param bool use_kerberos_for_password_authentication: Use kerberos login module instead of ldap service api. Defaults to `false`. @@ -151,7 +155,7 @@ def __init__(__self__, *, @pulumi.getter(name="kerberosRealm") def kerberos_realm(self) -> str: """ - The name of the kerberos realm, e.g. FOO.LOCAL + The name of the kerberos realm, e.g. FOO.LOCAL. """ return pulumi.get(self, "kerberos_realm") diff --git a/sdk/python/pulumi_keycloak/ldap/user_attribute_mapper.py b/sdk/python/pulumi_keycloak/ldap/user_attribute_mapper.py index 20edbb12..4712a007 100644 --- a/sdk/python/pulumi_keycloak/ldap/user_attribute_mapper.py +++ b/sdk/python/pulumi_keycloak/ldap/user_attribute_mapper.py 
@@ -31,16 +31,16 @@ def __init__(__self__, *, read_only: Optional[pulumi.Input[bool]] = None): """ The set of arguments for constructing a UserAttributeMapper resource. - :param pulumi.Input[str] ldap_attribute: Name of the mapped attribute on LDAP object. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] user_model_attribute: Name of the UserModel property or attribute you want to map the LDAP attribute into. - :param pulumi.Input[bool] always_read_value_from_ldap: When true, the value fetched from LDAP will override the value stored in Keycloak. - :param pulumi.Input[str] attribute_default_value: Default value to set in LDAP if is_mandatory_in_ldap and the value is empty - :param pulumi.Input[bool] is_binary_attribute: Should be true for binary LDAP attributes - :param pulumi.Input[bool] is_mandatory_in_ldap: When true, this attribute must exist in LDAP. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[bool] read_only: When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + :param pulumi.Input[str] ldap_attribute: Name of the mapped attribute on the LDAP object. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] user_model_attribute: Name of the user property or attribute you want to map the LDAP attribute into. + :param pulumi.Input[bool] always_read_value_from_ldap: When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. 
+ :param pulumi.Input[str] attribute_default_value: Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. + :param pulumi.Input[bool] is_binary_attribute: Should be true for binary LDAP attributes. + :param pulumi.Input[bool] is_mandatory_in_ldap: When `true`, this attribute must exist in LDAP. Defaults to `false`. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[bool] read_only: When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. """ pulumi.set(__self__, "ldap_attribute", ldap_attribute) pulumi.set(__self__, "ldap_user_federation_id", ldap_user_federation_id) @@ -63,7 +63,7 @@ def __init__(__self__, *, @pulumi.getter(name="ldapAttribute") def ldap_attribute(self) -> pulumi.Input[str]: """ - Name of the mapped attribute on LDAP object. + Name of the mapped attribute on the LDAP object. """ return pulumi.get(self, "ldap_attribute") @@ -75,7 +75,7 @@ def ldap_attribute(self, value: pulumi.Input[str]): @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Input[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -87,7 +87,7 @@ def ldap_user_federation_id(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") 
@@ -99,7 +99,7 @@ def realm_id(self, value: pulumi.Input[str]): @pulumi.getter(name="userModelAttribute") def user_model_attribute(self) -> pulumi.Input[str]: """ - Name of the UserModel property or attribute you want to map the LDAP attribute into. + Name of the user property or attribute you want to map the LDAP attribute into. """ return pulumi.get(self, "user_model_attribute") @@ -111,7 +111,7 @@ def user_model_attribute(self, value: pulumi.Input[str]): @pulumi.getter(name="alwaysReadValueFromLdap") def always_read_value_from_ldap(self) -> Optional[pulumi.Input[bool]]: """ - When true, the value fetched from LDAP will override the value stored in Keycloak. + When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. """ return pulumi.get(self, "always_read_value_from_ldap") @@ -123,7 +123,7 @@ def always_read_value_from_ldap(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="attributeDefaultValue") def attribute_default_value(self) -> Optional[pulumi.Input[str]]: """ - Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. """ return pulumi.get(self, "attribute_default_value") @@ -135,7 +135,7 @@ def attribute_default_value(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="isBinaryAttribute") def is_binary_attribute(self) -> Optional[pulumi.Input[bool]]: """ - Should be true for binary LDAP attributes + Should be true for binary LDAP attributes. """ return pulumi.get(self, "is_binary_attribute") @@ -147,7 +147,7 @@ def is_binary_attribute(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="isMandatoryInLdap") def is_mandatory_in_ldap(self) -> Optional[pulumi.Input[bool]]: """ - When true, this attribute must exist in LDAP. + When `true`, this attribute must exist in LDAP. Defaults to `false`. """ return pulumi.get(self, "is_mandatory_in_ldap") 
@@ -159,7 +159,7 @@ def is_mandatory_in_ldap(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -171,7 +171,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="readOnly") def read_only(self) -> Optional[pulumi.Input[bool]]: """ - When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. """ return pulumi.get(self, "read_only") 
@@ -195,16 +195,16 @@ def __init__(__self__, *, user_model_attribute: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering UserAttributeMapper resources. - :param pulumi.Input[bool] always_read_value_from_ldap: When true, the value fetched from LDAP will override the value stored in Keycloak. - :param pulumi.Input[str] attribute_default_value: Default value to set in LDAP if is_mandatory_in_ldap and the value is empty - :param pulumi.Input[bool] is_binary_attribute: Should be true for binary LDAP attributes - :param pulumi.Input[bool] is_mandatory_in_ldap: When true, this attribute must exist in LDAP. - :param pulumi.Input[str] ldap_attribute: Name of the mapped attribute on LDAP object. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[bool] read_only: When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] user_model_attribute: Name of the UserModel property or attribute you want to map the LDAP attribute into. + :param pulumi.Input[bool] always_read_value_from_ldap: When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. + :param pulumi.Input[str] attribute_default_value: Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. + :param pulumi.Input[bool] is_binary_attribute: Should be true for binary LDAP attributes. + :param pulumi.Input[bool] is_mandatory_in_ldap: When `true`, this attribute must exist in LDAP. Defaults to `false`. + :param pulumi.Input[str] ldap_attribute: Name of the mapped attribute on the LDAP object. 
+ :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[bool] read_only: When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] user_model_attribute: Name of the user property or attribute you want to map the LDAP attribute into. """ if always_read_value_from_ldap is not None: pulumi.set(__self__, "always_read_value_from_ldap", always_read_value_from_ldap) @@ -231,7 +231,7 @@ def __init__(__self__, *, @pulumi.getter(name="alwaysReadValueFromLdap") def always_read_value_from_ldap(self) -> Optional[pulumi.Input[bool]]: """ - When true, the value fetched from LDAP will override the value stored in Keycloak. + When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. """ return pulumi.get(self, "always_read_value_from_ldap") @@ -243,7 +243,7 @@ def always_read_value_from_ldap(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="attributeDefaultValue") def attribute_default_value(self) -> Optional[pulumi.Input[str]]: """ - Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. """ return pulumi.get(self, "attribute_default_value") @@ -255,7 +255,7 @@ def attribute_default_value(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="isBinaryAttribute") def is_binary_attribute(self) -> Optional[pulumi.Input[bool]]: """ - Should be true for binary LDAP attributes + Should be true for binary LDAP attributes. """ return pulumi.get(self, "is_binary_attribute") 
@@ -267,7 +267,7 @@ def is_binary_attribute(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="isMandatoryInLdap") def is_mandatory_in_ldap(self) -> Optional[pulumi.Input[bool]]: """ - When true, this attribute must exist in LDAP. + When `true`, this attribute must exist in LDAP. Defaults to `false`. """ return pulumi.get(self, "is_mandatory_in_ldap") @@ -279,7 +279,7 @@ def is_mandatory_in_ldap(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="ldapAttribute") def ldap_attribute(self) -> Optional[pulumi.Input[str]]: """ - Name of the mapped attribute on LDAP object. + Name of the mapped attribute on the LDAP object. """ return pulumi.get(self, "ldap_attribute") @@ -291,7 +291,7 @@ def ldap_attribute(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> Optional[pulumi.Input[str]]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -303,7 +303,7 @@ def ldap_user_federation_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -315,7 +315,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="readOnly") def read_only(self) -> Optional[pulumi.Input[bool]]: """ - When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. """ return pulumi.get(self, "read_only") 
@@ -327,7 +327,7 @@ def read_only(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @@ -339,7 +339,7 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="userModelAttribute") def user_model_attribute(self) -> Optional[pulumi.Input[str]]: """ - Name of the UserModel property or attribute you want to map the LDAP attribute into. + Name of the user property or attribute you want to map the LDAP attribute into. """ return pulumi.get(self, "user_model_attribute") @@ -365,22 +365,20 @@ def __init__(__self__, user_model_attribute: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # ldap.UserAttributeMapper - Allows for creating and managing user attribute mappers for Keycloak users federated via LDAP. The LDAP user attribute mapper can be used to map a single LDAP attribute to an attribute on the Keycloak user model. - ### Example Usage + ## Example Usage ```python import pulumi import pulumi_keycloak as keycloak realm = keycloak.Realm("realm", - realm="test", + realm="my-realm", enabled=True) ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation", name="openldap", 
@@ -404,37 +402,32 @@ def __init__(__self__, ldap_attribute="bar") ``` - ### Argument Reference + ## Import - The following arguments are supported: + LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - - `name` - (Required) Display name of this mapper when displayed in the console. - - `user_model_attribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into. - - `ldap_attribute` - (Required) Name of the mapped attribute on the LDAP object. - - `read_only` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. - - `always_read_value_from_ldap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. - - `is_mandatory_in_ldap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`. + The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. - ### Import + Example: - LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - The ID of the LDAP user federation provider and the mapper can be found within - the Keycloak GUI, and they are typically GUIDs: + bash + + ```sh + $ pulumi import keycloak:ldap/userAttributeMapper:UserAttributeMapper ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. 
- :param pulumi.Input[bool] always_read_value_from_ldap: When true, the value fetched from LDAP will override the value stored in Keycloak. - :param pulumi.Input[str] attribute_default_value: Default value to set in LDAP if is_mandatory_in_ldap and the value is empty - :param pulumi.Input[bool] is_binary_attribute: Should be true for binary LDAP attributes - :param pulumi.Input[bool] is_mandatory_in_ldap: When true, this attribute must exist in LDAP. - :param pulumi.Input[str] ldap_attribute: Name of the mapped attribute on LDAP object. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[bool] read_only: When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] user_model_attribute: Name of the UserModel property or attribute you want to map the LDAP attribute into. + :param pulumi.Input[bool] always_read_value_from_ldap: When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. + :param pulumi.Input[str] attribute_default_value: Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. + :param pulumi.Input[bool] is_binary_attribute: Should be true for binary LDAP attributes. + :param pulumi.Input[bool] is_mandatory_in_ldap: When `true`, this attribute must exist in LDAP. Defaults to `false`. + :param pulumi.Input[str] ldap_attribute: Name of the mapped attribute on the LDAP object. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. 
+ :param pulumi.Input[bool] read_only: When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] user_model_attribute: Name of the user property or attribute you want to map the LDAP attribute into. """ ... @overload @@ -443,22 +436,20 @@ def __init__(__self__, args: UserAttributeMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # ldap.UserAttributeMapper - Allows for creating and managing user attribute mappers for Keycloak users federated via LDAP. The LDAP user attribute mapper can be used to map a single LDAP attribute to an attribute on the Keycloak user model. - ### Example Usage + ## Example Usage ```python import pulumi import pulumi_keycloak as keycloak realm = keycloak.Realm("realm", - realm="test", + realm="my-realm", enabled=True) ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation", name="openldap", 
@@ -482,24 +473,19 @@ def __init__(__self__, ldap_attribute="bar") ``` - ### Argument Reference + ## Import - The following arguments are supported: + LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - - `realm_id` - (Required) The realm that this LDAP mapper will exist in. - - `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. - - `name` - (Required) Display name of this mapper when displayed in the console. - - `user_model_attribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into. - - `ldap_attribute` - (Required) Name of the mapped attribute on the LDAP object. - - `read_only` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. - - `always_read_value_from_ldap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. - - `is_mandatory_in_ldap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`. + The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. - ### Import + Example: - LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. - The ID of the LDAP user federation provider and the mapper can be found within - the Keycloak GUI, and they are typically GUIDs: + bash + + ```sh + $ pulumi import keycloak:ldap/userAttributeMapper:UserAttributeMapper ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` :param str resource_name: The name of the resource. :param UserAttributeMapperArgs args: The arguments to use to populate this resource's properties. 
@@ -580,16 +566,16 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] always_read_value_from_ldap: When true, the value fetched from LDAP will override the value stored in Keycloak. - :param pulumi.Input[str] attribute_default_value: Default value to set in LDAP if is_mandatory_in_ldap and the value is empty - :param pulumi.Input[bool] is_binary_attribute: Should be true for binary LDAP attributes - :param pulumi.Input[bool] is_mandatory_in_ldap: When true, this attribute must exist in LDAP. - :param pulumi.Input[str] ldap_attribute: Name of the mapped attribute on LDAP object. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[bool] read_only: When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] user_model_attribute: Name of the UserModel property or attribute you want to map the LDAP attribute into. + :param pulumi.Input[bool] always_read_value_from_ldap: When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. + :param pulumi.Input[str] attribute_default_value: Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. + :param pulumi.Input[bool] is_binary_attribute: Should be true for binary LDAP attributes. + :param pulumi.Input[bool] is_mandatory_in_ldap: When `true`, this attribute must exist in LDAP. Defaults to `false`. + :param pulumi.Input[str] ldap_attribute: Name of the mapped attribute on the LDAP object. 
+ :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[bool] read_only: When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] user_model_attribute: Name of the user property or attribute you want to map the LDAP attribute into. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -611,7 +597,7 @@ def get(resource_name: str, @pulumi.getter(name="alwaysReadValueFromLdap") def always_read_value_from_ldap(self) -> pulumi.Output[Optional[bool]]: """ - When true, the value fetched from LDAP will override the value stored in Keycloak. + When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. """ return pulumi.get(self, "always_read_value_from_ldap") @@ -619,7 +605,7 @@ def always_read_value_from_ldap(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="attributeDefaultValue") def attribute_default_value(self) -> pulumi.Output[Optional[str]]: """ - Default value to set in LDAP if is_mandatory_in_ldap and the value is empty + Default value to set in LDAP if `is_mandatory_in_ldap` is true and the value is empty. """ return pulumi.get(self, "attribute_default_value") @@ -627,7 +613,7 @@ def attribute_default_value(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="isBinaryAttribute") def is_binary_attribute(self) -> pulumi.Output[Optional[bool]]: """ - Should be true for binary LDAP attributes + Should be true for binary LDAP attributes. """ return pulumi.get(self, "is_binary_attribute") 
@@ -635,7 +621,7 @@ def is_binary_attribute(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="isMandatoryInLdap") def is_mandatory_in_ldap(self) -> pulumi.Output[Optional[bool]]: """ - When true, this attribute must exist in LDAP. + When `true`, this attribute must exist in LDAP. Defaults to `false`. """ return pulumi.get(self, "is_mandatory_in_ldap") @@ -643,7 +629,7 @@ def is_mandatory_in_ldap(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="ldapAttribute") def ldap_attribute(self) -> pulumi.Output[str]: """ - Name of the mapped attribute on LDAP object. + Name of the mapped attribute on the LDAP object. """ return pulumi.get(self, "ldap_attribute") @@ -651,7 +637,7 @@ def ldap_attribute(self) -> pulumi.Output[str]: @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Output[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -659,7 +645,7 @@ def ldap_user_federation_id(self) -> pulumi.Output[str]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -667,7 +653,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="readOnly") def read_only(self) -> pulumi.Output[Optional[bool]]: """ - When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. + When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. """ return pulumi.get(self, "read_only") 
@@ -675,7 +661,7 @@ def read_only(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @@ -683,7 +669,7 @@ def realm_id(self) -> pulumi.Output[str]: @pulumi.getter(name="userModelAttribute") def user_model_attribute(self) -> pulumi.Output[str]: """ - Name of the UserModel property or attribute you want to map the LDAP attribute into. + Name of the user property or attribute you want to map the LDAP attribute into. """ return pulumi.get(self, "user_model_attribute") diff --git a/sdk/python/pulumi_keycloak/ldap/user_federation.py b/sdk/python/pulumi_keycloak/ldap/user_federation.py index ed23b64f..abaef96f 100644 --- a/sdk/python/pulumi_keycloak/ldap/user_federation.py +++ b/sdk/python/pulumi_keycloak/ldap/user_federation.py 
@@ -57,37 +57,41 @@ def __init__(__self__, *, The set of arguments for constructing a UserFederation resource. :param pulumi.Input[str] connection_url: Connection URL to the LDAP server. :param pulumi.Input[str] rdn_ldap_attribute: Name of the LDAP attribute to use as the relative distinguished name. - :param pulumi.Input[str] realm_id: The realm this provider will provide user federation for. - :param pulumi.Input[Sequence[pulumi.Input[str]]] user_object_classes: All values of LDAP objectClass attribute for users in LDAP. + :param pulumi.Input[str] realm_id: The realm that this provider will provide user federation for. + :param pulumi.Input[Sequence[pulumi.Input[str]]] user_object_classes: Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. :param pulumi.Input[str] username_ldap_attribute: Name of the LDAP attribute to use as the Keycloak username. :param pulumi.Input[str] users_dn: Full DN of LDAP tree where your users are. :param pulumi.Input[str] uuid_ldap_attribute: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. - :param pulumi.Input[int] batch_size_for_sync: The number of users to sync within a single transaction. - :param pulumi.Input[str] bind_credential: Password of LDAP admin. - :param pulumi.Input[str] bind_dn: DN of LDAP admin, which will be used by Keycloak to access LDAP server. - :param pulumi.Input['UserFederationCacheArgs'] cache: Settings regarding cache policy for this realm. - :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - sync. - :param pulumi.Input[str] connection_timeout: LDAP connection timeout (duration string) - :param pulumi.Input[str] custom_user_search_filter: Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. 
- :param pulumi.Input[bool] delete_default_mappers: When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - user federation provider. - :param pulumi.Input[str] edit_mode: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. - :param pulumi.Input[bool] enabled: When false, this provider will not be used when performing queries for users. + :param pulumi.Input[int] batch_size_for_sync: The number of users to sync within a single transaction. Defaults to `1000`. + :param pulumi.Input[str] bind_credential: Password of LDAP admin. This attribute must be set if `bind_dn` is set. + :param pulumi.Input[str] bind_dn: DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. + :param pulumi.Input['UserFederationCacheArgs'] cache: A block containing the cache settings. + :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. + :param pulumi.Input[str] connection_timeout: LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). + :param pulumi.Input[str] custom_user_search_filter: Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. + :param pulumi.Input[bool] delete_default_mappers: When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. + :param pulumi.Input[str] edit_mode: Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. + :param pulumi.Input[bool] enabled: When `false`, this provider will not be used when performing queries for users. Defaults to `true`. 
:param pulumi.Input[int] full_sync_period: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. - :param pulumi.Input[bool] import_enabled: When true, LDAP users will be imported into the Keycloak database. - :param pulumi.Input['UserFederationKerberosArgs'] kerberos: Settings regarding kerberos authentication for this realm. + :param pulumi.Input[bool] import_enabled: When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. + :param pulumi.Input['UserFederationKerberosArgs'] kerberos: A block containing the kerberos settings. :param pulumi.Input[str] name: Display name of the provider when displayed in the console. - :param pulumi.Input[bool] pagination: When true, Keycloak assumes the LDAP server supports pagination. - :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. - :param pulumi.Input[str] read_timeout: LDAP read timeout (duration string) - :param pulumi.Input[str] search_scope: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. - :param pulumi.Input[bool] start_tls: When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. - :param pulumi.Input[bool] sync_registrations: When true, newly created users will be synced back to LDAP. + :param pulumi.Input[bool] pagination: When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. + :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. Defaults to `0`. + :param pulumi.Input[str] read_timeout: LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). + :param pulumi.Input[str] search_scope: Can be one of `ONE_LEVEL` or `SUBTREE`: + - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. 
+ - `SUBTREE`: Search entire LDAP subtree. + :param pulumi.Input[bool] start_tls: When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + :param pulumi.Input[bool] sync_registrations: When `true`, newly created users will be synced back to LDAP. Defaults to `false`. :param pulumi.Input[bool] trust_email: If enabled, email provided by this provider is not verified even if verification is enabled for the realm. :param pulumi.Input[bool] use_password_modify_extended_op: When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - :param pulumi.Input[bool] validate_password_policy: When true, Keycloak will validate passwords using the realm policy before updating it. - :param pulumi.Input[str] vendor: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + :param pulumi.Input[str] use_truststore_spi: Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + - `ALWAYS` - Always use the truststore SPI for LDAP connections. + - `NEVER` - Never use the truststore SPI for LDAP connections. + - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + :param pulumi.Input[bool] validate_password_policy: When `true`, Keycloak will validate passwords using the realm policy before updating it. + :param pulumi.Input[str] vendor: Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. """ pulumi.set(__self__, "connection_url", connection_url) pulumi.set(__self__, "rdn_ldap_attribute", rdn_ldap_attribute) 
@@ -175,7 +179,7 @@ def rdn_ldap_attribute(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm this provider will provide user federation for. + The realm that this provider will provide user federation for. """ return pulumi.get(self, "realm_id") @@ -187,7 +191,7 @@ def realm_id(self, value: pulumi.Input[str]): @pulumi.getter(name="userObjectClasses") def user_object_classes(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]: """ - All values of LDAP objectClass attribute for users in LDAP. + Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. """ return pulumi.get(self, "user_object_classes") @@ -235,7 +239,7 @@ def uuid_ldap_attribute(self, value: pulumi.Input[str]): @pulumi.getter(name="batchSizeForSync") def batch_size_for_sync(self) -> Optional[pulumi.Input[int]]: """ - The number of users to sync within a single transaction. + The number of users to sync within a single transaction. Defaults to `1000`. """ return pulumi.get(self, "batch_size_for_sync") @@ -247,7 +251,7 @@ def batch_size_for_sync(self, value: Optional[pulumi.Input[int]]): @pulumi.getter(name="bindCredential") def bind_credential(self) -> Optional[pulumi.Input[str]]: """ - Password of LDAP admin. + Password of LDAP admin. This attribute must be set if `bind_dn` is set. """ return pulumi.get(self, "bind_credential") @@ -259,7 +263,7 @@ def bind_credential(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="bindDn") def bind_dn(self) -> Optional[pulumi.Input[str]]: """ - DN of LDAP admin, which will be used by Keycloak to access LDAP server. + DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. """ return pulumi.get(self, "bind_dn") 
@@ -271,7 +275,7 @@ def bind_dn(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def cache(self) -> Optional[pulumi.Input['UserFederationCacheArgs']]: """ - Settings regarding cache policy for this realm. + A block containing the cache settings. """ return pulumi.get(self, "cache") @@ -283,8 +287,7 @@ def cache(self, value: Optional[pulumi.Input['UserFederationCacheArgs']]): @pulumi.getter(name="changedSyncPeriod") def changed_sync_period(self) -> Optional[pulumi.Input[int]]: """ - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - sync. + How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. """ return pulumi.get(self, "changed_sync_period") @@ -296,7 +299,7 @@ def changed_sync_period(self, value: Optional[pulumi.Input[int]]): @pulumi.getter(name="connectionTimeout") def connection_timeout(self) -> Optional[pulumi.Input[str]]: """ - LDAP connection timeout (duration string) + LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). """ return pulumi.get(self, "connection_timeout") @@ -308,7 +311,7 @@ def connection_timeout(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="customUserSearchFilter") def custom_user_search_filter(self) -> Optional[pulumi.Input[str]]: """ - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. """ return pulumi.get(self, "custom_user_search_filter") 
@@ -320,8 +323,7 @@ def custom_user_search_filter(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="deleteDefaultMappers") def delete_default_mappers(self) -> Optional[pulumi.Input[bool]]: """ - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - user federation provider. + When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. """ return pulumi.get(self, "delete_default_mappers") @@ -333,7 +335,7 @@ def delete_default_mappers(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="editMode") def edit_mode(self) -> Optional[pulumi.Input[str]]: """ - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. """ return pulumi.get(self, "edit_mode") @@ -345,7 +347,7 @@ def edit_mode(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: """ - When false, this provider will not be used when performing queries for users. + When `false`, this provider will not be used when performing queries for users. Defaults to `true`. """ return pulumi.get(self, "enabled") @@ -369,7 +371,7 @@ def full_sync_period(self, value: Optional[pulumi.Input[int]]): @pulumi.getter(name="importEnabled") def import_enabled(self) -> Optional[pulumi.Input[bool]]: """ - When true, LDAP users will be imported into the Keycloak database. + When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. """ return pulumi.get(self, "import_enabled") 
@@ -381,7 +383,7 @@ def import_enabled(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def kerberos(self) -> Optional[pulumi.Input['UserFederationKerberosArgs']]: """ - Settings regarding kerberos authentication for this realm. + A block containing the kerberos settings. """ return pulumi.get(self, "kerberos") @@ -405,7 +407,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def pagination(self) -> Optional[pulumi.Input[bool]]: """ - When true, Keycloak assumes the LDAP server supports pagination. + When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. """ return pulumi.get(self, "pagination") @@ -417,7 +419,7 @@ def pagination(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def priority(self) -> Optional[pulumi.Input[int]]: """ - Priority of this provider when looking up users. Lower values are first. + Priority of this provider when looking up users. Lower values are first. Defaults to `0`. """ return pulumi.get(self, "priority") @@ -429,7 +431,7 @@ def priority(self, value: Optional[pulumi.Input[int]]): @pulumi.getter(name="readTimeout") def read_timeout(self) -> Optional[pulumi.Input[str]]: """ - LDAP read timeout (duration string) + LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). """ return pulumi.get(self, "read_timeout") @@ -441,7 +443,9 @@ def read_timeout(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="searchScope") def search_scope(self) -> Optional[pulumi.Input[str]]: """ - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + Can be one of `ONE_LEVEL` or `SUBTREE`: + - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + - `SUBTREE`: Search entire LDAP subtree. """ return pulumi.get(self, "search_scope") 
@@ -453,7 +457,7 @@ def search_scope(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="startTls") def start_tls(self) -> Optional[pulumi.Input[bool]]: """ - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. """ return pulumi.get(self, "start_tls") @@ -465,7 +469,7 @@ def start_tls(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="syncRegistrations") def sync_registrations(self) -> Optional[pulumi.Input[bool]]: """ - When true, newly created users will be synced back to LDAP. + When `true`, newly created users will be synced back to LDAP. Defaults to `false`. """ return pulumi.get(self, "sync_registrations") @@ -500,6 +504,12 @@ def use_password_modify_extended_op(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="useTruststoreSpi") def use_truststore_spi(self) -> Optional[pulumi.Input[str]]: + """ + Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + - `ALWAYS` - Always use the truststore SPI for LDAP connections. + - `NEVER` - Never use the truststore SPI for LDAP connections. + - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + """ return pulumi.get(self, "use_truststore_spi") @use_truststore_spi.setter @@ -510,7 +520,7 @@ def use_truststore_spi(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="validatePasswordPolicy") def validate_password_policy(self) -> Optional[pulumi.Input[bool]]: """ - When true, Keycloak will validate passwords using the realm policy before updating it. + When `true`, Keycloak will validate passwords using the realm policy before updating it. """ return pulumi.get(self, "validate_password_policy") 
@@ -522,7 +532,7 @@ def validate_password_policy(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def vendor(self) -> Optional[pulumi.Input[str]]: """ - LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. """ return pulumi.get(self, "vendor") 
@@ -568,39 +578,43 @@ def __init__(__self__, *,
vendor: Optional[pulumi.Input[str]] = None):
"""
Input properties used for looking up and filtering UserFederation resources.
- :param pulumi.Input[int] batch_size_for_sync: The number of users to sync within a single transaction.
- :param pulumi.Input[str] bind_credential: Password of LDAP admin.
- :param pulumi.Input[str] bind_dn: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- :param pulumi.Input['UserFederationCacheArgs'] cache: Settings regarding cache policy for this realm.
- :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users
- sync.
- :param pulumi.Input[str] connection_timeout: LDAP connection timeout (duration string)
+ :param pulumi.Input[int] batch_size_for_sync: The number of users to sync within a single transaction. Defaults to `1000`.
+ :param pulumi.Input[str] bind_credential: Password of LDAP admin. This attribute must be set if `bind_dn` is set.
+ :param pulumi.Input[str] bind_dn: DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.
+ :param pulumi.Input['UserFederationCacheArgs'] cache: A block containing the cache settings.
+ :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
+ :param pulumi.Input[str] connection_timeout: LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
:param pulumi.Input[str] connection_url: Connection URL to the LDAP server.
- :param pulumi.Input[str] custom_user_search_filter: Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- :param pulumi.Input[bool] delete_default_mappers: When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP
- user federation provider.
- :param pulumi.Input[str] edit_mode: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- :param pulumi.Input[bool] enabled: When false, this provider will not be used when performing queries for users.
+ :param pulumi.Input[str] custom_user_search_filter: Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
+ :param pulumi.Input[bool] delete_default_mappers: When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.
+ :param pulumi.Input[str] edit_mode: Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
+ :param pulumi.Input[bool] enabled: When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
:param pulumi.Input[int] full_sync_period: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- :param pulumi.Input[bool] import_enabled: When true, LDAP users will be imported into the Keycloak database.
- :param pulumi.Input['UserFederationKerberosArgs'] kerberos: Settings regarding kerberos authentication for this realm.
+ :param pulumi.Input[bool] import_enabled: When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
+ :param pulumi.Input['UserFederationKerberosArgs'] kerberos: A block containing the kerberos settings.
:param pulumi.Input[str] name: Display name of the provider when displayed in the console.
- :param pulumi.Input[bool] pagination: When true, Keycloak assumes the LDAP server supports pagination.
- :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first.
+ :param pulumi.Input[bool] pagination: When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
+ :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
:param pulumi.Input[str] rdn_ldap_attribute: Name of the LDAP attribute to use as the relative distinguished name.
- :param pulumi.Input[str] read_timeout: LDAP read timeout (duration string)
- :param pulumi.Input[str] realm_id: The realm this provider will provide user federation for.
- :param pulumi.Input[str] search_scope: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- :param pulumi.Input[bool] start_tls: When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- :param pulumi.Input[bool] sync_registrations: When true, newly created users will be synced back to LDAP.
+ :param pulumi.Input[str] read_timeout: LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+ :param pulumi.Input[str] realm_id: The realm that this provider will provide user federation for.
+ :param pulumi.Input[str] search_scope: Can be one of `ONE_LEVEL` or `SUBTREE`:
+ - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
+ - `SUBTREE`: Search entire LDAP subtree.
+ :param pulumi.Input[bool] start_tls: When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
+ :param pulumi.Input[bool] sync_registrations: When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
:param pulumi.Input[bool] trust_email: If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
:param pulumi.Input[bool] use_password_modify_extended_op: When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
- :param pulumi.Input[Sequence[pulumi.Input[str]]] user_object_classes: All values of LDAP objectClass attribute for users in LDAP.
+ :param pulumi.Input[str] use_truststore_spi: Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
+ - `ALWAYS` - Always use the truststore SPI for LDAP connections.
+ - `NEVER` - Never use the truststore SPI for LDAP connections.
+ - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] user_object_classes: Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
:param pulumi.Input[str] username_ldap_attribute: Name of the LDAP attribute to use as the Keycloak username.
:param pulumi.Input[str] users_dn: Full DN of LDAP tree where your users are.
:param pulumi.Input[str] uuid_ldap_attribute: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- :param pulumi.Input[bool] validate_password_policy: When true, Keycloak will validate passwords using the realm policy before updating it.
- :param pulumi.Input[str] vendor: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
+ :param pulumi.Input[bool] validate_password_policy: When `true`, Keycloak will validate passwords using the realm policy before updating it.
+ :param pulumi.Input[str] vendor: Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
"""
if batch_size_for_sync is not None:
pulumi.set(__self__, "batch_size_for_sync", batch_size_for_sync)
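Review bot: The new `bind_credential` param line says when the value is required but not that it is the LDAP admin password being handed to a plain `pulumi.Input[str]`, so a reader gets no hint about where it ends up; the example usage block later in this diff hard-codes `bind_credential="admin"` in source, which is exactly the pattern the docstring should steer away from. If the provider schema marks this property as secret, say so here; if it does not, the value lands in the stack state unencrypted unless the caller wraps it. Suggested wording: `:param pulumi.Input[str] bind_credential: Password of LDAP admin. This attribute must be set if \`bind_dn\` is set. Treat it as a secret: read it from a secret config value or wrap it with \`pulumi.Output.secret\` so it is encrypted in state.` The same text is used in the `bind_credential` getter hunk (`@@ -683,7 +697,7 @@`) and in the resource `__init__` param list further down, so all three should change together, or upstream in the provider schema if this file is generated. `__init__` starts before this hunk and its body continues after it.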
@@ -671,7 +685,7 @@ def __init__(__self__, *,
@pulumi.getter(name="batchSizeForSync")
def batch_size_for_sync(self) -> Optional[pulumi.Input[int]]:
"""
- The number of users to sync within a single transaction.
+ The number of users to sync within a single transaction. Defaults to `1000`.
"""
return pulumi.get(self, "batch_size_for_sync")
@@ -683,7 +697,7 @@ def batch_size_for_sync(self, value: Optional[pulumi.Input[int]]):
@pulumi.getter(name="bindCredential")
def bind_credential(self) -> Optional[pulumi.Input[str]]:
"""
- Password of LDAP admin.
+ Password of LDAP admin. This attribute must be set if `bind_dn` is set.
"""
return pulumi.get(self, "bind_credential")
@@ -695,7 +709,7 @@ def bind_credential(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter(name="bindDn")
def bind_dn(self) -> Optional[pulumi.Input[str]]:
"""
- DN of LDAP admin, which will be used by Keycloak to access LDAP server.
+ DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.
"""
return pulumi.get(self, "bind_dn")
@@ -707,7 +721,7 @@ def bind_dn(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter
def cache(self) -> Optional[pulumi.Input['UserFederationCacheArgs']]:
"""
- Settings regarding cache policy for this realm.
+ A block containing the cache settings.
"""
return pulumi.get(self, "cache")
@@ -719,8 +733,7 @@ def cache(self, value: Optional[pulumi.Input['UserFederationCacheArgs']]):
@pulumi.getter(name="changedSyncPeriod")
def changed_sync_period(self) -> Optional[pulumi.Input[int]]:
"""
- How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users
- sync.
+ How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
"""
return pulumi.get(self, "changed_sync_period")
@@ -732,7 +745,7 @@ def changed_sync_period(self, value: Optional[pulumi.Input[int]]):
@pulumi.getter(name="connectionTimeout")
def connection_timeout(self) -> Optional[pulumi.Input[str]]:
"""
- LDAP connection timeout (duration string)
+ LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
"""
return pulumi.get(self, "connection_timeout")
@@ -756,7 +769,7 @@ def connection_url(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter(name="customUserSearchFilter")
def custom_user_search_filter(self) -> Optional[pulumi.Input[str]]:
"""
- Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
+ Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
"""
return pulumi.get(self, "custom_user_search_filter")
@@ -768,8 +781,7 @@ def custom_user_search_filter(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter(name="deleteDefaultMappers")
def delete_default_mappers(self) -> Optional[pulumi.Input[bool]]:
"""
- When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP
- user federation provider.
+ When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.
"""
return pulumi.get(self, "delete_default_mappers")
@@ -781,7 +793,7 @@ def delete_default_mappers(self, value: Optional[pulumi.Input[bool]]):
@pulumi.getter(name="editMode")
def edit_mode(self) -> Optional[pulumi.Input[str]]:
"""
- READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
+ Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
"""
return pulumi.get(self, "edit_mode")
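Review bot: In the `@@ -768,8 +781,7 @@` hunk the rewritten `delete_default_mappers` docstring keeps `When true,` as bare prose while every sibling boolean in this commit was normalised to the code-formatted `` When `true`, `` form, so the generated docs will render this one inconsistently. The same slip is in the `pagination` getter (`@@ -853,7 +865,7 @@`) and in both `__init__` param lists for those two fields. Change the line to `` When `true`, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. `` and the pagination line likewise; if this file is generated, the fix belongs in the upstream provider docs.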
@@ -793,7 +805,7 @@ def edit_mode(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter
def enabled(self) -> Optional[pulumi.Input[bool]]:
"""
- When false, this provider will not be used when performing queries for users.
+ When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
"""
return pulumi.get(self, "enabled")
@@ -817,7 +829,7 @@ def full_sync_period(self, value: Optional[pulumi.Input[int]]):
@pulumi.getter(name="importEnabled")
def import_enabled(self) -> Optional[pulumi.Input[bool]]:
"""
- When true, LDAP users will be imported into the Keycloak database.
+ When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
"""
return pulumi.get(self, "import_enabled")
@@ -829,7 +841,7 @@ def import_enabled(self, value: Optional[pulumi.Input[bool]]):
@pulumi.getter
def kerberos(self) -> Optional[pulumi.Input['UserFederationKerberosArgs']]:
"""
- Settings regarding kerberos authentication for this realm.
+ A block containing the kerberos settings.
"""
return pulumi.get(self, "kerberos")
@@ -853,7 +865,7 @@ def name(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter
def pagination(self) -> Optional[pulumi.Input[bool]]:
"""
- When true, Keycloak assumes the LDAP server supports pagination.
+ When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
"""
return pulumi.get(self, "pagination")
@@ -865,7 +877,7 @@ def pagination(self, value: Optional[pulumi.Input[bool]]):
@pulumi.getter
def priority(self) -> Optional[pulumi.Input[int]]:
"""
- Priority of this provider when looking up users. Lower values are first.
+ Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
"""
return pulumi.get(self, "priority")
@@ -889,7 +901,7 @@ def rdn_ldap_attribute(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter(name="readTimeout")
def read_timeout(self) -> Optional[pulumi.Input[str]]:
"""
- LDAP read timeout (duration string)
+ LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
"""
return pulumi.get(self, "read_timeout")
@@ -901,7 +913,7 @@ def read_timeout(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter(name="realmId")
def realm_id(self) -> Optional[pulumi.Input[str]]:
"""
- The realm this provider will provide user federation for.
+ The realm that this provider will provide user federation for.
"""
return pulumi.get(self, "realm_id")
@@ -913,7 +925,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter(name="searchScope")
def search_scope(self) -> Optional[pulumi.Input[str]]:
"""
- ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
+ Can be one of `ONE_LEVEL` or `SUBTREE`:
+ - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
+ - `SUBTREE`: Search entire LDAP subtree.
"""
return pulumi.get(self, "search_scope")
@@ -925,7 +939,7 @@ def search_scope(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter(name="startTls")
def start_tls(self) -> Optional[pulumi.Input[bool]]:
"""
- When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
+ When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
"""
return pulumi.get(self, "start_tls")
@@ -937,7 +951,7 @@ def start_tls(self, value: Optional[pulumi.Input[bool]]):
@pulumi.getter(name="syncRegistrations")
def sync_registrations(self) -> Optional[pulumi.Input[bool]]:
"""
- When true, newly created users will be synced back to LDAP.
+ When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
"""
return pulumi.get(self, "sync_registrations")
@@ -972,6 +986,12 @@ def use_password_modify_extended_op(self, value: Optional[pulumi.Input[bool]]):
@property
@pulumi.getter(name="useTruststoreSpi")
def use_truststore_spi(self) -> Optional[pulumi.Input[str]]:
+ """
+ Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
+ - `ALWAYS` - Always use the truststore SPI for LDAP connections.
+ - `NEVER` - Never use the truststore SPI for LDAP connections.
+ - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
+ """
return pulumi.get(self, "use_truststore_spi")
@use_truststore_spi.setter
@@ -982,7 +1002,7 @@ def use_truststore_spi(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter(name="userObjectClasses")
def user_object_classes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
"""
- All values of LDAP objectClass attribute for users in LDAP.
+ Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
"""
return pulumi.get(self, "user_object_classes")
@@ -1030,7 +1050,7 @@ def uuid_ldap_attribute(self, value: Optional[pulumi.Input[str]]):
@pulumi.getter(name="validatePasswordPolicy")
def validate_password_policy(self) -> Optional[pulumi.Input[bool]]:
"""
- When true, Keycloak will validate passwords using the realm policy before updating it.
+ When `true`, Keycloak will validate passwords using the realm policy before updating it.
"""
return pulumi.get(self, "validate_password_policy")
@@ -1042,7 +1062,7 @@ def validate_password_policy(self, value: Optional[pulumi.Input[bool]]):
@pulumi.getter
def vendor(self) -> Optional[pulumi.Input[str]]:
"""
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
+ Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
"""
return pulumi.get(self, "vendor")
@@ -1090,8 +1110,6 @@ def __init__(__self__,
vendor: Optional[pulumi.Input[str]] = None,
__props__=None):
"""
- ## # ldap.UserFederation
-
Allows for creating and managing LDAP user federation providers within Keycloak.
Keycloak can use an LDAP user federation provider to federate users to Keycloak
@@ -1099,14 +1117,14 @@ def __init__(__self__,
will exist within the realm and will be able to log in to clients. Federated users
can have their attributes defined using mappers.
- ### Example Usage
+ ## Example Usage
```python
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
- realm="test",
+ realm="my-realm",
enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
name="openldap",
@@ -1124,86 +1142,65 @@ def __init__(__self__,
bind_dn="cn=admin,dc=example,dc=org",
bind_credential="admin",
connection_timeout="5s",
- read_timeout="10s")
+ read_timeout="10s",
+ kerberos={
+ "kerberos_realm": "FOO.LOCAL",
+ "server_principal": "HTTP/host.foo.com@FOO.LOCAL",
+ "key_tab": "/etc/host.keytab",
+ })
```
- ### Argument Reference
-
- The following arguments are supported:
-
- - `realm_id` - (Required) The realm that this provider will provide user federation for.
- - `name` - (Required) Display name of the provider when displayed in the console.
- - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
- - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
- - `import_enabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
- - `edit_mode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
- - `sync_registrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
- - `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OPTIONAL`.
- - `username_ldap_attribute` - (Required) Name of the LDAP attribute to use as the Keycloak username.
- - `rdn_ldap_attribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name.
- - `uuid_ldap_attribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- - `user_object_classes` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
- - `connection_url` - (Required) Connection URL to the LDAP server.
- - `users_dn` - (Required) Full DN of LDAP tree where your users are.
- - `bind_dn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.
- - `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set.
- - `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
- - `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`:
- - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
- - `SUBTREE`: Search entire LDAP subtree.
- - `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it.
- - `use_truststore_spi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
- - `ALWAYS` - Always use the truststore SPI for LDAP connections.
- - `NEVER` - Never use the truststore SPI for LDAP connections.
- - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
- - `connection_timeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
- - `read_timeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
- - `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
- - `batch_size_for_sync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`.
- - `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- - `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds.
Omit this property to disable periodic changed users sync.
- - `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
-
- ### Import
+ ## Import
LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`.
+ The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:
+ bash
+
+ ```sh
+ $ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860
+ ```
+
:param str resource_name: The name of the resource.
:param pulumi.ResourceOptions opts: Options for the resource.
- :param pulumi.Input[int] batch_size_for_sync: The number of users to sync within a single transaction.
- :param pulumi.Input[str] bind_credential: Password of LDAP admin.
- :param pulumi.Input[str] bind_dn: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- :param pulumi.Input[Union['UserFederationCacheArgs', 'UserFederationCacheArgsDict']] cache: Settings regarding cache policy for this realm.
- :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users
- sync.
- :param pulumi.Input[str] connection_timeout: LDAP connection timeout (duration string)
+ :param pulumi.Input[int] batch_size_for_sync: The number of users to sync within a single transaction. Defaults to `1000`.
+ :param pulumi.Input[str] bind_credential: Password of LDAP admin. This attribute must be set if `bind_dn` is set.
+ :param pulumi.Input[str] bind_dn: DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.
+ :param pulumi.Input[Union['UserFederationCacheArgs', 'UserFederationCacheArgsDict']] cache: A block containing the cache settings.
+ :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
+ :param pulumi.Input[str] connection_timeout: LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
:param pulumi.Input[str] connection_url: Connection URL to the LDAP server.
- :param pulumi.Input[str] custom_user_search_filter: Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- :param pulumi.Input[bool] delete_default_mappers: When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP
- user federation provider.
- :param pulumi.Input[str] edit_mode: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- :param pulumi.Input[bool] enabled: When false, this provider will not be used when performing queries for users.
+ :param pulumi.Input[str] custom_user_search_filter: Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
+ :param pulumi.Input[bool] delete_default_mappers: When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.
+ :param pulumi.Input[str] edit_mode: Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
+ :param pulumi.Input[bool] enabled: When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
:param pulumi.Input[int] full_sync_period: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- :param pulumi.Input[bool] import_enabled: When true, LDAP users will be imported into the Keycloak database.
- :param pulumi.Input[Union['UserFederationKerberosArgs', 'UserFederationKerberosArgsDict']] kerberos: Settings regarding kerberos authentication for this realm.
+ :param pulumi.Input[bool] import_enabled: When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
+ :param pulumi.Input[Union['UserFederationKerberosArgs', 'UserFederationKerberosArgsDict']] kerberos: A block containing the kerberos settings.
:param pulumi.Input[str] name: Display name of the provider when displayed in the console.
- :param pulumi.Input[bool] pagination: When true, Keycloak assumes the LDAP server supports pagination.
- :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first.
+ :param pulumi.Input[bool] pagination: When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
+ :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
:param pulumi.Input[str] rdn_ldap_attribute: Name of the LDAP attribute to use as the relative distinguished name.
- :param pulumi.Input[str] read_timeout: LDAP read timeout (duration string)
- :param pulumi.Input[str] realm_id: The realm this provider will provide user federation for.
- :param pulumi.Input[str] search_scope: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- :param pulumi.Input[bool] start_tls: When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- :param pulumi.Input[bool] sync_registrations: When true, newly created users will be synced back to LDAP.
+ :param pulumi.Input[str] read_timeout: LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+ :param pulumi.Input[str] realm_id: The realm that this provider will provide user federation for.
+ :param pulumi.Input[str] search_scope: Can be one of `ONE_LEVEL` or `SUBTREE`:
+ - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
+ - `SUBTREE`: Search entire LDAP subtree.
+ :param pulumi.Input[bool] start_tls: When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
+ :param pulumi.Input[bool] sync_registrations: When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
:param pulumi.Input[bool] trust_email: If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
:param pulumi.Input[bool] use_password_modify_extended_op: When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
- :param pulumi.Input[Sequence[pulumi.Input[str]]] user_object_classes: All values of LDAP objectClass attribute for users in LDAP.
+ :param pulumi.Input[str] use_truststore_spi: Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
+ - `ALWAYS` - Always use the truststore SPI for LDAP connections.
+ - `NEVER` - Never use the truststore SPI for LDAP connections.
+ - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] user_object_classes: Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
:param pulumi.Input[str] username_ldap_attribute: Name of the LDAP attribute to use as the Keycloak username.
:param pulumi.Input[str] users_dn: Full DN of LDAP tree where your users are.
:param pulumi.Input[str] uuid_ldap_attribute: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- :param pulumi.Input[bool] validate_password_policy: When true, Keycloak will validate passwords using the realm policy before updating it.
- :param pulumi.Input[str] vendor: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
+ :param pulumi.Input[bool] validate_password_policy: When `true`, Keycloak will validate passwords using the realm policy before updating it.
+ :param pulumi.Input[str] vendor: Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
"""
...
@overload
@@ -1212,8 +1209,6 @@ def __init__(__self__,
args: UserFederationArgs,
opts: Optional[pulumi.ResourceOptions] = None):
"""
- ## # ldap.UserFederation
-
Allows for creating and managing LDAP user federation providers within Keycloak.
Keycloak can use an LDAP user federation provider to federate users to Keycloak
@@ -1221,14 +1216,14 @@ def __init__(__self__,
will exist within the realm and will be able to log in to clients. Federated users
can have their attributes defined using mappers.
- ### Example Usage
+ ## Example Usage
```python
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
- realm="test",
+ realm="my-realm",
enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
name="openldap",
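Review bot: The Import section added to the `__init__` docstring in the `@@ -1124,86 +1142,65 @@` hunk contains a stray `bash` line (followed by an empty added line) between `...is typically a GUID:` and the ```sh fence, so the rendered docs show the literal word "bash" as its own paragraph; drop those two added lines so the fence directly follows the sentence. This looks like a leftover from converting a ```bash block, so the same artefact is presumably present in the `@overload` variant of `__init__` whose hunk begins at the end of this chunk — check it there too. The example import ID in the fence is a sample value, which is fine as long as the surrounding text keeps saying it is "typically a GUID". `__init__` starts before this hunk, and the hunk ends at the `@overload` that opens the next definition.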
@@ -1246,51 +1241,26 @@ def __init__(__self__, bind_dn="cn=admin,dc=example,dc=org", bind_credential="admin", connection_timeout="5s", - read_timeout="10s") + read_timeout="10s", + kerberos={ + "kerberos_realm": "FOO.LOCAL", + "server_principal": "HTTP/host.foo.com@FOO.LOCAL", + "key_tab": "/etc/host.keytab", + }) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm that this provider will provide user federation for. - - `name` - (Required) Display name of the provider when displayed in the console. - - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. - - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. - - `import_enabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. - - `edit_mode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. - - `sync_registrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`. - - `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OPTIONAL`. - - `username_ldap_attribute` - (Required) Name of the LDAP attribute to use as the Keycloak username. - - `rdn_ldap_attribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name. - - `uuid_ldap_attribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. - - `user_object_classes` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. 
- - `connection_url` - (Required) Connection URL to the LDAP server. - - `users_dn` - (Required) Full DN of LDAP tree where your users are. - - `bind_dn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. - - `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set. - - `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. - - `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`: - - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. - - `SUBTREE`: Search entire LDAP subtree. - - `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it. - - `use_truststore_spi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: - - `ALWAYS` - Always use the truststore SPI for LDAP connections. - - `NEVER` - Never use the truststore SPI for LDAP connections. - - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. - - `connection_timeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). - - `read_timeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). - - `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. - - `batch_size_for_sync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`. - - `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. - - `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. 
Omit this property to disable periodic changed users sync. - - `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. - - ### Import + ## Import LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. + The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: + bash + + ```sh + $ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 + ``` + :param str resource_name: The name of the resource. :param UserFederationArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
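Review bot: The rebuilt Import section in the `@@ -1246` hunk has a stray `bash` line sitting between the "typically a GUID:" sentence and the ```sh fence, so the word will render as literal text in the generated docs; drop that line and keep only the fenced command. While this docstring is being reworked, the example still passes `bind_credential="admin"` as a plain literal that readers tend to copy verbatim; consider showing it sourced from an encrypted config value, e.g. `bind_credential=pulumi.Config().require_secret("ldapBindPassword")`, so the bind password is not committed in plain text. If these docstrings are generated from the upstream provider docs, the fix belongs there and should be regenerated into this file. The `__init__` this hunk documents starts before the hunk, outside the quoted lines.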
@@ -1444,39 +1414,43 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[int] batch_size_for_sync: The number of users to sync within a single transaction. - :param pulumi.Input[str] bind_credential: Password of LDAP admin. - :param pulumi.Input[str] bind_dn: DN of LDAP admin, which will be used by Keycloak to access LDAP server. - :param pulumi.Input[Union['UserFederationCacheArgs', 'UserFederationCacheArgsDict']] cache: Settings regarding cache policy for this realm. - :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - sync. - :param pulumi.Input[str] connection_timeout: LDAP connection timeout (duration string) + :param pulumi.Input[int] batch_size_for_sync: The number of users to sync within a single transaction. Defaults to `1000`. + :param pulumi.Input[str] bind_credential: Password of LDAP admin. This attribute must be set if `bind_dn` is set. + :param pulumi.Input[str] bind_dn: DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. + :param pulumi.Input[Union['UserFederationCacheArgs', 'UserFederationCacheArgsDict']] cache: A block containing the cache settings. + :param pulumi.Input[int] changed_sync_period: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. + :param pulumi.Input[str] connection_timeout: LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). :param pulumi.Input[str] connection_url: Connection URL to the LDAP server. 
- :param pulumi.Input[str] custom_user_search_filter: Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. - :param pulumi.Input[bool] delete_default_mappers: When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - user federation provider. - :param pulumi.Input[str] edit_mode: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. - :param pulumi.Input[bool] enabled: When false, this provider will not be used when performing queries for users. + :param pulumi.Input[str] custom_user_search_filter: Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. + :param pulumi.Input[bool] delete_default_mappers: When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. + :param pulumi.Input[str] edit_mode: Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. + :param pulumi.Input[bool] enabled: When `false`, this provider will not be used when performing queries for users. Defaults to `true`. :param pulumi.Input[int] full_sync_period: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. - :param pulumi.Input[bool] import_enabled: When true, LDAP users will be imported into the Keycloak database. - :param pulumi.Input[Union['UserFederationKerberosArgs', 'UserFederationKerberosArgsDict']] kerberos: Settings regarding kerberos authentication for this realm. + :param pulumi.Input[bool] import_enabled: When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. 
+ :param pulumi.Input[Union['UserFederationKerberosArgs', 'UserFederationKerberosArgsDict']] kerberos: A block containing the kerberos settings. :param pulumi.Input[str] name: Display name of the provider when displayed in the console. - :param pulumi.Input[bool] pagination: When true, Keycloak assumes the LDAP server supports pagination. - :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. + :param pulumi.Input[bool] pagination: When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. + :param pulumi.Input[int] priority: Priority of this provider when looking up users. Lower values are first. Defaults to `0`. :param pulumi.Input[str] rdn_ldap_attribute: Name of the LDAP attribute to use as the relative distinguished name. - :param pulumi.Input[str] read_timeout: LDAP read timeout (duration string) - :param pulumi.Input[str] realm_id: The realm this provider will provide user federation for. - :param pulumi.Input[str] search_scope: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. - :param pulumi.Input[bool] start_tls: When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. - :param pulumi.Input[bool] sync_registrations: When true, newly created users will be synced back to LDAP. + :param pulumi.Input[str] read_timeout: LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). + :param pulumi.Input[str] realm_id: The realm that this provider will provide user federation for. + :param pulumi.Input[str] search_scope: Can be one of `ONE_LEVEL` or `SUBTREE`: + - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + - `SUBTREE`: Search entire LDAP subtree. + :param pulumi.Input[bool] start_tls: When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. 
+ :param pulumi.Input[bool] sync_registrations: When `true`, newly created users will be synced back to LDAP. Defaults to `false`. :param pulumi.Input[bool] trust_email: If enabled, email provided by this provider is not verified even if verification is enabled for the realm. :param pulumi.Input[bool] use_password_modify_extended_op: When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - :param pulumi.Input[Sequence[pulumi.Input[str]]] user_object_classes: All values of LDAP objectClass attribute for users in LDAP. + :param pulumi.Input[str] use_truststore_spi: Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + - `ALWAYS` - Always use the truststore SPI for LDAP connections. + - `NEVER` - Never use the truststore SPI for LDAP connections. + - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + :param pulumi.Input[Sequence[pulumi.Input[str]]] user_object_classes: Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. :param pulumi.Input[str] username_ldap_attribute: Name of the LDAP attribute to use as the Keycloak username. :param pulumi.Input[str] users_dn: Full DN of LDAP tree where your users are. :param pulumi.Input[str] uuid_ldap_attribute: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. - :param pulumi.Input[bool] validate_password_policy: When true, Keycloak will validate passwords using the realm policy before updating it. - :param pulumi.Input[str] vendor: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + :param pulumi.Input[bool] validate_password_policy: When `true`, Keycloak will validate passwords using the realm policy before updating it. + :param pulumi.Input[str] vendor: Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. 
When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -1520,7 +1494,7 @@ def get(resource_name: str, @pulumi.getter(name="batchSizeForSync") def batch_size_for_sync(self) -> pulumi.Output[Optional[int]]: """ - The number of users to sync within a single transaction. + The number of users to sync within a single transaction. Defaults to `1000`. """ return pulumi.get(self, "batch_size_for_sync") @@ -1528,7 +1502,7 @@ def batch_size_for_sync(self) -> pulumi.Output[Optional[int]]: @pulumi.getter(name="bindCredential") def bind_credential(self) -> pulumi.Output[Optional[str]]: """ - Password of LDAP admin. + Password of LDAP admin. This attribute must be set if `bind_dn` is set. """ return pulumi.get(self, "bind_credential") @@ -1536,7 +1510,7 @@ def bind_credential(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="bindDn") def bind_dn(self) -> pulumi.Output[Optional[str]]: """ - DN of LDAP admin, which will be used by Keycloak to access LDAP server. + DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. """ return pulumi.get(self, "bind_dn") @@ -1544,7 +1518,7 @@ def bind_dn(self) -> pulumi.Output[Optional[str]]: @pulumi.getter def cache(self) -> pulumi.Output[Optional['outputs.UserFederationCache']]: """ - Settings regarding cache policy for this realm. + A block containing the cache settings. """ return pulumi.get(self, "cache") 
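Review bot: The new `bind_credential` description in the `@@ -1444` hunk ("Password of LDAP admin. This attribute must be set if `bind_dn` is set.") documents a directory-service credential without saying that it is sensitive. Unless the provider schema already marks this property as secret (not visible here), I would extend the docstring with `This value is a secret; supply it as an encrypted config value or wrap it with pulumi.Output.secret so it is not written to state or logs in plain text.` The same sentence fits the `bindCredential` property docstring updated further along this line. The `get` method whose docstring this hunk edits has its signature before the hunk, outside the quoted lines.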
@@ -1552,8 +1526,7 @@ def cache(self) -> pulumi.Output[Optional['outputs.UserFederationCache']]: @pulumi.getter(name="changedSyncPeriod") def changed_sync_period(self) -> pulumi.Output[Optional[int]]: """ - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users - sync. + How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. """ return pulumi.get(self, "changed_sync_period") @@ -1561,7 +1534,7 @@ def changed_sync_period(self) -> pulumi.Output[Optional[int]]: @pulumi.getter(name="connectionTimeout") def connection_timeout(self) -> pulumi.Output[Optional[str]]: """ - LDAP connection timeout (duration string) + LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). """ return pulumi.get(self, "connection_timeout") @@ -1577,7 +1550,7 @@ def connection_url(self) -> pulumi.Output[str]: @pulumi.getter(name="customUserSearchFilter") def custom_user_search_filter(self) -> pulumi.Output[Optional[str]]: """ - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'. + Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. """ return pulumi.get(self, "custom_user_search_filter") @@ -1585,8 +1558,7 @@ def custom_user_search_filter(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="deleteDefaultMappers") def delete_default_mappers(self) -> pulumi.Output[Optional[bool]]: """ - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP - user federation provider. + When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`. """ return pulumi.get(self, "delete_default_mappers") 
@@ -1594,7 +1566,7 @@ def delete_default_mappers(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="editMode") def edit_mode(self) -> pulumi.Output[Optional[str]]: """ - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP. + Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. """ return pulumi.get(self, "edit_mode") @@ -1602,7 +1574,7 @@ def edit_mode(self) -> pulumi.Output[Optional[str]]: @pulumi.getter def enabled(self) -> pulumi.Output[Optional[bool]]: """ - When false, this provider will not be used when performing queries for users. + When `false`, this provider will not be used when performing queries for users. Defaults to `true`. """ return pulumi.get(self, "enabled") @@ -1618,7 +1590,7 @@ def full_sync_period(self) -> pulumi.Output[Optional[int]]: @pulumi.getter(name="importEnabled") def import_enabled(self) -> pulumi.Output[Optional[bool]]: """ - When true, LDAP users will be imported into the Keycloak database. + When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. """ return pulumi.get(self, "import_enabled") @@ -1626,7 +1598,7 @@ def import_enabled(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter def kerberos(self) -> pulumi.Output[Optional['outputs.UserFederationKerberos']]: """ - Settings regarding kerberos authentication for this realm. + A block containing the kerberos settings. """ return pulumi.get(self, "kerberos") @@ -1642,7 +1614,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter def pagination(self) -> pulumi.Output[Optional[bool]]: """ - When true, Keycloak assumes the LDAP server supports pagination. + When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. """ return pulumi.get(self, "pagination") 
@@ -1650,7 +1622,7 @@ def pagination(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter def priority(self) -> pulumi.Output[Optional[int]]: """ - Priority of this provider when looking up users. Lower values are first. + Priority of this provider when looking up users. Lower values are first. Defaults to `0`. """ return pulumi.get(self, "priority") @@ -1666,7 +1638,7 @@ def rdn_ldap_attribute(self) -> pulumi.Output[str]: @pulumi.getter(name="readTimeout") def read_timeout(self) -> pulumi.Output[Optional[str]]: """ - LDAP read timeout (duration string) + LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). """ return pulumi.get(self, "read_timeout") @@ -1674,7 +1646,7 @@ def read_timeout(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm this provider will provide user federation for. + The realm that this provider will provide user federation for. """ return pulumi.get(self, "realm_id") @@ -1682,7 +1654,9 @@ def realm_id(self) -> pulumi.Output[str]: @pulumi.getter(name="searchScope") def search_scope(self) -> pulumi.Output[Optional[str]]: """ - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree. + Can be one of `ONE_LEVEL` or `SUBTREE`: + - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + - `SUBTREE`: Search entire LDAP subtree. """ return pulumi.get(self, "search_scope") @@ -1690,7 +1664,7 @@ def search_scope(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="startTls") def start_tls(self) -> pulumi.Output[Optional[bool]]: """ - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. + When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. """ return pulumi.get(self, "start_tls") 
@@ -1698,7 +1672,7 @@ def start_tls(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="syncRegistrations") def sync_registrations(self) -> pulumi.Output[Optional[bool]]: """ - When true, newly created users will be synced back to LDAP. + When `true`, newly created users will be synced back to LDAP. Defaults to `false`. """ return pulumi.get(self, "sync_registrations") @@ -1721,13 +1695,19 @@ def use_password_modify_extended_op(self) -> pulumi.Output[Optional[bool]]: @property @pulumi.getter(name="useTruststoreSpi") def use_truststore_spi(self) -> pulumi.Output[Optional[str]]: + """ + Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: + - `ALWAYS` - Always use the truststore SPI for LDAP connections. + - `NEVER` - Never use the truststore SPI for LDAP connections. + - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. + """ return pulumi.get(self, "use_truststore_spi") @property @pulumi.getter(name="userObjectClasses") def user_object_classes(self) -> pulumi.Output[Sequence[str]]: """ - All values of LDAP objectClass attribute for users in LDAP. + Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. """ return pulumi.get(self, "user_object_classes") @@ -1759,7 +1739,7 @@ def uuid_ldap_attribute(self) -> pulumi.Output[str]: @pulumi.getter(name="validatePasswordPolicy") def validate_password_policy(self) -> pulumi.Output[Optional[bool]]: """ - When true, Keycloak will validate passwords using the realm policy before updating it. + When `true`, Keycloak will validate passwords using the realm policy before updating it. """ return pulumi.get(self, "validate_password_policy") 
@@ -1767,7 +1747,7 @@ def validate_password_policy(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter def vendor(self) -> pulumi.Output[Optional[str]]: """ - LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required. + Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. """ return pulumi.get(self, "vendor") diff --git a/sdk/python/pulumi_keycloak/openid/_inputs.py b/sdk/python/pulumi_keycloak/openid/_inputs.py index 437e5dc9..7f2cc25c 100644 --- a/sdk/python/pulumi_keycloak/openid/_inputs.py +++ b/sdk/python/pulumi_keycloak/openid/_inputs.py @@ -44,7 +44,13 @@ if not MYPY: class ClientAuthenticationFlowBindingOverridesArgsDict(TypedDict): browser_id: NotRequired[pulumi.Input[str]] + """ + Browser flow id, (flow needs to exist) + """ direct_grant_id: NotRequired[pulumi.Input[str]] + """ + Direct grant flow id (flow needs to exist) + """ elif False: ClientAuthenticationFlowBindingOverridesArgsDict: TypeAlias = Mapping[str, Any] @@ -53,6 +59,10 @@ class ClientAuthenticationFlowBindingOverridesArgs: def __init__(__self__, *, browser_id: Optional[pulumi.Input[str]] = None, direct_grant_id: Optional[pulumi.Input[str]] = None): + """ + :param pulumi.Input[str] browser_id: Browser flow id, (flow needs to exist) + :param pulumi.Input[str] direct_grant_id: Direct grant flow id (flow needs to exist) + """ if browser_id is not None: pulumi.set(__self__, "browser_id", browser_id) if direct_grant_id is not None: @@ -61,6 +71,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="browserId") def browser_id(self) -> Optional[pulumi.Input[str]]: + """ + Browser flow id, (flow needs to exist) + """ return pulumi.get(self, "browser_id") @browser_id.setter 
@@ -70,6 +83,9 @@ def browser_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="directGrantId") def direct_grant_id(self) -> Optional[pulumi.Input[str]]: + """ + Direct grant flow id (flow needs to exist) + """ return pulumi.get(self, "direct_grant_id") @direct_grant_id.setter @@ -80,9 +96,21 @@ def direct_grant_id(self, value: Optional[pulumi.Input[str]]): if not MYPY: class ClientAuthorizationArgsDict(TypedDict): policy_enforcement_mode: pulumi.Input[str] + """ + Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + """ allow_remote_resource_management: NotRequired[pulumi.Input[bool]] + """ + When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + """ decision_strategy: NotRequired[pulumi.Input[str]] + """ + Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + """ keep_defaults: NotRequired[pulumi.Input[bool]] + """ + When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + """ elif False: ClientAuthorizationArgsDict: TypeAlias = Mapping[str, Any] 
@@ -93,6 +121,12 @@ def __init__(__self__, *, allow_remote_resource_management: Optional[pulumi.Input[bool]] = None, decision_strategy: Optional[pulumi.Input[str]] = None, keep_defaults: Optional[pulumi.Input[bool]] = None): + """ + :param pulumi.Input[str] policy_enforcement_mode: Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + :param pulumi.Input[bool] allow_remote_resource_management: When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + :param pulumi.Input[str] decision_strategy: Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + :param pulumi.Input[bool] keep_defaults: When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + """ pulumi.set(__self__, "policy_enforcement_mode", policy_enforcement_mode) if allow_remote_resource_management is not None: pulumi.set(__self__, "allow_remote_resource_management", allow_remote_resource_management) @@ -104,6 +138,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="policyEnforcementMode") def policy_enforcement_mode(self) -> pulumi.Input[str]: + """ + Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. + """ return pulumi.get(self, "policy_enforcement_mode") @policy_enforcement_mode.setter @@ -113,6 +150,9 @@ def policy_enforcement_mode(self, value: pulumi.Input[str]): @property @pulumi.getter(name="allowRemoteResourceManagement") def allow_remote_resource_management(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + """ return pulumi.get(self, "allow_remote_resource_management") @allow_remote_resource_management.setter 
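Review bot: The new `decision_strategy` docstring in the `@@ -93` hunk says `Could be one of` while the sibling `policy_enforcement_mode` line in the same hunk and every enum-valued field in the ldap module use `Can be one of`; change `Could be one of` to `Can be one of` for consistency. The same wording appears in the TypedDict and in the property getter for this field on the neighbouring lines, so all three copies should change together. If these strings come from the provider schema, fix them upstream before regenerating the SDK.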
@@ -122,6 +162,9 @@ def allow_remote_resource_management(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="decisionStrategy") def decision_strategy(self) -> Optional[pulumi.Input[str]]: + """ + Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. + """ return pulumi.get(self, "decision_strategy") @decision_strategy.setter @@ -131,6 +174,9 @@ def decision_strategy(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="keepDefaults") def keep_defaults(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, defaults set by Keycloak will be respected. Defaults to `false`. + """ return pulumi.get(self, "keep_defaults") @keep_defaults.setter diff --git a/sdk/python/pulumi_keycloak/openid/audience_protocol_mapper.py b/sdk/python/pulumi_keycloak/openid/audience_protocol_mapper.py index 22fcdc70..400cced5 100644 --- a/sdk/python/pulumi_keycloak/openid/audience_protocol_mapper.py +++ b/sdk/python/pulumi_keycloak/openid/audience_protocol_mapper.py 
@@ -29,14 +29,14 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a AudienceProtocolMapper resource. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. - :param pulumi.Input[bool] add_to_access_token: Indicates if this claim should be added to the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if this claim should be added to the id token. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] included_client_audience: A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience - :param pulumi.Input[str] included_custom_audience: A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[bool] add_to_access_token: Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. 
+ :param pulumi.Input[str] included_client_audience: A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. + :param pulumi.Input[str] included_custom_audience: A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. """ pulumi.set(__self__, "realm_id", realm_id) if add_to_access_token is not None: @@ -58,7 +58,7 @@ def __init__(__self__, *, @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -70,7 +70,7 @@ def realm_id(self, value: pulumi.Input[str]): @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if this claim should be added to the access token. + Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -82,7 +82,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if this claim should be added to the id token. + Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") 
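Review bot: The new `add_to_access_token` description in the `@@ -29` hunk says the audience is included in the `aud` claim "for the id token", which is the identical sentence used for `add_to_id_token` and looks like a copy-paste slip; replace `for the id token` with `for the access token` in that line. The same wording is repeated on the `addToAccessToken` property further along this line and in the lookup-args docstring at the end of the file section, so every copy needs the fix. Since the `aud` claim on the access token is what resource servers use to reject tokens minted for other clients, a docstring that points at the wrong token type can lead users to leave access tokens without the intended audience. The `AudienceProtocolMapperArgs.__init__` this hunk edits begins outside the hunk; if the text is generated from the upstream provider schema, the correction belongs there rather than in this SDK file.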
@@ -94,7 +94,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") @@ -106,7 +106,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -118,7 +118,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="includedClientAudience") def included_client_audience(self) -> Optional[pulumi.Input[str]]: """ - A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. """ return pulumi.get(self, "included_client_audience") 
@@ -130,7 +130,7 @@ def included_client_audience(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="includedCustomAudience") def included_custom_audience(self) -> Optional[pulumi.Input[str]]: """ - A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. """ return pulumi.get(self, "included_custom_audience") @@ -142,7 +142,7 @@ def included_custom_audience(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") 
@@ -164,14 +164,14 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering AudienceProtocolMapper resources. - :param pulumi.Input[bool] add_to_access_token: Indicates if this claim should be added to the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if this claim should be added to the id token. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] included_client_audience: A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience - :param pulumi.Input[str] included_custom_audience: A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] included_client_audience: A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. 
One of `included_client_audience` or `included_custom_audience` must be specified. + :param pulumi.Input[str] included_custom_audience: A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ if add_to_access_token is not None: pulumi.set(__self__, "add_to_access_token", add_to_access_token) @@ -194,7 +194,7 @@ def __init__(__self__, *, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if this claim should be added to the access token. + Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -206,7 +206,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if this claim should be added to the id token. + Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") @@ -218,7 +218,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -230,7 +230,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -242,7 +242,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="includedClientAudience") def included_client_audience(self) -> Optional[pulumi.Input[str]]: """ - A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. """ return pulumi.get(self, "included_client_audience") @@ -254,7 +254,7 @@ def included_client_audience(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="includedCustomAudience") def included_custom_audience(self) -> Optional[pulumi.Input[str]]: """ - A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. """ return pulumi.get(self, "included_custom_audience") @@ -266,7 +266,7 @@ def included_custom_audience(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") 
@@ -278,7 +278,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -302,16 +302,14 @@ def __init__(__self__, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # openid.AudienceProtocolMapper + Allows for creating and managing audience protocol mappers within Keycloak. - Allows for creating and managing audience protocol mappers within - Keycloak. This mapper was added in Keycloak v4.6.0.Final. + Audience protocol mappers allow you add audiences to the `aud` claim within issued tokens. The audience can be a custom + string, or it can be mapped to the ID of a pre-existing client. - Audience protocol mappers allow you add audiences to the `aud` claim - within issued tokens. The audience can be a custom string, or it can be - mapped to the ID of a pre-existing client. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi @@ -322,8 +320,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -334,7 +332,7 @@ def __init__(__self__, included_custom_audience="foo") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi 
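Review bot: The regenerated example headings in the `@@ -302,16 +302,14 @@` and `@@ -334,7 +332,7 @@` hunks read `### Client)` and `### Client Scope)`, carrying a closing parenthesis left over from the old `### Example Usage (Client)` wording; under the new `## Example Usage` heading they should be `### Client` and `### Client Scope`. The same two headings appear again in the second `__init__` overload at `@@ -392` and `@@ -424`. The retained sentence `Audience protocol mappers allow you add audiences to the `aud` claim` also still lacks the word `to`. These docstrings are generated from the provider schema, so the wording change presumably belongs upstream.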
@@ -353,37 +351,36 @@ def __init__(__self__, included_custom_audience="foo") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `included_client_audience` - (Required if `included_custom_audience` is not specified) A client ID to include within the token's `aud` claim. - - `included_custom_audience` - (Required if `included_client_audience` is not specified) A custom audience to include within the token's `aud` claim. - - `add_to_id_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. - - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. 
- :param pulumi.Input[bool] add_to_access_token: Indicates if this claim should be added to the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if this claim should be added to the id token. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] included_client_audience: A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience - :param pulumi.Input[str] included_custom_audience: A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] included_client_audience: A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. + :param pulumi.Input[str] included_custom_audience: A custom audience to include within the token's `aud` claim. 
Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ ... @overload @@ -392,16 +389,14 @@ def __init__(__self__, args: AudienceProtocolMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.AudienceProtocolMapper + Allows for creating and managing audience protocol mappers within Keycloak. - Allows for creating and managing audience protocol mappers within - Keycloak. This mapper was added in Keycloak v4.6.0.Final. + Audience protocol mappers allow you add audiences to the `aud` claim within issued tokens. The audience can be a custom + string, or it can be mapped to the ID of a pre-existing client. - Audience protocol mappers allow you add audiences to the `aud` claim - within issued tokens. The audience can be a custom string, or it can be - mapped to the ID of a pre-existing client. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi @@ -412,8 +407,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -424,7 +419,7 @@ def __init__(__self__, included_custom_audience="foo") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi 
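Review bot: In the `@@ -353,37 +351,36 @@` hunk the new Import section has a bare `bash` line between `Example:` and the two `sh` fences; it looks like a leftover language tag from the upstream markdown and renders as stray prose inside the docstring. Dropping that line and the blank after it leaves just the two fenced commands, which already carry their own `sh` tag. The second overload's hunk at `@@ -443,27 +438,26 @@` contains the identical stray line.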
@@ -443,27 +438,26 @@ def __init__(__self__, included_custom_audience="foo") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `included_client_audience` - (Required if `included_custom_audience` is not specified) A client ID to include within the token's `aud` claim. - - `included_custom_audience` - (Required if `included_client_audience` is not specified) A custom audience to include within the token's `aud` claim. - - `add_to_id_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. - - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param AudienceProtocolMapperArgs args: The arguments to use to populate this resource's properties. 
:param pulumi.ResourceOptions opts: Options for the resource. 
@@ -531,14 +525,14 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_to_access_token: Indicates if this claim should be added to the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if this claim should be added to the id token. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] included_client_audience: A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience - :param pulumi.Input[str] included_custom_audience: A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. 
+ :param pulumi.Input[str] included_client_audience: A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. + :param pulumi.Input[str] included_custom_audience: A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -558,7 +552,7 @@ def get(resource_name: str, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if this claim should be added to the access token. + Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -566,7 +560,7 @@ def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if this claim should be added to the id token. + Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") @@ -574,7 +568,7 @@ def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -582,7 +576,7 @@ def client_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -590,7 +584,7 @@ def client_scope_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="includedClientAudience") def included_client_audience(self) -> pulumi.Output[Optional[str]]: """ - A client ID to include within the token's `aud` claim. Cannot be used with included_custom_audience + A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. """ return pulumi.get(self, "included_client_audience") @@ -598,7 +592,7 @@ def included_client_audience(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="includedCustomAudience") def included_custom_audience(self) -> pulumi.Output[Optional[str]]: """ - A custom audience to include within the token's `aud` claim. Cannot be used with included_custom_audience + A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified. """ return pulumi.get(self, "included_custom_audience") @@ -606,7 +600,7 @@ def included_custom_audience(self) -> pulumi.Output[Optional[str]]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") 
@@ -614,7 +608,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/openid/client.py b/sdk/python/pulumi_keycloak/openid/client.py index bb9a28c9..37418b05 100644 --- a/sdk/python/pulumi_keycloak/openid/client.py +++ b/sdk/python/pulumi_keycloak/openid/client.py 
@@ -67,6 +67,60 @@ def __init__(__self__, *, web_origins: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None): """ The set of arguments for constructing a Client resource. + :param pulumi.Input[str] access_type: Specifies the type of client, which can be one of the following: + - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + This client should be used for applications using the Authorization Code or Client Credentials grant flows. + - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + URIs for security. This client should be used for applications using the Implicit grant flow. + - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + :param pulumi.Input[str] client_id: The Client ID for this client, referenced in the URI during authentication and in issued tokens. + :param pulumi.Input[str] realm_id: The realm this client is attached to. + :param pulumi.Input[str] access_token_lifespan: The amount of time in seconds before an access token expires. This will override the default for the realm. + :param pulumi.Input[str] admin_url: URL to the admin interface of the client. + :param pulumi.Input['ClientAuthenticationFlowBindingOverridesArgs'] authentication_flow_binding_overrides: Override realm authentication flow bindings + :param pulumi.Input['ClientAuthorizationArgs'] authorization: When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + :param pulumi.Input[bool] backchannel_logout_revoke_offline_sessions: Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. 
Keycloak will revoke offline sessions when receiving a Logout Token with this event. + :param pulumi.Input[bool] backchannel_logout_session_required: When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + :param pulumi.Input[str] backchannel_logout_url: The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + :param pulumi.Input[str] base_url: Default URL to use when the auth server needs to redirect or link back to the client. + :param pulumi.Input[str] client_authenticator_type: Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + - `client-secret` (Default) Use client id and client secret to authenticate client. + - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = ` + - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + :param pulumi.Input[str] client_offline_session_idle_timeout: Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + :param pulumi.Input[str] client_offline_session_max_lifespan: Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. 
+ :param pulumi.Input[str] client_secret: The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + :param pulumi.Input[str] client_session_idle_timeout: Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + :param pulumi.Input[str] client_session_max_lifespan: Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + :param pulumi.Input[bool] consent_required: When `true`, users have to consent to client access. Defaults to `false`. + :param pulumi.Input[str] consent_screen_text: The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + :param pulumi.Input[str] description: The description of this client in the GUI. + :param pulumi.Input[bool] direct_access_grants_enabled: When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] display_on_consent_screen: When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + :param pulumi.Input[bool] enabled: When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + :param pulumi.Input[bool] exclude_session_state_from_auth_response: When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + :param pulumi.Input[bool] frontchannel_logout_enabled: When `true`, frontchannel logout will be enabled for this client. 
Specify the url with `frontchannel_logout_url`. Defaults to `false`. + :param pulumi.Input[str] frontchannel_logout_url: The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + :param pulumi.Input[bool] full_scope_allowed: Allow to include all roles mappings in the access token. + :param pulumi.Input[bool] implicit_flow_enabled: When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] import_: When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + :param pulumi.Input[str] login_theme: The client login theme. This will override the default theme for the realm. + :param pulumi.Input[str] name: The display name of this client in the GUI. + :param pulumi.Input[bool] oauth2_device_authorization_grant_enabled: Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + :param pulumi.Input[str] oauth2_device_code_lifespan: The maximum amount of time a client has to finish the device code flow before it expires. + :param pulumi.Input[str] oauth2_device_polling_interval: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + :param pulumi.Input[str] pkce_code_challenge_method: The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + :param pulumi.Input[str] root_url: When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. 
NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + :param pulumi.Input[bool] service_accounts_enabled: When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] standard_flow_enabled: When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] use_refresh_tokens: If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + :param pulumi.Input[bool] use_refresh_tokens_client_credentials: If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_post_logout_redirect_uris: A list of valid URIs a browser is permitted to redirect to after a successful logout. + :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_redirect_uris: A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + is set to `true`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] web_origins: A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." """ pulumi.set(__self__, "access_type", access_type) pulumi.set(__self__, "client_id", client_id) 
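Review bot: In the `@@ -67,6 +67,60 @@` hunk the new `:param` text for `client_offline_session_idle_timeout` describes the regular client session idle time (falling back to the SSO Session Idle value), while `client_session_idle_timeout` describes the offline session idle time (falling back to Offline Session Idle); the same mismatch holds for `client_offline_session_max_lifespan` and `client_session_max_lifespan`. Unless the upstream provider really maps them that way, the two pairs of descriptions look swapped and should be exchanged so each name matches its fallback. Smaller issues in the same hunk: the `authorization` entry ends with `This block has the following arguments:` and then lists nothing, `backchannel_logout_url` reads `to the client is this case` where `in this case` is meant, and the `web_origins` line ends with a stray `"`. The `authorization` and `backchannel_logout_url` texts recur in the property hunks at `@@ -211,6 +288,9 @@` and `@@ -238,6 +324,9 @@`. Since this file is generated from the provider schema, the fixes belong upstream rather than in this SDK diff.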
@@ -157,6 +211,14 @@ def __init__(__self__, *, @property @pulumi.getter(name="accessType") def access_type(self) -> pulumi.Input[str]: + """ + Specifies the type of client, which can be one of the following: + - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + This client should be used for applications using the Authorization Code or Client Credentials grant flows. + - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + URIs for security. This client should be used for applications using the Implicit grant flow. + - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + """ return pulumi.get(self, "access_type") @access_type.setter @@ -166,6 +228,9 @@ def access_type(self, value: pulumi.Input[str]): @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Input[str]: + """ + The Client ID for this client, referenced in the URI during authentication and in issued tokens. + """ return pulumi.get(self, "client_id") @client_id.setter @@ -175,6 +240,9 @@ def client_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: + """ + The realm this client is attached to. + """ return pulumi.get(self, "realm_id") @realm_id.setter @@ -184,6 +252,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="accessTokenLifespan") def access_token_lifespan(self) -> Optional[pulumi.Input[str]]: + """ + The amount of time in seconds before an access token expires. This will override the default for the realm. + """ return pulumi.get(self, "access_token_lifespan") @access_token_lifespan.setter 
@@ -193,6 +264,9 @@ def access_token_lifespan(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="adminUrl") def admin_url(self) -> Optional[pulumi.Input[str]]: + """ + URL to the admin interface of the client. + """ return pulumi.get(self, "admin_url") @admin_url.setter @@ -202,6 +276,9 @@ def admin_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="authenticationFlowBindingOverrides") def authentication_flow_binding_overrides(self) -> Optional[pulumi.Input['ClientAuthenticationFlowBindingOverridesArgs']]: + """ + Override realm authentication flow bindings + """ return pulumi.get(self, "authentication_flow_binding_overrides") @authentication_flow_binding_overrides.setter @@ -211,6 +288,9 @@ def authentication_flow_binding_overrides(self, value: Optional[pulumi.Input['Cl @property @pulumi.getter def authorization(self) -> Optional[pulumi.Input['ClientAuthorizationArgs']]: + """ + When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + """ return pulumi.get(self, "authorization") @authorization.setter @@ -220,6 +300,9 @@ def authorization(self, value: Optional[pulumi.Input['ClientAuthorizationArgs']] @property @pulumi.getter(name="backchannelLogoutRevokeOfflineSessions") def backchannel_logout_revoke_offline_sessions(self) -> Optional[pulumi.Input[bool]]: + """ + Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + """ return pulumi.get(self, "backchannel_logout_revoke_offline_sessions") @backchannel_logout_revoke_offline_sessions.setter 
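Review bot: The new `authorization` docstring ends with `This block has the following arguments:` and nothing follows, so the sentence dangles; the argument list was evidently dropped when the text was extracted. Either end the docstring at `... and `service_accounts_enabled` must be `true`.` or replace the trailing fragment with `See `ClientAuthorizationArgs` for the available arguments.` The same fragment appears in the `:param authorization` line of the `__init__` hunk on L3964 and in the state-class property hunk on L3970.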
@@ -229,6 +312,9 @@ def backchannel_logout_revoke_offline_sessions(self, value: Optional[pulumi.Inpu @property @pulumi.getter(name="backchannelLogoutSessionRequired") def backchannel_logout_session_required(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + """ return pulumi.get(self, "backchannel_logout_session_required") @backchannel_logout_session_required.setter @@ -238,6 +324,9 @@ def backchannel_logout_session_required(self, value: Optional[pulumi.Input[bool] @property @pulumi.getter(name="backchannelLogoutUrl") def backchannel_logout_url(self) -> Optional[pulumi.Input[str]]: + """ + The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + """ return pulumi.get(self, "backchannel_logout_url") @backchannel_logout_url.setter @@ -247,6 +336,9 @@ def backchannel_logout_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="baseUrl") def base_url(self) -> Optional[pulumi.Input[str]]: + """ + Default URL to use when the auth server needs to redirect or link back to the client. + """ return pulumi.get(self, "base_url") @base_url.setter 
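Review bot: The `backchannel_logout_url` docstring reads `no logout request will be sent to the client is this case`; "is" should be "in", i.e. `If omitted, no logout request will be sent to the client in this case.` The same typo is carried into the `:param backchannel_logout_url` line of the `__init__` hunk on L3965 and the state-class property on L3971.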
@@ -256,6 +348,13 @@ def base_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientAuthenticatorType") def client_authenticator_type(self) -> Optional[pulumi.Input[str]]: + """ + Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + - `client-secret` (Default) Use client id and client secret to authenticate client. + - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = ` + - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + """ return pulumi.get(self, "client_authenticator_type") @client_authenticator_type.setter @@ -265,6 +364,9 @@ def client_authenticator_type(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientOfflineSessionIdleTimeout") def client_offline_session_idle_timeout(self) -> Optional[pulumi.Input[str]]: + """ + Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + """ return pulumi.get(self, "client_offline_session_idle_timeout") @client_offline_session_idle_timeout.setter 
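Review bot: The `extra_config` examples in the `client_authenticator_type` docstring end in `attributes.token.endpoint.auth.signing.alg = ` and `attributes.x509.subjectdn = ` with no value after the `=`, so the reader cannot tell what to supply; an angle-bracket placeholder was presumably stripped as markup when the docs were rendered. Suggest restoring an explicit placeholder, e.g. `attributes.token.endpoint.auth.signing.alg = <ALG>` and `attributes.x509.subjectdn = <SUBJECT_DN>` (constructed placeholders), here and in the `:param client_authenticator_type` lines of the `__init__` hunk on L3965 and the property hunk on L3972. The file looks generated, so the fix likely belongs in the upstream schema docs.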
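Review bot: The `client_offline_session_idle_timeout` docstring describes the online client session (`Time a client session is allowed to be idle ... If not set it uses the standard SSO Session Idle value`), while `client_session_idle_timeout` on L3956 receives the offline wording (`Time a client offline session ... uses the Offline Session Idle value`); the two texts appear swapped, and the same swap affects `client_offline_session_max_lifespan`/`client_session_max_lifespan` (L3956–L3957), the `:param` lines of the `__init__` hunk (L3965–L3966) and the state-class properties (L3972–L3973). For the offline attribute the text should read `Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.` and the online attribute should take the wording currently attached to the offline one. These lifespans bound how long an issued token stays usable, so a mis-labelled default can lead an operator to tune the wrong setting; the correction probably belongs in the upstream schema given this file looks generated.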
@@ -274,6 +376,9 @@ def client_offline_session_idle_timeout(self, value: Optional[pulumi.Input[str]] @property @pulumi.getter(name="clientOfflineSessionMaxLifespan") def client_offline_session_max_lifespan(self) -> Optional[pulumi.Input[str]]: + """ + Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + """ return pulumi.get(self, "client_offline_session_max_lifespan") @client_offline_session_max_lifespan.setter @@ -283,6 +388,9 @@ def client_offline_session_max_lifespan(self, value: Optional[pulumi.Input[str]] @property @pulumi.getter(name="clientSecret") def client_secret(self) -> Optional[pulumi.Input[str]]: + """ + The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + """ return pulumi.get(self, "client_secret") @client_secret.setter @@ -292,6 +400,9 @@ def client_secret(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientSessionIdleTimeout") def client_session_idle_timeout(self) -> Optional[pulumi.Input[str]]: + """ + Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + """ return pulumi.get(self, "client_session_idle_timeout") @client_session_idle_timeout.setter 
@@ -301,6 +412,9 @@ def client_session_idle_timeout(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientSessionMaxLifespan") def client_session_max_lifespan(self) -> Optional[pulumi.Input[str]]: + """ + Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + """ return pulumi.get(self, "client_session_max_lifespan") @client_session_max_lifespan.setter @@ -310,6 +424,9 @@ def client_session_max_lifespan(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="consentRequired") def consent_required(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, users have to consent to client access. Defaults to `false`. + """ return pulumi.get(self, "consent_required") @consent_required.setter @@ -319,6 +436,9 @@ def consent_required(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="consentScreenText") def consent_screen_text(self) -> Optional[pulumi.Input[str]]: + """ + The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + """ return pulumi.get(self, "consent_screen_text") @consent_screen_text.setter @@ -328,6 +448,9 @@ def consent_screen_text(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def description(self) -> Optional[pulumi.Input[str]]: + """ + The description of this client in the GUI. + """ return pulumi.get(self, "description") @description.setter 
@@ -337,6 +460,9 @@ def description(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="directAccessGrantsEnabled") def direct_access_grants_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "direct_access_grants_enabled") @direct_access_grants_enabled.setter @@ -346,6 +472,9 @@ def direct_access_grants_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="displayOnConsentScreen") def display_on_consent_screen(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + """ return pulumi.get(self, "display_on_consent_screen") @display_on_consent_screen.setter @@ -355,6 +484,9 @@ def display_on_consent_screen(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + """ return pulumi.get(self, "enabled") @enabled.setter @@ -364,6 +496,9 @@ def enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="excludeSessionStateFromAuthResponse") def exclude_session_state_from_auth_response(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + """ return pulumi.get(self, "exclude_session_state_from_auth_response") @exclude_session_state_from_auth_response.setter 
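Review bot: The `direct_access_grants_enabled` docstring names the Resource Owner Password Grant but gives no hint that it is the grant RFC 6749 Section 10.7 singles out as higher risk, since the end user's password passes through the client. Suggest appending `This grant exposes the user's password to the client; RFC 6749 Section 10.7 advises using it only where no other grant type is viable.` The same text is repeated in the `:param direct_access_grants_enabled` line of the `__init__` hunk on L3966.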
@@ -382,6 +517,9 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[st @property @pulumi.getter(name="frontchannelLogoutEnabled") def frontchannel_logout_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + """ return pulumi.get(self, "frontchannel_logout_enabled") @frontchannel_logout_enabled.setter @@ -391,6 +529,9 @@ def frontchannel_logout_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="frontchannelLogoutUrl") def frontchannel_logout_url(self) -> Optional[pulumi.Input[str]]: + """ + The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + """ return pulumi.get(self, "frontchannel_logout_url") @frontchannel_logout_url.setter @@ -400,6 +541,9 @@ def frontchannel_logout_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="fullScopeAllowed") def full_scope_allowed(self) -> Optional[pulumi.Input[bool]]: + """ + Allow to include all roles mappings in the access token. + """ return pulumi.get(self, "full_scope_allowed") @full_scope_allowed.setter @@ -409,6 +553,9 @@ def full_scope_allowed(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="implicitFlowEnabled") def implicit_flow_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "implicit_flow_enabled") @implicit_flow_enabled.setter 
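Review bot: The `full_scope_allowed` docstring, `Allow to include all roles mappings in the access token.`, is ungrammatical and omits the practical consequence that every role mapping of the user ends up in tokens issued to this client. Suggest `When `true`, all of the user's role mappings are included in the access token; set to `false` and assign the needed roles via scopes to keep tokens to what this client requires.` (the scope-based narrowing is my reading of Keycloak's full-scope setting and should be confirmed against the provider docs). The same sentence recurs in the `:param full_scope_allowed` line of the `__init__` hunk on L3967.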
@@ -418,6 +565,9 @@ def implicit_flow_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="import") def import_(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + """ return pulumi.get(self, "import_") @import_.setter @@ -427,6 +577,9 @@ def import_(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="loginTheme") def login_theme(self) -> Optional[pulumi.Input[str]]: + """ + The client login theme. This will override the default theme for the realm. + """ return pulumi.get(self, "login_theme") @login_theme.setter @@ -436,6 +589,9 @@ def login_theme(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of this client in the GUI. + """ return pulumi.get(self, "name") @name.setter @@ -445,6 +601,9 @@ def name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="oauth2DeviceAuthorizationGrantEnabled") def oauth2_device_authorization_grant_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + """ return pulumi.get(self, "oauth2_device_authorization_grant_enabled") @oauth2_device_authorization_grant_enabled.setter 
@@ -454,6 +613,9 @@ def oauth2_device_authorization_grant_enabled(self, value: Optional[pulumi.Input @property @pulumi.getter(name="oauth2DeviceCodeLifespan") def oauth2_device_code_lifespan(self) -> Optional[pulumi.Input[str]]: + """ + The maximum amount of time a client has to finish the device code flow before it expires. + """ return pulumi.get(self, "oauth2_device_code_lifespan") @oauth2_device_code_lifespan.setter @@ -463,6 +625,9 @@ def oauth2_device_code_lifespan(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="oauth2DevicePollingInterval") def oauth2_device_polling_interval(self) -> Optional[pulumi.Input[str]]: + """ + The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + """ return pulumi.get(self, "oauth2_device_polling_interval") @oauth2_device_polling_interval.setter @@ -472,6 +637,9 @@ def oauth2_device_polling_interval(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="pkceCodeChallengeMethod") def pkce_code_challenge_method(self) -> Optional[pulumi.Input[str]]: + """ + The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + """ return pulumi.get(self, "pkce_code_challenge_method") @pkce_code_challenge_method.setter @@ -481,6 +649,9 @@ def pkce_code_challenge_method(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="rootUrl") def root_url(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + """ return pulumi.get(self, "root_url") @root_url.setter 
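Review bot: The `pkce_code_challenge_method` docstring lists `plain`, `S256` and the empty value as equal options without saying which to use or what the empty value means. RFC 7636 Section 4.2 permits `plain` only when the client cannot support `S256`, so suggest `Can be `plain` or `S256`, or the empty string `` to not require PKCE; `S256` is recommended, and `plain` should only be used by clients that cannot compute `S256`.` — the meaning of the empty value is my inference and should be confirmed against the provider. The same text appears in the `:param pkce_code_challenge_method` line of the `__init__` hunk on L3967.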
@@ -490,6 +661,9 @@ def root_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="serviceAccountsEnabled") def service_accounts_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "service_accounts_enabled") @service_accounts_enabled.setter @@ -499,6 +673,9 @@ def service_accounts_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="standardFlowEnabled") def standard_flow_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "standard_flow_enabled") @standard_flow_enabled.setter @@ -508,6 +685,9 @@ def standard_flow_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="useRefreshTokens") def use_refresh_tokens(self) -> Optional[pulumi.Input[bool]]: + """ + If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + """ return pulumi.get(self, "use_refresh_tokens") @use_refresh_tokens.setter @@ -517,6 +697,9 @@ def use_refresh_tokens(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="useRefreshTokensClientCredentials") def use_refresh_tokens_client_credentials(self) -> Optional[pulumi.Input[bool]]: + """ + If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + """ return pulumi.get(self, "use_refresh_tokens_client_credentials") @use_refresh_tokens_client_credentials.setter 
@@ -526,6 +709,9 @@ def use_refresh_tokens_client_credentials(self, value: Optional[pulumi.Input[boo @property @pulumi.getter(name="validPostLogoutRedirectUris") def valid_post_logout_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of valid URIs a browser is permitted to redirect to after a successful logout. + """ return pulumi.get(self, "valid_post_logout_redirect_uris") @valid_post_logout_redirect_uris.setter @@ -535,6 +721,11 @@ def valid_post_logout_redirect_uris(self, value: Optional[pulumi.Input[Sequence[ @property @pulumi.getter(name="validRedirectUris") def valid_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + is set to `true`. + """ return pulumi.get(self, "valid_redirect_uris") @valid_redirect_uris.setter @@ -544,6 +735,9 @@ def valid_redirect_uris(self, value: Optional[pulumi.Input[Sequence[pulumi.Input @property @pulumi.getter(name="webOrigins") def web_origins(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + """ return pulumi.get(self, "web_origins") @web_origins.setter 
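Review bot: The `valid_redirect_uris` docstring advertises asterisk wildcards without noting that they widen redirect-URI matching, which is the check that keeps authorization codes and tokens from being delivered to an attacker-controlled location. Suggest adding `Prefer exact URIs; a wildcard such as `https://app.example.com/*` (constructed example) lets any path on that host receive the redirect, and a bare `*` disables the check entirely.` The same text is repeated in the `:param valid_redirect_uris` lines of the `__init__` hunk on L3969.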
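Review bot: The `web_origins` docstring ends with a stray double quote, `explicitly add `*`."`, which reads as an extraction artifact and should be dropped so the sentence ends at `explicitly add `*`.` The same stray quote closes the `:param web_origins` text of the `__init__` hunk on L3969 (and the corresponding `__init__` text on L3951, whose hunk starts outside this view). The file looks generated, so the fix likely belongs in the upstream schema description.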
@@ -602,6 +796,62 @@ def __init__(__self__, *, web_origins: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None): """ Input properties used for looking up and filtering Client resources. + :param pulumi.Input[str] access_token_lifespan: The amount of time in seconds before an access token expires. This will override the default for the realm. + :param pulumi.Input[str] access_type: Specifies the type of client, which can be one of the following: + - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + This client should be used for applications using the Authorization Code or Client Credentials grant flows. + - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + URIs for security. This client should be used for applications using the Implicit grant flow. + - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + :param pulumi.Input[str] admin_url: URL to the admin interface of the client. + :param pulumi.Input['ClientAuthenticationFlowBindingOverridesArgs'] authentication_flow_binding_overrides: Override realm authentication flow bindings + :param pulumi.Input['ClientAuthorizationArgs'] authorization: When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + :param pulumi.Input[bool] backchannel_logout_revoke_offline_sessions: Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. 
+ :param pulumi.Input[bool] backchannel_logout_session_required: When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + :param pulumi.Input[str] backchannel_logout_url: The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + :param pulumi.Input[str] base_url: Default URL to use when the auth server needs to redirect or link back to the client. + :param pulumi.Input[str] client_authenticator_type: Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + - `client-secret` (Default) Use client id and client secret to authenticate client. + - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = ` + - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + :param pulumi.Input[str] client_id: The Client ID for this client, referenced in the URI during authentication and in issued tokens. + :param pulumi.Input[str] client_offline_session_idle_timeout: Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + :param pulumi.Input[str] client_offline_session_max_lifespan: Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. 
+ :param pulumi.Input[str] client_secret: The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + :param pulumi.Input[str] client_session_idle_timeout: Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + :param pulumi.Input[str] client_session_max_lifespan: Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + :param pulumi.Input[bool] consent_required: When `true`, users have to consent to client access. Defaults to `false`. + :param pulumi.Input[str] consent_screen_text: The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + :param pulumi.Input[str] description: The description of this client in the GUI. + :param pulumi.Input[bool] direct_access_grants_enabled: When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] display_on_consent_screen: When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + :param pulumi.Input[bool] enabled: When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + :param pulumi.Input[bool] exclude_session_state_from_auth_response: When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + :param pulumi.Input[bool] frontchannel_logout_enabled: When `true`, frontchannel logout will be enabled for this client. 
Specify the url with `frontchannel_logout_url`. Defaults to `false`. + :param pulumi.Input[str] frontchannel_logout_url: The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + :param pulumi.Input[bool] full_scope_allowed: Allow to include all roles mappings in the access token. + :param pulumi.Input[bool] implicit_flow_enabled: When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] import_: When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + :param pulumi.Input[str] login_theme: The client login theme. This will override the default theme for the realm. + :param pulumi.Input[str] name: The display name of this client in the GUI. + :param pulumi.Input[bool] oauth2_device_authorization_grant_enabled: Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + :param pulumi.Input[str] oauth2_device_code_lifespan: The maximum amount of time a client has to finish the device code flow before it expires. + :param pulumi.Input[str] oauth2_device_polling_interval: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + :param pulumi.Input[str] pkce_code_challenge_method: The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + :param pulumi.Input[str] realm_id: The realm this client is attached to. 
+ :param pulumi.Input[str] resource_server_id: (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + :param pulumi.Input[str] root_url: When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + :param pulumi.Input[str] service_account_user_id: (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + :param pulumi.Input[bool] service_accounts_enabled: When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] standard_flow_enabled: When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] use_refresh_tokens: If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + :param pulumi.Input[bool] use_refresh_tokens_client_credentials: If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_post_logout_redirect_uris: A list of valid URIs a browser is permitted to redirect to after a successful logout. 
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_redirect_uris: A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + is set to `true`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] web_origins: A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." """ if access_token_lifespan is not None: pulumi.set(__self__, "access_token_lifespan", access_token_lifespan) @@ -699,6 +949,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="accessTokenLifespan") def access_token_lifespan(self) -> Optional[pulumi.Input[str]]: + """ + The amount of time in seconds before an access token expires. This will override the default for the realm. + """ return pulumi.get(self, "access_token_lifespan") @access_token_lifespan.setter @@ -708,6 +961,14 @@ def access_token_lifespan(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="accessType") def access_type(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the type of client, which can be one of the following: + - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + This client should be used for applications using the Authorization Code or Client Credentials grant flows. + - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + URIs for security. This client should be used for applications using the Implicit grant flow. + - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + """ return pulumi.get(self, "access_type") @access_type.setter 
@@ -717,6 +978,9 @@ def access_type(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="adminUrl") def admin_url(self) -> Optional[pulumi.Input[str]]: + """ + URL to the admin interface of the client. + """ return pulumi.get(self, "admin_url") @admin_url.setter @@ -726,6 +990,9 @@ def admin_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="authenticationFlowBindingOverrides") def authentication_flow_binding_overrides(self) -> Optional[pulumi.Input['ClientAuthenticationFlowBindingOverridesArgs']]: + """ + Override realm authentication flow bindings + """ return pulumi.get(self, "authentication_flow_binding_overrides") @authentication_flow_binding_overrides.setter @@ -735,6 +1002,9 @@ def authentication_flow_binding_overrides(self, value: Optional[pulumi.Input['Cl @property @pulumi.getter def authorization(self) -> Optional[pulumi.Input['ClientAuthorizationArgs']]: + """ + When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + """ return pulumi.get(self, "authorization") @authorization.setter @@ -744,6 +1014,9 @@ def authorization(self, value: Optional[pulumi.Input['ClientAuthorizationArgs']] @property @pulumi.getter(name="backchannelLogoutRevokeOfflineSessions") def backchannel_logout_revoke_offline_sessions(self) -> Optional[pulumi.Input[bool]]: + """ + Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + """ return pulumi.get(self, "backchannel_logout_revoke_offline_sessions") @backchannel_logout_revoke_offline_sessions.setter 
@@ -753,6 +1026,9 @@ def backchannel_logout_revoke_offline_sessions(self, value: Optional[pulumi.Inpu @property @pulumi.getter(name="backchannelLogoutSessionRequired") def backchannel_logout_session_required(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + """ return pulumi.get(self, "backchannel_logout_session_required") @backchannel_logout_session_required.setter @@ -762,6 +1038,9 @@ def backchannel_logout_session_required(self, value: Optional[pulumi.Input[bool] @property @pulumi.getter(name="backchannelLogoutUrl") def backchannel_logout_url(self) -> Optional[pulumi.Input[str]]: + """ + The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + """ return pulumi.get(self, "backchannel_logout_url") @backchannel_logout_url.setter @@ -771,6 +1050,9 @@ def backchannel_logout_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="baseUrl") def base_url(self) -> Optional[pulumi.Input[str]]: + """ + Default URL to use when the auth server needs to redirect or link back to the client. + """ return pulumi.get(self, "base_url") @base_url.setter 
@@ -780,6 +1062,13 @@ def base_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientAuthenticatorType") def client_authenticator_type(self) -> Optional[pulumi.Input[str]]: + """ + Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + - `client-secret` (Default) Use client id and client secret to authenticate client. + - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = ` + - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + """ return pulumi.get(self, "client_authenticator_type") @client_authenticator_type.setter @@ -789,6 +1078,9 @@ def client_authenticator_type(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: + """ + The Client ID for this client, referenced in the URI during authentication and in issued tokens. + """ return pulumi.get(self, "client_id") @client_id.setter @@ -798,6 +1090,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientOfflineSessionIdleTimeout") def client_offline_session_idle_timeout(self) -> Optional[pulumi.Input[str]]: + """ + Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + """ return pulumi.get(self, "client_offline_session_idle_timeout") @client_offline_session_idle_timeout.setter 
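Review bot: The docstring added for `client_offline_session_idle_timeout` in this hunk describes the regular client session ("Time a client session is allowed to be idle … uses the standard SSO Session Idle value"), while the `client_session_idle_timeout` docstring in the `@@ -825` hunk describes the offline session; the same swap holds between `client_offline_session_max_lifespan` (`@@ -807`) and `client_session_max_lifespan` (`@@ -834`), and is repeated in the `:param` list of the `__init__` docstring. These four values bound how long issued tokens stay valid, so a reader trusting the docstrings could tune the wrong attribute when trying to limit offline-token lifetime. For this property the text should read `Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.`, with the four descriptions swapped pairwise. This SDK file looks generated from the provider schema, so the correction presumably belongs in the upstream description source rather than in this file.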
@@ -807,6 +1102,9 @@ def client_offline_session_idle_timeout(self, value: Optional[pulumi.Input[str]] @property @pulumi.getter(name="clientOfflineSessionMaxLifespan") def client_offline_session_max_lifespan(self) -> Optional[pulumi.Input[str]]: + """ + Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + """ return pulumi.get(self, "client_offline_session_max_lifespan") @client_offline_session_max_lifespan.setter @@ -816,6 +1114,9 @@ def client_offline_session_max_lifespan(self, value: Optional[pulumi.Input[str]] @property @pulumi.getter(name="clientSecret") def client_secret(self) -> Optional[pulumi.Input[str]]: + """ + The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + """ return pulumi.get(self, "client_secret") @client_secret.setter @@ -825,6 +1126,9 @@ def client_secret(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientSessionIdleTimeout") def client_session_idle_timeout(self) -> Optional[pulumi.Input[str]]: + """ + Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + """ return pulumi.get(self, "client_session_idle_timeout") @client_session_idle_timeout.setter 
@@ -834,6 +1138,9 @@ def client_session_idle_timeout(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientSessionMaxLifespan") def client_session_max_lifespan(self) -> Optional[pulumi.Input[str]]: + """ + Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + """ return pulumi.get(self, "client_session_max_lifespan") @client_session_max_lifespan.setter @@ -843,6 +1150,9 @@ def client_session_max_lifespan(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="consentRequired") def consent_required(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, users have to consent to client access. Defaults to `false`. + """ return pulumi.get(self, "consent_required") @consent_required.setter @@ -852,6 +1162,9 @@ def consent_required(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="consentScreenText") def consent_screen_text(self) -> Optional[pulumi.Input[str]]: + """ + The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + """ return pulumi.get(self, "consent_screen_text") @consent_screen_text.setter @@ -861,6 +1174,9 @@ def consent_screen_text(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def description(self) -> Optional[pulumi.Input[str]]: + """ + The description of this client in the GUI. + """ return pulumi.get(self, "description") @description.setter 
@@ -870,6 +1186,9 @@ def description(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="directAccessGrantsEnabled") def direct_access_grants_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "direct_access_grants_enabled") @direct_access_grants_enabled.setter @@ -879,6 +1198,9 @@ def direct_access_grants_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="displayOnConsentScreen") def display_on_consent_screen(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + """ return pulumi.get(self, "display_on_consent_screen") @display_on_consent_screen.setter @@ -888,6 +1210,9 @@ def display_on_consent_screen(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + """ return pulumi.get(self, "enabled") @enabled.setter @@ -897,6 +1222,9 @@ def enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="excludeSessionStateFromAuthResponse") def exclude_session_state_from_auth_response(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + """ return pulumi.get(self, "exclude_session_state_from_auth_response") @exclude_session_state_from_auth_response.setter 
@@ -915,6 +1243,9 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[st @property @pulumi.getter(name="frontchannelLogoutEnabled") def frontchannel_logout_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + """ return pulumi.get(self, "frontchannel_logout_enabled") @frontchannel_logout_enabled.setter @@ -924,6 +1255,9 @@ def frontchannel_logout_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="frontchannelLogoutUrl") def frontchannel_logout_url(self) -> Optional[pulumi.Input[str]]: + """ + The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + """ return pulumi.get(self, "frontchannel_logout_url") @frontchannel_logout_url.setter @@ -933,6 +1267,9 @@ def frontchannel_logout_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="fullScopeAllowed") def full_scope_allowed(self) -> Optional[pulumi.Input[bool]]: + """ + Allow to include all roles mappings in the access token. + """ return pulumi.get(self, "full_scope_allowed") @full_scope_allowed.setter @@ -942,6 +1279,9 @@ def full_scope_allowed(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="implicitFlowEnabled") def implicit_flow_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "implicit_flow_enabled") @implicit_flow_enabled.setter 
@@ -951,6 +1291,9 @@ def implicit_flow_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="import") def import_(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + """ return pulumi.get(self, "import_") @import_.setter @@ -960,6 +1303,9 @@ def import_(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="loginTheme") def login_theme(self) -> Optional[pulumi.Input[str]]: + """ + The client login theme. This will override the default theme for the realm. + """ return pulumi.get(self, "login_theme") @login_theme.setter @@ -969,6 +1315,9 @@ def login_theme(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of this client in the GUI. + """ return pulumi.get(self, "name") @name.setter @@ -978,6 +1327,9 @@ def name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="oauth2DeviceAuthorizationGrantEnabled") def oauth2_device_authorization_grant_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + """ return pulumi.get(self, "oauth2_device_authorization_grant_enabled") @oauth2_device_authorization_grant_enabled.setter 
@@ -987,6 +1339,9 @@ def oauth2_device_authorization_grant_enabled(self, value: Optional[pulumi.Input @property @pulumi.getter(name="oauth2DeviceCodeLifespan") def oauth2_device_code_lifespan(self) -> Optional[pulumi.Input[str]]: + """ + The maximum amount of time a client has to finish the device code flow before it expires. + """ return pulumi.get(self, "oauth2_device_code_lifespan") @oauth2_device_code_lifespan.setter @@ -996,6 +1351,9 @@ def oauth2_device_code_lifespan(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="oauth2DevicePollingInterval") def oauth2_device_polling_interval(self) -> Optional[pulumi.Input[str]]: + """ + The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + """ return pulumi.get(self, "oauth2_device_polling_interval") @oauth2_device_polling_interval.setter @@ -1005,6 +1363,9 @@ def oauth2_device_polling_interval(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="pkceCodeChallengeMethod") def pkce_code_challenge_method(self) -> Optional[pulumi.Input[str]]: + """ + The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + """ return pulumi.get(self, "pkce_code_challenge_method") @pkce_code_challenge_method.setter @@ -1014,6 +1375,9 @@ def pkce_code_challenge_method(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: + """ + The realm this client is attached to. + """ return pulumi.get(self, "realm_id") @realm_id.setter 
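Review bot: The `pkce_code_challenge_method` docstring in the `@@ -1005` hunk lists `plain`, `S256` and the empty value as equal alternatives, without saying which to prefer or what the empty value means. Since this attribute is what binds an authorization code to the client that requested it, the docstring should steer readers toward the stronger method, e.g. `The challenge method to use for Proof Key for Code Exchange. Can be either `S256` (recommended; `plain` offers weaker protection and should only be used where SHA-256 is unavailable) or `plain`, or set to the empty value `` (presumably meaning PKCE is not enforced for this client — confirm against Keycloak's behaviour).` As the file appears generated, the wording would need to change in the upstream schema description.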
@@ -1023,6 +1387,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="resourceServerId") def resource_server_id(self) -> Optional[pulumi.Input[str]]: + """ + (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + """ return pulumi.get(self, "resource_server_id") @resource_server_id.setter @@ -1032,6 +1399,9 @@ def resource_server_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="rootUrl") def root_url(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + """ return pulumi.get(self, "root_url") @root_url.setter @@ -1041,6 +1411,9 @@ def root_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="serviceAccountUserId") def service_account_user_id(self) -> Optional[pulumi.Input[str]]: + """ + (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + """ return pulumi.get(self, "service_account_user_id") @service_account_user_id.setter @@ -1050,6 +1423,9 @@ def service_account_user_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="serviceAccountsEnabled") def service_accounts_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "service_accounts_enabled") @service_accounts_enabled.setter 
@@ -1059,6 +1435,9 @@ def service_accounts_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="standardFlowEnabled") def standard_flow_enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "standard_flow_enabled") @standard_flow_enabled.setter @@ -1068,6 +1447,9 @@ def standard_flow_enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="useRefreshTokens") def use_refresh_tokens(self) -> Optional[pulumi.Input[bool]]: + """ + If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + """ return pulumi.get(self, "use_refresh_tokens") @use_refresh_tokens.setter @@ -1077,6 +1459,9 @@ def use_refresh_tokens(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="useRefreshTokensClientCredentials") def use_refresh_tokens_client_credentials(self) -> Optional[pulumi.Input[bool]]: + """ + If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + """ return pulumi.get(self, "use_refresh_tokens_client_credentials") @use_refresh_tokens_client_credentials.setter 
@@ -1086,6 +1471,9 @@ def use_refresh_tokens_client_credentials(self, value: Optional[pulumi.Input[boo @property @pulumi.getter(name="validPostLogoutRedirectUris") def valid_post_logout_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of valid URIs a browser is permitted to redirect to after a successful logout. + """ return pulumi.get(self, "valid_post_logout_redirect_uris") @valid_post_logout_redirect_uris.setter @@ -1095,6 +1483,11 @@ def valid_post_logout_redirect_uris(self, value: Optional[pulumi.Input[Sequence[ @property @pulumi.getter(name="validRedirectUris") def valid_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + is set to `true`. + """ return pulumi.get(self, "valid_redirect_uris") @valid_redirect_uris.setter @@ -1104,6 +1497,9 @@ def valid_redirect_uris(self, value: Optional[pulumi.Input[Sequence[pulumi.Input @property @pulumi.getter(name="webOrigins") def web_origins(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + """ return pulumi.get(self, "web_origins") @web_origins.setter 
@@ -1162,15 +1558,13 @@ def __init__(__self__, web_origins: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, __props__=None): """ - ## # openid.Client - Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO. - ### Example Usage + ## Example Usage ```python import pulumi 
@@ -1185,54 +1579,84 @@ def __init__(__self__, name="test client", enabled=True, access_type="CONFIDENTIAL", - valid_redirect_uris=["http://localhost:8080/openid-callback"]) + valid_redirect_uris=["http://localhost:8080/openid-callback"], + login_theme="keycloak", + extra_config={ + "key1": "value1", + "key2": "value2", + }) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this client is attached to. - - `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. - - `name` - (Optional) The display name of this client in the GUI. - - `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. - - `description` - (Optional) The description of this client in the GUI. - - `access_type` - (Required) Specifies the type of client, which can be one of the following: - - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. - This client should be used for applications using the Authorization Code or Client Credentials grant flows. - - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect - URIs for security. This client should be used for applications using the Implicit grant flow. - - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. - - `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and - should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute. - - `standard_flow_enabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. 
- - `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. - - `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. - - `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. - - `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple - wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` - is set to `true`. - - `web_origins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins. - - `admin_url` - (Optional) URL to the admin interface of the client. - - `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client. - - `pkce_code_challenge_method` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. - - `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token. - - ### Attributes Reference - - In addition to the arguments listed above, the following computed attributes are exported: - - - `service_account_user_id` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. - - ### Import + ## Import Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak + assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. 
Example: + bash + + ```sh + $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] access_token_lifespan: The amount of time in seconds before an access token expires. This will override the default for the realm. + :param pulumi.Input[str] access_type: Specifies the type of client, which can be one of the following: + - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + This client should be used for applications using the Authorization Code or Client Credentials grant flows. + - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + URIs for security. This client should be used for applications using the Implicit grant flow. + - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + :param pulumi.Input[str] admin_url: URL to the admin interface of the client. + :param pulumi.Input[Union['ClientAuthenticationFlowBindingOverridesArgs', 'ClientAuthenticationFlowBindingOverridesArgsDict']] authentication_flow_binding_overrides: Override realm authentication flow bindings + :param pulumi.Input[Union['ClientAuthorizationArgs', 'ClientAuthorizationArgsDict']] authorization: When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + :param pulumi.Input[bool] backchannel_logout_revoke_offline_sessions: Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. 
+ :param pulumi.Input[bool] backchannel_logout_session_required: When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + :param pulumi.Input[str] backchannel_logout_url: The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + :param pulumi.Input[str] base_url: Default URL to use when the auth server needs to redirect or link back to the client. + :param pulumi.Input[str] client_authenticator_type: Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + - `client-secret` (Default) Use client id and client secret to authenticate client. + - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = ` + - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + :param pulumi.Input[str] client_id: The Client ID for this client, referenced in the URI during authentication and in issued tokens. + :param pulumi.Input[str] client_offline_session_idle_timeout: Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + :param pulumi.Input[str] client_offline_session_max_lifespan: Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. 
+ :param pulumi.Input[str] client_secret: The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + :param pulumi.Input[str] client_session_idle_timeout: Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + :param pulumi.Input[str] client_session_max_lifespan: Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + :param pulumi.Input[bool] consent_required: When `true`, users have to consent to client access. Defaults to `false`. + :param pulumi.Input[str] consent_screen_text: The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + :param pulumi.Input[str] description: The description of this client in the GUI. + :param pulumi.Input[bool] direct_access_grants_enabled: When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] display_on_consent_screen: When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + :param pulumi.Input[bool] enabled: When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + :param pulumi.Input[bool] exclude_session_state_from_auth_response: When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + :param pulumi.Input[bool] frontchannel_logout_enabled: When `true`, frontchannel logout will be enabled for this client. 
Specify the url with `frontchannel_logout_url`. Defaults to `false`. + :param pulumi.Input[str] frontchannel_logout_url: The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + :param pulumi.Input[bool] full_scope_allowed: Allow to include all roles mappings in the access token. + :param pulumi.Input[bool] implicit_flow_enabled: When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] import_: When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + :param pulumi.Input[str] login_theme: The client login theme. This will override the default theme for the realm. + :param pulumi.Input[str] name: The display name of this client in the GUI. + :param pulumi.Input[bool] oauth2_device_authorization_grant_enabled: Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + :param pulumi.Input[str] oauth2_device_code_lifespan: The maximum amount of time a client has to finish the device code flow before it expires. + :param pulumi.Input[str] oauth2_device_polling_interval: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + :param pulumi.Input[str] pkce_code_challenge_method: The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + :param pulumi.Input[str] realm_id: The realm this client is attached to. 
+ :param pulumi.Input[str] root_url: When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + :param pulumi.Input[bool] service_accounts_enabled: When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] standard_flow_enabled: When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] use_refresh_tokens: If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + :param pulumi.Input[bool] use_refresh_tokens_client_credentials: If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_post_logout_redirect_uris: A list of valid URIs a browser is permitted to redirect to after a successful logout. + :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_redirect_uris: A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + is set to `true`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] web_origins: A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. 
To permit all origins, explicitly add `*`." """ ... @overload @@ -1241,15 +1665,13 @@ def __init__(__self__, args: ClientArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.Client - Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO. - ### Example Usage + ## Example Usage ```python import pulumi 
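Review bot: The `Import` section of the new `__init__` docstring has a stray `bash` line between `Example:` and the ```sh fence, and the `web_origins` `:param` text ends with an unbalanced `"` after `*`; the same trailing quote appears in the `web_origins` property docstring (`@@ -1104` hunk). The `authorization` `:param` text also ends with `This block has the following arguments:` followed by nothing, as it does in the `@@ -735` property hunk, so the sentence should either list the arguments or drop that clause. These look like generation artifacts and will render oddly in the API reference; removing the `bash` line and the trailing `"` is the whole fix, applied in the upstream description source if this file is indeed generated.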
@@ -1264,52 +1686,28 @@ def __init__(__self__, name="test client", enabled=True, access_type="CONFIDENTIAL", - valid_redirect_uris=["http://localhost:8080/openid-callback"]) + valid_redirect_uris=["http://localhost:8080/openid-callback"], + login_theme="keycloak", + extra_config={ + "key1": "value1", + "key2": "value2", + }) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this client is attached to. - - `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. - - `name` - (Optional) The display name of this client in the GUI. - - `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. - - `description` - (Optional) The description of this client in the GUI. - - `access_type` - (Required) Specifies the type of client, which can be one of the following: - - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. - This client should be used for applications using the Authorization Code or Client Credentials grant flows. - - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect - URIs for security. This client should be used for applications using the Implicit grant flow. - - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. - - `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and - should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute. - - `standard_flow_enabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. 
- - `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. - - `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. - - `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. - - `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple - wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` - is set to `true`. - - `web_origins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins. - - `admin_url` - (Optional) URL to the admin interface of the client. - - `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client. - - `pkce_code_challenge_method` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. - - `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token. - - ### Attributes Reference - - In addition to the arguments listed above, the following computed attributes are exported: - - - `service_account_user_id` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. - - ### Import + ## Import Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak + assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. 
Example: + bash + + ```sh + $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 + ``` + :param str resource_name: The name of the resource. :param ClientArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -1495,6 +1893,62 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] access_token_lifespan: The amount of time in seconds before an access token expires. This will override the default for the realm. + :param pulumi.Input[str] access_type: Specifies the type of client, which can be one of the following: + - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + This client should be used for applications using the Authorization Code or Client Credentials grant flows. + - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + URIs for security. This client should be used for applications using the Implicit grant flow. + - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + :param pulumi.Input[str] admin_url: URL to the admin interface of the client. + :param pulumi.Input[Union['ClientAuthenticationFlowBindingOverridesArgs', 'ClientAuthenticationFlowBindingOverridesArgsDict']] authentication_flow_binding_overrides: Override realm authentication flow bindings + :param pulumi.Input[Union['ClientAuthorizationArgs', 'ClientAuthorizationArgsDict']] authorization: When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: + :param pulumi.Input[bool] backchannel_logout_revoke_offline_sessions: Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. 
+ :param pulumi.Input[bool] backchannel_logout_session_required: When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + :param pulumi.Input[str] backchannel_logout_url: The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + :param pulumi.Input[str] base_url: Default URL to use when the auth server needs to redirect or link back to the client. + :param pulumi.Input[str] client_authenticator_type: Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + - `client-secret` (Default) Use client id and client secret to authenticate client. + - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = ` + - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + :param pulumi.Input[str] client_id: The Client ID for this client, referenced in the URI during authentication and in issued tokens. + :param pulumi.Input[str] client_offline_session_idle_timeout: Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + :param pulumi.Input[str] client_offline_session_max_lifespan: Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. 
+ :param pulumi.Input[str] client_secret: The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. + :param pulumi.Input[str] client_session_idle_timeout: Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + :param pulumi.Input[str] client_session_max_lifespan: Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + :param pulumi.Input[bool] consent_required: When `true`, users have to consent to client access. Defaults to `false`. + :param pulumi.Input[str] consent_screen_text: The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + :param pulumi.Input[str] description: The description of this client in the GUI. + :param pulumi.Input[bool] direct_access_grants_enabled: When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] display_on_consent_screen: When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + :param pulumi.Input[bool] enabled: When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + :param pulumi.Input[bool] exclude_session_state_from_auth_response: When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + :param pulumi.Input[bool] frontchannel_logout_enabled: When `true`, frontchannel logout will be enabled for this client. 
Specify the url with `frontchannel_logout_url`. Defaults to `false`. + :param pulumi.Input[str] frontchannel_logout_url: The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + :param pulumi.Input[bool] full_scope_allowed: Allow to include all roles mappings in the access token. + :param pulumi.Input[bool] implicit_flow_enabled: When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] import_: When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + :param pulumi.Input[str] login_theme: The client login theme. This will override the default theme for the realm. + :param pulumi.Input[str] name: The display name of this client in the GUI. + :param pulumi.Input[bool] oauth2_device_authorization_grant_enabled: Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + :param pulumi.Input[str] oauth2_device_code_lifespan: The maximum amount of time a client has to finish the device code flow before it expires. + :param pulumi.Input[str] oauth2_device_polling_interval: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + :param pulumi.Input[str] pkce_code_challenge_method: The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + :param pulumi.Input[str] realm_id: The realm this client is attached to. 
+ :param pulumi.Input[str] resource_server_id: (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). + :param pulumi.Input[str] root_url: When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + :param pulumi.Input[str] service_account_user_id: (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + :param pulumi.Input[bool] service_accounts_enabled: When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] standard_flow_enabled: When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + :param pulumi.Input[bool] use_refresh_tokens: If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. + :param pulumi.Input[bool] use_refresh_tokens_client_credentials: If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_post_logout_redirect_uris: A list of valid URIs a browser is permitted to redirect to after a successful logout. 
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_redirect_uris: A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + is set to `true`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] web_origins: A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
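Review bot: The descriptions added here for `client_offline_session_idle_timeout` / `client_offline_session_max_lifespan` and `client_session_idle_timeout` / `client_session_max_lifespan` appear to be swapped: the offline-session parameters are explained in terms of regular client sessions and the "standard SSO Session Idle/Max" values, while the non-offline parameters talk about offline sessions and the "Offline Session Idle/Max" values. The same swapped text is repeated in the property docstrings of the next hunk (`@@ -1551,116 +2005,194 @@`). Separately, the `web_origins` description ends with a stray double quote after the sentence "To permit all origins, explicitly add `*`.", and that stray character also appears in the `web_origins` property of the hunk at `@@ -1671,110 +2203,178 @@`. These docstrings look like they are propagated from the provider's upstream documentation, so the correction presumably belongs there rather than in this SDK file; `get` continues outside the hunk.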
@@ -1551,116 +2005,194 @@ def get(resource_name: str, @property @pulumi.getter(name="accessTokenLifespan") def access_token_lifespan(self) -> pulumi.Output[str]: + """ + The amount of time in seconds before an access token expires. This will override the default for the realm. + """ return pulumi.get(self, "access_token_lifespan") @property @pulumi.getter(name="accessType") def access_type(self) -> pulumi.Output[str]: + """ + Specifies the type of client, which can be one of the following: + - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. + This client should be used for applications using the Authorization Code or Client Credentials grant flows. + - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect + URIs for security. This client should be used for applications using the Implicit grant flow. + - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. + """ return pulumi.get(self, "access_type") @property @pulumi.getter(name="adminUrl") def admin_url(self) -> pulumi.Output[str]: + """ + URL to the admin interface of the client. + """ return pulumi.get(self, "admin_url") @property @pulumi.getter(name="authenticationFlowBindingOverrides") def authentication_flow_binding_overrides(self) -> pulumi.Output[Optional['outputs.ClientAuthenticationFlowBindingOverrides']]: + """ + Override realm authentication flow bindings + """ return pulumi.get(self, "authentication_flow_binding_overrides") @property @pulumi.getter def authorization(self) -> pulumi.Output[Optional['outputs.ClientAuthorization']]: + """ + When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. 
This block has the following arguments: + """ return pulumi.get(self, "authorization") @property @pulumi.getter(name="backchannelLogoutRevokeOfflineSessions") def backchannel_logout_revoke_offline_sessions(self) -> pulumi.Output[Optional[bool]]: + """ + Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. + """ return pulumi.get(self, "backchannel_logout_revoke_offline_sessions") @property @pulumi.getter(name="backchannelLogoutSessionRequired") def backchannel_logout_session_required(self) -> pulumi.Output[Optional[bool]]: + """ + When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`. + """ return pulumi.get(self, "backchannel_logout_session_required") @property @pulumi.getter(name="backchannelLogoutUrl") def backchannel_logout_url(self) -> pulumi.Output[Optional[str]]: + """ + The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case. + """ return pulumi.get(self, "backchannel_logout_url") @property @pulumi.getter(name="baseUrl") def base_url(self) -> pulumi.Output[str]: + """ + Default URL to use when the auth server needs to redirect or link back to the client. + """ return pulumi.get(self, "base_url") @property @pulumi.getter(name="clientAuthenticatorType") def client_authenticator_type(self) -> pulumi.Output[Optional[str]]: + """ + Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types: + - `client-secret` (Default) Use client id and client secret to authenticate client. + - `client-jwt` Use signed JWT to authenticate client. 
Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = ` + - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = ` + """ return pulumi.get(self, "client_authenticator_type") @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[str]: + """ + The Client ID for this client, referenced in the URI during authentication and in issued tokens. + """ return pulumi.get(self, "client_id") @property @pulumi.getter(name="clientOfflineSessionIdleTimeout") def client_offline_session_idle_timeout(self) -> pulumi.Output[str]: + """ + Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. + """ return pulumi.get(self, "client_offline_session_idle_timeout") @property @pulumi.getter(name="clientOfflineSessionMaxLifespan") def client_offline_session_max_lifespan(self) -> pulumi.Output[str]: + """ + Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. + """ return pulumi.get(self, "client_offline_session_max_lifespan") @property @pulumi.getter(name="clientSecret") def client_secret(self) -> pulumi.Output[str]: + """ + The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. 
+ """ return pulumi.get(self, "client_secret") @property @pulumi.getter(name="clientSessionIdleTimeout") def client_session_idle_timeout(self) -> pulumi.Output[str]: + """ + Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. + """ return pulumi.get(self, "client_session_idle_timeout") @property @pulumi.getter(name="clientSessionMaxLifespan") def client_session_max_lifespan(self) -> pulumi.Output[str]: + """ + Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. + """ return pulumi.get(self, "client_session_max_lifespan") @property @pulumi.getter(name="consentRequired") def consent_required(self) -> pulumi.Output[bool]: + """ + When `true`, users have to consent to client access. Defaults to `false`. + """ return pulumi.get(self, "consent_required") @property @pulumi.getter(name="consentScreenText") def consent_screen_text(self) -> pulumi.Output[str]: + """ + The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`. + """ return pulumi.get(self, "consent_screen_text") @property @pulumi.getter def description(self) -> pulumi.Output[str]: + """ + The description of this client in the GUI. + """ return pulumi.get(self, "description") @property @pulumi.getter(name="directAccessGrantsEnabled") def direct_access_grants_enabled(self) -> pulumi.Output[bool]: + """ + When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. 
+ """ return pulumi.get(self, "direct_access_grants_enabled") @property @pulumi.getter(name="displayOnConsentScreen") def display_on_consent_screen(self) -> pulumi.Output[bool]: + """ + When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`. + """ return pulumi.get(self, "display_on_consent_screen") @property @pulumi.getter def enabled(self) -> pulumi.Output[Optional[bool]]: + """ + When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + """ return pulumi.get(self, "enabled") @property @pulumi.getter(name="excludeSessionStateFromAuthResponse") def exclude_session_state_from_auth_response(self) -> pulumi.Output[bool]: + """ + When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response. + """ return pulumi.get(self, "exclude_session_state_from_auth_response") @property 
@@ -1671,110 +2203,178 @@ def extra_config(self) -> pulumi.Output[Optional[Mapping[str, str]]]: @property @pulumi.getter(name="frontchannelLogoutEnabled") def frontchannel_logout_enabled(self) -> pulumi.Output[bool]: + """ + When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. + """ return pulumi.get(self, "frontchannel_logout_enabled") @property @pulumi.getter(name="frontchannelLogoutUrl") def frontchannel_logout_url(self) -> pulumi.Output[Optional[str]]: + """ + The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. + """ return pulumi.get(self, "frontchannel_logout_url") @property @pulumi.getter(name="fullScopeAllowed") def full_scope_allowed(self) -> pulumi.Output[Optional[bool]]: + """ + Allow to include all roles mappings in the access token. + """ return pulumi.get(self, "full_scope_allowed") @property @pulumi.getter(name="implicitFlowEnabled") def implicit_flow_enabled(self) -> pulumi.Output[bool]: + """ + When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "implicit_flow_enabled") @property @pulumi.getter(name="import") def import_(self) -> pulumi.Output[Optional[bool]]: + """ + When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`. + """ return pulumi.get(self, "import_") @property @pulumi.getter(name="loginTheme") def login_theme(self) -> pulumi.Output[Optional[str]]: + """ + The client login theme. This will override the default theme for the realm. 
+ """ return pulumi.get(self, "login_theme") @property @pulumi.getter def name(self) -> pulumi.Output[str]: + """ + The display name of this client in the GUI. + """ return pulumi.get(self, "name") @property @pulumi.getter(name="oauth2DeviceAuthorizationGrantEnabled") def oauth2_device_authorization_grant_enabled(self) -> pulumi.Output[Optional[bool]]: + """ + Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. + """ return pulumi.get(self, "oauth2_device_authorization_grant_enabled") @property @pulumi.getter(name="oauth2DeviceCodeLifespan") def oauth2_device_code_lifespan(self) -> pulumi.Output[Optional[str]]: + """ + The maximum amount of time a client has to finish the device code flow before it expires. + """ return pulumi.get(self, "oauth2_device_code_lifespan") @property @pulumi.getter(name="oauth2DevicePollingInterval") def oauth2_device_polling_interval(self) -> pulumi.Output[Optional[str]]: + """ + The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. + """ return pulumi.get(self, "oauth2_device_polling_interval") @property @pulumi.getter(name="pkceCodeChallengeMethod") def pkce_code_challenge_method(self) -> pulumi.Output[Optional[str]]: + """ + The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. + """ return pulumi.get(self, "pkce_code_challenge_method") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The realm this client is attached to. + """ return pulumi.get(self, "realm_id") @property @pulumi.getter(name="resourceServerId") def resource_server_id(self) -> pulumi.Output[str]: + """ + (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute). 
+ """ return pulumi.get(self, "resource_server_id") @property @pulumi.getter(name="rootUrl") def root_url(self) -> pulumi.Output[str]: + """ + When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. + """ return pulumi.get(self, "root_url") @property @pulumi.getter(name="serviceAccountUserId") def service_account_user_id(self) -> pulumi.Output[str]: + """ + (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. + """ return pulumi.get(self, "service_account_user_id") @property @pulumi.getter(name="serviceAccountsEnabled") def service_accounts_enabled(self) -> pulumi.Output[bool]: + """ + When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "service_accounts_enabled") @property @pulumi.getter(name="standardFlowEnabled") def standard_flow_enabled(self) -> pulumi.Output[bool]: + """ + When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. + """ return pulumi.get(self, "standard_flow_enabled") @property @pulumi.getter(name="useRefreshTokens") def use_refresh_tokens(self) -> pulumi.Output[Optional[bool]]: + """ + If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`. 
+ """ return pulumi.get(self, "use_refresh_tokens") @property @pulumi.getter(name="useRefreshTokensClientCredentials") def use_refresh_tokens_client_credentials(self) -> pulumi.Output[Optional[bool]]: + """ + If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`. + """ return pulumi.get(self, "use_refresh_tokens_client_credentials") @property @pulumi.getter(name="validPostLogoutRedirectUris") def valid_post_logout_redirect_uris(self) -> pulumi.Output[Sequence[str]]: + """ + A list of valid URIs a browser is permitted to redirect to after a successful logout. + """ return pulumi.get(self, "valid_post_logout_redirect_uris") @property @pulumi.getter(name="validRedirectUris") def valid_redirect_uris(self) -> pulumi.Output[Sequence[str]]: + """ + A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple + wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` + is set to `true`. + """ return pulumi.get(self, "valid_redirect_uris") @property @pulumi.getter(name="webOrigins") def web_origins(self) -> pulumi.Output[Sequence[str]]: + """ + A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`." + """ return pulumi.get(self, "web_origins") diff --git a/sdk/python/pulumi_keycloak/openid/client_default_scopes.py b/sdk/python/pulumi_keycloak/openid/client_default_scopes.py index 22d5dc50..d546513b 100644 --- a/sdk/python/pulumi_keycloak/openid/client_default_scopes.py +++ b/sdk/python/pulumi_keycloak/openid/client_default_scopes.py 
@@ -24,6 +24,9 @@ def __init__(__self__, *,
 realm_id: pulumi.Input[str]):
 """
 The set of arguments for constructing a ClientDefaultScopes resource.
+ :param pulumi.Input[str] client_id: The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] default_scopes: An array of client scope names to attach to this client.
+ :param pulumi.Input[str] realm_id: The realm this client and scopes exists in.
 """
 pulumi.set(__self__, "client_id", client_id)
 pulumi.set(__self__, "default_scopes", default_scopes)
@@ -32,6 +35,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="clientId")
 def client_id(self) -> pulumi.Input[str]:
+ """
+ The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ """
 return pulumi.get(self, "client_id")
 @client_id.setter
@@ -41,6 +47,9 @@ def client_id(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter(name="defaultScopes")
 def default_scopes(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]:
+ """
+ An array of client scope names to attach to this client.
+ """
 return pulumi.get(self, "default_scopes")
 @default_scopes.setter
@@ -50,6 +59,9 @@ def default_scopes(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]):
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Input[str]:
+ """
+ The realm this client and scopes exists in.
+ """
 return pulumi.get(self, "realm_id")
 @realm_id.setter
@@ -65,6 +77,9 @@ def __init__(__self__, *,
 realm_id: Optional[pulumi.Input[str]] = None):
 """
 Input properties used for looking up and filtering ClientDefaultScopes resources.
+ :param pulumi.Input[str] client_id: The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] default_scopes: An array of client scope names to attach to this client.
+ :param pulumi.Input[str] realm_id: The realm this client and scopes exists in.
 """
 if client_id is not None:
 pulumi.set(__self__, "client_id", client_id)
@@ -76,6 +91,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="clientId")
 def client_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+ """
 return pulumi.get(self, "client_id")
 @client_id.setter
@@ -85,6 +103,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="defaultScopes")
 def default_scopes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ An array of client scope names to attach to this client.
+ """
 return pulumi.get(self, "default_scopes")
 @default_scopes.setter
@@ -94,6 +115,9 @@ def default_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ The realm this client and scopes exists in.
+ """
 return pulumi.get(self, "realm_id")
 @realm_id.setter
@@ -139,21 +163,17 @@ def __init__(__self__, ]) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this client and scopes exists in. - - `client_id` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. - - `default_scopes` - (Required) An array of client scope names to attach to this client. - - ### Import + ## Import This resource does not support import. Instead of importing, feel free to create this resource + as if it did not already exist on the server. :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] client_id: The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + :param pulumi.Input[Sequence[pulumi.Input[str]]] default_scopes: An array of client scope names to attach to this client. + :param pulumi.Input[str] realm_id: The realm this client and scopes exists in. """ ... @overload @@ -190,17 +210,10 @@ def __init__(__self__, ]) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this client and scopes exists in. - - `client_id` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. - - `default_scopes` - (Required) An array of client scope names to attach to this client. - - ### Import + ## Import This resource does not support import. Instead of importing, feel free to create this resource + as if it did not already exist on the server. :param str resource_name: The name of the resource. 
@@ -259,6 +272,9 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] client_id: The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + :param pulumi.Input[Sequence[pulumi.Input[str]]] default_scopes: An array of client scope names to attach to this client. + :param pulumi.Input[str] realm_id: The realm this client and scopes exists in. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -272,15 +288,24 @@ def get(resource_name: str, @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[str]: + """ + The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. + """ return pulumi.get(self, "client_id") @property @pulumi.getter(name="defaultScopes") def default_scopes(self) -> pulumi.Output[Sequence[str]]: + """ + An array of client scope names to attach to this client. + """ return pulumi.get(self, "default_scopes") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The realm this client and scopes exists in. + """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/openid/client_optional_scopes.py b/sdk/python/pulumi_keycloak/openid/client_optional_scopes.py index 821d3414..5a32b916 100644 --- a/sdk/python/pulumi_keycloak/openid/client_optional_scopes.py +++ b/sdk/python/pulumi_keycloak/openid/client_optional_scopes.py 
@@ -24,6 +24,9 @@ def __init__(__self__, *, realm_id: pulumi.Input[str]): """ The set of arguments for constructing a ClientOptionalScopes resource. + :param pulumi.Input[str] client_id: The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + :param pulumi.Input[Sequence[pulumi.Input[str]]] optional_scopes: An array of client scope names to attach to this client as optional scopes. + :param pulumi.Input[str] realm_id: The realm this client and scopes exists in. """ pulumi.set(__self__, "client_id", client_id) pulumi.set(__self__, "optional_scopes", optional_scopes) @@ -32,6 +35,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Input[str]: + """ + The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + """ return pulumi.get(self, "client_id") @client_id.setter @@ -41,6 +47,9 @@ def client_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="optionalScopes") def optional_scopes(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]: + """ + An array of client scope names to attach to this client as optional scopes. + """ return pulumi.get(self, "optional_scopes") @optional_scopes.setter @@ -50,6 +59,9 @@ def optional_scopes(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]): @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: + """ + The realm this client and scopes exists in. + """ return pulumi.get(self, "realm_id") @realm_id.setter 
@@ -65,6 +77,9 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering ClientOptionalScopes resources. + :param pulumi.Input[str] client_id: The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + :param pulumi.Input[Sequence[pulumi.Input[str]]] optional_scopes: An array of client scope names to attach to this client as optional scopes. + :param pulumi.Input[str] realm_id: The realm this client and scopes exists in. """ if client_id is not None: pulumi.set(__self__, "client_id", client_id) @@ -76,6 +91,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: + """ + The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + """ return pulumi.get(self, "client_id") @client_id.setter @@ -85,6 +103,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="optionalScopes") def optional_scopes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + An array of client scope names to attach to this client as optional scopes. + """ return pulumi.get(self, "optional_scopes") @optional_scopes.setter @@ -94,6 +115,9 @@ def optional_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str @property @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: + """ + The realm this client and scopes exists in. + """ return pulumi.get(self, "realm_id") @realm_id.setter 
@@ -134,25 +158,22 @@ def __init__(__self__, "address", "phone", "offline_access", + "microprofile-jwt", client_scope.name, ]) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this client and scopes exists in. - - `client_id` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. - - `optional_scopes` - (Required) An array of client scope names to attach to this client as optional scopes. - - ### Import + ## Import This resource does not support import. Instead of importing, feel free to create this resource + as if it did not already exist on the server. :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] client_id: The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + :param pulumi.Input[Sequence[pulumi.Input[str]]] optional_scopes: An array of client scope names to attach to this client as optional scopes. + :param pulumi.Input[str] realm_id: The realm this client and scopes exists in. """ ... @overload @@ -184,21 +205,15 @@ def __init__(__self__, "address", "phone", "offline_access", + "microprofile-jwt", client_scope.name, ]) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this client and scopes exists in. - - `client_id` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. - - `optional_scopes` - (Required) An array of client scope names to attach to this client as optional scopes. - - ### Import + ## Import This resource does not support import. Instead of importing, feel free to create this resource + as if it did not already exist on the server. :param str resource_name: The name of the resource. 
@@ -257,6 +272,9 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] client_id: The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + :param pulumi.Input[Sequence[pulumi.Input[str]]] optional_scopes: An array of client scope names to attach to this client as optional scopes. + :param pulumi.Input[str] realm_id: The realm this client and scopes exists in. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -270,15 +288,24 @@ def get(resource_name: str, @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[str]: + """ + The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. + """ return pulumi.get(self, "client_id") @property @pulumi.getter(name="optionalScopes") def optional_scopes(self) -> pulumi.Output[Sequence[str]]: + """ + An array of client scope names to attach to this client as optional scopes. + """ return pulumi.get(self, "optional_scopes") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The realm this client and scopes exists in. + """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/openid/client_scope.py b/sdk/python/pulumi_keycloak/openid/client_scope.py index ac74ac7b..9eee722b 100644 --- a/sdk/python/pulumi_keycloak/openid/client_scope.py +++ b/sdk/python/pulumi_keycloak/openid/client_scope.py 
@@ -27,6 +27,12 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a ClientScope resource. + :param pulumi.Input[str] realm_id: The realm this client scope belongs to. + :param pulumi.Input[str] consent_screen_text: When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + :param pulumi.Input[str] description: The description of this client scope in the GUI. + :param pulumi.Input[int] gui_order: Specify order of the client scope in GUI (such as in Consent page) as integer. + :param pulumi.Input[bool] include_in_token_scope: When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + :param pulumi.Input[str] name: The display name of this client scope in the GUI. """ pulumi.set(__self__, "realm_id", realm_id) if consent_screen_text is not None: @@ -43,6 +49,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: + """ + The realm this client scope belongs to. + """ return pulumi.get(self, "realm_id") @realm_id.setter @@ -52,6 +61,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="consentScreenText") def consent_screen_text(self) -> Optional[pulumi.Input[str]]: + """ + When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + """ return pulumi.get(self, "consent_screen_text") @consent_screen_text.setter @@ -61,6 +73,9 @@ def consent_screen_text(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def description(self) -> Optional[pulumi.Input[str]]: + """ + The description of this client scope in the GUI. + """ return pulumi.get(self, "description") @description.setter 
@@ -70,6 +85,9 @@ def description(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="guiOrder") def gui_order(self) -> Optional[pulumi.Input[int]]: + """ + Specify order of the client scope in GUI (such as in Consent page) as integer. + """ return pulumi.get(self, "gui_order") @gui_order.setter @@ -79,6 +97,9 @@ def gui_order(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="includeInTokenScope") def include_in_token_scope(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + """ return pulumi.get(self, "include_in_token_scope") @include_in_token_scope.setter @@ -88,6 +109,9 @@ def include_in_token_scope(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of this client scope in the GUI. + """ return pulumi.get(self, "name") @name.setter 
@@ -106,6 +130,12 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering ClientScope resources. + :param pulumi.Input[str] consent_screen_text: When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + :param pulumi.Input[str] description: The description of this client scope in the GUI. + :param pulumi.Input[int] gui_order: Specify order of the client scope in GUI (such as in Consent page) as integer. + :param pulumi.Input[bool] include_in_token_scope: When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + :param pulumi.Input[str] name: The display name of this client scope in the GUI. + :param pulumi.Input[str] realm_id: The realm this client scope belongs to. """ if consent_screen_text is not None: pulumi.set(__self__, "consent_screen_text", consent_screen_text) @@ -123,6 +153,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="consentScreenText") def consent_screen_text(self) -> Optional[pulumi.Input[str]]: + """ + When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + """ return pulumi.get(self, "consent_screen_text") @consent_screen_text.setter @@ -132,6 +165,9 @@ def consent_screen_text(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def description(self) -> Optional[pulumi.Input[str]]: + """ + The description of this client scope in the GUI. + """ return pulumi.get(self, "description") @description.setter 
@@ -141,6 +177,9 @@ def description(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="guiOrder") def gui_order(self) -> Optional[pulumi.Input[int]]: + """ + Specify order of the client scope in GUI (such as in Consent page) as integer. + """ return pulumi.get(self, "gui_order") @gui_order.setter @@ -150,6 +189,9 @@ def gui_order(self, value: Optional[pulumi.Input[int]]): @property @pulumi.getter(name="includeInTokenScope") def include_in_token_scope(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + """ return pulumi.get(self, "include_in_token_scope") @include_in_token_scope.setter @@ -159,6 +201,9 @@ def include_in_token_scope(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of this client scope in the GUI. + """ return pulumi.get(self, "name") @name.setter @@ -168,6 +213,9 @@ def name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: + """ + The realm this client scope belongs to. + """ return pulumi.get(self, "realm_id") @realm_id.setter 
@@ -188,16 +236,12 @@ def __init__(__self__, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # openid.ClientScope - - Allows for creating and managing Keycloak client scopes that can be attached to - clients that use the OpenID Connect protocol. + Allows for creating and managing Keycloak client scopes that can be attached to clients that use the OpenID Connect protocol. - Client Scopes can be used to share common protocol and role mappings between multiple - clients within a realm. They can also be used by clients to conditionally request - claims or roles for a user based on the OAuth 2.0 `scope` parameter. + Client Scopes can be used to share common protocol and role mappings between multiple clients within a realm. They can also + be used by clients to conditionally request claims or roles for a user based on the OAuth 2.0 `scope` parameter. - ### Example Usage + ## Example Usage ```python import pulumi 
@@ -209,29 +253,33 @@ def __init__(__self__, openid_client_scope = keycloak.openid.ClientScope("openid_client_scope", realm_id=realm.id, name="groups", - description="When requested, this scope will map a user's group memberships to a claim") + description="When requested, this scope will map a user's group memberships to a claim", + include_in_token_scope=True, + gui_order=1) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this client scope belongs to. - - `name` - (Required) The display name of this client scope in the GUI. - - `description` - (Optional) The description of this client scope in the GUI. - - `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users - authenticating to clients with this scope attached. The consent screen will display the string - value of this attribute. - - ### Import + ## Import Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak + assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. Example: + bash + + ```sh + $ pulumi import keycloak:openid/clientScope:ClientScope openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] consent_screen_text: When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + :param pulumi.Input[str] description: The description of this client scope in the GUI. + :param pulumi.Input[int] gui_order: Specify order of the client scope in GUI (such as in Consent page) as integer. 
+ :param pulumi.Input[bool] include_in_token_scope: When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + :param pulumi.Input[str] name: The display name of this client scope in the GUI. + :param pulumi.Input[str] realm_id: The realm this client scope belongs to. """ ... @overload @@ -240,16 +288,12 @@ def __init__(__self__, args: ClientScopeArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.ClientScope - - Allows for creating and managing Keycloak client scopes that can be attached to - clients that use the OpenID Connect protocol. + Allows for creating and managing Keycloak client scopes that can be attached to clients that use the OpenID Connect protocol. - Client Scopes can be used to share common protocol and role mappings between multiple - clients within a realm. They can also be used by clients to conditionally request - claims or roles for a user based on the OAuth 2.0 `scope` parameter. + Client Scopes can be used to share common protocol and role mappings between multiple clients within a realm. They can also + be used by clients to conditionally request claims or roles for a user based on the OAuth 2.0 `scope` parameter. - ### Example Usage + ## Example Usage ```python import pulumi 
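Review bot: The rewritten Import section of the ClientScope docstring in this hunk carries a stray `bash` line between `Example:` and the ```` ```sh ```` fence, so the rendered docs show a bare word "bash" above the code block; the same artifact is in the overload's docstring in the next hunk (the one starting at `@@ -261,27 +305,25 @@`). Dropping the `bash` line and its surrounding blank line so the text reads `Example:` followed directly by the ```` ```sh ```` fence fixes both. If these SDK files are generated from the provider schema, the correction belongs in the upstream resource documentation rather than a hand edit here, or it will be lost on the next regeneration.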
@@ -261,27 +305,25 @@ def __init__(__self__, openid_client_scope = keycloak.openid.ClientScope("openid_client_scope", realm_id=realm.id, name="groups", - description="When requested, this scope will map a user's group memberships to a claim") + description="When requested, this scope will map a user's group memberships to a claim", + include_in_token_scope=True, + gui_order=1) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this client scope belongs to. - - `name` - (Required) The display name of this client scope in the GUI. - - `description` - (Optional) The description of this client scope in the GUI. - - `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users - authenticating to clients with this scope attached. The consent screen will display the string - value of this attribute. - - ### Import + ## Import Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak + assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. Example: + bash + + ```sh + $ pulumi import keycloak:openid/clientScope:ClientScope openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52 + ``` + :param str resource_name: The name of the resource. :param ClientScopeArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -343,6 +385,12 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] consent_screen_text: When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + :param pulumi.Input[str] description: The description of this client scope in the GUI. + :param pulumi.Input[int] gui_order: Specify order of the client scope in GUI (such as in Consent page) as integer. + :param pulumi.Input[bool] include_in_token_scope: When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + :param pulumi.Input[str] name: The display name of this client scope in the GUI. + :param pulumi.Input[str] realm_id: The realm this client scope belongs to. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
@@ -359,30 +407,48 @@ def get(resource_name: str, @property @pulumi.getter(name="consentScreenText") def consent_screen_text(self) -> pulumi.Output[Optional[str]]: + """ + When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. + """ return pulumi.get(self, "consent_screen_text") @property @pulumi.getter def description(self) -> pulumi.Output[Optional[str]]: + """ + The description of this client scope in the GUI. + """ return pulumi.get(self, "description") @property @pulumi.getter(name="guiOrder") def gui_order(self) -> pulumi.Output[Optional[int]]: + """ + Specify order of the client scope in GUI (such as in Consent page) as integer. + """ return pulumi.get(self, "gui_order") @property @pulumi.getter(name="includeInTokenScope") def include_in_token_scope(self) -> pulumi.Output[Optional[bool]]: + """ + When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. + """ return pulumi.get(self, "include_in_token_scope") @property @pulumi.getter def name(self) -> pulumi.Output[str]: + """ + The display name of this client scope in the GUI. + """ return pulumi.get(self, "name") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The realm this client scope belongs to. + """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/openid/full_name_protocol_mapper.py b/sdk/python/pulumi_keycloak/openid/full_name_protocol_mapper.py index 28d5fb32..eef3fdec 100644 --- a/sdk/python/pulumi_keycloak/openid/full_name_protocol_mapper.py +++ b/sdk/python/pulumi_keycloak/openid/full_name_protocol_mapper.py 
@@ -28,10 +28,13 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a FullNameProtocolMapper resource. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[bool] add_to_access_token: Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. """ pulumi.set(__self__, "realm_id", realm_id) if add_to_access_token is not None: @@ -51,7 +54,7 @@ def __init__(__self__, *, @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") 
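Review bot: The new `add_to_access_token`, `add_to_id_token` and `add_to_userinfo` docs say "Defaults to `true`", but the visible `if add_to_access_token is not None:` guard shows the SDK passes nothing when the argument is omitted, so the default is presumably applied by the provider rather than by this class; saying so avoids a reader assuming the Python object holds `True`. A wording such as `Defaults to \`true\` when unset (the default is applied by the provider, not this SDK).` would be clearer, and the same text recurs in the FullNameProtocolMapper state class and its property getters in the following hunks. Since the claim carried is the user's full name, the docs could also note that with the default every access token presented to resource servers includes that PII, which is worth a deliberate choice rather than an implicit one.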
@@ -62,6 +65,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + """ return pulumi.get(self, "add_to_access_token") @add_to_access_token.setter @@ -71,6 +77,9 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + """ return pulumi.get(self, "add_to_id_token") @add_to_id_token.setter @@ -80,6 +89,9 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + """ return pulumi.get(self, "add_to_userinfo") @add_to_userinfo.setter @@ -90,7 +102,7 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -102,7 +114,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -114,7 +126,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") 
@@ -135,10 +147,13 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering FullNameProtocolMapper resources. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ if add_to_access_token is not None: pulumi.set(__self__, "add_to_access_token", add_to_access_token) 
@@ -158,6 +173,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + """ return pulumi.get(self, "add_to_access_token") @add_to_access_token.setter @@ -167,6 +185,9 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + """ return pulumi.get(self, "add_to_id_token") @add_to_id_token.setter @@ -176,6 +197,9 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + """ return pulumi.get(self, "add_to_userinfo") @add_to_userinfo.setter @@ -186,7 +210,7 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -198,7 +222,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -210,7 +234,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -222,7 +246,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") 
@@ -245,17 +269,16 @@ def __init__(__self__, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # openid.FullNameProtocolMapper + Allows for creating and managing full name protocol mappers within Keycloak. + + Full name protocol mappers allow you to map a user's first and last name to the OpenID Connect `name` claim in a token. - Allows for creating and managing full name protocol mappers within - Keycloak. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - Full name protocol mappers allow you to map a user's first and last name - to the OpenID Connect `name` claim in a token. Protocol mappers can be defined - for a single client, or they can be defined for a client scope which can - be shared between multiple different clients. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi @@ -266,8 +289,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -277,7 +300,7 @@ def __init__(__self__, name="full-name-mapper") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi 
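Review bot: The rewritten example headings in the FullNameProtocolMapper `__init__` docstring are mangled: `### Client)` and `### Client Scope)` carry a dangling closing parenthesis from the old `### Example Usage (Client)` titles, and under the new `## Example Usage` heading they should read `### Client` and `### Client Scope`. The hunk that follows (`## Import`) also leaves a bare `bash` line between `Example:` and the fenced `sh` blocks, which renders as stray text. This SDK file looks generated from the upstream provider docs, so the fix presumably belongs in the doc source or the docs converter rather than a hand edit here; the `__init__` whose docstring this is continues outside the hunk.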
@@ -288,39 +311,42 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") full_name_mapper = keycloak.openid.FullNameProtocolMapper("full_name_mapper", realm_id=realm.id, client_scope_id=client_scope.id, name="full-name-mapper") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `add_to_id_token` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. - - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. 
:param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ ... @overload 
@@ -329,17 +355,16 @@ def __init__(__self__, args: FullNameProtocolMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.FullNameProtocolMapper + Allows for creating and managing full name protocol mappers within Keycloak. - Allows for creating and managing full name protocol mappers within - Keycloak. + Full name protocol mappers allow you to map a user's first and last name to the OpenID Connect `name` claim in a token. - Full name protocol mappers allow you to map a user's first and last name - to the OpenID Connect `name` claim in a token. Protocol mappers can be defined - for a single client, or they can be defined for a client scope which can - be shared between multiple different clients. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - ### Example Usage (Client) + ## Example Usage + + ### Client) ```python import pulumi @@ -350,8 +375,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -361,7 +386,7 @@ def __init__(__self__, name="full-name-mapper") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi 
@@ -372,33 +397,33 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") full_name_mapper = keycloak.openid.FullNameProtocolMapper("full_name_mapper", realm_id=realm.id, client_scope_id=client_scope.id, name="full-name-mapper") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `add_to_id_token` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. - - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. 
:param FullNameProtocolMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. @@ -463,10 +488,13 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
@@ -484,23 +512,32 @@ def get(resource_name: str, @property @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: + """ + Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. + """ return pulumi.get(self, "add_to_access_token") @property @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: + """ + Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. + """ return pulumi.get(self, "add_to_id_token") @property @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> pulumi.Output[Optional[bool]]: + """ + Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. + """ return pulumi.get(self, "add_to_userinfo") @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") @@ -508,7 +545,7 @@ def client_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -516,7 +553,7 @@ def client_scope_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") 
@@ -524,7 +561,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/openid/get_client.py b/sdk/python/pulumi_keycloak/openid/get_client.py index 013a3b08..641f5b45 100644 --- a/sdk/python/pulumi_keycloak/openid/get_client.py +++ b/sdk/python/pulumi_keycloak/openid/get_client.py @@ -465,11 +465,9 @@ def get_client(client_id: Optional[str] = None, realm_id: Optional[str] = None, opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetClientResult: """ - ## # openid.Client data source - This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. - ### Example Usage + ## Example Usage ```python import pulumi @@ -483,16 +481,9 @@ def get_client(client_id: Optional[str] = None, name="realm-admin") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm id. - - `client_id` - (Required) The client id. - - ### Attributes Reference - See the docs for the `openid.Client` resource for details on the exported attributes. + :param str client_id: The client id (not its unique ID). + :param str realm_id: The realm id. """ __args__ = dict() __args__['clientId'] = client_id @@ -563,11 +554,9 @@ def get_client_output(client_id: Optional[pulumi.Input[str]] = None, realm_id: Optional[pulumi.Input[str]] = None, opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetClientResult]: """ - ## # openid.Client data source - This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. - ### Example Usage + ## Example Usage ```python import pulumi 
@@ -581,16 +570,9 @@ def get_client_output(client_id: Optional[pulumi.Input[str]] = None, name="realm-admin") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm id. - - `client_id` - (Required) The client id. - - ### Attributes Reference - See the docs for the `openid.Client` resource for details on the exported attributes. + :param str client_id: The client id (not its unique ID). + :param str realm_id: The realm id. """ __args__ = dict() __args__['clientId'] = client_id diff --git a/sdk/python/pulumi_keycloak/openid/group_membership_protocol_mapper.py b/sdk/python/pulumi_keycloak/openid/group_membership_protocol_mapper.py index bc67ac57..af0cfad6 100644 --- a/sdk/python/pulumi_keycloak/openid/group_membership_protocol_mapper.py +++ b/sdk/python/pulumi_keycloak/openid/group_membership_protocol_mapper.py 
@@ -30,10 +30,15 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a GroupMembershipProtocolMapper resource. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] full_path: Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. """ pulumi.set(__self__, "claim_name", claim_name) pulumi.set(__self__, "realm_id", realm_id) 
@@ -55,6 +60,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="claimName") def claim_name(self) -> pulumi.Input[str]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @claim_name.setter @@ -65,7 +73,7 @@ def claim_name(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -76,6 +84,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the property should be added as a claim to the access token. Defaults to `true`. + """ return pulumi.get(self, "add_to_access_token") @add_to_access_token.setter @@ -85,6 +96,9 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the property should be added as a claim to the id token. Defaults to `true`. + """ return pulumi.get(self, "add_to_id_token") @add_to_id_token.setter @@ -94,6 +108,9 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + """ return pulumi.get(self, "add_to_userinfo") @add_to_userinfo.setter 
@@ -104,7 +121,7 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") @@ -116,7 +133,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -127,6 +144,9 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="fullPath") def full_path(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + """ return pulumi.get(self, "full_path") @full_path.setter @@ -137,7 +157,7 @@ def full_path(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") 
@@ -160,10 +180,15 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering GroupMembershipProtocolMapper resources. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] full_path: Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ if add_to_access_token is not None: pulumi.set(__self__, "add_to_access_token", add_to_access_token) 
@@ -187,6 +212,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the property should be added as a claim to the access token. Defaults to `true`. + """ return pulumi.get(self, "add_to_access_token") @add_to_access_token.setter @@ -196,6 +224,9 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the property should be added as a claim to the id token. Defaults to `true`. + """ return pulumi.get(self, "add_to_id_token") @add_to_id_token.setter @@ -205,6 +236,9 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + """ return pulumi.get(self, "add_to_userinfo") @add_to_userinfo.setter @@ -214,6 +248,9 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="claimName") def claim_name(self) -> Optional[pulumi.Input[str]]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @claim_name.setter @@ -224,7 +261,7 @@ def claim_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -236,7 +273,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -247,6 +284,9 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="fullPath") def full_path(self) -> Optional[pulumi.Input[bool]]: + """ + Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + """ return pulumi.get(self, "full_path") @full_path.setter @@ -257,7 +297,7 @@ def full_path(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -269,7 +309,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") 
@@ -294,17 +334,16 @@ def __init__(__self__, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # openid.GroupMembershipProtocolMapper + Allows for creating and managing group membership protocol mappers within Keycloak. - Allows for creating and managing group membership protocol mappers within - Keycloak. + Group membership protocol mappers allow you to map a user's group memberships to a claim in a token. - Group membership protocol mappers allow you to map a user's group memberships - to a claim in a token. Protocol mappers can be defined for a single client, - or they can be defined for a client scope which can be shared between multiple - different clients. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - ### Example Usage (Client) + ## Example Usage + + ### Client) ```python import pulumi @@ -315,8 +354,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -327,7 +366,7 @@ def __init__(__self__, claim_name="groups") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi @@ -338,7 +377,7 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") group_membership_mapper = keycloak.openid.GroupMembershipProtocolMapper("group_membership_mapper", realm_id=realm.id, client_scope_id=client_scope.id, 
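Review bot: The same heading damage appears in the GroupMembershipProtocolMapper `__init__` docstring: `### Client)` and `### Client Scope)` should be `### Client` and `### Client Scope` now that they sit under `## Example Usage`, and the `## Import` section in the next hunk has an orphan `bash` line before its `sh` fences. If these docstrings are regenerated from the upstream docs, the correction should go into that source so it does not get overwritten; the enclosing `__init__` runs past the end of the hunk.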
@@ -346,34 +385,37 @@ def __init__(__self__, claim_name="groups") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `full_path` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`. - - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. - - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. 
- :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] full_path: Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ ... @overload 
@@ -382,17 +424,16 @@ def __init__(__self__, args: GroupMembershipProtocolMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.GroupMembershipProtocolMapper + Allows for creating and managing group membership protocol mappers within Keycloak. + + Group membership protocol mappers allow you to map a user's group memberships to a claim in a token. - Allows for creating and managing group membership protocol mappers within - Keycloak. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - Group membership protocol mappers allow you to map a user's group memberships - to a claim in a token. Protocol mappers can be defined for a single client, - or they can be defined for a client scope which can be shared between multiple - different clients. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi @@ -403,8 +444,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -415,7 +456,7 @@ def __init__(__self__, claim_name="groups") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi @@ -426,7 +467,7 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") group_membership_mapper = keycloak.openid.GroupMembershipProtocolMapper("group_membership_mapper", realm_id=realm.id, client_scope_id=client_scope.id, 
@@ -434,28 +475,26 @@ def __init__(__self__, claim_name="groups") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `full_path` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`. - - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. - - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. 
:param GroupMembershipProtocolMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -528,10 +567,15 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] full_path: Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
@@ -551,28 +595,40 @@ def get(resource_name: str, @property @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: + """ + Indicates if the property should be added as a claim to the access token. Defaults to `true`. + """ return pulumi.get(self, "add_to_access_token") @property @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: + """ + Indicates if the property should be added as a claim to the id token. Defaults to `true`. + """ return pulumi.get(self, "add_to_id_token") @property @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> pulumi.Output[Optional[bool]]: + """ + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + """ return pulumi.get(self, "add_to_userinfo") @property @pulumi.getter(name="claimName") def claim_name(self) -> pulumi.Output[str]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -580,20 +636,23 @@ def client_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @property @pulumi.getter(name="fullPath") def full_path(self) -> pulumi.Output[Optional[bool]]: + """ + Indicates whether the full path of the group including its parents will be used. Defaults to `true`. + """ return pulumi.get(self, "full_path") @property @pulumi.getter def name(self) -> pulumi.Output[str]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -601,7 +660,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/openid/hardcoded_claim_protocol_mapper.py b/sdk/python/pulumi_keycloak/openid/hardcoded_claim_protocol_mapper.py index 70023994..44b208eb 100644 --- a/sdk/python/pulumi_keycloak/openid/hardcoded_claim_protocol_mapper.py +++ b/sdk/python/pulumi_keycloak/openid/hardcoded_claim_protocol_mapper.py 
@@ -31,14 +31,16 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a HardcodedClaimProtocolMapper resource. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value: The hardcoded value of the claim. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. 
Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. """ pulumi.set(__self__, "claim_name", claim_name) pulumi.set(__self__, "claim_value", claim_value) @@ -61,6 +63,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="claimName") def claim_name(self) -> pulumi.Input[str]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @claim_name.setter @@ -70,6 +75,9 @@ def claim_name(self, value: pulumi.Input[str]): @property @pulumi.getter(name="claimValue") def claim_value(self) -> pulumi.Input[str]: + """ + The hardcoded value of the claim. + """ return pulumi.get(self, "claim_value") @claim_value.setter @@ -80,7 +88,7 @@ def claim_value(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -92,7 +100,7 @@ def realm_id(self, value: pulumi.Input[str]): @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the access token. + Indicates if the property should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") 
@@ -104,7 +112,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the id token. + Indicates if the property should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") @@ -116,7 +124,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should appear in the userinfo response body. + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") @@ -128,7 +136,7 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="claimValueType") def claim_value_type(self) -> Optional[pulumi.Input[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -140,7 +148,7 @@ def claim_value_type(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -152,7 +160,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -164,7 +172,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") 
@@ -188,14 +196,16 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering HardcodedClaimProtocolMapper resources. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value: The hardcoded value of the claim. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. 
One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ if add_to_access_token is not None: pulumi.set(__self__, "add_to_access_token", add_to_access_token) @@ -222,7 +232,7 @@ def __init__(__self__, *, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the access token. + Indicates if the property should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -234,7 +244,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the id token. + Indicates if the property should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") @@ -246,7 +256,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should appear in the userinfo response body. + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") @@ -257,6 +267,9 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="claimName") def claim_name(self) -> Optional[pulumi.Input[str]]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @claim_name.setter 
@@ -266,6 +279,9 @@ def claim_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="claimValue") def claim_value(self) -> Optional[pulumi.Input[str]]: + """ + The hardcoded value of the claim. + """ return pulumi.get(self, "claim_value") @claim_value.setter @@ -276,7 +292,7 @@ def claim_value(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="claimValueType") def claim_value_type(self) -> Optional[pulumi.Input[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -288,7 +304,7 @@ def claim_value_type(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") @@ -300,7 +316,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -312,7 +328,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") 
@@ -324,7 +340,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -350,17 +366,16 @@ def __init__(__self__, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # openid.HardcodedClaimProtocolMapper + Allows for creating and managing hardcoded claim protocol mappers within Keycloak. + + Hardcoded claim protocol mappers allow you to define a claim with a hardcoded value. - Allows for creating and managing hardcoded claim protocol mappers within - Keycloak. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - Hardcoded claim protocol mappers allow you to define a claim with a hardcoded - value. Protocol mappers can be defined for a single client, or they can - be defined for a client scope which can be shared between multiple different - clients. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi @@ -371,8 +386,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -384,7 +399,7 @@ def __init__(__self__, claim_value="bar") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi 
@@ -395,7 +410,7 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") hardcoded_claim_mapper = keycloak.openid.HardcodedClaimProtocolMapper("hardcoded_claim_mapper", realm_id=realm.id, client_scope_id=client_scope.id, 
@@ -404,39 +419,38 @@ def __init__(__self__, claim_value="bar") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `claim_value` - (Required) The hardcoded value of the claim. - - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. 
Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value: The hardcoded value of the claim. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ ... @overload @@ -445,17 +459,16 @@ def __init__(__self__, args: HardcodedClaimProtocolMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.HardcodedClaimProtocolMapper + Allows for creating and managing hardcoded claim protocol mappers within Keycloak. + + Hardcoded claim protocol mappers allow you to define a claim with a hardcoded value. - Allows for creating and managing hardcoded claim protocol mappers within - Keycloak. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - Hardcoded claim protocol mappers allow you to define a claim with a hardcoded - value. Protocol mappers can be defined for a single client, or they can - be defined for a client scope which can be shared between multiple different - clients. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi 
@@ -466,8 +479,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -479,7 +492,7 @@ def __init__(__self__, claim_value="bar") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi @@ -490,7 +503,7 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") hardcoded_claim_mapper = keycloak.openid.HardcodedClaimProtocolMapper("hardcoded_claim_mapper", realm_id=realm.id, client_scope_id=client_scope.id, 
@@ -499,29 +512,26 @@ def __init__(__self__, claim_value="bar") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `claim_value` - (Required) The hardcoded value of the claim. - - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param HardcodedClaimProtocolMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -599,14 +609,16 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value: The hardcoded value of the claim. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. 
Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -628,7 +640,7 @@ def get(resource_name: str, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the attribute should be a claim in the access token. + Indicates if the property should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -636,7 +648,7 @@ def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the attribute should be a claim in the id token. + Indicates if the property should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") 
@@ -644,25 +656,31 @@ def add_to_id_token(self) -> pulumi.Output[Optional[bool]]:
 @pulumi.getter(name="addToUserinfo")
 def add_to_userinfo(self) -> pulumi.Output[Optional[bool]]:
 """
- Indicates if the attribute should appear in the userinfo response body.
+ Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.
 """
 return pulumi.get(self, "add_to_userinfo")
 @property
 @pulumi.getter(name="claimName")
 def claim_name(self) -> pulumi.Output[str]:
+ """
+ The name of the claim to insert into a token.
+ """
 return pulumi.get(self, "claim_name")
 @property
 @pulumi.getter(name="claimValue")
 def claim_value(self) -> pulumi.Output[str]:
+ """
+ The hardcoded value of the claim.
+ """
 return pulumi.get(self, "claim_value")
 @property
 @pulumi.getter(name="claimValueType")
 def claim_value_type(self) -> pulumi.Output[Optional[str]]:
 """
- Claim type used when serializing tokens.
+ The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
 """
 return pulumi.get(self, "claim_value_type")
@@ -670,7 +688,7 @@ def claim_value_type(self) -> pulumi.Output[Optional[str]]:
 @pulumi.getter(name="clientId")
 def client_id(self) -> pulumi.Output[Optional[str]]:
 """
- The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_id")
@@ -678,7 +696,7 @@ def client_id(self) -> pulumi.Output[Optional[str]]:
 @pulumi.getter(name="clientScopeId")
 def client_scope_id(self) -> pulumi.Output[Optional[str]]:
 """
- The mapper's associated client scope. Cannot be used at the same time as client_id.
+ The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_scope_id")
@@ -686,7 +704,7 @@ def client_scope_id(self) -> pulumi.Output[Optional[str]]:
 @pulumi.getter
 def name(self) -> pulumi.Output[str]:
 """
- A human-friendly name that will appear in the Keycloak console.
+ The display name of this protocol mapper in the GUI.
 """
 return pulumi.get(self, "name")
@@ -694,7 +712,7 @@ def name(self) -> pulumi.Output[str]:
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Output[str]:
 """
- The realm id where the associated client or client scope exists.
+ The realm this protocol mapper exists within.
 """
 return pulumi.get(self, "realm_id")
diff --git a/sdk/python/pulumi_keycloak/openid/hardcoded_role_protocol_mapper.py b/sdk/python/pulumi_keycloak/openid/hardcoded_role_protocol_mapper.py
index 4272d527..db0a0774 100644
--- a/sdk/python/pulumi_keycloak/openid/hardcoded_role_protocol_mapper.py
+++ b/sdk/python/pulumi_keycloak/openid/hardcoded_role_protocol_mapper.py
@@ -26,10 +26,11 @@ def __init__(__self__, *,
 name: Optional[pulumi.Input[str]] = None):
 """
 The set of arguments for constructing a HardcodedRoleProtocolMapper resource.
- :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists.
- :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id.
- :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id.
- :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console.
+ :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+ :param pulumi.Input[str] role_id: The ID of the role to map to an access token.
+ :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+ :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+ :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
 """
 pulumi.set(__self__, "realm_id", realm_id)
 pulumi.set(__self__, "role_id", role_id)
@@ -44,7 +45,7 @@ def __init__(__self__, *,
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Input[str]:
 """
- The realm id where the associated client or client scope exists.
+ The realm this protocol mapper exists within.
 """
 return pulumi.get(self, "realm_id")
@@ -55,6 +56,9 @@ def realm_id(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter(name="roleId")
 def role_id(self) -> pulumi.Input[str]:
+ """
+ The ID of the role to map to an access token.
+ """
 return pulumi.get(self, "role_id")
 @role_id.setter
@@ -65,7 +69,7 @@ def role_id(self, value: pulumi.Input[str]):
 @pulumi.getter(name="clientId")
 def client_id(self) -> Optional[pulumi.Input[str]]:
 """
- The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_id")
@@ -77,7 +81,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="clientScopeId")
 def client_scope_id(self) -> Optional[pulumi.Input[str]]:
 """
- The mapper's associated client scope. Cannot be used at the same time as client_id.
+ The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_scope_id")
@@ -89,7 +93,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
 """
- A human-friendly name that will appear in the Keycloak console.
+ The display name of this protocol mapper in the GUI.
 """
 return pulumi.get(self, "name")
@@ -108,10 +112,11 @@ def __init__(__self__, *,
 role_id: Optional[pulumi.Input[str]] = None):
 """
 Input properties used for looking up and filtering HardcodedRoleProtocolMapper resources.
- :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id.
- :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id.
- :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console.
- :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists.
+ :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+ :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+ :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+ :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+ :param pulumi.Input[str] role_id: The ID of the role to map to an access token.
 """
 if client_id is not None:
 pulumi.set(__self__, "client_id", client_id)
@@ -128,7 +133,7 @@ def __init__(__self__, *,
 @pulumi.getter(name="clientId")
 def client_id(self) -> Optional[pulumi.Input[str]]:
 """
- The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_id")
@@ -140,7 +145,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="clientScopeId")
 def client_scope_id(self) -> Optional[pulumi.Input[str]]:
 """
- The mapper's associated client scope. Cannot be used at the same time as client_id.
+ The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_scope_id")
@@ -152,7 +157,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
 """
- A human-friendly name that will appear in the Keycloak console.
+ The display name of this protocol mapper in the GUI.
 """
 return pulumi.get(self, "name")
@@ -164,7 +169,7 @@ def name(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="realmId")
 def realm_id(self) -> Optional[pulumi.Input[str]]:
 """
- The realm id where the associated client or client scope exists.
+ The realm this protocol mapper exists within.
 """
 return pulumi.get(self, "realm_id")
@@ -175,6 +180,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="roleId")
 def role_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ The ID of the role to map to an access token.
+ """
 return pulumi.get(self, "role_id")
 @role_id.setter
@@ -194,17 +202,16 @@ def __init__(__self__, role_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # openid.HardcodedRoleProtocolMapper + Allows for creating and managing hardcoded role protocol mappers within Keycloak. - Allows for creating and managing hardcoded role protocol mappers within - Keycloak. + Hardcoded role protocol mappers allow you to specify a single role to always map to an access token for a client. - Hardcoded role protocol mappers allow you to specify a single role to - always map to an access token for a client. Protocol mappers can be - defined for a single client, or they can be defined for a client scope - which can be shared between multiple different clients. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - ### Example Usage (Client) + ## Example Usage + + ### Client) ```python import pulumi @@ -218,8 +225,8 @@ def __init__(__self__, name="my-role") openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -230,7 +237,7 @@ def __init__(__self__, role_id=role.id) ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi @@ -244,7 +251,7 @@ def __init__(__self__, name="my-role") client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") hardcoded_role_mapper = keycloak.openid.HardcodedRoleProtocolMapper("hardcoded_role_mapper", realm_id=realm.id, client_scope_id=client_scope.id, 
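Review bot: The added heading `+ ### Client)` carries a stray closing parenthesis left over from the old `### Example Usage (Client)` heading, and the same artifact appears as `### Client Scope)` in hunk `@@ -230,7 +237,7 @@` and again in the second `__init__` overload (hunks `@@ -285,17 +294,16 @@` and `@@ -321,7 +329,7 @@`). The headings should read `### Client` and `### Client Scope`. The bare `bash` line that sits between `Example:` and the first `sh` fence in hunk `@@ -252,31 +259,33 @@` looks like a related conversion artifact, if it is indeed a new line. Since this docstring text appears to be generated from the upstream provider documentation, the fix probably belongs in the docs conversion step rather than in this file. The enclosing `__init__` starts and ends outside the hunk.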
@@ -252,31 +259,33 @@ def __init__(__self__, role_id=role.id) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the - GUI. - - `role_id` - (Required) The ID of the role to map to an access token. - - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. 
Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] role_id: The ID of the role to map to an access token. """ ... @overload @@ -285,17 +294,16 @@ def __init__(__self__, args: HardcodedRoleProtocolMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.HardcodedRoleProtocolMapper + Allows for creating and managing hardcoded role protocol mappers within Keycloak. + + Hardcoded role protocol mappers allow you to specify a single role to always map to an access token for a client. - Allows for creating and managing hardcoded role protocol mappers within - Keycloak. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - Hardcoded role protocol mappers allow you to specify a single role to - always map to an access token for a client. Protocol mappers can be - defined for a single client, or they can be defined for a client scope - which can be shared between multiple different clients. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi @@ -309,8 +317,8 @@ def __init__(__self__, name="my-role") openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) 
@@ -321,7 +329,7 @@ def __init__(__self__, role_id=role.id) ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi @@ -335,7 +343,7 @@ def __init__(__self__, name="my-role") client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") hardcoded_role_mapper = keycloak.openid.HardcodedRoleProtocolMapper("hardcoded_role_mapper", realm_id=realm.id, client_scope_id=client_scope.id, 
@@ -343,25 +351,26 @@ def __init__(__self__, role_id=role.id) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the - GUI. - - `role_id` - (Required) The ID of the role to map to an access token. - - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param HardcodedRoleProtocolMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -422,10 +431,11 @@ def get(resource_name: str,
 :param str resource_name: The unique name of the resulting resource.
 :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
 :param pulumi.ResourceOptions opts: Options for the resource.
- :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id.
- :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id.
- :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console.
- :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists.
+ :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+ :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+ :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+ :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+ :param pulumi.Input[str] role_id: The ID of the role to map to an access token.
 """
 opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -442,7 +452,7 @@ def get(resource_name: str,
 @pulumi.getter(name="clientId")
 def client_id(self) -> pulumi.Output[Optional[str]]:
 """
- The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_id")
@@ -450,7 +460,7 @@ def client_id(self) -> pulumi.Output[Optional[str]]:
 @pulumi.getter(name="clientScopeId")
 def client_scope_id(self) -> pulumi.Output[Optional[str]]:
 """
- The mapper's associated client scope. Cannot be used at the same time as client_id.
+ The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_scope_id")
@@ -458,7 +468,7 @@ def client_scope_id(self) -> pulumi.Output[Optional[str]]:
 @pulumi.getter
 def name(self) -> pulumi.Output[str]:
 """
- A human-friendly name that will appear in the Keycloak console.
+ The display name of this protocol mapper in the GUI.
 """
 return pulumi.get(self, "name")
@@ -466,12 +476,15 @@ def name(self) -> pulumi.Output[str]:
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Output[str]:
 """
- The realm id where the associated client or client scope exists.
+ The realm this protocol mapper exists within.
 """
 return pulumi.get(self, "realm_id")
 @property
 @pulumi.getter(name="roleId")
 def role_id(self) -> pulumi.Output[str]:
+ """
+ The ID of the role to map to an access token.
+ """
 return pulumi.get(self, "role_id")
diff --git a/sdk/python/pulumi_keycloak/openid/outputs.py b/sdk/python/pulumi_keycloak/openid/outputs.py
index 3ed482dc..9fa96a38 100644
--- a/sdk/python/pulumi_keycloak/openid/outputs.py
+++ b/sdk/python/pulumi_keycloak/openid/outputs.py
@@ -55,6 +55,10 @@ def get(self, key: str, default = None) -> Any:
 def __init__(__self__, *, browser_id: Optional[str] = None, direct_grant_id: Optional[str] = None):
+ """
+ :param str browser_id: Browser flow id, (flow needs to exist)
+ :param str direct_grant_id: Direct grant flow id (flow needs to exist)
+ """
 if browser_id is not None:
 pulumi.set(__self__, "browser_id", browser_id)
 if direct_grant_id is not None:
@@ -63,11 +67,17 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="browserId")
 def browser_id(self) -> Optional[str]:
+ """
+ Browser flow id, (flow needs to exist)
+ """
 return pulumi.get(self, "browser_id")
 @property
 @pulumi.getter(name="directGrantId")
 def direct_grant_id(self) -> Optional[str]:
+ """
+ Direct grant flow id (flow needs to exist)
+ """
 return pulumi.get(self, "direct_grant_id")
@@ -101,6 +111,12 @@ def __init__(__self__, *,
 allow_remote_resource_management: Optional[bool] = None, decision_strategy: Optional[str] = None, keep_defaults: Optional[bool] = None):
+ """
+ :param str policy_enforcement_mode: Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
+ :param bool allow_remote_resource_management: When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
+ :param str decision_strategy: Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
+ :param bool keep_defaults: When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
+ """
 pulumi.set(__self__, "policy_enforcement_mode", policy_enforcement_mode)
 if allow_remote_resource_management is not None:
 pulumi.set(__self__, "allow_remote_resource_management", allow_remote_resource_management)
@@ -112,21 +128,33 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="policyEnforcementMode")
 def policy_enforcement_mode(self) -> str:
+ """
+ Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
+ """
 return pulumi.get(self, "policy_enforcement_mode")
 @property
 @pulumi.getter(name="allowRemoteResourceManagement")
 def allow_remote_resource_management(self) -> Optional[bool]:
+ """
+ When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
+ """
 return pulumi.get(self, "allow_remote_resource_management")
 @property
 @pulumi.getter(name="decisionStrategy")
 def decision_strategy(self) -> Optional[str]:
+ """
+ Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
+ """
 return pulumi.get(self, "decision_strategy")
 @property
 @pulumi.getter(name="keepDefaults")
 def keep_defaults(self) -> Optional[bool]:
+ """
+ When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
+ """
 return pulumi.get(self, "keep_defaults")
diff --git a/sdk/python/pulumi_keycloak/openid/user_attribute_protocol_mapper.py b/sdk/python/pulumi_keycloak/openid/user_attribute_protocol_mapper.py
index cd52f9c6..bdf637f2 100644
--- a/sdk/python/pulumi_keycloak/openid/user_attribute_protocol_mapper.py
+++ b/sdk/python/pulumi_keycloak/openid/user_attribute_protocol_mapper.py
@@ -33,16 +33,18 @@ def __init__(__self__, *,
 name: Optional[pulumi.Input[str]] = None):
 """
 The set of arguments for constructing a UserAttributeProtocolMapper resource.
- :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists.
- :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token.
- :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token.
- :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body.
- :param pulumi.Input[bool] aggregate_attributes: Indicates if attribute values should be aggregated within the group attributes
- :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens.
- :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id.
- :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id.
- :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values.
- :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console.
+ :param pulumi.Input[str] claim_name: The name of the claim to insert into a token.
+ :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+ :param pulumi.Input[str] user_attribute: The custom user attribute to map a claim for.
+ :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be added as a claim to the access token. Defaults to `true`.
+ :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be added as a claim to the id token. Defaults to `true`.
+ :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`.
+ :param pulumi.Input[bool] aggregate_attributes: Indicates whether this attribute is a single value or an array of values. Defaults to `false`.
+ :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
+ :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+ :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+ :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. Defaults to `false`.
+ :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
 """
 pulumi.set(__self__, "claim_name", claim_name)
 pulumi.set(__self__, "realm_id", realm_id)
@@ -69,6 +71,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="claimName")
 def claim_name(self) -> pulumi.Input[str]:
+ """
+ The name of the claim to insert into a token.
+ """
 return pulumi.get(self, "claim_name")
 @claim_name.setter
@@ -79,7 +84,7 @@ def claim_name(self, value: pulumi.Input[str]):
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Input[str]:
 """
- The realm id where the associated client or client scope exists.
+ The realm this protocol mapper exists within.
 """
 return pulumi.get(self, "realm_id")
@@ -90,6 +95,9 @@ def realm_id(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter(name="userAttribute")
 def user_attribute(self) -> pulumi.Input[str]:
+ """
+ The custom user attribute to map a claim for.
+ """
 return pulumi.get(self, "user_attribute")
 @user_attribute.setter
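Review bot: The new `aggregate_attributes` description in the UserAttributeProtocolMapperArgs docstring is word-for-word the `multivalued` description ("Indicates whether this attribute is a single value or an array of values"), so the two settings now read as the same thing, while the removed text ("Indicates if attribute values should be aggregated within the group attributes") described what the option actually controls, as far as I can tell from Keycloak's "Aggregate attribute values" mapper setting. I would restore that wording and keep the new default sentence: `:param pulumi.Input[bool] aggregate_attributes: Indicates if attribute values should be aggregated within the group attributes. Defaults to false.` with `false` in backticks like its neighbours. The same copied sentence is in the `aggregate_attributes` getter (hunk `@@ -136,7 +144,7 @@`) and the UserAttributeProtocolMapperState docstring (hunk `@@ -222,16 +230,18 @@`), and presumably in this file's later hunks outside this chunk. If this SDK text is generated from the upstream provider docs, the correction belongs there so it is not overwritten on the next regeneration. The enclosing `__init__` starts outside the hunk.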
@@ -100,7 +108,7 @@ def user_attribute(self, value: pulumi.Input[str]):
 @pulumi.getter(name="addToAccessToken")
 def add_to_access_token(self) -> Optional[pulumi.Input[bool]]:
 """
- Indicates if the attribute should be a claim in the access token.
+ Indicates if the attribute should be added as a claim to the access token. Defaults to `true`.
 """
 return pulumi.get(self, "add_to_access_token")
@@ -112,7 +120,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="addToIdToken")
 def add_to_id_token(self) -> Optional[pulumi.Input[bool]]:
 """
- Indicates if the attribute should be a claim in the id token.
+ Indicates if the attribute should be added as a claim to the id token. Defaults to `true`.
 """
 return pulumi.get(self, "add_to_id_token")
@@ -124,7 +132,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="addToUserinfo")
 def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]:
 """
- Indicates if the attribute should appear in the userinfo response body.
+ Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`.
 """
 return pulumi.get(self, "add_to_userinfo")
@@ -136,7 +144,7 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="aggregateAttributes")
 def aggregate_attributes(self) -> Optional[pulumi.Input[bool]]:
 """
- Indicates if attribute values should be aggregated within the group attributes
+ Indicates whether this attribute is a single value or an array of values. Defaults to `false`.
 """
 return pulumi.get(self, "aggregate_attributes")
@@ -148,7 +156,7 @@ def aggregate_attributes(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="claimValueType")
 def claim_value_type(self) -> Optional[pulumi.Input[str]]:
 """
- Claim type used when serializing tokens.
+ The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
 """
 return pulumi.get(self, "claim_value_type")
@@ -160,7 +168,7 @@ def claim_value_type(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="clientId")
 def client_id(self) -> Optional[pulumi.Input[str]]:
 """
- The mapper's associated client. Cannot be used at the same time as client_scope_id.
+ The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_id")
@@ -172,7 +180,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="clientScopeId")
 def client_scope_id(self) -> Optional[pulumi.Input[str]]:
 """
- The mapper's associated client scope. Cannot be used at the same time as client_id.
+ The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
 """
 return pulumi.get(self, "client_scope_id")
@@ -184,7 +192,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter
 def multivalued(self) -> Optional[pulumi.Input[bool]]:
 """
- Indicates whether this attribute is a single value or an array of values.
+ Indicates whether this attribute is a single value or an array of values. Defaults to `false`.
 """
 return pulumi.get(self, "multivalued")
@@ -196,7 +204,7 @@ def multivalued(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
 """
- A human-friendly name that will appear in the Keycloak console.
+ The display name of this protocol mapper in the GUI.
 """
 return pulumi.get(self, "name")
@@ -222,16 +230,18 @@ def __init__(__self__, *, user_attribute: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering UserAttributeProtocolMapper resources. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[bool] aggregate_attributes: Indicates if attribute values should be aggregated within the group attributes - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[bool] aggregate_attributes: Indicates whether this attribute is a single value or an array of values. Defaults to `false`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. 
+ :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. Defaults to `false`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] user_attribute: The custom user attribute to map a claim for. """ if add_to_access_token is not None: pulumi.set(__self__, "add_to_access_token", add_to_access_token) @@ -262,7 +272,7 @@ def __init__(__self__, *, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the access token. + Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -274,7 +284,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the id token. + Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") 
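Review bot: The rewritten `aggregate_attributes` entry in this state `__init__` docstring ("Indicates whether this attribute is a single value or an array of values. Defaults to `false`.") is a verbatim copy of the `multivalued` entry and no longer describes the option; the removed line ("Indicates if attribute values should be aggregated within the group attributes") was the accurate one. Since this flag changes which values end up in issued tokens, the description should be restored, e.g. `:param pulumi.Input[bool] aggregate_attributes: Indicates if attribute values should be aggregated within the group attributes.` (keep a `Defaults to` clause only if the provider schema actually declares a default). The same copied text appears in the `aggregate_attributes` getter hunk (`@@ -298`), in the resource `__init__` overload (`@@ -416`), in `get` (`@@ -675`) and in the output getter (`@@ -732`). This file looks generated from the provider schema/docs, so the fix presumably belongs in the upstream description rather than a hand edit here; the enclosing `__init__` continues outside the hunk.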
@@ -286,7 +296,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should appear in the userinfo response body. + Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") @@ -298,7 +308,7 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="aggregateAttributes") def aggregate_attributes(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if attribute values should be aggregated within the group attributes + Indicates whether this attribute is a single value or an array of values. Defaults to `false`. """ return pulumi.get(self, "aggregate_attributes") @@ -309,6 +319,9 @@ def aggregate_attributes(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="claimName") def claim_name(self) -> Optional[pulumi.Input[str]]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @claim_name.setter @@ -319,7 +332,7 @@ def claim_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="claimValueType") def claim_value_type(self) -> Optional[pulumi.Input[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -331,7 +344,7 @@ def claim_value_type(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -343,7 +356,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -355,7 +368,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def multivalued(self) -> Optional[pulumi.Input[bool]]: """ - Indicates whether this attribute is a single value or an array of values. + Indicates whether this attribute is a single value or an array of values. Defaults to `false`. """ return pulumi.get(self, "multivalued") @@ -367,7 +380,7 @@ def multivalued(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -379,7 +392,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -390,6 +403,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="userAttribute") def user_attribute(self) -> Optional[pulumi.Input[str]]: + """ + The custom user attribute to map a claim for. + """ return pulumi.get(self, "user_attribute") @user_attribute.setter 
@@ -416,17 +432,16 @@ def __init__(__self__, user_attribute: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # openid.UserAttributeProtocolMapper + Allows for creating and managing user attribute protocol mappers within Keycloak. + + User attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to a claim in a token. - Allows for creating and managing user attribute protocol mappers within - Keycloak. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - User attribute protocol mappers allow you to map custom attributes defined - for a user within Keycloak to a claim in a token. Protocol mappers can be - defined for a single client, or they can be defined for a client scope which - can be shared between multiple different clients. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi @@ -437,20 +452,20 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) user_attribute_mapper = keycloak.openid.UserAttributeProtocolMapper("user_attribute_mapper", realm_id=realm.id, client_id=openid_client.id, - name="test-mapper", + name="user-attribute-mapper", user_attribute="foo", claim_name="bar") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi 
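Review bot: The replacement headings `### Client)` and `### Client Scope)` in the resource `__init__` docstring keep a stray closing parenthesis from the old `### Example Usage (Client)` text, so the rendered docs show a dangling `)`. They should read `### Client` and `### Client Scope` under the new `## Example Usage` heading. The second `__init__` overload (`@@ -514` / `@@ -535`) has the same two headings; if the text is generated, the upstream doc source is the place to fix it. The enclosing `__init__` begins and ends outside these hunks.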
@@ -461,51 +476,49 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") user_attribute_mapper = keycloak.openid.UserAttributeProtocolMapper("user_attribute_mapper", realm_id=realm.id, client_scope_id=client_scope.id, - name="test-mapper", + name="user-attribute-mapper", user_attribute="foo", claim_name="bar") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `user_attribute` - (Required) The custom user attribute to map a claim for. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - - `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. - - `add_to_id_token` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. 
- - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[bool] aggregate_attributes: Indicates if attribute values should be aggregated within the group attributes - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. 
+ :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[bool] aggregate_attributes: Indicates whether this attribute is a single value or an array of values. Defaults to `false`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. Defaults to `false`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] user_attribute: The custom user attribute to map a claim for. """ ... @overload 
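Review bot: In the new `## Import` section a bare `bash` line is inserted between `Example:` and the two ```sh fences, which appears to be a leftover from a fence marker and renders as a stray word in the docstring. It should be dropped (the ```sh fences already carry the language), leaving `Example:` followed directly by the two fenced commands. The same stray `bash` line appears in the second overload's hunk (`@@ -559`). The enclosing `__init__` starts before and ends after this hunk.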
@@ -514,17 +527,16 @@ def __init__(__self__, args: UserAttributeProtocolMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.UserAttributeProtocolMapper + Allows for creating and managing user attribute protocol mappers within Keycloak. + + User attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to a claim in a token. - Allows for creating and managing user attribute protocol mappers within - Keycloak. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - User attribute protocol mappers allow you to map custom attributes defined - for a user within Keycloak to a claim in a token. Protocol mappers can be - defined for a single client, or they can be defined for a client scope which - can be shared between multiple different clients. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi @@ -535,20 +547,20 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) user_attribute_mapper = keycloak.openid.UserAttributeProtocolMapper("user_attribute_mapper", realm_id=realm.id, client_id=openid_client.id, - name="test-mapper", + name="user-attribute-mapper", user_attribute="foo", claim_name="bar") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi 
@@ -559,39 +571,35 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") user_attribute_mapper = keycloak.openid.UserAttributeProtocolMapper("user_attribute_mapper", realm_id=realm.id, client_scope_id=client_scope.id, - name="test-mapper", + name="user-attribute-mapper", user_attribute="foo", claim_name="bar") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `user_attribute` - (Required) The custom user attribute to map a claim for. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - - `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. - - `add_to_id_token` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. 
- - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param UserAttributeProtocolMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -675,16 +683,18 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[bool] aggregate_attributes: Indicates if attribute values should be aggregated within the group attributes - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[bool] aggregate_attributes: Indicates whether this attribute is a single value or an array of values. Defaults to `false`. 
+ :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. Defaults to `false`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] user_attribute: The custom user attribute to map a claim for. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -708,7 +718,7 @@ def get(resource_name: str, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the attribute should be a claim in the access token. + Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -716,7 +726,7 @@ def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the attribute should be a claim in the id token. + Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") 
@@ -724,7 +734,7 @@ def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the attribute should appear in the userinfo response body. + Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") @@ -732,20 +742,23 @@ def add_to_userinfo(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="aggregateAttributes") def aggregate_attributes(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if attribute values should be aggregated within the group attributes + Indicates whether this attribute is a single value or an array of values. Defaults to `false`. """ return pulumi.get(self, "aggregate_attributes") @property @pulumi.getter(name="claimName") def claim_name(self) -> pulumi.Output[str]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @property @pulumi.getter(name="claimValueType") def claim_value_type(self) -> pulumi.Output[Optional[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -753,7 +766,7 @@ def claim_value_type(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -761,7 +774,7 @@ def client_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -769,7 +782,7 @@ def client_scope_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter def multivalued(self) -> pulumi.Output[Optional[bool]]: """ - Indicates whether this attribute is a single value or an array of values. + Indicates whether this attribute is a single value or an array of values. Defaults to `false`. """ return pulumi.get(self, "multivalued") @@ -777,7 +790,7 @@ def multivalued(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -785,12 +798,15 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @property @pulumi.getter(name="userAttribute") def user_attribute(self) -> pulumi.Output[str]: + """ + The custom user attribute to map a claim for. + """ return pulumi.get(self, "user_attribute") diff --git a/sdk/python/pulumi_keycloak/openid/user_property_protocol_mapper.py b/sdk/python/pulumi_keycloak/openid/user_property_protocol_mapper.py index 2f035585..e263889c 100644 --- a/sdk/python/pulumi_keycloak/openid/user_property_protocol_mapper.py +++ b/sdk/python/pulumi_keycloak/openid/user_property_protocol_mapper.py 
@@ -31,14 +31,16 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a UserPropertyProtocolMapper resource. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. - :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] user_property: The built in user property (such as email) to map a claim for. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. 
+ :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. """ pulumi.set(__self__, "claim_name", claim_name) pulumi.set(__self__, "realm_id", realm_id) @@ -61,6 +63,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="claimName") def claim_name(self) -> pulumi.Input[str]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @claim_name.setter @@ -71,7 +76,7 @@ def claim_name(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -82,6 +87,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="userProperty") def user_property(self) -> pulumi.Input[str]: + """ + The built in user property (such as email) to map a claim for. + """ return pulumi.get(self, "user_property") @user_property.setter @@ -92,7 +100,7 @@ def user_property(self, value: pulumi.Input[str]): @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the property should be a claim in the access token. + Indicates if the property should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") 
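Review bot: The new `client_scope_id` description in the args `__init__` docstring ends with a leftover fragment — "`client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to." — appended after the full sentence, so the requirement is stated twice in two different styles. The entry should stop after `One of \`client_id\` or \`client_scope_id\` must be specified.`, matching the `client_id` entry beside it and the `UserAttributeProtocolMapper` file earlier in this diff. The same fragment is present in the `client_scope_id` getter hunk (`@@ -152`) and in the state `__init__` hunk (`@@ -188`) of this file. The enclosing `__init__` continues outside the hunk.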
@@ -104,7 +112,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the property should be a claim in the id token. + Indicates if the property should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") @@ -116,7 +124,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the property should appear in the userinfo response body. + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") @@ -128,7 +136,7 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="claimValueType") def claim_value_type(self) -> Optional[pulumi.Input[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -140,7 +148,7 @@ def claim_value_type(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -152,7 +160,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. """ return pulumi.get(self, "client_scope_id") @@ -164,7 +172,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") 
@@ -188,14 +196,16 @@ def __init__(__self__, *, user_property: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering UserPropertyProtocolMapper resources. - :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. 
+ :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] user_property: The built in user property (such as email) to map a claim for. """ if add_to_access_token is not None: pulumi.set(__self__, "add_to_access_token", add_to_access_token) @@ -222,7 +232,7 @@ def __init__(__self__, *, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the property should be a claim in the access token. + Indicates if the property should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -234,7 +244,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the property should be a claim in the id token. + Indicates if the property should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") @@ -246,7 +256,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the property should appear in the userinfo response body. + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") 
@@ -257,6 +267,9 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="claimName") def claim_name(self) -> Optional[pulumi.Input[str]]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @claim_name.setter @@ -267,7 +280,7 @@ def claim_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="claimValueType") def claim_value_type(self) -> Optional[pulumi.Input[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -279,7 +292,7 @@ def claim_value_type(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") @@ -291,7 +304,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. """ return pulumi.get(self, "client_scope_id") 
@@ -303,7 +316,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -315,7 +328,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -326,6 +339,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="userProperty") def user_property(self) -> Optional[pulumi.Input[str]]: + """ + The built in user property (such as email) to map a claim for. + """ return pulumi.get(self, "user_property") @user_property.setter @@ -350,17 +366,17 @@ def __init__(__self__, user_property: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # openid.UserPropertyProtocolMapper + Allows for creating and managing user property protocol mappers within Keycloak. + + User property protocol mappers allow you to map built in properties defined on the Keycloak user interface to a claim in + a token. - Allows for creating and managing user property protocol mappers within - Keycloak. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - User property protocol mappers allow you to map built in properties defined - on the Keycloak user interface to a claim in a token. Protocol mappers can be - defined for a single client, or they can be defined for a client scope which - can be shared between multiple different clients. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi 
@@ -371,20 +387,20 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) user_property_mapper = keycloak.openid.UserPropertyProtocolMapper("user_property_mapper", realm_id=realm.id, client_id=openid_client.id, - name="test-mapper", + name="user-property-mapper", user_property="email", claim_name="email") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi @@ -395,7 +411,7 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") user_property_mapper = keycloak.openid.UserPropertyProtocolMapper("user_property_mapper", realm_id=realm.id, client_scope_id=client_scope.id, 
@@ -404,39 +420,38 @@ def __init__(__self__, claim_name="email") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `user_property` - (Required) The built in user property (such as email) to map a claim for. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. 
+ :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] user_property: The built in user property (such as email) to map a claim for. """ ... @overload 
@@ -445,17 +460,17 @@ def __init__(__self__, args: UserPropertyProtocolMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.UserPropertyProtocolMapper + Allows for creating and managing user property protocol mappers within Keycloak. + + User property protocol mappers allow you to map built in properties defined on the Keycloak user interface to a claim in + a token. - Allows for creating and managing user property protocol mappers within - Keycloak. + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. - User property protocol mappers allow you to map built in properties defined - on the Keycloak user interface to a claim in a token. Protocol mappers can be - defined for a single client, or they can be defined for a client scope which - can be shared between multiple different clients. + ## Example Usage - ### Example Usage (Client) + ### Client) ```python import pulumi @@ -466,20 +481,20 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) user_property_mapper = keycloak.openid.UserPropertyProtocolMapper("user_property_mapper", realm_id=realm.id, client_id=openid_client.id, - name="test-mapper", + name="user-property-mapper", user_property="email", claim_name="email") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi @@ -490,7 +505,7 @@ def __init__(__self__, enabled=True) client_scope = keycloak.openid.ClientScope("client_scope", realm_id=realm.id, - name="test-client-scope") + name="client-scope") user_property_mapper = keycloak.openid.UserPropertyProtocolMapper("user_property_mapper", realm_id=realm.id, client_scope_id=client_scope.id, 
@@ -499,29 +514,26 @@ def __init__(__self__, claim_name="email") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `user_property` - (Required) The built in user property (such as email) to map a claim for. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param UserPropertyProtocolMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -599,14 +611,16 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. 
One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] user_property: The built in user property (such as email) to map a claim for. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -628,7 +642,7 @@ def get(resource_name: str, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the property should be a claim in the access token. + Indicates if the property should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -636,7 +650,7 @@ def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the property should be a claim in the id token. + Indicates if the property should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") 
@@ -644,20 +658,23 @@ def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the property should appear in the userinfo response body. + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") @property @pulumi.getter(name="claimName") def claim_name(self) -> pulumi.Output[str]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @property @pulumi.getter(name="claimValueType") def claim_value_type(self) -> pulumi.Output[Optional[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -665,7 +682,7 @@ def claim_value_type(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") @@ -673,7 +690,7 @@ def client_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. """ return pulumi.get(self, "client_scope_id") 
@@ -681,7 +698,7 @@ def client_scope_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -689,12 +706,15 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @property @pulumi.getter(name="userProperty") def user_property(self) -> pulumi.Output[str]: + """ + The built in user property (such as email) to map a claim for. + """ return pulumi.get(self, "user_property") diff --git a/sdk/python/pulumi_keycloak/openid/user_realm_role_protocol_mapper.py b/sdk/python/pulumi_keycloak/openid/user_realm_role_protocol_mapper.py index 83c35132..574b817c 100644 --- a/sdk/python/pulumi_keycloak/openid/user_realm_role_protocol_mapper.py +++ b/sdk/python/pulumi_keycloak/openid/user_realm_role_protocol_mapper.py 
@@ -32,16 +32,17 @@ def __init__(__self__, *, realm_role_prefix: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a UserRealmRoleProtocolMapper resource. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_role_prefix: Prefix that will be added to each realm role. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. 
Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] multivalued: Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_role_prefix: A prefix for each Realm Role. """ pulumi.set(__self__, "claim_name", claim_name) pulumi.set(__self__, "realm_id", realm_id) @@ -67,6 +68,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="claimName") def claim_name(self) -> pulumi.Input[str]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @claim_name.setter @@ -77,7 +81,7 @@ def claim_name(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -89,7 +93,7 @@ def realm_id(self, value: pulumi.Input[str]): @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the access token. + Indicates if the property should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") 
@@ -101,7 +105,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the id token. + Indicates if the property should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") @@ -113,7 +117,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should appear in the userinfo response body. + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") @@ -125,7 +129,7 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="claimValueType") def claim_value_type(self) -> Optional[pulumi.Input[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -137,7 +141,7 @@ def claim_value_type(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -149,7 +153,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -161,7 +165,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def multivalued(self) -> Optional[pulumi.Input[bool]]: """ - Indicates whether this attribute is a single value or an array of values. + Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. """ return pulumi.get(self, "multivalued") @@ -173,7 +177,7 @@ def multivalued(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -185,7 +189,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmRolePrefix") def realm_role_prefix(self) -> Optional[pulumi.Input[str]]: """ - Prefix that will be added to each realm role. + A prefix for each Realm Role. """ return pulumi.get(self, "realm_role_prefix") 
@@ -210,16 +214,17 @@ def __init__(__self__, *, realm_role_prefix: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering UserRealmRoleProtocolMapper resources. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. - :param pulumi.Input[str] realm_role_prefix: Prefix that will be added to each realm role. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. 
+ :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] multivalued: Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] realm_role_prefix: A prefix for each Realm Role. """ if add_to_access_token is not None: pulumi.set(__self__, "add_to_access_token", add_to_access_token) @@ -248,7 +253,7 @@ def __init__(__self__, *, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the access token. + Indicates if the property should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -260,7 +265,7 @@ def add_to_access_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should be a claim in the id token. + Indicates if the property should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") 
@@ -272,7 +277,7 @@ def add_to_id_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> Optional[pulumi.Input[bool]]: """ - Indicates if the attribute should appear in the userinfo response body. + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") @@ -283,6 +288,9 @@ def add_to_userinfo(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="claimName") def claim_name(self) -> Optional[pulumi.Input[str]]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @claim_name.setter @@ -293,7 +301,7 @@ def claim_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="claimValueType") def claim_value_type(self) -> Optional[pulumi.Input[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -305,7 +313,7 @@ def claim_value_type(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") 
@@ -317,7 +325,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") @@ -329,7 +337,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def multivalued(self) -> Optional[pulumi.Input[bool]]: """ - Indicates whether this attribute is a single value or an array of values. + Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. """ return pulumi.get(self, "multivalued") @@ -341,7 +349,7 @@ def multivalued(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -353,7 +361,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -365,7 +373,7 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmRolePrefix") def realm_role_prefix(self) -> Optional[pulumi.Input[str]]: """ - Prefix that will be added to each realm role. + A prefix for each Realm Role. """ return pulumi.get(self, "realm_role_prefix") 
@@ -392,17 +400,16 @@ def __init__(__self__, realm_role_prefix: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # openid.UserRealmRoleProtocolMapper - - Allows for creating and managing user realm role protocol mappers within - Keycloak. + Allows for creating and managing user realm role protocol mappers within Keycloak. User realm role protocol mappers allow you to define a claim containing the list of the realm roles. - Protocol mappers can be defined for a single client, or they can - be defined for a client scope which can be shared between multiple different - clients. - ### Example Usage (Client) + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. + + ## Example Usage + + ### Client) ```python import pulumi @@ -413,8 +420,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -425,7 +432,7 @@ def __init__(__self__, claim_name="foo") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi 
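Review bot: The new headings `### Client)` and `### Client Scope)` in the `__init__` docstring carry a dangling parenthesis; the old `### Example Usage (Client)` lost its prefix but kept the closing `)`, presumably when the examples were re-sectioned under `## Example Usage`. They should read `### Client` and `### Client Scope`. The same two headings recur in the overload's hunk at `@@ -488,17 +492,16 @@`. This file looks generated, so the correction belongs in the upstream docs or the docs converter rather than in this diff.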
@@ -444,42 +451,39 @@ def __init__(__self__, claim_name="foo") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - - `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `true`. - - `realm_role_prefix` - (Optional) A prefix for each Realm Role. - - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. - :param pulumi.Input[str] realm_role_prefix: Prefix that will be added to each realm role. 
+ :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] multivalued: Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] realm_role_prefix: A prefix for each Realm Role. """ ... @overload 
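Review bot: The rewritten `## Import` section inserts a bare `bash` line between `Example:` and the first `sh` fence, which renders as a stray word in the docstring; it looks like the remnant of a `bash` code fence the converter only partially rewrote. Dropping that line (and the blank after it) leaves the two `sh` fences intact and correct. The same stray line appears in the overload's hunk at `@@ -540,30 +543,26 @@`. As the file appears generated, the fix belongs upstream.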
@@ -488,17 +492,16 @@ def __init__(__self__, args: UserRealmRoleProtocolMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # openid.UserRealmRoleProtocolMapper - - Allows for creating and managing user realm role protocol mappers within - Keycloak. + Allows for creating and managing user realm role protocol mappers within Keycloak. User realm role protocol mappers allow you to define a claim containing the list of the realm roles. - Protocol mappers can be defined for a single client, or they can - be defined for a client scope which can be shared between multiple different - clients. - ### Example Usage (Client) + Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between + multiple different clients. + + ## Example Usage + + ### Client) ```python import pulumi @@ -509,8 +512,8 @@ def __init__(__self__, enabled=True) openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, - client_id="test-client", - name="test client", + client_id="client", + name="client", enabled=True, access_type="CONFIDENTIAL", valid_redirect_uris=["http://localhost:8080/openid-callback"]) @@ -521,7 +524,7 @@ def __init__(__self__, claim_name="foo") ``` - ### Example Usage (Client Scope) + ### Client Scope) ```python import pulumi 
@@ -540,30 +543,26 @@ def __init__(__self__, claim_name="foo") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `claim_name` - (Required) The name of the claim to insert into a token. - - `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. - - `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `true`. - - `realm_role_prefix` - (Optional) A prefix for each Realm Role. - - `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. - - `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - - `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. 
- - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param UserRealmRoleProtocolMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -642,16 +641,17 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_to_access_token: Indicates if the attribute should be a claim in the access token. - :param pulumi.Input[bool] add_to_id_token: Indicates if the attribute should be a claim in the id token. - :param pulumi.Input[bool] add_to_userinfo: Indicates if the attribute should appear in the userinfo response body. - :param pulumi.Input[str] claim_value_type: Claim type used when serializing tokens. - :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. - :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. - :param pulumi.Input[bool] multivalued: Indicates whether this attribute is a single value or an array of values. - :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. - :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. - :param pulumi.Input[str] realm_role_prefix: Prefix that will be added to each realm role. + :param pulumi.Input[bool] add_to_access_token: Indicates if the property should be added as a claim to the access token. Defaults to `true`. + :param pulumi.Input[bool] add_to_id_token: Indicates if the property should be added as a claim to the id token. Defaults to `true`. + :param pulumi.Input[bool] add_to_userinfo: Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. + :param pulumi.Input[str] claim_name: The name of the claim to insert into a token. + :param pulumi.Input[str] claim_value_type: The claim type used when serializing JSON tokens. 
Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[bool] multivalued: Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] realm_role_prefix: A prefix for each Realm Role. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -674,7 +674,7 @@ def get(resource_name: str, @pulumi.getter(name="addToAccessToken") def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the attribute should be a claim in the access token. + Indicates if the property should be added as a claim to the access token. Defaults to `true`. """ return pulumi.get(self, "add_to_access_token") @@ -682,7 +682,7 @@ def add_to_access_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="addToIdToken") def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the attribute should be a claim in the id token. + Indicates if the property should be added as a claim to the id token. Defaults to `true`. """ return pulumi.get(self, "add_to_id_token") 
@@ -690,20 +690,23 @@ def add_to_id_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="addToUserinfo") def add_to_userinfo(self) -> pulumi.Output[Optional[bool]]: """ - Indicates if the attribute should appear in the userinfo response body. + Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. """ return pulumi.get(self, "add_to_userinfo") @property @pulumi.getter(name="claimName") def claim_name(self) -> pulumi.Output[str]: + """ + The name of the claim to insert into a token. + """ return pulumi.get(self, "claim_name") @property @pulumi.getter(name="claimValueType") def claim_value_type(self) -> pulumi.Output[Optional[str]]: """ - Claim type used when serializing tokens. + The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. """ return pulumi.get(self, "claim_value_type") @@ -711,7 +714,7 @@ def claim_value_type(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client. Cannot be used at the same time as client_scope_id. + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_id") @@ -719,7 +722,7 @@ def client_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> pulumi.Output[Optional[str]]: """ - The mapper's associated client scope. Cannot be used at the same time as client_id. + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. """ return pulumi.get(self, "client_scope_id") 
@@ -727,7 +730,7 @@ def client_scope_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter def multivalued(self) -> pulumi.Output[Optional[bool]]: """ - Indicates whether this attribute is a single value or an array of values. + Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. """ return pulumi.get(self, "multivalued") @@ -735,7 +738,7 @@ def multivalued(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - A human-friendly name that will appear in the Keycloak console. + The display name of this protocol mapper in the GUI. """ return pulumi.get(self, "name") @@ -743,7 +746,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm id where the associated client or client scope exists. + The realm this protocol mapper exists within. """ return pulumi.get(self, "realm_id") @@ -751,7 +754,7 @@ def realm_id(self) -> pulumi.Output[str]: @pulumi.getter(name="realmRolePrefix") def realm_role_prefix(self) -> pulumi.Output[Optional[str]]: """ - Prefix that will be added to each realm role. + A prefix for each Realm Role. """ return pulumi.get(self, "realm_role_prefix") diff --git a/sdk/python/pulumi_keycloak/outputs.py b/sdk/python/pulumi_keycloak/outputs.py index 4de3ad8f..97337845 100644 --- a/sdk/python/pulumi_keycloak/outputs.py +++ b/sdk/python/pulumi_keycloak/outputs.py 
@@ -309,17 +309,27 @@ def get(self, key: str, default = None) -> Any: def __init__(__self__, *, default_locale: str, supported_locales: Sequence[str]): + """ + :param str default_locale: The locale to use by default. This locale code must be present within the `supported_locales` list. + :param Sequence[str] supported_locales: A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + """ pulumi.set(__self__, "default_locale", default_locale) pulumi.set(__self__, "supported_locales", supported_locales) @property @pulumi.getter(name="defaultLocale") def default_locale(self) -> str: + """ + The locale to use by default. This locale code must be present within the `supported_locales` list. + """ return pulumi.get(self, "default_locale") @property @pulumi.getter(name="supportedLocales") def supported_locales(self) -> Sequence[str]: + """ + A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. + """ return pulumi.get(self, "supported_locales") 
@@ -352,8 +362,12 @@ def __init__(__self__, *, period: Optional[int] = None, type: Optional[str] = None): """ - :param str algorithm: What hashing algorithm should be used to generate the OTP. - :param str type: OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + :param str algorithm: What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. + :param int digits: How many digits the OTP have. Defaults to `6`. + :param int initial_counter: What should the initial counter value be. Defaults to `2`. + :param int look_ahead_window: How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + :param int period: How many seconds should an OTP token be valid. Defaults to `30`. + :param str type: One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. """ if algorithm is not None: pulumi.set(__self__, "algorithm", algorithm) 
@@ -372,35 +386,47 @@ def __init__(__self__, *, @pulumi.getter def algorithm(self) -> Optional[str]: """ - What hashing algorithm should be used to generate the OTP. + What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. """ return pulumi.get(self, "algorithm") @property @pulumi.getter def digits(self) -> Optional[int]: + """ + How many digits the OTP have. Defaults to `6`. + """ return pulumi.get(self, "digits") @property @pulumi.getter(name="initialCounter") def initial_counter(self) -> Optional[int]: + """ + What should the initial counter value be. Defaults to `2`. + """ return pulumi.get(self, "initial_counter") @property @pulumi.getter(name="lookAheadWindow") def look_ahead_window(self) -> Optional[int]: + """ + How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`. + """ return pulumi.get(self, "look_ahead_window") @property @pulumi.getter def period(self) -> Optional[int]: + """ + How many seconds should an OTP token be valid. Defaults to `30`. + """ return pulumi.get(self, "period") @property @pulumi.getter def type(self) -> Optional[str]: """ - OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password + One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`. """ return pulumi.get(self, "type") 
@@ -482,6 +508,15 @@ def __init__(__self__, *, permanent_lockout: Optional[bool] = None, quick_login_check_milli_seconds: Optional[int] = None, wait_increment_seconds: Optional[int] = None): + """ + :param int failure_reset_time_seconds: When will failure count be reset? + :param int max_login_failures: How many failures before wait is triggered. + :param int minimum_quick_login_wait_seconds: How long to wait after a quick login failure. + - `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + :param bool permanent_lockout: When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + :param int quick_login_check_milli_seconds: Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + :param int wait_increment_seconds: This represents the amount of time a user should be locked out when the login failure threshold has been met. + """ if failure_reset_time_seconds is not None: pulumi.set(__self__, "failure_reset_time_seconds", failure_reset_time_seconds) if max_failure_wait_seconds is not None: @@ -500,6 +535,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="failureResetTimeSeconds") def failure_reset_time_seconds(self) -> Optional[int]: + """ + When will failure count be reset? + """ return pulumi.get(self, "failure_reset_time_seconds") @property 
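Review bot: The added docstring for `minimum_quick_login_wait_seconds` (here in `__init__`, and again in the property hunk at `@@ -510,26 +548,42 @@`) absorbs a bullet that belongs to a different argument, `max_failure_wait_seconds` ("Max. time a user will be locked out."), while `max_failure_wait_seconds` itself — the lockout ceiling operators tune when configuring brute-force protection — gets neither a `:param` line nor a property docstring. The trailing space inside the backticked name in the upstream argument list probably kept the docs parser from matching it to the parameter. Proposed: add `:param int max_failure_wait_seconds: Max. time a user will be locked out.` and remove the stray bullet from the `minimum_quick_login_wait_seconds` text; the file looks generated, so the change belongs in the upstream docs.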
@@ -510,26 +548,42 @@ def max_failure_wait_seconds(self) -> Optional[int]: @property @pulumi.getter(name="maxLoginFailures") def max_login_failures(self) -> Optional[int]: + """ + How many failures before wait is triggered. + """ return pulumi.get(self, "max_login_failures") @property @pulumi.getter(name="minimumQuickLoginWaitSeconds") def minimum_quick_login_wait_seconds(self) -> Optional[int]: + """ + How long to wait after a quick login failure. + - `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. + """ return pulumi.get(self, "minimum_quick_login_wait_seconds") @property @pulumi.getter(name="permanentLockout") def permanent_lockout(self) -> Optional[bool]: + """ + When `true`, this will lock the user permanently when the user exceeds the maximum login failures. + """ return pulumi.get(self, "permanent_lockout") @property @pulumi.getter(name="quickLoginCheckMilliSeconds") def quick_login_check_milli_seconds(self) -> Optional[int]: + """ + Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. + """ return pulumi.get(self, "quick_login_check_milli_seconds") @property @pulumi.getter(name="waitIncrementSeconds") def wait_increment_seconds(self) -> Optional[int]: + """ + This represents the amount of time a user should be locked out when the login failure threshold has been met. + """ return pulumi.get(self, "wait_increment_seconds") 
@@ -575,6 +629,16 @@ def __init__(__self__, *, x_frame_options: Optional[str] = None, x_robots_tag: Optional[str] = None, x_xss_protection: Optional[str] = None): + """ + :param str content_security_policy: Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + :param str content_security_policy_report_only: Used for testing Content Security Policies. + :param str referrer_policy: The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + :param str strict_transport_security: The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + :param str x_content_type_options: Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + :param str x_frame_options: Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + :param str x_robots_tag: Prevent pages from appearing in search engines. + :param str x_xss_protection: This header configures the Cross-site scripting (XSS) filter in your browser. + """ if content_security_policy is not None: pulumi.set(__self__, "content_security_policy", content_security_policy) if content_security_policy_report_only is not None: 
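Review bot: The new `strict_transport_security` description names the header `Script-Transport-Security`; the header is `Strict-Transport-Security` (HSTS), and a security-headers docstring should not misname it, since operators search for the exact header name. Proposed: `:param str strict_transport_security: The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.`. The `content_security_policy` text also reuses the X-Frame-Options wording ("prevent pages from being included by non-origin iframes"), which undersells CSP; framing control is only one directive (`frame-ancestors`), so a phrasing such as `Sets the Content-Security-Policy header, which restricts the sources a page may load and, via frame-ancestors, whether it may be framed by non-origin sites.` would be more accurate. Both strings recur in the property docstrings in the `@@ -595,41 +659,65 @@` hunk, and since the file appears generated the fix belongs in the upstream docs.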
@@ -595,41 +659,65 @@ def __init__(__self__, *, @property @pulumi.getter(name="contentSecurityPolicy") def content_security_policy(self) -> Optional[str]: + """ + Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. + """ return pulumi.get(self, "content_security_policy") @property @pulumi.getter(name="contentSecurityPolicyReportOnly") def content_security_policy_report_only(self) -> Optional[str]: + """ + Used for testing Content Security Policies. + """ return pulumi.get(self, "content_security_policy_report_only") @property @pulumi.getter(name="referrerPolicy") def referrer_policy(self) -> Optional[str]: + """ + The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. + """ return pulumi.get(self, "referrer_policy") @property @pulumi.getter(name="strictTransportSecurity") def strict_transport_security(self) -> Optional[str]: + """ + The Script-Transport-Security HTTP header tells browsers to always use HTTPS. + """ return pulumi.get(self, "strict_transport_security") @property @pulumi.getter(name="xContentTypeOptions") def x_content_type_options(self) -> Optional[str]: + """ + Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type + """ return pulumi.get(self, "x_content_type_options") @property @pulumi.getter(name="xFrameOptions") def x_frame_options(self) -> Optional[str]: + """ + Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) + """ return pulumi.get(self, "x_frame_options") @property @pulumi.getter(name="xRobotsTag") def x_robots_tag(self) -> Optional[str]: + """ + Prevent pages from appearing in search engines. 
+ """ return pulumi.get(self, "x_robots_tag") @property @pulumi.getter(name="xXssProtection") def x_xss_protection(self) -> Optional[str]: + """ + This header configures the Cross-site scripting (XSS) filter in your browser. + """ return pulumi.get(self, "x_xss_protection") @@ -671,6 +759,18 @@ def __init__(__self__, *, reply_to_display_name: Optional[str] = None, ssl: Optional[bool] = None, starttls: Optional[bool] = None): + """ + :param str from_: The email address for the sender. + :param str host: The host of the SMTP server. + :param 'RealmSmtpServerAuthArgs' auth: Enables authentication to the SMTP server. This block supports the following arguments: + :param str envelope_from: The email address uses for bounces. + :param str from_display_name: The display name of the sender email address. + :param str port: The port of the SMTP server (defaults to 25). + :param str reply_to: The "reply to" email address. + :param str reply_to_display_name: The display name of the "reply to" email address. + :param bool ssl: When `true`, enables SSL. Defaults to `false`. + :param bool starttls: When `true`, enables StartTLS. Defaults to `false`. + """ pulumi.set(__self__, "from_", from_) pulumi.set(__self__, "host", host) if auth is not None: 
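Review bot: The `auth` parameter doc in the SMTP `__init__` hunk (`@@ -671,6`) ends with `This block supports the following arguments:` and then nothing follows, because the list it introduced lived in the markdown it was copied from; the same dangling sentence is repeated on the `auth` getter in the next hunk (`@@ -693,51`). Suggest `Enables authentication to the SMTP server; see RealmSmtpServerAuthArgs for the username and password fields.` in both places. The enclosing `__init__` starts above the hunk.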
@@ -693,51 +793,81 @@ def __init__(__self__, *, @property @pulumi.getter(name="from") def from_(self) -> str: + """ + The email address for the sender. + """ return pulumi.get(self, "from_") @property @pulumi.getter def host(self) -> str: + """ + The host of the SMTP server. + """ return pulumi.get(self, "host") @property @pulumi.getter def auth(self) -> Optional['outputs.RealmSmtpServerAuth']: + """ + Enables authentication to the SMTP server. This block supports the following arguments: + """ return pulumi.get(self, "auth") @property @pulumi.getter(name="envelopeFrom") def envelope_from(self) -> Optional[str]: + """ + The email address uses for bounces. + """ return pulumi.get(self, "envelope_from") @property @pulumi.getter(name="fromDisplayName") def from_display_name(self) -> Optional[str]: + """ + The display name of the sender email address. + """ return pulumi.get(self, "from_display_name") @property @pulumi.getter def port(self) -> Optional[str]: + """ + The port of the SMTP server (defaults to 25). + """ return pulumi.get(self, "port") @property @pulumi.getter(name="replyTo") def reply_to(self) -> Optional[str]: + """ + The "reply to" email address. + """ return pulumi.get(self, "reply_to") @property @pulumi.getter(name="replyToDisplayName") def reply_to_display_name(self) -> Optional[str]: + """ + The display name of the "reply to" email address. + """ return pulumi.get(self, "reply_to_display_name") @property @pulumi.getter def ssl(self) -> Optional[bool]: + """ + When `true`, enables SSL. Defaults to `false`. + """ return pulumi.get(self, "ssl") @property @pulumi.getter def starttls(self) -> Optional[bool]: + """ + When `true`, enables StartTLS. Defaults to `false`. + """ return pulumi.get(self, "starttls") 
@@ -746,17 +876,27 @@ class RealmSmtpServerAuth(dict): def __init__(__self__, *, password: str, username: str): + """ + :param str password: The SMTP server password. + :param str username: The SMTP server username. + """ pulumi.set(__self__, "password", password) pulumi.set(__self__, "username", username) @property @pulumi.getter def password(self) -> str: + """ + The SMTP server password. + """ return pulumi.get(self, "password") @property @pulumi.getter def username(self) -> str: + """ + The SMTP server username. + """ return pulumi.get(self, "username") @@ -1058,8 +1198,13 @@ def __init__(__self__, *, signature_algorithms: Optional[Sequence[str]] = None, user_verification_requirement: Optional[str] = None): """ + :param Sequence[str] acceptable_aaguids: A set of AAGUIDs for which an authenticator can be registered. :param str attestation_conveyance_preference: Either none, indirect or direct :param str authenticator_attachment: Either platform or cross-platform + :param bool avoid_same_authenticator_register: When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + :param int create_timeout: The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + :param str relying_party_entity_name: A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + :param str relying_party_id: The WebAuthn relying party ID. :param str require_resident_key: Either Yes or No :param Sequence[str] signature_algorithms: Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing :param str user_verification_requirement: Either required, preferred or discouraged 
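Review bot: The new docstrings on `RealmSmtpServerAuth.password` and on `UserInitialPassword.value` (hunk `@@ -1352,11`) document credentials without saying how they are handled, and whether a Pulumi input is encrypted in state depends on the schema marking it secret, which this diff does not show. A one-line caveat would help users: `The SMTP server password. Treat as a secret: pass it via pulumi.Output.secret() or config.require_secret() so it is encrypted in state.`, and likewise for the initial password. While there, `Default to` on the `temporary` docstring should read `Defaults to`, matching the other docstrings in this file.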
@@ -1088,6 +1233,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="acceptableAaguids") def acceptable_aaguids(self) -> Optional[Sequence[str]]: + """ + A set of AAGUIDs for which an authenticator can be registered. + """ return pulumi.get(self, "acceptable_aaguids") @property @@ -1109,21 +1257,33 @@ def authenticator_attachment(self) -> Optional[str]: @property @pulumi.getter(name="avoidSameAuthenticatorRegister") def avoid_same_authenticator_register(self) -> Optional[bool]: + """ + When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + """ return pulumi.get(self, "avoid_same_authenticator_register") @property @pulumi.getter(name="createTimeout") def create_timeout(self) -> Optional[int]: + """ + The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + """ return pulumi.get(self, "create_timeout") @property @pulumi.getter(name="relyingPartyEntityName") def relying_party_entity_name(self) -> Optional[str]: + """ + A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + """ return pulumi.get(self, "relying_party_entity_name") @property @pulumi.getter(name="relyingPartyId") def relying_party_id(self) -> Optional[str]: + """ + The WebAuthn relying party ID. + """ return pulumi.get(self, "relying_party_id") @property 
@@ -1200,8 +1360,13 @@ def __init__(__self__, *, signature_algorithms: Optional[Sequence[str]] = None, user_verification_requirement: Optional[str] = None): """ + :param Sequence[str] acceptable_aaguids: A set of AAGUIDs for which an authenticator can be registered. :param str attestation_conveyance_preference: Either none, indirect or direct :param str authenticator_attachment: Either platform or cross-platform + :param bool avoid_same_authenticator_register: When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + :param int create_timeout: The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + :param str relying_party_entity_name: A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + :param str relying_party_id: The WebAuthn relying party ID. :param str require_resident_key: Either Yes or No :param Sequence[str] signature_algorithms: Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing :param str user_verification_requirement: Either required, preferred or discouraged @@ -1230,6 +1395,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="acceptableAaguids") def acceptable_aaguids(self) -> Optional[Sequence[str]]: + """ + A set of AAGUIDs for which an authenticator can be registered. + """ return pulumi.get(self, "acceptable_aaguids") @property 
@@ -1251,21 +1419,33 @@ def authenticator_attachment(self) -> Optional[str]: @property @pulumi.getter(name="avoidSameAuthenticatorRegister") def avoid_same_authenticator_register(self) -> Optional[bool]: + """ + When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`. + """ return pulumi.get(self, "avoid_same_authenticator_register") @property @pulumi.getter(name="createTimeout") def create_timeout(self) -> Optional[int]: + """ + The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`. + """ return pulumi.get(self, "create_timeout") @property @pulumi.getter(name="relyingPartyEntityName") def relying_party_entity_name(self) -> Optional[str]: + """ + A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`. + """ return pulumi.get(self, "relying_party_entity_name") @property @pulumi.getter(name="relyingPartyId") def relying_party_id(self) -> Optional[str]: + """ + The WebAuthn relying party ID. + """ return pulumi.get(self, "relying_party_id") @property @@ -1320,6 +1500,11 @@ def __init__(__self__, *, identity_provider: str, user_id: str, user_name: str): + """ + :param str identity_provider: The name of the identity provider + :param str user_id: The ID of the user defined in the identity provider + :param str user_name: The user name of the user defined in the identity provider + """ pulumi.set(__self__, "identity_provider", identity_provider) pulumi.set(__self__, "user_id", user_id) pulumi.set(__self__, "user_name", user_name) 
@@ -1327,16 +1512,25 @@ def __init__(__self__, *, @property @pulumi.getter(name="identityProvider") def identity_provider(self) -> str: + """ + The name of the identity provider + """ return pulumi.get(self, "identity_provider") @property @pulumi.getter(name="userId") def user_id(self) -> str: + """ + The ID of the user defined in the identity provider + """ return pulumi.get(self, "user_id") @property @pulumi.getter(name="userName") def user_name(self) -> str: + """ + The user name of the user defined in the identity provider + """ return pulumi.get(self, "user_name") @@ -1345,6 +1539,10 @@ class UserInitialPassword(dict): def __init__(__self__, *, value: str, temporary: Optional[bool] = None): + """ + :param str value: The initial password. + :param bool temporary: If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + """ pulumi.set(__self__, "value", value) if temporary is not None: pulumi.set(__self__, "temporary", temporary) @@ -1352,11 +1550,17 @@ def __init__(__self__, *, @property @pulumi.getter def value(self) -> str: + """ + The initial password. + """ return pulumi.get(self, "value") @property @pulumi.getter def temporary(self) -> Optional[bool]: + """ + If set to `true`, the initial password is set up for renewal on first use. Default to `false`. + """ return pulumi.get(self, "temporary") 
@@ -1706,6 +1910,16 @@ def __init__(__self__, *, public_key: str, status: str, type: str): + """ + :param str algorithm: Key algorithm (string) + :param str certificate: Key certificate (string) + :param str kid: Key ID (string) + :param str provider_id: Key provider ID (string) + :param int provider_priority: Key provider priority (int64) + :param str public_key: Key public key (string) + :param str status: When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + :param str type: Key type (string) + """ pulumi.set(__self__, "algorithm", algorithm) pulumi.set(__self__, "certificate", certificate) pulumi.set(__self__, "kid", kid) @@ -1718,41 +1932,65 @@ def __init__(__self__, *, @property @pulumi.getter def algorithm(self) -> str: + """ + Key algorithm (string) + """ return pulumi.get(self, "algorithm") @property @pulumi.getter def certificate(self) -> str: + """ + Key certificate (string) + """ return pulumi.get(self, "certificate") @property @pulumi.getter def kid(self) -> str: + """ + Key ID (string) + """ return pulumi.get(self, "kid") @property @pulumi.getter(name="providerId") def provider_id(self) -> str: + """ + Key provider ID (string) + """ return pulumi.get(self, "provider_id") @property @pulumi.getter(name="providerPriority") def provider_priority(self) -> int: + """ + Key provider priority (int64) + """ return pulumi.get(self, "provider_priority") @property @pulumi.getter(name="publicKey") def public_key(self) -> str: + """ + Key public key (string) + """ return pulumi.get(self, "public_key") @property @pulumi.getter def status(self) -> str: + """ + When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`. + """ return pulumi.get(self, "status") @property @pulumi.getter def type(self) -> str: + """ + Key type (string) + """ return pulumi.get(self, "type") 
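Review bot: The `status` docstring in the keys hunk (`@@ -1706,6`, and its getter in `@@ -1718,41`) says `When specified, keys will be filtered by status`, which is the wording of a lookup filter argument, whereas this class takes every field as a required constructor value and reads as a returned key record. Suggest `The status of the key: one of ACTIVE, DISABLED or PASSIVE.` on both. The `(string)` / `(int64)` suffixes on the other fields restate the type annotations and could be dropped; if the file is generated, both fixes belong upstream. The `__init__` this docstring belongs to starts above the hunk.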
diff --git a/sdk/python/pulumi_keycloak/realm.py b/sdk/python/pulumi_keycloak/realm.py index 685be43c..7ac37657 100644 --- a/sdk/python/pulumi_keycloak/realm.py +++ b/sdk/python/pulumi_keycloak/realm.py 
@@ -79,16 +79,23 @@ def __init__(__self__, *, web_authn_policy: Optional[pulumi.Input['RealmWebAuthnPolicyArgs']] = None): """ The set of arguments for constructing a Realm resource. + :param pulumi.Input[str] realm: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map of custom attributes to add to the realm. :param pulumi.Input[str] browser_flow: Which flow should be used for BrowserFlow :param pulumi.Input[str] client_authentication_flow: Which flow should be used for ClientAuthenticationFlow :param pulumi.Input[str] direct_grant_flow: Which flow should be used for DirectGrantFlow + :param pulumi.Input[str] display_name: The display name for the realm that is shown when logging in to the admin console. + :param pulumi.Input[str] display_name_html: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. :param pulumi.Input[str] docker_authentication_flow: Which flow should be used for DockerAuthenticationFlow + :param pulumi.Input[bool] enabled: When `false`, users and clients will not be able to access this realm. Defaults to `true`. + :param pulumi.Input[str] internal_id: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. :param pulumi.Input[str] password_policy: String that represents the passwordPolicies that are in place. Each policy is separated with " and ". Supported policies can be found in the server-info providers page. 
example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername(undefined)" :param pulumi.Input[str] registration_flow: Which flow should be used for RegistrationFlow :param pulumi.Input[str] reset_credentials_flow: Which flow should be used for ResetCredentialsFlow :param pulumi.Input[str] ssl_required: SSL Required: Values can be 'none', 'external' or 'all'. + :param pulumi.Input[bool] user_managed_access: When `true`, users are allowed to manage their own resources. Defaults to `false`. """ pulumi.set(__self__, "realm", realm) if access_code_lifespan is not None: @@ -205,6 +212,9 @@ def __init__(__self__, *, @property @pulumi.getter def realm(self) -> pulumi.Input[str]: + """ + The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + """ return pulumi.get(self, "realm") @realm.setter @@ -295,6 +305,9 @@ def admin_theme(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def attributes(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]: + """ + A map of custom attributes to add to the realm. + """ return pulumi.get(self, "attributes") @attributes.setter @@ -385,6 +398,9 @@ def direct_grant_flow(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="displayName") def display_name(self) -> Optional[pulumi.Input[str]]: + """ + The display name for the realm that is shown when logging in to the admin console. + """ return pulumi.get(self, "display_name") @display_name.setter @@ -394,6 +410,9 @@ def display_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="displayNameHtml") def display_name_html(self) -> Optional[pulumi.Input[str]]: + """ + The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + """ return pulumi.get(self, "display_name_html") @display_name_html.setter 
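Review bot: The new `realm` docstring says the name `will also be used as the realm's internal ID within Keycloak`, while the new `internal_id` docstring in the same hunk says an explicit `internal_id` overrides that, so the two read as contradictory. Suggest `This is also used as the realm's internal ID unless internal_id is set.` for `realm`. Separately, `display_name_html` is documented as `rendered as HTML`, which is a security-relevant property worth stating plainly, e.g. `Because this is rendered as HTML, set it from static, trusted markup rather than user-supplied text.`. The same parameter docs recur in the later hunks of this file (`@@ -794,16`, `@@ -1512,19`, `@@ -1745,16`) and should be kept in sync; the enclosing `__init__` starts above the hunk.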
@@ -442,6 +461,9 @@ def email_theme(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `false`, users and clients will not be able to access this realm. Defaults to `true`. + """ return pulumi.get(self, "enabled") @enabled.setter @@ -451,6 +473,9 @@ def enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="internalId") def internal_id(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + """ return pulumi.get(self, "internal_id") @internal_id.setter @@ -699,6 +724,9 @@ def sso_session_max_lifespan_remember_me(self, value: Optional[pulumi.Input[str] @property @pulumi.getter(name="userManagedAccess") def user_managed_access(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, users are allowed to manage their own resources. Defaults to `false`. + """ return pulumi.get(self, "user_managed_access") @user_managed_access.setter 
@@ -794,16 +822,23 @@ def __init__(__self__, *, web_authn_policy: Optional[pulumi.Input['RealmWebAuthnPolicyArgs']] = None): """ Input properties used for looking up and filtering Realm resources. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map of custom attributes to add to the realm. :param pulumi.Input[str] browser_flow: Which flow should be used for BrowserFlow :param pulumi.Input[str] client_authentication_flow: Which flow should be used for ClientAuthenticationFlow :param pulumi.Input[str] direct_grant_flow: Which flow should be used for DirectGrantFlow + :param pulumi.Input[str] display_name: The display name for the realm that is shown when logging in to the admin console. + :param pulumi.Input[str] display_name_html: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. :param pulumi.Input[str] docker_authentication_flow: Which flow should be used for DockerAuthenticationFlow + :param pulumi.Input[bool] enabled: When `false`, users and clients will not be able to access this realm. Defaults to `true`. + :param pulumi.Input[str] internal_id: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. :param pulumi.Input[str] password_policy: String that represents the passwordPolicies that are in place. Each policy is separated with " and ". Supported policies can be found in the server-info providers page. example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername(undefined)" + :param pulumi.Input[str] realm: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. 
:param pulumi.Input[str] registration_flow: Which flow should be used for RegistrationFlow :param pulumi.Input[str] reset_credentials_flow: Which flow should be used for ResetCredentialsFlow :param pulumi.Input[str] ssl_required: SSL Required: Values can be 'none', 'external' or 'all'. + :param pulumi.Input[bool] user_managed_access: When `true`, users are allowed to manage their own resources. Defaults to `false`. """ if access_code_lifespan is not None: pulumi.set(__self__, "access_code_lifespan", access_code_lifespan) @@ -1002,6 +1037,9 @@ def admin_theme(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def attributes(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]: + """ + A map of custom attributes to add to the realm. + """ return pulumi.get(self, "attributes") @attributes.setter @@ -1092,6 +1130,9 @@ def direct_grant_flow(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="displayName") def display_name(self) -> Optional[pulumi.Input[str]]: + """ + The display name for the realm that is shown when logging in to the admin console. + """ return pulumi.get(self, "display_name") @display_name.setter @@ -1101,6 +1142,9 @@ def display_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="displayNameHtml") def display_name_html(self) -> Optional[pulumi.Input[str]]: + """ + The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. + """ return pulumi.get(self, "display_name_html") @display_name_html.setter @@ -1149,6 +1193,9 @@ def email_theme(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When `false`, users and clients will not be able to access this realm. Defaults to `true`. + """ return pulumi.get(self, "enabled") @enabled.setter 
@@ -1158,6 +1205,9 @@ def enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="internalId") def internal_id(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. + """ return pulumi.get(self, "internal_id") @internal_id.setter @@ -1262,6 +1312,9 @@ def password_policy(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def realm(self) -> Optional[pulumi.Input[str]]: + """ + The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. + """ return pulumi.get(self, "realm") @realm.setter @@ -1415,6 +1468,9 @@ def sso_session_max_lifespan_remember_me(self, value: Optional[pulumi.Input[str] @property @pulumi.getter(name="userManagedAccess") def user_managed_access(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, users are allowed to manage their own resources. Defaults to `false`. + """ return pulumi.get(self, "user_managed_access") @user_managed_access.setter 
@@ -1512,19 +1568,111 @@ def __init__(__self__, web_authn_policy: Optional[pulumi.Input[Union['RealmWebAuthnPolicyArgs', 'RealmWebAuthnPolicyArgsDict']]] = None, __props__=None): """ - Create a Realm resource with the given unique name, props, and options. + Allows for creating and managing Realms within Keycloak. + + A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated + from multiple sources. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True, + display_name="my realm", + display_name_html="my realm", + login_theme="base", + access_code_lifespan="1h", + ssl_required="external", + password_policy="upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername", + attributes={ + "mycustomAttribute": "myCustomValue", + }, + smtp_server={ + "host": "smtp.example.com", + "from_": "example@example.com", + "auth": { + "username": "tom", + "password": "password", + }, + }, + internationalization={ + "supported_locales": [ + "en", + "de", + "es", + ], + "default_locale": "en", + }, + security_defenses={ + "headers": { + "x_frame_options": "DENY", + "content_security_policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "content_security_policy_report_only": "", + "x_content_type_options": "nosniff", + "x_robots_tag": "none", + "x_xss_protection": "1; mode=block", + "strict_transport_security": "max-age=31536000; includeSubDomains", + }, + "brute_force_detection": { + "permanent_lockout": False, + "max_login_failures": 30, + "wait_increment_seconds": 60, + "quick_login_check_milli_seconds": 1000, + "minimum_quick_login_wait_seconds": 60, + "max_failure_wait_seconds": 900, + "failure_reset_time_seconds": 43200, + }, + }, + web_authn_policy={ + "relying_party_entity_name": "Example", + "relying_party_id": "keycloak.example.com", + "signature_algorithms": [ + 
"ES256", + "RS256", + ], + }) + ``` + + ## Default Client Scopes + + - `default_default_client_scopes` - (Optional) A list of default default client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default default client-scopes. + - `default_optional_client_scopes` - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default optional client-scopes. + + ## Import + + Realms can be imported using their name. + + Example: + + bash + + ```sh + $ pulumi import keycloak:index/realm:Realm realm my-realm + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map of custom attributes to add to the realm. :param pulumi.Input[str] browser_flow: Which flow should be used for BrowserFlow :param pulumi.Input[str] client_authentication_flow: Which flow should be used for ClientAuthenticationFlow :param pulumi.Input[str] direct_grant_flow: Which flow should be used for DirectGrantFlow + :param pulumi.Input[str] display_name: The display name for the realm that is shown when logging in to the admin console. + :param pulumi.Input[str] display_name_html: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. :param pulumi.Input[str] docker_authentication_flow: Which flow should be used for DockerAuthenticationFlow + :param pulumi.Input[bool] enabled: When `false`, users and clients will not be able to access this realm. Defaults to `true`. + :param pulumi.Input[str] internal_id: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name. :param pulumi.Input[str] password_policy: String that represents the passwordPolicies that are in place. Each policy is separated with " and ". 
Supported policies can be found in the server-info providers page. example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername(undefined)" + :param pulumi.Input[str] realm: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak. :param pulumi.Input[str] registration_flow: Which flow should be used for RegistrationFlow :param pulumi.Input[str] reset_credentials_flow: Which flow should be used for ResetCredentialsFlow :param pulumi.Input[str] ssl_required: SSL Required: Values can be 'none', 'external' or 'all'. + :param pulumi.Input[bool] user_managed_access: When `true`, users are allowed to manage their own resources. Defaults to `false`. """ ... @overload 
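Review bot: The example in the new `Realm.__init__` docstring passes the SMTP credential as a string literal, `"password": "password"`; examples get copied, so it is better to show the secret coming from config, e.g. `"password": pulumi.Config().require_secret("smtpPassword"),`, which also keeps it encrypted in state. The Import section has a stray `bash` word on its own line before the `sh` code fence, presumably a leftover of the markdown conversion, which will render as text. The example's `"x_xss_protection": "1; mode=block"` mirrors Keycloak's default, but current browser guidance is to set that header to `0` or omit it, so a brief remark would keep readers from treating the value as recommended. The same example is duplicated verbatim in the next hunk (`@@ -1533,7`).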
@@ -1533,7 +1681,92 @@ def __init__(__self__, args: RealmArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - Create a Realm resource with the given unique name, props, and options. + Allows for creating and managing Realms within Keycloak. + + A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated + from multiple sources. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True, + display_name="my realm", + display_name_html="my realm", + login_theme="base", + access_code_lifespan="1h", + ssl_required="external", + password_policy="upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername", + attributes={ + "mycustomAttribute": "myCustomValue", + }, + smtp_server={ + "host": "smtp.example.com", + "from_": "example@example.com", + "auth": { + "username": "tom", + "password": "password", + }, + }, + internationalization={ + "supported_locales": [ + "en", + "de", + "es", + ], + "default_locale": "en", + }, + security_defenses={ + "headers": { + "x_frame_options": "DENY", + "content_security_policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "content_security_policy_report_only": "", + "x_content_type_options": "nosniff", + "x_robots_tag": "none", + "x_xss_protection": "1; mode=block", + "strict_transport_security": "max-age=31536000; includeSubDomains", + }, + "brute_force_detection": { + "permanent_lockout": False, + "max_login_failures": 30, + "wait_increment_seconds": 60, + "quick_login_check_milli_seconds": 1000, + "minimum_quick_login_wait_seconds": 60, + "max_failure_wait_seconds": 900, + "failure_reset_time_seconds": 43200, + }, + }, + web_authn_policy={ + "relying_party_entity_name": "Example", + "relying_party_id": "keycloak.example.com", + "signature_algorithms": [ + "ES256", + "RS256", + ], + }) + ``` + + ## Default Client Scopes + + - 
`default_default_client_scopes` - (Optional) A list of default default client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default default client-scopes. + - `default_optional_client_scopes` - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to `[]` or keycloak's built-in default optional client-scopes. + + ## Import + + Realms can be imported using their name. + + Example: + + bash + + ```sh + $ pulumi import keycloak:index/realm:Realm realm my-realm + ``` + :param str resource_name: The name of the resource. :param RealmArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -1745,16 +1978,23 @@ def get(resource_name: str,
 :param str resource_name: The unique name of the resulting resource.
 :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
 :param pulumi.ResourceOptions opts: Options for the resource.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map of custom attributes to add to the realm.
 :param pulumi.Input[str] browser_flow: Which flow should be used for BrowserFlow
 :param pulumi.Input[str] client_authentication_flow: Which flow should be used for ClientAuthenticationFlow
 :param pulumi.Input[str] direct_grant_flow: Which flow should be used for DirectGrantFlow
+ :param pulumi.Input[str] display_name: The display name for the realm that is shown when logging in to the admin console.
+ :param pulumi.Input[str] display_name_html: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
 :param pulumi.Input[str] docker_authentication_flow: Which flow should be used for DockerAuthenticationFlow
+ :param pulumi.Input[bool] enabled: When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ :param pulumi.Input[str] internal_id: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
 :param pulumi.Input[str] password_policy: String that represents the passwordPolicies that are in place. Each policy is separated with " and ". Supported policies can be found in the server-info providers page. example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername(undefined)"
+ :param pulumi.Input[str] realm: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
:param pulumi.Input[str] registration_flow: Which flow should be used for RegistrationFlow
 :param pulumi.Input[str] reset_credentials_flow: Which flow should be used for ResetCredentialsFlow
 :param pulumi.Input[str] ssl_required: SSL Required: Values can be 'none', 'external' or 'all'.
+ :param pulumi.Input[bool] user_managed_access: When `true`, users are allowed to manage their own resources. Defaults to `false`.
 """
 opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -1866,6 +2106,9 @@ def admin_theme(self) -> pulumi.Output[Optional[str]]:
 @property
 @pulumi.getter
 def attributes(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
+ """
+ A map of custom attributes to add to the realm.
+ """
 return pulumi.get(self, "attributes")
 @property
@@ -1920,11 +2163,17 @@ def direct_grant_flow(self) -> pulumi.Output[str]:
 @property
 @pulumi.getter(name="displayName")
 def display_name(self) -> pulumi.Output[Optional[str]]:
+ """
+ The display name for the realm that is shown when logging in to the admin console.
+ """
 return pulumi.get(self, "display_name")
 @property
 @pulumi.getter(name="displayNameHtml")
 def display_name_html(self) -> pulumi.Output[Optional[str]]:
+ """
+ The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+ """
 return pulumi.get(self, "display_name_html")
 @property
@@ -1953,11 +2202,17 @@ def email_theme(self) -> pulumi.Output[Optional[str]]:
 @property
 @pulumi.getter
 def enabled(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ """
 return pulumi.get(self, "enabled")
 @property
 @pulumi.getter(name="internalId")
 def internal_id(self) -> pulumi.Output[str]:
+ """
+ When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
+ """
 return pulumi.get(self, "internal_id")
 @property
@@ -2018,6 +2273,9 @@ def password_policy(self) -> pulumi.Output[Optional[str]]:
 @property
 @pulumi.getter
 def realm(self) -> pulumi.Output[str]:
+ """
+ The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
+ """
 return pulumi.get(self, "realm")
 @property
@@ -2107,6 +2365,9 @@ def sso_session_max_lifespan_remember_me(self) -> pulumi.Output[str]:
 @property
 @pulumi.getter(name="userManagedAccess")
 def user_managed_access(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, users are allowed to manage their own resources. Defaults to `false`.
+ """
 return pulumi.get(self, "user_managed_access")
 @property
diff --git a/sdk/python/pulumi_keycloak/realm_events.py b/sdk/python/pulumi_keycloak/realm_events.py
index 3c500ec6..e6d57008 100644
--- a/sdk/python/pulumi_keycloak/realm_events.py
+++ b/sdk/python/pulumi_keycloak/realm_events.py
@@ -28,6 +28,13 @@ def __init__(__self__, *,
 events_listeners: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
 """
 The set of arguments for constructing a RealmEvents resource.
+ :param pulumi.Input[str] realm_id: The name of the realm the event settings apply to.
+ :param pulumi.Input[bool] admin_events_details_enabled: When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.
+ :param pulumi.Input[bool] admin_events_enabled: When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] enabled_event_types: The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.
+ :param pulumi.Input[bool] events_enabled: When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
+ :param pulumi.Input[int] events_expiration: The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] events_listeners: The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.
 """
 pulumi.set(__self__, "realm_id", realm_id)
 if admin_events_details_enabled is not None:
@@ -46,6 +53,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Input[str]:
+ """
+ The name of the realm the event settings apply to.
+ """
 return pulumi.get(self, "realm_id")
 @realm_id.setter
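Review bot: The `events_listeners` param text added here says this resource "will remove" the default `jboss-logging` listener unless it is listed, but it does not spell out the operational consequence, which is presumably that Keycloak stops writing login and admin events to the server log the moment the resource is applied without it, so audit trails go quiet silently. I would append a sentence such as `Omit it only if another listener or the database (`events_enabled`) is capturing these events.` to that param and to the matching property and `get` docstrings (`@@ -100`, `@@ -119`, `@@ -183`, the two `__init__` overloads at `@@ -237` and `@@ -283`, `@@ -359`, `@@ -376`). The same hunks also repeat the grammar slip `saved admin events will included detailed information`, which should read `will include`.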
@@ -55,6 +65,9 @@ def realm_id(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter(name="adminEventsDetailsEnabled")
 def admin_events_details_enabled(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.
+ """
 return pulumi.get(self, "admin_events_details_enabled")
 @admin_events_details_enabled.setter
@@ -64,6 +77,9 @@ def admin_events_details_enabled(self, value: Optional[pulumi.Input[bool]]):
 @property
 @pulumi.getter(name="adminEventsEnabled")
 def admin_events_enabled(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
+ """
 return pulumi.get(self, "admin_events_enabled")
 @admin_events_enabled.setter
@@ -73,6 +89,9 @@ def admin_events_enabled(self, value: Optional[pulumi.Input[bool]]):
 @property
 @pulumi.getter(name="enabledEventTypes")
 def enabled_event_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.
+ """
 return pulumi.get(self, "enabled_event_types")
 @enabled_event_types.setter
@@ -82,6 +101,9 @@ def enabled_event_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input
 @property
 @pulumi.getter(name="eventsEnabled")
 def events_enabled(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
+ """
 return pulumi.get(self, "events_enabled")
 @events_enabled.setter
@@ -91,6 +113,9 @@ def events_enabled(self, value: Optional[pulumi.Input[bool]]):
 @property
 @pulumi.getter(name="eventsExpiration")
 def events_expiration(self) -> Optional[pulumi.Input[int]]:
+ """
+ The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
+ """
 return pulumi.get(self, "events_expiration")
 @events_expiration.setter
@@ -100,6 +125,9 @@ def events_expiration(self, value: Optional[pulumi.Input[int]]):
 @property
 @pulumi.getter(name="eventsListeners")
 def events_listeners(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.
+ """
 return pulumi.get(self, "events_listeners")
 @events_listeners.setter
@@ -119,6 +147,13 @@ def __init__(__self__, *,
 realm_id: Optional[pulumi.Input[str]] = None):
 """
 Input properties used for looking up and filtering RealmEvents resources.
+ :param pulumi.Input[bool] admin_events_details_enabled: When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.
+ :param pulumi.Input[bool] admin_events_enabled: When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] enabled_event_types: The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.
+ :param pulumi.Input[bool] events_enabled: When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
+ :param pulumi.Input[int] events_expiration: The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] events_listeners: The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.
+ :param pulumi.Input[str] realm_id: The name of the realm the event settings apply to.
 """
 if admin_events_details_enabled is not None:
 pulumi.set(__self__, "admin_events_details_enabled", admin_events_details_enabled)
@@ -138,6 +173,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter(name="adminEventsDetailsEnabled")
 def admin_events_details_enabled(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.
+ """
 return pulumi.get(self, "admin_events_details_enabled")
 @admin_events_details_enabled.setter
@@ -147,6 +185,9 @@ def admin_events_details_enabled(self, value: Optional[pulumi.Input[bool]]):
 @property
 @pulumi.getter(name="adminEventsEnabled")
 def admin_events_enabled(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
+ """
 return pulumi.get(self, "admin_events_enabled")
 @admin_events_enabled.setter
@@ -156,6 +197,9 @@ def admin_events_enabled(self, value: Optional[pulumi.Input[bool]]):
 @property
 @pulumi.getter(name="enabledEventTypes")
 def enabled_event_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.
+ """
 return pulumi.get(self, "enabled_event_types")
 @enabled_event_types.setter
@@ -165,6 +209,9 @@ def enabled_event_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input
 @property
 @pulumi.getter(name="eventsEnabled")
 def events_enabled(self) -> Optional[pulumi.Input[bool]]:
+ """
+ When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
+ """
 return pulumi.get(self, "events_enabled")
 @events_enabled.setter
@@ -174,6 +221,9 @@ def events_enabled(self, value: Optional[pulumi.Input[bool]]):
 @property
 @pulumi.getter(name="eventsExpiration")
 def events_expiration(self) -> Optional[pulumi.Input[int]]:
+ """
+ The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
+ """
 return pulumi.get(self, "events_expiration")
 @events_expiration.setter
@@ -183,6 +233,9 @@ def events_expiration(self, value: Optional[pulumi.Input[int]]):
 @property
 @pulumi.getter(name="eventsListeners")
 def events_listeners(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.
+ """
 return pulumi.get(self, "events_listeners")
 @events_listeners.setter
@@ -192,6 +245,9 @@ def events_listeners(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[st
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ The name of the realm the event settings apply to.
+ """
 return pulumi.get(self, "realm_id")
 @realm_id.setter
@@ -213,17 +269,17 @@ def __init__(__self__,
 realm_id: Optional[pulumi.Input[str]] = None,
 __props__=None):
 """
- ## # RealmEvents
-
 Allows for managing Realm Events settings within Keycloak.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
 import pulumi_keycloak as keycloak
- realm = keycloak.Realm("realm", realm="test")
+ realm = keycloak.Realm("realm",
+ realm="my-realm",
+ enabled=True)
 realm_events = keycloak.RealmEvents("realm_events",
 realm_id=realm.id,
 events_enabled=True,
@@ -237,20 +293,19 @@ def __init__(__self__,
 events_listeners=["jboss-logging"])
 ```
- ### Argument Reference
+ ## Import
- The following arguments are supported:
-
- - `realm_id` - (Required) The name of the realm the event settings apply to.
- - `admin_events_enabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
- - `admin_events_details_enabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`.
- - `events_enabled` - (Optional) When true, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
- - `events_expiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
- - `enabled_event_types` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.
- - `events_listeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.
+ This resource currently does not support importing.
 :param str resource_name: The name of the resource.
 :param pulumi.ResourceOptions opts: Options for the resource.
+ :param pulumi.Input[bool] admin_events_details_enabled: When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.
+ :param pulumi.Input[bool] admin_events_enabled: When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] enabled_event_types: The event types that will be saved to the database. Omitting this field enables all event types. 
Defaults to `[]` or all event types.
+ :param pulumi.Input[bool] events_enabled: When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
+ :param pulumi.Input[int] events_expiration: The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] events_listeners: The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.
+ :param pulumi.Input[str] realm_id: The name of the realm the event settings apply to.
 """
 ...
 @overload
@@ -259,17 +314,17 @@ def __init__(__self__,
 args: RealmEventsArgs,
 opts: Optional[pulumi.ResourceOptions] = None):
 """
- ## # RealmEvents
-
 Allows for managing Realm Events settings within Keycloak.
- ### Example Usage
+ ## Example Usage
 ```python
 import pulumi
 import pulumi_keycloak as keycloak
- realm = keycloak.Realm("realm", realm="test")
+ realm = keycloak.Realm("realm",
+ realm="my-realm",
+ enabled=True)
 realm_events = keycloak.RealmEvents("realm_events",
 realm_id=realm.id,
 events_enabled=True,
@@ -283,17 +338,9 @@ def __init__(__self__,
 events_listeners=["jboss-logging"])
 ```
- ### Argument Reference
-
- The following arguments are supported:
+ ## Import
- - `realm_id` - (Required) The name of the realm the event settings apply to.
- - `admin_events_enabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
- - `admin_events_details_enabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`.
- - `events_enabled` - (Optional) When true, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
- - `events_expiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
- - `enabled_event_types` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.
- - `events_listeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.
+ This resource currently does not support importing.
 :param str resource_name: The name of the resource.
 :param RealmEventsArgs args: The arguments to use to populate this resource's properties.
@@ -359,6 +406,13 @@ def get(resource_name: str,
 :param str resource_name: The unique name of the resulting resource.
 :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
 :param pulumi.ResourceOptions opts: Options for the resource.
+ :param pulumi.Input[bool] admin_events_details_enabled: When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.
+ :param pulumi.Input[bool] admin_events_enabled: When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] enabled_event_types: The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.
+ :param pulumi.Input[bool] events_enabled: When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
+ :param pulumi.Input[int] events_expiration: The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] events_listeners: The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.
+ :param pulumi.Input[str] realm_id: The name of the realm the event settings apply to.
 """
 opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -376,35 +430,56 @@ def get(resource_name: str,
 @property
 @pulumi.getter(name="adminEventsDetailsEnabled")
 def admin_events_details_enabled(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.
+ """
 return pulumi.get(self, "admin_events_details_enabled")
 @property
 @pulumi.getter(name="adminEventsEnabled")
 def admin_events_enabled(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
+ """
 return pulumi.get(self, "admin_events_enabled")
 @property
 @pulumi.getter(name="enabledEventTypes")
 def enabled_event_types(self) -> pulumi.Output[Optional[Sequence[str]]]:
+ """
+ The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.
+ """
 return pulumi.get(self, "enabled_event_types")
 @property
 @pulumi.getter(name="eventsEnabled")
 def events_enabled(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
+ """
 return pulumi.get(self, "events_enabled")
 @property
 @pulumi.getter(name="eventsExpiration")
 def events_expiration(self) -> pulumi.Output[Optional[int]]:
+ """
+ The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
+ """
 return pulumi.get(self, "events_expiration")
 @property
 @pulumi.getter(name="eventsListeners")
 def events_listeners(self) -> pulumi.Output[Optional[Sequence[str]]]:
+ """
+ The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. 
+ """ return pulumi.get(self, "events_listeners") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The name of the realm the event settings apply to. + """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/role.py b/sdk/python/pulumi_keycloak/role.py index 28ce652d..b92f9ef4 100644 --- a/sdk/python/pulumi_keycloak/role.py +++ b/sdk/python/pulumi_keycloak/role.py @@ -27,6 +27,12 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a Role resource. + :param pulumi.Input[str] realm_id: The realm this role exists within. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + :param pulumi.Input[str] client_id: When specified, this role will be created as a client role attached to the client with the provided ID + :param pulumi.Input[Sequence[pulumi.Input[str]]] composite_roles: When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + :param pulumi.Input[str] description: The description of the role + :param pulumi.Input[str] name: The name of the role """ pulumi.set(__self__, "realm_id", realm_id) if attributes is not None: @@ -43,6 +49,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: + """ + The realm this role exists within. + """ return pulumi.get(self, "realm_id") @realm_id.setter 
@@ -52,6 +61,9 @@ def realm_id(self, value: pulumi.Input[str]):
 @property
 @pulumi.getter
 def attributes(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+ """
+ A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ """
 return pulumi.get(self, "attributes")
 @attributes.setter
@@ -61,6 +73,9 @@ def attributes(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]
 @property
 @pulumi.getter(name="clientId")
 def client_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ When specified, this role will be created as a client role attached to the client with the provided ID
+ """
 return pulumi.get(self, "client_id")
 @client_id.setter
@@ -70,6 +85,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="compositeRoles")
 def composite_roles(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
+ """
 return pulumi.get(self, "composite_roles")
 @composite_roles.setter
@@ -79,6 +97,9 @@ def composite_roles(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str
 @property
 @pulumi.getter
 def description(self) -> Optional[pulumi.Input[str]]:
+ """
+ The description of the role
+ """
 return pulumi.get(self, "description")
 @description.setter
@@ -88,6 +109,9 @@ def description(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
+ """
+ The name of the role
+ """
 return pulumi.get(self, "name")
 @name.setter
@@ -106,6 +130,12 @@ def __init__(__self__, *,
 realm_id: Optional[pulumi.Input[str]] = None):
 """
 Input properties used for looking up and filtering Role resources.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ :param pulumi.Input[str] client_id: When specified, this role will be created as a client role attached to the client with the provided ID
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] composite_roles: When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
+ :param pulumi.Input[str] description: The description of the role
+ :param pulumi.Input[str] name: The name of the role
+ :param pulumi.Input[str] realm_id: The realm this role exists within.
 """
 if attributes is not None:
 pulumi.set(__self__, "attributes", attributes)
@@ -123,6 +153,9 @@ def __init__(__self__, *,
 @property
 @pulumi.getter
 def attributes(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+ """
+ A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ """
 return pulumi.get(self, "attributes")
 @attributes.setter
@@ -132,6 +165,9 @@ def attributes(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]
 @property
 @pulumi.getter(name="clientId")
 def client_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ When specified, this role will be created as a client role attached to the client with the provided ID
+ """
 return pulumi.get(self, "client_id")
 @client_id.setter
@@ -141,6 +177,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="compositeRoles")
 def composite_roles(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+ """
+ When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
+ """
 return pulumi.get(self, "composite_roles")
 @composite_roles.setter
@@ -150,6 +189,9 @@ def composite_roles(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str
 @property
 @pulumi.getter
 def description(self) -> Optional[pulumi.Input[str]]:
+ """
+ The description of the role
+ """
 return pulumi.get(self, "description")
 @description.setter
@@ -159,6 +201,9 @@ def description(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter
 def name(self) -> Optional[pulumi.Input[str]]:
+ """
+ The name of the role
+ """
 return pulumi.get(self, "name")
 @name.setter
@@ -168,6 +213,9 @@ def name(self, value: Optional[pulumi.Input[str]]):
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> Optional[pulumi.Input[str]]:
+ """
+ The realm this role exists within.
+ """
 return pulumi.get(self, "realm_id")
 @realm_id.setter
@@ -188,14 +236,13 @@ def __init__(__self__,
 realm_id: Optional[pulumi.Input[str]] = None,
 __props__=None):
 """
- ## # Role
-
 Allows for creating and managing roles within Keycloak.
- Roles allow you define privileges within Keycloak and map them to users
- and groups.
+ Roles allow you define privileges within Keycloak and map them to users and groups.
+
+ ## Example Usage
- ### Example Usage (Realm role)
+ ### Realm Role)
 ```python
 import pulumi
@@ -207,10 +254,14 @@ def __init__(__self__,
 realm_role = keycloak.Role("realm_role",
 realm_id=realm.id,
 name="my-realm-role",
- description="My Realm Role")
+ description="My Realm Role",
+ attributes={
+ "key": "value",
+ "multivalue": "value1##value2",
+ })
 ```
- ### Example Usage (Client role)
+ ### Client Role)
 ```python
 import pulumi
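Review bot: The new heading in the `Role.__init__` docstring (`@@ -188,14 +236,13`) keeps a stray closing parenthesis, `### Realm Role)`, left over from the old `### Example Usage (Realm role)` form; it should read `### Realm Role`. The same slip appears in `### Client Role)` (`@@ -207`), `### Composite Role)` (`@@ -219`), and in the second overload at `@@ -310` and `@@ -341`, so the fix is in the shared upstream doc source. The enclosing `__init__` overload's body lies outside these hunks.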
@@ -219,20 +270,24 @@ def __init__(__self__,
 realm = keycloak.Realm("realm",
 realm="my-realm",
 enabled=True)
- client = keycloak.openid.Client("client",
+ openid_client = keycloak.openid.Client("openid_client",
 realm_id=realm.id,
 client_id="client",
 name="client",
 enabled=True,
- access_type="BEARER-ONLY")
+ access_type="CONFIDENTIAL",
+ valid_redirect_uris=["http://localhost:8080/openid-callback"])
 client_role = keycloak.Role("client_role",
 realm_id=realm.id,
- client_id=client_keycloak_client["id"],
+ client_id=openid_client_keycloak_client["id"],
 name="my-client-role",
- description="My Client Role")
+ description="My Client Role",
+ attributes={
+ "key": "value",
+ })
 ```
- ### Example Usage (Composite role)
+ ### Composite Role)
 ```python
 import pulumi
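Review bot: The client-role example still references a name that the snippet never defines, `client_id=openid_client_keycloak_client["id"],`, so a reader who copies it gets a NameError; the line the rest of the example needs is `client_id=openid_client.id,`, which also makes the dependency on the `openid_client` resource explicit. The same undefined reference is repeated in the composite-role example at `@@ -244` and in the second overload at `@@ -341`, and presumably in the hunk beginning at `@@ -366`, which runs past the end of this view. The enclosing `__init__` overload's body lies outside the hunk.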
@@ -244,64 +299,81 @@ def __init__(__self__,
 # realm roles
 create_role = keycloak.Role("create_role",
 realm_id=realm.id,
- name="create")
+ name="create",
+ attributes={
+ "key": "value",
+ })
 read_role = keycloak.Role("read_role",
 realm_id=realm.id,
- name="read")
+ name="read",
+ attributes={
+ "key": "value",
+ })
 update_role = keycloak.Role("update_role",
 realm_id=realm.id,
- name="update")
+ name="update",
+ attributes={
+ "key": "value",
+ })
 delete_role = keycloak.Role("delete_role",
 realm_id=realm.id,
- name="delete")
+ name="delete",
+ attributes={
+ "key": "value",
+ })
 # client role
- client = keycloak.openid.Client("client",
+ openid_client = keycloak.openid.Client("openid_client",
 realm_id=realm.id,
 client_id="client",
 name="client",
 enabled=True,
- access_type="BEARER-ONLY")
+ access_type="CONFIDENTIAL",
+ valid_redirect_uris=["http://localhost:8080/openid-callback"])
 client_role = keycloak.Role("client_role",
 realm_id=realm.id,
- client_id=client_keycloak_client["id"],
+ client_id=openid_client_keycloak_client["id"],
 name="my-client-role",
- description="My Client Role")
+ description="My Client Role",
+ attributes={
+ "key": "value",
+ })
 admin_role = keycloak.Role("admin_role",
 realm_id=realm.id,
 name="admin",
 composite_roles=[
- "{keycloak_role.create_role.id}",
- "{keycloak_role.read_role.id}",
- "{keycloak_role.update_role.id}",
- "{keycloak_role.delete_role.id}",
- "{keycloak_role.client_role.id}",
- ])
+ create_role.id,
+ read_role.id,
+ update_role.id,
+ delete_role.id,
+ client_role.id,
+ ],
+ attributes={
+ "key": "value",
+ })
 ```
- ### Argument Reference
+ ## Import
- The following arguments are supported:
+ Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where `role_id` is the unique ID that Keycloak assigns
- - `realm_id` - (Required) The realm this role exists within. 
- - `client_id` - (Optional) When specified, this role will be created as
- a client role attached to the client with the provided ID
- - `name` - (Required) The name of the role
- - `description` - (Optional) The description of the role
- - `composite_roles` - (Optional) When specified, this role will be a
- composite role, composed of all roles that have an ID present within
- this list.
+ to the role. The ID is not easy to find in the GUI, but it appears in the URL when editing the role.
- ### Import
+ Example:
- Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where
- `role_id` is the unique ID that Keycloak assigns to the role. The ID is
- not easy to find in the GUI, but it appears in the URL when editing the
- role.
+ bash
- Example:
+ ```sh
+ $ pulumi import keycloak:index/role:Role role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad
+ ```
 :param str resource_name: The name of the resource.
 :param pulumi.ResourceOptions opts: Options for the resource.
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
+ :param pulumi.Input[str] client_id: When specified, this role will be created as a client role attached to the client with the provided ID
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] composite_roles: When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
+ :param pulumi.Input[str] description: The description of the role
+ :param pulumi.Input[str] name: The name of the role
+ :param pulumi.Input[str] realm_id: The realm this role exists within.
 """
 ...
 @overload
@@ -310,14 +382,13 @@ def __init__(__self__, args: RoleArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # Role - Allows for creating and managing roles within Keycloak. - Roles allow you define privileges within Keycloak and map them to users - and groups. + Roles allow you define privileges within Keycloak and map them to users and groups. + + ## Example Usage - ### Example Usage (Realm role) + ### Realm Role) ```python import pulumi @@ -329,10 +400,14 @@ def __init__(__self__, realm_role = keycloak.Role("realm_role", realm_id=realm.id, name="my-realm-role", - description="My Realm Role") + description="My Realm Role", + attributes={ + "key": "value", + "multivalue": "value1##value2", + }) ``` - ### Example Usage (Client role) + ### Client Role) ```python import pulumi @@ -341,20 +416,24 @@ def __init__(__self__, realm = keycloak.Realm("realm", realm="my-realm", enabled=True) - client = keycloak.openid.Client("client", + openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, client_id="client", name="client", enabled=True, - access_type="BEARER-ONLY") + access_type="CONFIDENTIAL", + valid_redirect_uris=["http://localhost:8080/openid-callback"]) client_role = keycloak.Role("client_role", realm_id=realm.id, - client_id=client_keycloak_client["id"], + client_id=openid_client_keycloak_client["id"], name="my-client-role", - description="My Client Role") + description="My Client Role", + attributes={ + "key": "value", + }) ``` - ### Example Usage (Composite role) + ### Composite Role) ```python import pulumi 
@@ -366,61 +445,72 @@ def __init__(__self__, # realm roles create_role = keycloak.Role("create_role", realm_id=realm.id, - name="create") + name="create", + attributes={ + "key": "value", + }) read_role = keycloak.Role("read_role", realm_id=realm.id, - name="read") + name="read", + attributes={ + "key": "value", + }) update_role = keycloak.Role("update_role", realm_id=realm.id, - name="update") + name="update", + attributes={ + "key": "value", + }) delete_role = keycloak.Role("delete_role", realm_id=realm.id, - name="delete") + name="delete", + attributes={ + "key": "value", + }) # client role - client = keycloak.openid.Client("client", + openid_client = keycloak.openid.Client("openid_client", realm_id=realm.id, client_id="client", name="client", enabled=True, - access_type="BEARER-ONLY") + access_type="CONFIDENTIAL", + valid_redirect_uris=["http://localhost:8080/openid-callback"]) client_role = keycloak.Role("client_role", realm_id=realm.id, - client_id=client_keycloak_client["id"], + client_id=openid_client_keycloak_client["id"], name="my-client-role", - description="My Client Role") + description="My Client Role", + attributes={ + "key": "value", + }) admin_role = keycloak.Role("admin_role", realm_id=realm.id, name="admin", composite_roles=[ - "{keycloak_role.create_role.id}", - "{keycloak_role.read_role.id}", - "{keycloak_role.update_role.id}", - "{keycloak_role.delete_role.id}", - "{keycloak_role.client_role.id}", - ]) + create_role.id, + read_role.id, + update_role.id, + delete_role.id, + client_role.id, + ], + attributes={ + "key": "value", + }) ``` - ### Argument Reference + ## Import - The following arguments are supported: + Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where `role_id` is the unique ID that Keycloak assigns - - `realm_id` - (Required) The realm this role exists within. 
- - `client_id` - (Optional) When specified, this role will be created as - a client role attached to the client with the provided ID - - `name` - (Required) The name of the role - - `description` - (Optional) The description of the role - - `composite_roles` - (Optional) When specified, this role will be a - composite role, composed of all roles that have an ID present within - this list. + to the role. The ID is not easy to find in the GUI, but it appears in the URL when editing the role. - ### Import + Example: - Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where - `role_id` is the unique ID that Keycloak assigns to the role. The ID is - not easy to find in the GUI, but it appears in the URL when editing the - role. + bash - Example: + ```sh + $ pulumi import keycloak:index/role:Role role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad + ``` :param str resource_name: The name of the resource. :param RoleArgs args: The arguments to use to populate this resource's properties. 
@@ -483,6 +573,12 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + :param pulumi.Input[str] client_id: When specified, this role will be created as a client role attached to the client with the provided ID + :param pulumi.Input[Sequence[pulumi.Input[str]]] composite_roles: When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + :param pulumi.Input[str] description: The description of the role + :param pulumi.Input[str] name: The name of the role + :param pulumi.Input[str] realm_id: The realm this role exists within. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
@@ -499,30 +595,48 @@ def get(resource_name: str, @property @pulumi.getter def attributes(self) -> pulumi.Output[Optional[Mapping[str, str]]]: + """ + A map representing attributes for the role. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + """ return pulumi.get(self, "attributes") @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[Optional[str]]: + """ + When specified, this role will be created as a client role attached to the client with the provided ID + """ return pulumi.get(self, "client_id") @property @pulumi.getter(name="compositeRoles") def composite_roles(self) -> pulumi.Output[Optional[Sequence[str]]]: + """ + When specified, this role will be a composite role, composed of all roles that have an ID present within this list. + """ return pulumi.get(self, "composite_roles") @property @pulumi.getter def description(self) -> pulumi.Output[Optional[str]]: + """ + The description of the role + """ return pulumi.get(self, "description") @property @pulumi.getter def name(self) -> pulumi.Output[str]: + """ + The name of the role + """ return pulumi.get(self, "name") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The realm this role exists within. + """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/saml/_inputs.py b/sdk/python/pulumi_keycloak/saml/_inputs.py index a4df1f69..5d2af804 100644 --- a/sdk/python/pulumi_keycloak/saml/_inputs.py +++ b/sdk/python/pulumi_keycloak/saml/_inputs.py @@ -24,7 +24,13 @@ if not MYPY: class ClientAuthenticationFlowBindingOverridesArgsDict(TypedDict): browser_id: NotRequired[pulumi.Input[str]] + """ + Browser flow id, (flow needs to exist) + """ direct_grant_id: NotRequired[pulumi.Input[str]] + """ + Direct grant flow id (flow needs to exist) + """ elif False: ClientAuthenticationFlowBindingOverridesArgsDict: TypeAlias = Mapping[str, Any] 
@@ -33,6 +39,10 @@ class ClientAuthenticationFlowBindingOverridesArgs: def __init__(__self__, *, browser_id: Optional[pulumi.Input[str]] = None, direct_grant_id: Optional[pulumi.Input[str]] = None): + """ + :param pulumi.Input[str] browser_id: Browser flow id, (flow needs to exist) + :param pulumi.Input[str] direct_grant_id: Direct grant flow id (flow needs to exist) + """ if browser_id is not None: pulumi.set(__self__, "browser_id", browser_id) if direct_grant_id is not None: @@ -41,6 +51,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="browserId") def browser_id(self) -> Optional[pulumi.Input[str]]: + """ + Browser flow id, (flow needs to exist) + """ return pulumi.get(self, "browser_id") @browser_id.setter @@ -50,6 +63,9 @@ def browser_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="directGrantId") def direct_grant_id(self) -> Optional[pulumi.Input[str]]: + """ + Direct grant flow id (flow needs to exist) + """ return pulumi.get(self, "direct_grant_id") @direct_grant_id.setter diff --git a/sdk/python/pulumi_keycloak/saml/client.py b/sdk/python/pulumi_keycloak/saml/client.py index 9e2bd7b0..fa7b5a19 100644 --- a/sdk/python/pulumi_keycloak/saml/client.py +++ b/sdk/python/pulumi_keycloak/saml/client.py 
@@ -57,6 +57,39 @@ def __init__(__self__, *, valid_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None): """ The set of arguments for constructing a Client resource. + :param pulumi.Input[str] client_id: The unique ID of this client, referenced in the URI during authentication and in issued tokens. + :param pulumi.Input[str] realm_id: The realm this client is attached to. + :param pulumi.Input[str] assertion_consumer_post_url: SAML POST Binding URL for the client's assertion consumer service (login responses). + :param pulumi.Input[str] assertion_consumer_redirect_url: SAML Redirect Binding URL for the client's assertion consumer service (login responses). + :param pulumi.Input['ClientAuthenticationFlowBindingOverridesArgs'] authentication_flow_binding_overrides: Override realm authentication flow bindings + :param pulumi.Input[str] base_url: When specified, this URL will be used whenever Keycloak needs to link to this client. + :param pulumi.Input[str] canonicalization_method: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + :param pulumi.Input[bool] client_signature_required: When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + :param pulumi.Input[str] description: The description of this client in the GUI. + :param pulumi.Input[bool] enabled: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + :param pulumi.Input[bool] encrypt_assertions: When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + :param pulumi.Input[str] encryption_certificate: If assertions for the client are encrypted, this certificate will be used for encryption. 
+ :param pulumi.Input[bool] force_name_id_format: Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + :param pulumi.Input[bool] force_post_binding: When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + :param pulumi.Input[bool] front_channel_logout: When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + :param pulumi.Input[bool] full_scope_allowed: Allow to include all roles mappings in the access token + :param pulumi.Input[str] idp_initiated_sso_relay_state: Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + :param pulumi.Input[str] idp_initiated_sso_url_name: URL fragment name to reference client when you want to do IDP Initiated SSO. + :param pulumi.Input[bool] include_authn_statement: When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + :param pulumi.Input[str] login_theme: The login theme of this client. + :param pulumi.Input[str] logout_service_post_binding_url: SAML POST Binding URL for the client's single logout service. + :param pulumi.Input[str] logout_service_redirect_binding_url: SAML Redirect Binding URL for the client's single logout service. + :param pulumi.Input[str] master_saml_processing_url: When specified, this URL will be used for all SAML requests. + :param pulumi.Input[str] name: The display name of this client in the GUI. + :param pulumi.Input[str] name_id_format: Sets the Name ID format for the subject. + :param pulumi.Input[str] root_url: When specified, this value is prepended to all relative URLs. + :param pulumi.Input[bool] sign_assertions: When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. 
+ :param pulumi.Input[bool] sign_documents: When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + :param pulumi.Input[str] signature_algorithm: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + :param pulumi.Input[str] signature_key_name: The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + :param pulumi.Input[str] signing_certificate: If documents or assertions from the client are signed, this certificate will be used to verify the signature. + :param pulumi.Input[str] signing_private_key: If documents or assertions from the client are signed, this private key will be used to verify the signature. + :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_redirect_uris: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. """ pulumi.set(__self__, "client_id", client_id) pulumi.set(__self__, "realm_id", realm_id) @@ -128,6 +161,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Input[str]: + """ + The unique ID of this client, referenced in the URI during authentication and in issued tokens. + """ return pulumi.get(self, "client_id") @client_id.setter @@ -137,6 +173,9 @@ def client_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: + """ + The realm this client is attached to. + """ return pulumi.get(self, "realm_id") @realm_id.setter 
@@ -146,6 +185,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter(name="assertionConsumerPostUrl") def assertion_consumer_post_url(self) -> Optional[pulumi.Input[str]]: + """ + SAML POST Binding URL for the client's assertion consumer service (login responses). + """ return pulumi.get(self, "assertion_consumer_post_url") @assertion_consumer_post_url.setter @@ -155,6 +197,9 @@ def assertion_consumer_post_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="assertionConsumerRedirectUrl") def assertion_consumer_redirect_url(self) -> Optional[pulumi.Input[str]]: + """ + SAML Redirect Binding URL for the client's assertion consumer service (login responses). + """ return pulumi.get(self, "assertion_consumer_redirect_url") @assertion_consumer_redirect_url.setter @@ -164,6 +209,9 @@ def assertion_consumer_redirect_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="authenticationFlowBindingOverrides") def authentication_flow_binding_overrides(self) -> Optional[pulumi.Input['ClientAuthenticationFlowBindingOverridesArgs']]: + """ + Override realm authentication flow bindings + """ return pulumi.get(self, "authentication_flow_binding_overrides") @authentication_flow_binding_overrides.setter @@ -173,6 +221,9 @@ def authentication_flow_binding_overrides(self, value: Optional[pulumi.Input['Cl @property @pulumi.getter(name="baseUrl") def base_url(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this URL will be used whenever Keycloak needs to link to this client. + """ return pulumi.get(self, "base_url") @base_url.setter 
@@ -182,6 +233,9 @@ def base_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="canonicalizationMethod") def canonicalization_method(self) -> Optional[pulumi.Input[str]]: + """ + The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + """ return pulumi.get(self, "canonicalization_method") @canonicalization_method.setter @@ -191,6 +245,9 @@ def canonicalization_method(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientSignatureRequired") def client_signature_required(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + """ return pulumi.get(self, "client_signature_required") @client_signature_required.setter @@ -200,6 +257,9 @@ def client_signature_required(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter def description(self) -> Optional[pulumi.Input[str]]: + """ + The description of this client in the GUI. + """ return pulumi.get(self, "description") @description.setter @@ -209,6 +269,9 @@ def description(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + """ return pulumi.get(self, "enabled") @enabled.setter @@ -218,6 +281,9 @@ def enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="encryptAssertions") def encrypt_assertions(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + """ return pulumi.get(self, "encrypt_assertions") @encrypt_assertions.setter 
@@ -227,6 +293,9 @@ def encrypt_assertions(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="encryptionCertificate") def encryption_certificate(self) -> Optional[pulumi.Input[str]]: + """ + If assertions for the client are encrypted, this certificate will be used for encryption. + """ return pulumi.get(self, "encryption_certificate") @encryption_certificate.setter @@ -245,6 +314,9 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[st @property @pulumi.getter(name="forceNameIdFormat") def force_name_id_format(self) -> Optional[pulumi.Input[bool]]: + """ + Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + """ return pulumi.get(self, "force_name_id_format") @force_name_id_format.setter @@ -254,6 +326,9 @@ def force_name_id_format(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="forcePostBinding") def force_post_binding(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + """ return pulumi.get(self, "force_post_binding") @force_post_binding.setter @@ -263,6 +338,9 @@ def force_post_binding(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="frontChannelLogout") def front_channel_logout(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + """ return pulumi.get(self, "front_channel_logout") @front_channel_logout.setter @@ -272,6 +350,9 @@ def front_channel_logout(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="fullScopeAllowed") def full_scope_allowed(self) -> Optional[pulumi.Input[bool]]: + """ + Allow to include all roles mappings in the access token + """ return pulumi.get(self, "full_scope_allowed") @full_scope_allowed.setter 
@@ -281,6 +362,9 @@ def full_scope_allowed(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="idpInitiatedSsoRelayState") def idp_initiated_sso_relay_state(self) -> Optional[pulumi.Input[str]]: + """ + Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + """ return pulumi.get(self, "idp_initiated_sso_relay_state") @idp_initiated_sso_relay_state.setter @@ -290,6 +374,9 @@ def idp_initiated_sso_relay_state(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="idpInitiatedSsoUrlName") def idp_initiated_sso_url_name(self) -> Optional[pulumi.Input[str]]: + """ + URL fragment name to reference client when you want to do IDP Initiated SSO. + """ return pulumi.get(self, "idp_initiated_sso_url_name") @idp_initiated_sso_url_name.setter @@ -299,6 +386,9 @@ def idp_initiated_sso_url_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="includeAuthnStatement") def include_authn_statement(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + """ return pulumi.get(self, "include_authn_statement") @include_authn_statement.setter @@ -308,6 +398,9 @@ def include_authn_statement(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="loginTheme") def login_theme(self) -> Optional[pulumi.Input[str]]: + """ + The login theme of this client. + """ return pulumi.get(self, "login_theme") @login_theme.setter @@ -317,6 +410,9 @@ def login_theme(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="logoutServicePostBindingUrl") def logout_service_post_binding_url(self) -> Optional[pulumi.Input[str]]: + """ + SAML POST Binding URL for the client's single logout service. + """ return pulumi.get(self, "logout_service_post_binding_url") @logout_service_post_binding_url.setter 
@@ -326,6 +422,9 @@ def logout_service_post_binding_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="logoutServiceRedirectBindingUrl") def logout_service_redirect_binding_url(self) -> Optional[pulumi.Input[str]]: + """ + SAML Redirect Binding URL for the client's single logout service. + """ return pulumi.get(self, "logout_service_redirect_binding_url") @logout_service_redirect_binding_url.setter @@ -335,6 +434,9 @@ def logout_service_redirect_binding_url(self, value: Optional[pulumi.Input[str]] @property @pulumi.getter(name="masterSamlProcessingUrl") def master_saml_processing_url(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this URL will be used for all SAML requests. + """ return pulumi.get(self, "master_saml_processing_url") @master_saml_processing_url.setter @@ -344,6 +446,9 @@ def master_saml_processing_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of this client in the GUI. + """ return pulumi.get(self, "name") @name.setter @@ -353,6 +458,9 @@ def name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="nameIdFormat") def name_id_format(self) -> Optional[pulumi.Input[str]]: + """ + Sets the Name ID format for the subject. + """ return pulumi.get(self, "name_id_format") @name_id_format.setter @@ -362,6 +470,9 @@ def name_id_format(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="rootUrl") def root_url(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this value is prepended to all relative URLs. + """ return pulumi.get(self, "root_url") @root_url.setter 
@@ -371,6 +482,9 @@ def root_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signAssertions") def sign_assertions(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + """ return pulumi.get(self, "sign_assertions") @sign_assertions.setter @@ -380,6 +494,9 @@ def sign_assertions(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="signDocuments") def sign_documents(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + """ return pulumi.get(self, "sign_documents") @sign_documents.setter @@ -389,6 +506,9 @@ def sign_documents(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="signatureAlgorithm") def signature_algorithm(self) -> Optional[pulumi.Input[str]]: + """ + The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + """ return pulumi.get(self, "signature_algorithm") @signature_algorithm.setter @@ -398,6 +518,9 @@ def signature_algorithm(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signatureKeyName") def signature_key_name(self) -> Optional[pulumi.Input[str]]: + """ + The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + """ return pulumi.get(self, "signature_key_name") @signature_key_name.setter 
@@ -407,6 +530,9 @@ def signature_key_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signingCertificate") def signing_certificate(self) -> Optional[pulumi.Input[str]]: + """ + If documents or assertions from the client are signed, this certificate will be used to verify the signature. + """ return pulumi.get(self, "signing_certificate") @signing_certificate.setter @@ -416,6 +542,9 @@ def signing_certificate(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signingPrivateKey") def signing_private_key(self) -> Optional[pulumi.Input[str]]: + """ + If documents or assertions from the client are signed, this private key will be used to verify the signature. + """ return pulumi.get(self, "signing_private_key") @signing_private_key.setter @@ -425,6 +554,9 @@ def signing_private_key(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="validRedirectUris") def valid_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + """ return pulumi.get(self, "valid_redirect_uris") @valid_redirect_uris.setter 
@@ -474,6 +606,42 @@ def __init__(__self__, *, valid_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None): """ Input properties used for looking up and filtering Client resources. + :param pulumi.Input[str] assertion_consumer_post_url: SAML POST Binding URL for the client's assertion consumer service (login responses). + :param pulumi.Input[str] assertion_consumer_redirect_url: SAML Redirect Binding URL for the client's assertion consumer service (login responses). + :param pulumi.Input['ClientAuthenticationFlowBindingOverridesArgs'] authentication_flow_binding_overrides: Override realm authentication flow bindings + :param pulumi.Input[str] base_url: When specified, this URL will be used whenever Keycloak needs to link to this client. + :param pulumi.Input[str] canonicalization_method: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + :param pulumi.Input[str] client_id: The unique ID of this client, referenced in the URI during authentication and in issued tokens. + :param pulumi.Input[bool] client_signature_required: When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + :param pulumi.Input[str] description: The description of this client in the GUI. + :param pulumi.Input[bool] enabled: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + :param pulumi.Input[bool] encrypt_assertions: When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + :param pulumi.Input[str] encryption_certificate: If assertions for the client are encrypted, this certificate will be used for encryption. 
+ :param pulumi.Input[str] encryption_certificate_sha1: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + :param pulumi.Input[bool] force_name_id_format: Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + :param pulumi.Input[bool] force_post_binding: When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + :param pulumi.Input[bool] front_channel_logout: When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + :param pulumi.Input[bool] full_scope_allowed: Allow to include all roles mappings in the access token + :param pulumi.Input[str] idp_initiated_sso_relay_state: Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + :param pulumi.Input[str] idp_initiated_sso_url_name: URL fragment name to reference client when you want to do IDP Initiated SSO. + :param pulumi.Input[bool] include_authn_statement: When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + :param pulumi.Input[str] login_theme: The login theme of this client. + :param pulumi.Input[str] logout_service_post_binding_url: SAML POST Binding URL for the client's single logout service. + :param pulumi.Input[str] logout_service_redirect_binding_url: SAML Redirect Binding URL for the client's single logout service. + :param pulumi.Input[str] master_saml_processing_url: When specified, this URL will be used for all SAML requests. + :param pulumi.Input[str] name: The display name of this client in the GUI. + :param pulumi.Input[str] name_id_format: Sets the Name ID format for the subject. + :param pulumi.Input[str] realm_id: The realm this client is attached to. + :param pulumi.Input[str] root_url: When specified, this value is prepended to all relative URLs. 
+ :param pulumi.Input[bool] sign_assertions: When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + :param pulumi.Input[bool] sign_documents: When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + :param pulumi.Input[str] signature_algorithm: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + :param pulumi.Input[str] signature_key_name: The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + :param pulumi.Input[str] signing_certificate: If documents or assertions from the client are signed, this certificate will be used to verify the signature. + :param pulumi.Input[str] signing_certificate_sha1: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + :param pulumi.Input[str] signing_private_key: If documents or assertions from the client are signed, this private key will be used to verify the signature. + :param pulumi.Input[str] signing_private_key_sha1: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_redirect_uris: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. """ if assertion_consumer_post_url is not None: pulumi.set(__self__, "assertion_consumer_post_url", assertion_consumer_post_url) 
@@ -553,6 +721,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="assertionConsumerPostUrl") def assertion_consumer_post_url(self) -> Optional[pulumi.Input[str]]: + """ + SAML POST Binding URL for the client's assertion consumer service (login responses). + """ return pulumi.get(self, "assertion_consumer_post_url") @assertion_consumer_post_url.setter @@ -562,6 +733,9 @@ def assertion_consumer_post_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="assertionConsumerRedirectUrl") def assertion_consumer_redirect_url(self) -> Optional[pulumi.Input[str]]: + """ + SAML Redirect Binding URL for the client's assertion consumer service (login responses). + """ return pulumi.get(self, "assertion_consumer_redirect_url") @assertion_consumer_redirect_url.setter @@ -571,6 +745,9 @@ def assertion_consumer_redirect_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="authenticationFlowBindingOverrides") def authentication_flow_binding_overrides(self) -> Optional[pulumi.Input['ClientAuthenticationFlowBindingOverridesArgs']]: + """ + Override realm authentication flow bindings + """ return pulumi.get(self, "authentication_flow_binding_overrides") @authentication_flow_binding_overrides.setter @@ -580,6 +757,9 @@ def authentication_flow_binding_overrides(self, value: Optional[pulumi.Input['Cl @property @pulumi.getter(name="baseUrl") def base_url(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this URL will be used whenever Keycloak needs to link to this client. + """ return pulumi.get(self, "base_url") @base_url.setter 
@@ -589,6 +769,9 @@ def base_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="canonicalizationMethod") def canonicalization_method(self) -> Optional[pulumi.Input[str]]: + """ + The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + """ return pulumi.get(self, "canonicalization_method") @canonicalization_method.setter @@ -598,6 +781,9 @@ def canonicalization_method(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: + """ + The unique ID of this client, referenced in the URI during authentication and in issued tokens. + """ return pulumi.get(self, "client_id") @client_id.setter @@ -607,6 +793,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="clientSignatureRequired") def client_signature_required(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + """ return pulumi.get(self, "client_signature_required") @client_signature_required.setter @@ -616,6 +805,9 @@ def client_signature_required(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter def description(self) -> Optional[pulumi.Input[str]]: + """ + The description of this client in the GUI. + """ return pulumi.get(self, "description") @description.setter @@ -625,6 +817,9 @@ def description(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + """ return pulumi.get(self, "enabled") @enabled.setter 
@@ -634,6 +829,9 @@ def enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="encryptAssertions") def encrypt_assertions(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + """ return pulumi.get(self, "encrypt_assertions") @encrypt_assertions.setter @@ -643,6 +841,9 @@ def encrypt_assertions(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="encryptionCertificate") def encryption_certificate(self) -> Optional[pulumi.Input[str]]: + """ + If assertions for the client are encrypted, this certificate will be used for encryption. + """ return pulumi.get(self, "encryption_certificate") @encryption_certificate.setter @@ -652,6 +853,9 @@ def encryption_certificate(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="encryptionCertificateSha1") def encryption_certificate_sha1(self) -> Optional[pulumi.Input[str]]: + """ + (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + """ return pulumi.get(self, "encryption_certificate_sha1") @encryption_certificate_sha1.setter @@ -670,6 +874,9 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[st @property @pulumi.getter(name="forceNameIdFormat") def force_name_id_format(self) -> Optional[pulumi.Input[bool]]: + """ + Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`. + """ return pulumi.get(self, "force_name_id_format") @force_name_id_format.setter 
@@ -679,6 +886,9 @@ def force_name_id_format(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="forcePostBinding") def force_post_binding(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`. + """ return pulumi.get(self, "force_post_binding") @force_post_binding.setter @@ -688,6 +898,9 @@ def force_post_binding(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="frontChannelLogout") def front_channel_logout(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`. + """ return pulumi.get(self, "front_channel_logout") @front_channel_logout.setter @@ -697,6 +910,9 @@ def front_channel_logout(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="fullScopeAllowed") def full_scope_allowed(self) -> Optional[pulumi.Input[bool]]: + """ + Allow to include all roles mappings in the access token + """ return pulumi.get(self, "full_scope_allowed") @full_scope_allowed.setter @@ -706,6 +922,9 @@ def full_scope_allowed(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="idpInitiatedSsoRelayState") def idp_initiated_sso_relay_state(self) -> Optional[pulumi.Input[str]]: + """ + Relay state you want to send with SAML request when you want to do IDP Initiated SSO. + """ return pulumi.get(self, "idp_initiated_sso_relay_state") @idp_initiated_sso_relay_state.setter @@ -715,6 +934,9 @@ def idp_initiated_sso_relay_state(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="idpInitiatedSsoUrlName") def idp_initiated_sso_url_name(self) -> Optional[pulumi.Input[str]]: + """ + URL fragment name to reference client when you want to do IDP Initiated SSO. + """ return pulumi.get(self, "idp_initiated_sso_url_name") @idp_initiated_sso_url_name.setter 
@@ -724,6 +946,9 @@ def idp_initiated_sso_url_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="includeAuthnStatement") def include_authn_statement(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`. + """ return pulumi.get(self, "include_authn_statement") @include_authn_statement.setter @@ -733,6 +958,9 @@ def include_authn_statement(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="loginTheme") def login_theme(self) -> Optional[pulumi.Input[str]]: + """ + The login theme of this client. + """ return pulumi.get(self, "login_theme") @login_theme.setter @@ -742,6 +970,9 @@ def login_theme(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="logoutServicePostBindingUrl") def logout_service_post_binding_url(self) -> Optional[pulumi.Input[str]]: + """ + SAML POST Binding URL for the client's single logout service. + """ return pulumi.get(self, "logout_service_post_binding_url") @logout_service_post_binding_url.setter @@ -751,6 +982,9 @@ def logout_service_post_binding_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="logoutServiceRedirectBindingUrl") def logout_service_redirect_binding_url(self) -> Optional[pulumi.Input[str]]: + """ + SAML Redirect Binding URL for the client's single logout service. + """ return pulumi.get(self, "logout_service_redirect_binding_url") @logout_service_redirect_binding_url.setter @@ -760,6 +994,9 @@ def logout_service_redirect_binding_url(self, value: Optional[pulumi.Input[str]] @property @pulumi.getter(name="masterSamlProcessingUrl") def master_saml_processing_url(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this URL will be used for all SAML requests. + """ return pulumi.get(self, "master_saml_processing_url") @master_saml_processing_url.setter 
@@ -769,6 +1006,9 @@ def master_saml_processing_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of this client in the GUI. + """ return pulumi.get(self, "name") @name.setter @@ -778,6 +1018,9 @@ def name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="nameIdFormat") def name_id_format(self) -> Optional[pulumi.Input[str]]: + """ + Sets the Name ID format for the subject. + """ return pulumi.get(self, "name_id_format") @name_id_format.setter @@ -787,6 +1030,9 @@ def name_id_format(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: + """ + The realm this client is attached to. + """ return pulumi.get(self, "realm_id") @realm_id.setter @@ -796,6 +1042,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="rootUrl") def root_url(self) -> Optional[pulumi.Input[str]]: + """ + When specified, this value is prepended to all relative URLs. + """ return pulumi.get(self, "root_url") @root_url.setter @@ -805,6 +1054,9 @@ def root_url(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signAssertions") def sign_assertions(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`. + """ return pulumi.get(self, "sign_assertions") @sign_assertions.setter @@ -814,6 +1066,9 @@ def sign_assertions(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="signDocuments") def sign_documents(self) -> Optional[pulumi.Input[bool]]: + """ + When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`. + """ return pulumi.get(self, "sign_documents") @sign_documents.setter 
@@ -823,6 +1078,9 @@ def sign_documents(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="signatureAlgorithm") def signature_algorithm(self) -> Optional[pulumi.Input[str]]: + """ + The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". + """ return pulumi.get(self, "signature_algorithm") @signature_algorithm.setter @@ -832,6 +1090,9 @@ def signature_algorithm(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signatureKeyName") def signature_key_name(self) -> Optional[pulumi.Input[str]]: + """ + The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID". + """ return pulumi.get(self, "signature_key_name") @signature_key_name.setter @@ -841,6 +1102,9 @@ def signature_key_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signingCertificate") def signing_certificate(self) -> Optional[pulumi.Input[str]]: + """ + If documents or assertions from the client are signed, this certificate will be used to verify the signature. + """ return pulumi.get(self, "signing_certificate") @signing_certificate.setter @@ -850,6 +1114,9 @@ def signing_certificate(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signingCertificateSha1") def signing_certificate_sha1(self) -> Optional[pulumi.Input[str]]: + """ + (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty. + """ return pulumi.get(self, "signing_certificate_sha1") @signing_certificate_sha1.setter 
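Review bot: The docstring added for `signature_algorithm` (hunk -823) is missing the closing quote on `"RSA_SHA256_MGF1,`, and the same string is repeated in the `:param signature_algorithm` lines of the `ClientArgs.__init__`, `Client.__init__` and `Client.get` docstrings further down. Suggested wording: `Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".` It would also help operators to label "RSA_SHA1" and "DSA_SHA1" as legacy SHA-1 algorithms kept for interoperability with older service providers, so the SHA-256/SHA-512 variants read as the expected choice. Since this file appears to be generated, the correction presumably belongs in the documentation source the generator consumes rather than in this file.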
@@ -859,6 +1126,9 @@ def signing_certificate_sha1(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signingPrivateKey") def signing_private_key(self) -> Optional[pulumi.Input[str]]: + """ + If documents or assertions from the client are signed, this private key will be used to verify the signature. + """ return pulumi.get(self, "signing_private_key") @signing_private_key.setter @@ -868,6 +1138,9 @@ def signing_private_key(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="signingPrivateKeySha1") def signing_private_key_sha1(self) -> Optional[pulumi.Input[str]]: + """ + (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty. + """ return pulumi.get(self, "signing_private_key_sha1") @signing_private_key_sha1.setter @@ -877,6 +1150,9 @@ def signing_private_key_sha1(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="validRedirectUris") def valid_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. + """ return pulumi.get(self, "valid_redirect_uris") @valid_redirect_uris.setter 
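Review bot: The docstring added for `signing_private_key` (hunk -859) says the private key "will be used to verify the signature", which reads as a copy of the `signing_certificate` text; a private key does not verify signatures, so the field's actual role should be stated (presumably it is the private half of the key pair whose certificate is `signing_certificate` — confirm against the provider source). The same sentence is repeated in the `:param signing_private_key` lines of the `ClientArgs.__init__`, `Client.__init__` and `Client.get` docstrings. Nothing in this hunk indicates the value is handled as a secret, so the docstring should warn that the key material is recorded as a resource input: `Private key belonging to signing_certificate. Treat it as a secret; it is persisted with the resource state unless marked as such.` — verify how the generated resource flags secrets before adopting that wording.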
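Review bot: The `valid_redirect_uris` docstring (hunk -877) only describes the case where the list is set, but the unspecified case is the one a reviewer needs, because it decides whether Assertion Consumer URLs carried in an authentication request are checked against anything at all. If leaving the list empty means no list-based check is applied, the docstring should say so explicitly, e.g. `When not specified, Assertion Consumer URLs from the authentication request are not validated against this list.`; confirm the provider's actual behaviour for the empty case before adopting that sentence.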
@@ -925,23 +1201,60 @@ def __init__(__self__, valid_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, __props__=None): """ - ## # saml.Client - Allows for creating and managing Keycloak clients that use the SAML protocol. - Clients are entities that can use Keycloak for user authentication. Typically, - clients are applications that redirect users to Keycloak for authentication - in order to take advantage of Keycloak's user sessions for SSO. + Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users + to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO. - ### Import + ## Import Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak + assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Example: + bash + + ```sh + $ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] assertion_consumer_post_url: SAML POST Binding URL for the client's assertion consumer service (login responses). + :param pulumi.Input[str] assertion_consumer_redirect_url: SAML Redirect Binding URL for the client's assertion consumer service (login responses). + :param pulumi.Input[Union['ClientAuthenticationFlowBindingOverridesArgs', 'ClientAuthenticationFlowBindingOverridesArgsDict']] authentication_flow_binding_overrides: Override realm authentication flow bindings + :param pulumi.Input[str] base_url: When specified, this URL will be used whenever Keycloak needs to link to this client. + :param pulumi.Input[str] canonicalization_method: The Canonicalization Method for XML signatures. 
Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
+ :param pulumi.Input[str] client_id: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
+ :param pulumi.Input[bool] client_signature_required: When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`.
+ :param pulumi.Input[str] description: The description of this client in the GUI.
+ :param pulumi.Input[bool] enabled: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
+ :param pulumi.Input[bool] encrypt_assertions: When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`.
+ :param pulumi.Input[str] encryption_certificate: If assertions for the client are encrypted, this certificate will be used for encryption.
+ :param pulumi.Input[bool] force_name_id_format: Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`.
+ :param pulumi.Input[bool] force_post_binding: When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`.
+ :param pulumi.Input[bool] front_channel_logout: When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`.
+ :param pulumi.Input[bool] full_scope_allowed: Allow to include all roles mappings in the access token
+ :param pulumi.Input[str] idp_initiated_sso_relay_state: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
+ :param pulumi.Input[str] idp_initiated_sso_url_name: URL fragment name to reference client when you want to do IDP Initiated SSO.
+ :param pulumi.Input[bool] include_authn_statement: When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`.
+ :param pulumi.Input[str] login_theme: The login theme of this client.
+ :param pulumi.Input[str] logout_service_post_binding_url: SAML POST Binding URL for the client's single logout service.
+ :param pulumi.Input[str] logout_service_redirect_binding_url: SAML Redirect Binding URL for the client's single logout service.
+ :param pulumi.Input[str] master_saml_processing_url: When specified, this URL will be used for all SAML requests.
+ :param pulumi.Input[str] name: The display name of this client in the GUI.
+ :param pulumi.Input[str] name_id_format: Sets the Name ID format for the subject.
+ :param pulumi.Input[str] realm_id: The realm this client is attached to.
+ :param pulumi.Input[str] root_url: When specified, this value is prepended to all relative URLs.
+ :param pulumi.Input[bool] sign_assertions: When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`.
+ :param pulumi.Input[bool] sign_documents: When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`.
+ :param pulumi.Input[str] signature_algorithm: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
+ :param pulumi.Input[str] signature_key_name: The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
+ :param pulumi.Input[str] signing_certificate: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
+ :param pulumi.Input[str] signing_private_key: If documents or assertions from the client are signed, this private key will be used to verify the signature.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_redirect_uris: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. """ ... @overload @@ -950,21 +1263,25 @@ def __init__(__self__, args: ClientArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # saml.Client - Allows for creating and managing Keycloak clients that use the SAML protocol. - Clients are entities that can use Keycloak for user authentication. Typically, - clients are applications that redirect users to Keycloak for authentication - in order to take advantage of Keycloak's user sessions for SSO. + Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users + to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO. - ### Import + ## Import Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak + assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Example: + bash + + ```sh + $ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 + ``` + :param str resource_name: The name of the resource. :param ClientArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
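Review bot: In the rewritten `## Import` section of the `Client.__init__` overload (hunk -925), the added line `bash` stands alone between `Example:` and the ```sh fence and will render as a stray word in the generated docs; the identical lines are added in the second overload (hunk -950). Dropping that line, or folding it into the fence as its language tag, leaves `Example:` followed directly by the fenced `pulumi import` command. Both enclosing `__init__` definitions start outside their hunks, and since the file appears to be generated the fix presumably belongs in the documentation source the generator consumes.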
@@ -1118,6 +1435,42 @@ def get(resource_name: str,
 :param str resource_name: The unique name of the resulting resource.
 :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
 :param pulumi.ResourceOptions opts: Options for the resource.
+ :param pulumi.Input[str] assertion_consumer_post_url: SAML POST Binding URL for the client's assertion consumer service (login responses).
+ :param pulumi.Input[str] assertion_consumer_redirect_url: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
+ :param pulumi.Input[Union['ClientAuthenticationFlowBindingOverridesArgs', 'ClientAuthenticationFlowBindingOverridesArgsDict']] authentication_flow_binding_overrides: Override realm authentication flow bindings
+ :param pulumi.Input[str] base_url: When specified, this URL will be used whenever Keycloak needs to link to this client.
+ :param pulumi.Input[str] canonicalization_method: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
+ :param pulumi.Input[str] client_id: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
+ :param pulumi.Input[bool] client_signature_required: When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`.
+ :param pulumi.Input[str] description: The description of this client in the GUI.
+ :param pulumi.Input[bool] enabled: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
+ :param pulumi.Input[bool] encrypt_assertions: When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`.
+ :param pulumi.Input[str] encryption_certificate: If assertions for the client are encrypted, this certificate will be used for encryption.
+ :param pulumi.Input[str] encryption_certificate_sha1: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
+ :param pulumi.Input[bool] force_name_id_format: Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`.
+ :param pulumi.Input[bool] force_post_binding: When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`.
+ :param pulumi.Input[bool] front_channel_logout: When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`.
+ :param pulumi.Input[bool] full_scope_allowed: Allow to include all roles mappings in the access token
+ :param pulumi.Input[str] idp_initiated_sso_relay_state: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
+ :param pulumi.Input[str] idp_initiated_sso_url_name: URL fragment name to reference client when you want to do IDP Initiated SSO.
+ :param pulumi.Input[bool] include_authn_statement: When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`.
+ :param pulumi.Input[str] login_theme: The login theme of this client.
+ :param pulumi.Input[str] logout_service_post_binding_url: SAML POST Binding URL for the client's single logout service.
+ :param pulumi.Input[str] logout_service_redirect_binding_url: SAML Redirect Binding URL for the client's single logout service.
+ :param pulumi.Input[str] master_saml_processing_url: When specified, this URL will be used for all SAML requests.
+ :param pulumi.Input[str] name: The display name of this client in the GUI.
+ :param pulumi.Input[str] name_id_format: Sets the Name ID format for the subject.
+ :param pulumi.Input[str] realm_id: The realm this client is attached to.
+ :param pulumi.Input[str] root_url: When specified, this value is prepended to all relative URLs.
+ :param pulumi.Input[bool] sign_assertions: When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`.
+ :param pulumi.Input[bool] sign_documents: When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`.
+ :param pulumi.Input[str] signature_algorithm: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
+ :param pulumi.Input[str] signature_key_name: The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
+ :param pulumi.Input[str] signing_certificate: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
+ :param pulumi.Input[str] signing_certificate_sha1: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
+ :param pulumi.Input[str] signing_private_key: If documents or assertions from the client are signed, this private key will be used to verify the signature.
+ :param pulumi.Input[str] signing_private_key_sha1: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] valid_redirect_uris: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.
 """
 opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -1165,61 +1518,97 @@ def get(resource_name: str, @property @pulumi.getter(name="assertionConsumerPostUrl") def assertion_consumer_post_url(self) -> pulumi.Output[Optional[str]]: + """ + SAML POST Binding URL for the client's assertion consumer service (login responses). + """ return pulumi.get(self, "assertion_consumer_post_url") @property @pulumi.getter(name="assertionConsumerRedirectUrl") def assertion_consumer_redirect_url(self) -> pulumi.Output[Optional[str]]: + """ + SAML Redirect Binding URL for the client's assertion consumer service (login responses). + """ return pulumi.get(self, "assertion_consumer_redirect_url") @property @pulumi.getter(name="authenticationFlowBindingOverrides") def authentication_flow_binding_overrides(self) -> pulumi.Output[Optional['outputs.ClientAuthenticationFlowBindingOverrides']]: + """ + Override realm authentication flow bindings + """ return pulumi.get(self, "authentication_flow_binding_overrides") @property @pulumi.getter(name="baseUrl") def base_url(self) -> pulumi.Output[Optional[str]]: + """ + When specified, this URL will be used whenever Keycloak needs to link to this client. + """ return pulumi.get(self, "base_url") @property @pulumi.getter(name="canonicalizationMethod") def canonicalization_method(self) -> pulumi.Output[Optional[str]]: + """ + The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE". + """ return pulumi.get(self, "canonicalization_method") @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[str]: + """ + The unique ID of this client, referenced in the URI during authentication and in issued tokens. 
+ """ return pulumi.get(self, "client_id") @property @pulumi.getter(name="clientSignatureRequired") def client_signature_required(self) -> pulumi.Output[Optional[bool]]: + """ + When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. Defaults to `true`. + """ return pulumi.get(self, "client_signature_required") @property @pulumi.getter def description(self) -> pulumi.Output[Optional[str]]: + """ + The description of this client in the GUI. + """ return pulumi.get(self, "description") @property @pulumi.getter def enabled(self) -> pulumi.Output[Optional[bool]]: + """ + When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. + """ return pulumi.get(self, "enabled") @property @pulumi.getter(name="encryptAssertions") def encrypt_assertions(self) -> pulumi.Output[Optional[bool]]: + """ + When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to `false`. + """ return pulumi.get(self, "encrypt_assertions") @property @pulumi.getter(name="encryptionCertificate") def encryption_certificate(self) -> pulumi.Output[str]: + """ + If assertions for the client are encrypted, this certificate will be used for encryption. + """ return pulumi.get(self, "encryption_certificate") @property @pulumi.getter(name="encryptionCertificateSha1") def encryption_certificate_sha1(self) -> pulumi.Output[str]: + """ + (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty. + """ return pulumi.get(self, "encryption_certificate_sha1") @property 
@@ -1230,120 +1619,192 @@ def extra_config(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
 @property
 @pulumi.getter(name="forceNameIdFormat")
 def force_name_id_format(self) -> pulumi.Output[Optional[bool]]:
+ """
+ Ignore requested NameID subject format and use the one defined in `name_id_format` instead. Defaults to `false`.
+ """
 return pulumi.get(self, "force_name_id_format")
 @property
 @pulumi.getter(name="forcePostBinding")
 def force_post_binding(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to `true`.
+ """
 return pulumi.get(self, "force_post_binding")
 @property
 @pulumi.getter(name="frontChannelLogout")
 def front_channel_logout(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, this client will require a browser redirect in order to perform a logout. Defaults to `true`.
+ """
 return pulumi.get(self, "front_channel_logout")
 @property
 @pulumi.getter(name="fullScopeAllowed")
 def full_scope_allowed(self) -> pulumi.Output[Optional[bool]]:
+ """
+ Allow to include all roles mappings in the access token
+ """
 return pulumi.get(self, "full_scope_allowed")
 @property
 @pulumi.getter(name="idpInitiatedSsoRelayState")
 def idp_initiated_sso_relay_state(self) -> pulumi.Output[Optional[str]]:
+ """
+ Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
+ """
 return pulumi.get(self, "idp_initiated_sso_relay_state")
 @property
 @pulumi.getter(name="idpInitiatedSsoUrlName")
 def idp_initiated_sso_url_name(self) -> pulumi.Output[Optional[str]]:
+ """
+ URL fragment name to reference client when you want to do IDP Initiated SSO.
+ """
 return pulumi.get(self, "idp_initiated_sso_url_name")
 @property
 @pulumi.getter(name="includeAuthnStatement")
 def include_authn_statement(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, an `AuthnStatement` will be included in the SAML response. Defaults to `true`.
+ """
 return pulumi.get(self, "include_authn_statement")
 @property
 @pulumi.getter(name="loginTheme")
 def login_theme(self) -> pulumi.Output[Optional[str]]:
+ """
+ The login theme of this client.
+ """
 return pulumi.get(self, "login_theme")
 @property
 @pulumi.getter(name="logoutServicePostBindingUrl")
 def logout_service_post_binding_url(self) -> pulumi.Output[Optional[str]]:
+ """
+ SAML POST Binding URL for the client's single logout service.
+ """
 return pulumi.get(self, "logout_service_post_binding_url")
 @property
 @pulumi.getter(name="logoutServiceRedirectBindingUrl")
 def logout_service_redirect_binding_url(self) -> pulumi.Output[Optional[str]]:
+ """
+ SAML Redirect Binding URL for the client's single logout service.
+ """
 return pulumi.get(self, "logout_service_redirect_binding_url")
 @property
 @pulumi.getter(name="masterSamlProcessingUrl")
 def master_saml_processing_url(self) -> pulumi.Output[Optional[str]]:
+ """
+ When specified, this URL will be used for all SAML requests.
+ """
 return pulumi.get(self, "master_saml_processing_url")
 @property
 @pulumi.getter
 def name(self) -> pulumi.Output[str]:
+ """
+ The display name of this client in the GUI.
+ """
 return pulumi.get(self, "name")
 @property
 @pulumi.getter(name="nameIdFormat")
 def name_id_format(self) -> pulumi.Output[str]:
+ """
+ Sets the Name ID format for the subject.
+ """
 return pulumi.get(self, "name_id_format")
 @property
 @pulumi.getter(name="realmId")
 def realm_id(self) -> pulumi.Output[str]:
+ """
+ The realm this client is attached to.
+ """
 return pulumi.get(self, "realm_id")
 @property
 @pulumi.getter(name="rootUrl")
 def root_url(self) -> pulumi.Output[Optional[str]]:
+ """
+ When specified, this value is prepended to all relative URLs.
+ """
 return pulumi.get(self, "root_url")
 @property
 @pulumi.getter(name="signAssertions")
 def sign_assertions(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to `false`.
+ """
 return pulumi.get(self, "sign_assertions")
 @property
 @pulumi.getter(name="signDocuments")
 def sign_documents(self) -> pulumi.Output[Optional[bool]]:
+ """
+ When `true`, the SAML document will be signed by Keycloak using the realm's private key. Defaults to `true`.
+ """
 return pulumi.get(self, "sign_documents")
 @property
 @pulumi.getter(name="signatureAlgorithm")
 def signature_algorithm(self) -> pulumi.Output[Optional[str]]:
+ """
+ The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
+ """
 return pulumi.get(self, "signature_algorithm")
 @property
 @pulumi.getter(name="signatureKeyName")
 def signature_key_name(self) -> pulumi.Output[Optional[str]]:
+ """
+ The value of the `KeyName` element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
+ """
 return pulumi.get(self, "signature_key_name")
 @property
 @pulumi.getter(name="signingCertificate")
 def signing_certificate(self) -> pulumi.Output[str]:
+ """
+ If documents or assertions from the client are signed, this certificate will be used to verify the signature.
+ """
 return pulumi.get(self, "signing_certificate")
 @property
 @pulumi.getter(name="signingCertificateSha1")
 def signing_certificate_sha1(self) -> pulumi.Output[str]:
+ """
+ (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
+ """
 return pulumi.get(self, "signing_certificate_sha1")
 @property
 @pulumi.getter(name="signingPrivateKey")
 def signing_private_key(self) -> pulumi.Output[str]:
+ """
+ If documents or assertions from the client are signed, this private key will be used to verify the signature.
+ """
 return pulumi.get(self, "signing_private_key")
 @property
 @pulumi.getter(name="signingPrivateKeySha1")
 def signing_private_key_sha1(self) -> pulumi.Output[str]:
+ """
+ (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
+ """
 return pulumi.get(self, "signing_private_key_sha1")
 @property
 @pulumi.getter(name="validRedirectUris")
 def valid_redirect_uris(self) -> pulumi.Output[Optional[Sequence[str]]]:
+ """
+ When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.
+ """
 return pulumi.get(self, "valid_redirect_uris")
diff --git a/sdk/python/pulumi_keycloak/saml/identity_provider.py b/sdk/python/pulumi_keycloak/saml/identity_provider.py
index d8ca02a9..810d6eaa 100644
--- a/sdk/python/pulumi_keycloak/saml/identity_provider.py
+++ b/sdk/python/pulumi_keycloak/saml/identity_provider.py
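Review bot: The docstring added for `signing_private_key` says the private key "will be used to verify the signature", which is backwards — a signature is verified with the public key, and the `signing_certificate` docstring just above already assigns that role to the certificate. Suggested replacement for that one text line: `If documents or assertions from the client are signed, this is the private key paired with `signing_certificate`; treat it as a secret.` Earlier in the same hunk, the `signature_algorithm` docstring is missing a closing quote after `RSA_SHA256_MGF1`, so the list should read `"RSA_SHA256_MGF1", "RSA_SHA512"`. These strings appear to be copied from the provider schema, so the correction presumably belongs upstream of the generated SDK as well. The enclosing class starts outside the hunk.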
@@ -58,47 +58,42 @@ def __init__(__self__, *,
 xml_sign_key_info_key_name_transformer: Optional[pulumi.Input[str]] = None):
 """
 The set of arguments for constructing a IdentityProvider resource.
- :param pulumi.Input[str] alias: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+ :param pulumi.Input[str] alias: The unique name of identity provider.
 :param pulumi.Input[str] entity_id: The Entity ID that will be used to uniquely identify this SAML Service Provider.
- :param pulumi.Input[str] realm: Realm Name
- :param pulumi.Input[str] single_sign_on_service_url: SSO Logout URL.
- :param pulumi.Input[bool] add_read_token_role_on_create: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- :param pulumi.Input[bool] authenticate_by_default: Enable/disable authenticate users by default.
- :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_class_refs: AuthnContext ClassRefs
- :param pulumi.Input[str] authn_context_comparison_type: AuthnContext Comparison
- :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_decl_refs: AuthnContext DeclRefs
- :param pulumi.Input[bool] backchannel_supported: Does the external IDP support backchannel logout?
- :param pulumi.Input[str] display_name: Friendly name for Identity Providers.
- :param pulumi.Input[bool] enabled: Enable/disable this identity provider.
- :param pulumi.Input[str] first_broker_login_flow_alias: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
- that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- :param pulumi.Input[bool] force_authn: Require Force Authn.
- :param pulumi.Input[str] gui_order: GUI Order
- :param pulumi.Input[bool] hide_on_login_page: Hide On Login Page.
- :param pulumi.Input[bool] link_only: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
- want to allow login from the provider, but want to integrate with a provider
+ :param pulumi.Input[str] realm: The name of the realm. This is unique across Keycloak.
+ :param pulumi.Input[str] single_sign_on_service_url: The Url that must be used to send authentication requests (SAML AuthnRequest).
+ :param pulumi.Input[bool] add_read_token_role_on_create: When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
+ :param pulumi.Input[bool] authenticate_by_default: Authenticate users by default. Defaults to `false`.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_class_refs: Ordered list of requested AuthnContext ClassRefs.
+ :param pulumi.Input[str] authn_context_comparison_type: Specifies the comparison method used to evaluate the requested context classes or statements.
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_decl_refs: Ordered list of requested AuthnContext DeclRefs.
+ :param pulumi.Input[bool] backchannel_supported: Does the external IDP support backchannel logout?. Defaults to `false`.
+ :param pulumi.Input[str] display_name: The display name for the realm that is shown when logging in to the admin console.
+ :param pulumi.Input[bool] enabled: When `false`, users and clients will not be able to access this realm. Defaults to `true`.
+ :param pulumi.Input[str] first_broker_login_flow_alias: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.
+ :param pulumi.Input[bool] force_authn: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
+ :param pulumi.Input[str] gui_order: A number defining the order of this identity provider in the GUI.
+ :param pulumi.Input[bool] hide_on_login_page: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
+ :param pulumi.Input[bool] link_only: When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
 :param pulumi.Input[str] login_hint: Login Hint.
- :param pulumi.Input[str] name_id_policy_format: Name ID Policy Format.
- :param pulumi.Input[bool] post_binding_authn_request: Post Binding Authn Request.
- :param pulumi.Input[bool] post_binding_logout: Post Binding Logout.
- :param pulumi.Input[bool] post_binding_response: Post Binding Response.
- :param pulumi.Input[str] post_broker_login_flow_alias: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
- additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
- you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
- authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- :param pulumi.Input[str] principal_attribute: Principal Attribute
- :param pulumi.Input[str] principal_type: Principal Type
- :param pulumi.Input[str] provider_id: provider id, is always saml, unless you have a custom implementation
- :param pulumi.Input[str] signature_algorithm: Signing Algorithm.
+ :param pulumi.Input[str] name_id_policy_format: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
+ :param pulumi.Input[bool] post_binding_authn_request: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
+ :param pulumi.Input[bool] post_binding_logout: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
+ :param pulumi.Input[bool] post_binding_response: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
+ :param pulumi.Input[str] post_broker_login_flow_alias: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
+ :param pulumi.Input[str] principal_attribute: The principal attribute.
+ :param pulumi.Input[str] principal_type: The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`.
+ :param pulumi.Input[str] provider_id: The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation.
+ :param pulumi.Input[str] signature_algorithm: Signing Algorithm. Defaults to empty.
 :param pulumi.Input[str] signing_certificate: Signing Certificate.
- :param pulumi.Input[str] single_logout_service_url: Logout URL.
- :param pulumi.Input[bool] store_token: Enable/disable if tokens must be stored after authenticating users.
- :param pulumi.Input[str] sync_mode: Sync Mode
- :param pulumi.Input[bool] trust_email: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
+ :param pulumi.Input[str] single_logout_service_url: The Url that must be used to send logout requests.
+ :param pulumi.Input[bool] store_token: When `true`, tokens will be stored after authenticating users. Defaults to `true`.
+ :param pulumi.Input[str] sync_mode: The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
+ :param pulumi.Input[bool] trust_email: When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
 :param pulumi.Input[bool] validate_signature: Enable/disable signature validation of SAML responses.
- :param pulumi.Input[bool] want_assertions_encrypted: Want Assertions Encrypted.
- :param pulumi.Input[bool] want_assertions_signed: Want Assertions Signed.
- :param pulumi.Input[str] xml_sign_key_info_key_name_transformer: Sign Key Transformer.
+ :param pulumi.Input[bool] want_assertions_encrypted: Indicates whether this service provider expects an encrypted Assertion.
+ :param pulumi.Input[bool] want_assertions_signed: Indicates whether this service provider expects a signed Assertion.
+ :param pulumi.Input[str] xml_sign_key_info_key_name_transformer: The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.
 """
 pulumi.set(__self__, "alias", alias)
 pulumi.set(__self__, "entity_id", entity_id)
@@ -175,7 +170,7 @@ def __init__(__self__, *,
 @pulumi.getter
 def alias(self) -> pulumi.Input[str]:
 """
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+ The unique name of identity provider.
 """
 return pulumi.get(self, "alias")
@@ -199,7 +194,7 @@ def entity_id(self, value: pulumi.Input[str]):
 @pulumi.getter
 def realm(self) -> pulumi.Input[str]:
 """
- Realm Name
+ The name of the realm. This is unique across Keycloak.
 """
 return pulumi.get(self, "realm")
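Review bot: The new `display_name` and `enabled` descriptions in this hunk document realm settings rather than the identity provider: `display_name` now reads "The display name for the realm that is shown when logging in to the admin console" and `enabled` reads "When `false`, users and clients will not be able to access this realm", replacing the previously accurate "Friendly name for Identity Providers." and "Enable/disable this identity provider.". For a broker the `enabled` flag governs whether logins through this external IdP are accepted at all, so a reader who takes the realm wording at face value can mis-scope the setting; suggested text is "When `false`, this identity provider is disabled and cannot be used to log in. Defaults to `true`." and "Friendly display name of this identity provider." The same two strings recur in the property getters at `@@ -295,7 +290,7 @@` and `@@ -307,7 +302,7 @@` and in the state-args `__init__` at `@@ -661,48 +651,43 @@`. Separately, the `post_binding_response` line repeats the `post_binding_logout` text verbatim and ends with a doubled period (`used..`), which recurs at `@@ -438,7 +431,7 @@`. The `__init__` whose docstring this is starts outside the hunk.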
@@ -211,7 +206,7 @@ def realm(self, value: pulumi.Input[str]):
 @pulumi.getter(name="singleSignOnServiceUrl")
 def single_sign_on_service_url(self) -> pulumi.Input[str]:
 """
- SSO Logout URL.
+ The Url that must be used to send authentication requests (SAML AuthnRequest).
 """
 return pulumi.get(self, "single_sign_on_service_url")
@@ -223,7 +218,7 @@ def single_sign_on_service_url(self, value: pulumi.Input[str]):
 @pulumi.getter(name="addReadTokenRoleOnCreate")
 def add_read_token_role_on_create(self) -> Optional[pulumi.Input[bool]]:
 """
- Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
+ When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
 """
 return pulumi.get(self, "add_read_token_role_on_create")
@@ -235,7 +230,7 @@ def add_read_token_role_on_create(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="authenticateByDefault")
 def authenticate_by_default(self) -> Optional[pulumi.Input[bool]]:
 """
- Enable/disable authenticate users by default.
+ Authenticate users by default. Defaults to `false`.
 """
 return pulumi.get(self, "authenticate_by_default")
@@ -247,7 +242,7 @@ def authenticate_by_default(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="authnContextClassRefs")
 def authn_context_class_refs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
 """
- AuthnContext ClassRefs
+ Ordered list of requested AuthnContext ClassRefs.
 """
 return pulumi.get(self, "authn_context_class_refs")
@@ -259,7 +254,7 @@ def authn_context_class_refs(self, value: Optional[pulumi.Input[Sequence[pulumi.
 @pulumi.getter(name="authnContextComparisonType")
 def authn_context_comparison_type(self) -> Optional[pulumi.Input[str]]:
 """
- AuthnContext Comparison
+ Specifies the comparison method used to evaluate the requested context classes or statements.
 """
 return pulumi.get(self, "authn_context_comparison_type")
@@ -271,7 +266,7 @@ def authn_context_comparison_type(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="authnContextDeclRefs")
 def authn_context_decl_refs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
 """
- AuthnContext DeclRefs
+ Ordered list of requested AuthnContext DeclRefs.
 """
 return pulumi.get(self, "authn_context_decl_refs")
@@ -283,7 +278,7 @@ def authn_context_decl_refs(self, value: Optional[pulumi.Input[Sequence[pulumi.I
 @pulumi.getter(name="backchannelSupported")
 def backchannel_supported(self) -> Optional[pulumi.Input[bool]]:
 """
- Does the external IDP support backchannel logout?
+ Does the external IDP support backchannel logout?. Defaults to `false`.
 """
 return pulumi.get(self, "backchannel_supported")
@@ -295,7 +290,7 @@ def backchannel_supported(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="displayName")
 def display_name(self) -> Optional[pulumi.Input[str]]:
 """
- Friendly name for Identity Providers.
+ The display name for the realm that is shown when logging in to the admin console.
 """
 return pulumi.get(self, "display_name")
@@ -307,7 +302,7 @@ def display_name(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter
 def enabled(self) -> Optional[pulumi.Input[bool]]:
 """
- Enable/disable this identity provider.
+ When `false`, users and clients will not be able to access this realm. Defaults to `true`.
 """
 return pulumi.get(self, "enabled")
@@ -328,8 +323,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[st
 @pulumi.getter(name="firstBrokerLoginFlowAlias")
 def first_broker_login_flow_alias(self) -> Optional[pulumi.Input[str]]:
 """
- Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
- that there is not yet existing Keycloak account linked with the authenticated identity provider account.
+ Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.
 """
 return pulumi.get(self, "first_broker_login_flow_alias")
@@ -341,7 +335,7 @@ def first_broker_login_flow_alias(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="forceAuthn")
 def force_authn(self) -> Optional[pulumi.Input[bool]]:
 """
- Require Force Authn.
+ Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
 """
 return pulumi.get(self, "force_authn")
@@ -353,7 +347,7 @@ def force_authn(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="guiOrder")
 def gui_order(self) -> Optional[pulumi.Input[str]]:
 """
- GUI Order
+ A number defining the order of this identity provider in the GUI.
 """
 return pulumi.get(self, "gui_order")
@@ -365,7 +359,7 @@ def gui_order(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="hideOnLoginPage")
 def hide_on_login_page(self) -> Optional[pulumi.Input[bool]]:
 """
- Hide On Login Page.
+ If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
 """
 return pulumi.get(self, "hide_on_login_page")
@@ -377,8 +371,7 @@ def hide_on_login_page(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="linkOnly")
 def link_only(self) -> Optional[pulumi.Input[bool]]:
 """
- If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
- want to allow login from the provider, but want to integrate with a provider
+ When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
 """
 return pulumi.get(self, "link_only")
@@ -402,7 +395,7 @@ def login_hint(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="nameIdPolicyFormat")
 def name_id_policy_format(self) -> Optional[pulumi.Input[str]]:
 """
- Name ID Policy Format.
+ Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
 """
 return pulumi.get(self, "name_id_policy_format")
@@ -414,7 +407,7 @@ def name_id_policy_format(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="postBindingAuthnRequest")
 def post_binding_authn_request(self) -> Optional[pulumi.Input[bool]]:
 """
- Post Binding Authn Request.
+ Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
 """
 return pulumi.get(self, "post_binding_authn_request")
@@ -426,7 +419,7 @@ def post_binding_authn_request(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="postBindingLogout")
 def post_binding_logout(self) -> Optional[pulumi.Input[bool]]:
 """
- Post Binding Logout.
+ Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
 """
 return pulumi.get(self, "post_binding_logout")
@@ -438,7 +431,7 @@ def post_binding_logout(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="postBindingResponse")
 def post_binding_response(self) -> Optional[pulumi.Input[bool]]:
 """
- Post Binding Response.
+ Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
 """
 return pulumi.get(self, "post_binding_response")
@@ -450,10 +443,7 @@ def post_binding_response(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="postBrokerLoginFlowAlias")
 def post_broker_login_flow_alias(self) -> Optional[pulumi.Input[str]]:
 """
- Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
- additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
- you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
- authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
+ Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
 """
 return pulumi.get(self, "post_broker_login_flow_alias")
@@ -465,7 +455,7 @@ def post_broker_login_flow_alias(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="principalAttribute")
 def principal_attribute(self) -> Optional[pulumi.Input[str]]:
 """
- Principal Attribute
+ The principal attribute.
 """
 return pulumi.get(self, "principal_attribute")
@@ -477,7 +467,7 @@ def principal_attribute(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="principalType")
 def principal_type(self) -> Optional[pulumi.Input[str]]:
 """
- Principal Type
+ The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`.
 """
 return pulumi.get(self, "principal_type")
@@ -489,7 +479,7 @@ def principal_type(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="providerId")
 def provider_id(self) -> Optional[pulumi.Input[str]]:
 """
- provider id, is always saml, unless you have a custom implementation
+ The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation.
 """
 return pulumi.get(self, "provider_id")
@@ -501,7 +491,7 @@ def provider_id(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="signatureAlgorithm")
 def signature_algorithm(self) -> Optional[pulumi.Input[str]]:
 """
- Signing Algorithm.
+ Signing Algorithm. Defaults to empty.
 """
 return pulumi.get(self, "signature_algorithm")
@@ -525,7 +515,7 @@ def signing_certificate(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="singleLogoutServiceUrl")
 def single_logout_service_url(self) -> Optional[pulumi.Input[str]]:
 """
- Logout URL.
+ The Url that must be used to send logout requests.
 """
 return pulumi.get(self, "single_logout_service_url")
@@ -537,7 +527,7 @@ def single_logout_service_url(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="storeToken")
 def store_token(self) -> Optional[pulumi.Input[bool]]:
 """
- Enable/disable if tokens must be stored after authenticating users.
+ When `true`, tokens will be stored after authenticating users. Defaults to `true`.
 """
 return pulumi.get(self, "store_token")
@@ -549,7 +539,7 @@ def store_token(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="syncMode")
 def sync_mode(self) -> Optional[pulumi.Input[str]]:
 """
- Sync Mode
+ The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
 """
 return pulumi.get(self, "sync_mode")
@@ -561,7 +551,7 @@ def sync_mode(self, value: Optional[pulumi.Input[str]]):
 @pulumi.getter(name="trustEmail")
 def trust_email(self) -> Optional[pulumi.Input[bool]]:
 """
- If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
+ When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
 """
 return pulumi.get(self, "trust_email")
@@ -585,7 +575,7 @@ def validate_signature(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="wantAssertionsEncrypted")
 def want_assertions_encrypted(self) -> Optional[pulumi.Input[bool]]:
 """
- Want Assertions Encrypted.
+ Indicates whether this service provider expects an encrypted Assertion.
 """
 return pulumi.get(self, "want_assertions_encrypted")
@@ -597,7 +587,7 @@ def want_assertions_encrypted(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="wantAssertionsSigned")
 def want_assertions_signed(self) -> Optional[pulumi.Input[bool]]:
 """
- Want Assertions Signed.
+ Indicates whether this service provider expects a signed Assertion.
 """
 return pulumi.get(self, "want_assertions_signed")
@@ -609,7 +599,7 @@ def want_assertions_signed(self, value: Optional[pulumi.Input[bool]]):
 @pulumi.getter(name="xmlSignKeyInfoKeyNameTransformer")
 def xml_sign_key_info_key_name_transformer(self) -> Optional[pulumi.Input[str]]:
 """
- Sign Key Transformer.
+ The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.
 """
 return pulumi.get(self, "xml_sign_key_info_key_name_transformer")
@@ -661,48 +651,43 @@ def __init__(__self__, *, xml_sign_key_info_key_name_transformer: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering IdentityProvider resources. - :param pulumi.Input[bool] add_read_token_role_on_create: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. - :param pulumi.Input[str] alias: The alias uniquely identifies an identity provider and it is also used to build the redirect uri. - :param pulumi.Input[bool] authenticate_by_default: Enable/disable authenticate users by default. - :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_class_refs: AuthnContext ClassRefs - :param pulumi.Input[str] authn_context_comparison_type: AuthnContext Comparison - :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_decl_refs: AuthnContext DeclRefs - :param pulumi.Input[bool] backchannel_supported: Does the external IDP support backchannel logout? - :param pulumi.Input[str] display_name: Friendly name for Identity Providers. - :param pulumi.Input[bool] enabled: Enable/disable this identity provider. + :param pulumi.Input[bool] add_read_token_role_on_create: When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. + :param pulumi.Input[str] alias: The unique name of identity provider. + :param pulumi.Input[bool] authenticate_by_default: Authenticate users by default. Defaults to `false`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_class_refs: Ordered list of requested AuthnContext ClassRefs. + :param pulumi.Input[str] authn_context_comparison_type: Specifies the comparison method used to evaluate the requested context classes or statements. + :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_decl_refs: Ordered list of requested AuthnContext DeclRefs. 
+ :param pulumi.Input[bool] backchannel_supported: Does the external IDP support backchannel logout?. Defaults to `false`. + :param pulumi.Input[str] display_name: The display name for the realm that is shown when logging in to the admin console. + :param pulumi.Input[bool] enabled: When `false`, users and clients will not be able to access this realm. Defaults to `true`. :param pulumi.Input[str] entity_id: The Entity ID that will be used to uniquely identify this SAML Service Provider. - :param pulumi.Input[str] first_broker_login_flow_alias: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - that there is not yet existing Keycloak account linked with the authenticated identity provider account. - :param pulumi.Input[bool] force_authn: Require Force Authn. - :param pulumi.Input[str] gui_order: GUI Order - :param pulumi.Input[bool] hide_on_login_page: Hide On Login Page. + :param pulumi.Input[str] first_broker_login_flow_alias: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. + :param pulumi.Input[bool] force_authn: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. + :param pulumi.Input[str] gui_order: A number defining the order of this identity provider in the GUI. + :param pulumi.Input[bool] hide_on_login_page: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. :param pulumi.Input[str] internal_id: Internal Identity Provider Id - :param pulumi.Input[bool] link_only: If true, users cannot log in through this provider. They can only link to this provider. 
This is useful if you don't - want to allow login from the provider, but want to integrate with a provider + :param pulumi.Input[bool] link_only: When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. :param pulumi.Input[str] login_hint: Login Hint. - :param pulumi.Input[str] name_id_policy_format: Name ID Policy Format. - :param pulumi.Input[bool] post_binding_authn_request: Post Binding Authn Request. - :param pulumi.Input[bool] post_binding_logout: Post Binding Logout. - :param pulumi.Input[bool] post_binding_response: Post Binding Response. - :param pulumi.Input[str] post_broker_login_flow_alias: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. - :param pulumi.Input[str] principal_attribute: Principal Attribute - :param pulumi.Input[str] principal_type: Principal Type - :param pulumi.Input[str] provider_id: provider id, is always saml, unless you have a custom implementation - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] signature_algorithm: Signing Algorithm. + :param pulumi.Input[str] name_id_policy_format: Specifies the URI reference corresponding to a name identifier format. Defaults to empty. + :param pulumi.Input[bool] post_binding_authn_request: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. + :param pulumi.Input[bool] post_binding_logout: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. 
+ :param pulumi.Input[bool] post_binding_response: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. + :param pulumi.Input[str] post_broker_login_flow_alias: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. + :param pulumi.Input[str] principal_attribute: The principal attribute. + :param pulumi.Input[str] principal_type: The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. + :param pulumi.Input[str] provider_id: The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. + :param pulumi.Input[str] realm: The name of the realm. This is unique across Keycloak. + :param pulumi.Input[str] signature_algorithm: Signing Algorithm. Defaults to empty. :param pulumi.Input[str] signing_certificate: Signing Certificate. - :param pulumi.Input[str] single_logout_service_url: Logout URL. - :param pulumi.Input[str] single_sign_on_service_url: SSO Logout URL. - :param pulumi.Input[bool] store_token: Enable/disable if tokens must be stored after authenticating users. - :param pulumi.Input[str] sync_mode: Sync Mode - :param pulumi.Input[bool] trust_email: If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + :param pulumi.Input[str] single_logout_service_url: The Url that must be used to send logout requests. 
+ :param pulumi.Input[str] single_sign_on_service_url: The Url that must be used to send authentication requests (SAML AuthnRequest). + :param pulumi.Input[bool] store_token: When `true`, tokens will be stored after authenticating users. Defaults to `true`. + :param pulumi.Input[str] sync_mode: The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. + :param pulumi.Input[bool] trust_email: When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. :param pulumi.Input[bool] validate_signature: Enable/disable signature validation of SAML responses. - :param pulumi.Input[bool] want_assertions_encrypted: Want Assertions Encrypted. - :param pulumi.Input[bool] want_assertions_signed: Want Assertions Signed. - :param pulumi.Input[str] xml_sign_key_info_key_name_transformer: Sign Key Transformer. + :param pulumi.Input[bool] want_assertions_encrypted: Indicates whether this service provider expects an encrypted Assertion. + :param pulumi.Input[bool] want_assertions_signed: Indicates whether this service provider expects a signed Assertion. + :param pulumi.Input[str] xml_sign_key_info_key_name_transformer: The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. """ if add_read_token_role_on_create is not None: pulumi.set(__self__, "add_read_token_role_on_create", add_read_token_role_on_create) @@ -785,7 +770,7 @@ def __init__(__self__, *, @pulumi.getter(name="addReadTokenRoleOnCreate") def add_read_token_role_on_create(self) -> Optional[pulumi.Input[bool]]: """ - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. """ return pulumi.get(self, "add_read_token_role_on_create") 
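Review bot: The new `display_name` and `enabled` descriptions in this `__init__` docstring describe the realm, not the identity provider (`The display name for the realm that is shown when logging in to the admin console.` and `When \`false\`, users and clients will not be able to access this realm.`), so anyone checking whether an IdP is switched off is told the wrong thing. The removed lines had the subject right; something like `:param pulumi.Input[str] display_name: The display name of this identity provider.` and `:param pulumi.Input[bool] enabled: When \`false\`, this identity provider is disabled. Defaults to \`true\`.` keeps the new wording style without the mix-up. The same two sentences recur in the `display_name` and `enabled` getters in the `@@ -869` and `@@ -881` hunks and in the resource `__init__` docstring in the `@@ -1310` hunk. Smaller copy-paste leftovers in the same docstring: `backchannel_supported` ends with `logout?.`, `post_binding_response` ends with `used..`, and `post_binding_logout` repeats the response-binding sentence instead of describing the logout binding. This appears to be a generated Pulumi SDK file, so these presumably need fixing in the upstream provider schema/docs rather than by hand here.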
@@ -797,7 +782,7 @@ def add_read_token_role_on_create(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter def alias(self) -> Optional[pulumi.Input[str]]: """ - The alias uniquely identifies an identity provider and it is also used to build the redirect uri. + The unique name of identity provider. """ return pulumi.get(self, "alias") @@ -809,7 +794,7 @@ def alias(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="authenticateByDefault") def authenticate_by_default(self) -> Optional[pulumi.Input[bool]]: """ - Enable/disable authenticate users by default. + Authenticate users by default. Defaults to `false`. """ return pulumi.get(self, "authenticate_by_default") @@ -821,7 +806,7 @@ def authenticate_by_default(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="authnContextClassRefs") def authn_context_class_refs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: """ - AuthnContext ClassRefs + Ordered list of requested AuthnContext ClassRefs. """ return pulumi.get(self, "authn_context_class_refs") @@ -833,7 +818,7 @@ def authn_context_class_refs(self, value: Optional[pulumi.Input[Sequence[pulumi. @pulumi.getter(name="authnContextComparisonType") def authn_context_comparison_type(self) -> Optional[pulumi.Input[str]]: """ - AuthnContext Comparison + Specifies the comparison method used to evaluate the requested context classes or statements. """ return pulumi.get(self, "authn_context_comparison_type") @@ -845,7 +830,7 @@ def authn_context_comparison_type(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="authnContextDeclRefs") def authn_context_decl_refs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: """ - AuthnContext DeclRefs + Ordered list of requested AuthnContext DeclRefs. """ return pulumi.get(self, "authn_context_decl_refs") 
@@ -857,7 +842,7 @@ def authn_context_decl_refs(self, value: Optional[pulumi.Input[Sequence[pulumi.I @pulumi.getter(name="backchannelSupported") def backchannel_supported(self) -> Optional[pulumi.Input[bool]]: """ - Does the external IDP support backchannel logout? + Does the external IDP support backchannel logout?. Defaults to `false`. """ return pulumi.get(self, "backchannel_supported") @@ -869,7 +854,7 @@ def backchannel_supported(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="displayName") def display_name(self) -> Optional[pulumi.Input[str]]: """ - Friendly name for Identity Providers. + The display name for the realm that is shown when logging in to the admin console. """ return pulumi.get(self, "display_name") @@ -881,7 +866,7 @@ def display_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: """ - Enable/disable this identity provider. + When `false`, users and clients will not be able to access this realm. Defaults to `true`. """ return pulumi.get(self, "enabled") @@ -914,8 +899,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[st @pulumi.getter(name="firstBrokerLoginFlowAlias") def first_broker_login_flow_alias(self) -> Optional[pulumi.Input[str]]: """ - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - that there is not yet existing Keycloak account linked with the authenticated identity provider account. + Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. """ return pulumi.get(self, "first_broker_login_flow_alias") 
@@ -927,7 +911,7 @@ def first_broker_login_flow_alias(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="forceAuthn") def force_authn(self) -> Optional[pulumi.Input[bool]]: """ - Require Force Authn. + Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. """ return pulumi.get(self, "force_authn") @@ -939,7 +923,7 @@ def force_authn(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="guiOrder") def gui_order(self) -> Optional[pulumi.Input[str]]: """ - GUI Order + A number defining the order of this identity provider in the GUI. """ return pulumi.get(self, "gui_order") @@ -951,7 +935,7 @@ def gui_order(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="hideOnLoginPage") def hide_on_login_page(self) -> Optional[pulumi.Input[bool]]: """ - Hide On Login Page. + If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. """ return pulumi.get(self, "hide_on_login_page") @@ -975,8 +959,7 @@ def internal_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="linkOnly") def link_only(self) -> Optional[pulumi.Input[bool]]: """ - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - want to allow login from the provider, but want to integrate with a provider + When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. """ return pulumi.get(self, "link_only") @@ -1000,7 +983,7 @@ def login_hint(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="nameIdPolicyFormat") def name_id_policy_format(self) -> Optional[pulumi.Input[str]]: """ - Name ID Policy Format. + Specifies the URI reference corresponding to a name identifier format. Defaults to empty. """ return pulumi.get(self, "name_id_policy_format") 
@@ -1012,7 +995,7 @@ def name_id_policy_format(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="postBindingAuthnRequest") def post_binding_authn_request(self) -> Optional[pulumi.Input[bool]]: """ - Post Binding Authn Request. + Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. """ return pulumi.get(self, "post_binding_authn_request") @@ -1024,7 +1007,7 @@ def post_binding_authn_request(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="postBindingLogout") def post_binding_logout(self) -> Optional[pulumi.Input[bool]]: """ - Post Binding Logout. + Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. """ return pulumi.get(self, "post_binding_logout") @@ -1036,7 +1019,7 @@ def post_binding_logout(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="postBindingResponse") def post_binding_response(self) -> Optional[pulumi.Input[bool]]: """ - Post Binding Response. + Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. """ return pulumi.get(self, "post_binding_response") 
@@ -1048,10 +1031,7 @@ def post_binding_response(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="postBrokerLoginFlowAlias") def post_broker_login_flow_alias(self) -> Optional[pulumi.Input[str]]: """ - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. """ return pulumi.get(self, "post_broker_login_flow_alias") @@ -1063,7 +1043,7 @@ def post_broker_login_flow_alias(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="principalAttribute") def principal_attribute(self) -> Optional[pulumi.Input[str]]: """ - Principal Attribute + The principal attribute. """ return pulumi.get(self, "principal_attribute") @@ -1075,7 +1055,7 @@ def principal_attribute(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="principalType") def principal_type(self) -> Optional[pulumi.Input[str]]: """ - Principal Type + The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. """ return pulumi.get(self, "principal_type") 
@@ -1087,7 +1067,7 @@ def principal_type(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="providerId") def provider_id(self) -> Optional[pulumi.Input[str]]: """ - provider id, is always saml, unless you have a custom implementation + The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. """ return pulumi.get(self, "provider_id") @@ -1099,7 +1079,7 @@ def provider_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def realm(self) -> Optional[pulumi.Input[str]]: """ - Realm Name + The name of the realm. This is unique across Keycloak. """ return pulumi.get(self, "realm") @@ -1111,7 +1091,7 @@ def realm(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="signatureAlgorithm") def signature_algorithm(self) -> Optional[pulumi.Input[str]]: """ - Signing Algorithm. + Signing Algorithm. Defaults to empty. """ return pulumi.get(self, "signature_algorithm") @@ -1135,7 +1115,7 @@ def signing_certificate(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="singleLogoutServiceUrl") def single_logout_service_url(self) -> Optional[pulumi.Input[str]]: """ - Logout URL. + The Url that must be used to send logout requests. """ return pulumi.get(self, "single_logout_service_url") @@ -1147,7 +1127,7 @@ def single_logout_service_url(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="singleSignOnServiceUrl") def single_sign_on_service_url(self) -> Optional[pulumi.Input[str]]: """ - SSO Logout URL. + The Url that must be used to send authentication requests (SAML AuthnRequest). """ return pulumi.get(self, "single_sign_on_service_url") 
@@ -1159,7 +1139,7 @@ def single_sign_on_service_url(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="storeToken") def store_token(self) -> Optional[pulumi.Input[bool]]: """ - Enable/disable if tokens must be stored after authenticating users. + When `true`, tokens will be stored after authenticating users. Defaults to `true`. """ return pulumi.get(self, "store_token") @@ -1171,7 +1151,7 @@ def store_token(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="syncMode") def sync_mode(self) -> Optional[pulumi.Input[str]]: """ - Sync Mode + The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. """ return pulumi.get(self, "sync_mode") @@ -1183,7 +1163,7 @@ def sync_mode(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="trustEmail") def trust_email(self) -> Optional[pulumi.Input[bool]]: """ - If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. """ return pulumi.get(self, "trust_email") @@ -1207,7 +1187,7 @@ def validate_signature(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="wantAssertionsEncrypted") def want_assertions_encrypted(self) -> Optional[pulumi.Input[bool]]: """ - Want Assertions Encrypted. + Indicates whether this service provider expects an encrypted Assertion. """ return pulumi.get(self, "want_assertions_encrypted") @@ -1219,7 +1199,7 @@ def want_assertions_encrypted(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="wantAssertionsSigned") def want_assertions_signed(self) -> Optional[pulumi.Input[bool]]: """ - Want Assertions Signed. + Indicates whether this service provider expects a signed Assertion. """ return pulumi.get(self, "want_assertions_signed") 
@@ -1231,7 +1211,7 @@ def want_assertions_signed(self, value: Optional[pulumi.Input[bool]]): @pulumi.getter(name="xmlSignKeyInfoKeyNameTransformer") def xml_sign_key_info_key_name_transformer(self) -> Optional[pulumi.Input[str]]: """ - Sign Key Transformer. + The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. """ return pulumi.get(self, "xml_sign_key_info_key_name_transformer") @@ -1284,21 +1264,23 @@ def __init__(__self__, xml_sign_key_info_key_name_transformer: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # saml.IdentityProvider + Allows for creating and managing SAML Identity Providers within Keycloak. - Allows to create and manage SAML Identity Providers within Keycloak. + SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol. - SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard. - - ### Example Usage + ## Example Usage ```python import pulumi import pulumi_keycloak as keycloak - realm_identity_provider = keycloak.saml.IdentityProvider("realm_identity_provider", + realm = keycloak.Realm("realm", realm="my-realm", - alias="my-idp", + enabled=True) + realm_saml_identity_provider = keycloak.saml.IdentityProvider("realm_saml_identity_provider", + realm=realm.id, + alias="my-saml-idp", + entity_id="https://domain.com/entity_id", single_sign_on_service_url="https://domain.com/adfs/ls/", single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0", backchannel_supported=True, 
@@ -1310,89 +1292,56 @@ def __init__(__self__, force_authn=True) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm` - (Required) The name of the realm. This is unique across Keycloak. - - `alias` - (Optional) The uniq name of identity provider. - - `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. - - `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. - - `store_token` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`. - - `add_read_token_role_on_create` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`. - - `trust_email` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`. - - `link_only` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`. - - `hide_on_login_page` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. - - `first_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. - - `post_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). 
Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. - - `authenticate_by_default` - (Optional) Authenticate users by default. Defaults to `false`. - - #### SAML Configuration - - - `single_sign_on_service_url` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest). - - `single_logout_service_url` - (Optional) The Url that must be used to send logout requests. - - `backchannel_supported` - (Optional) Does the external IDP support back-channel logout ?. - - `name_id_policy_format` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. - - `post_binding_response` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. - - `post_binding_authn_request` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - - `post_binding_logout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - - `want_assertions_signed` - (Optional) Indicates whether this service provider expects a signed Assertion. - - `want_assertions_encrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. - - `force_authn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. - - `validate_signature` - (Optional) Enable/disable signature validation of SAML responses. - - `signing_certificate` - (Optional) Signing Certificate. - - `signature_algorithm` - (Optional) Signing Algorithm. Defaults to empty. 
- - `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty. - - ### Import + ## Import Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. Example: + bash + + ```sh + $ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_read_token_role_on_create: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. - :param pulumi.Input[str] alias: The alias uniquely identifies an identity provider and it is also used to build the redirect uri. - :param pulumi.Input[bool] authenticate_by_default: Enable/disable authenticate users by default. - :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_class_refs: AuthnContext ClassRefs - :param pulumi.Input[str] authn_context_comparison_type: AuthnContext Comparison - :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_decl_refs: AuthnContext DeclRefs - :param pulumi.Input[bool] backchannel_supported: Does the external IDP support backchannel logout? - :param pulumi.Input[str] display_name: Friendly name for Identity Providers. - :param pulumi.Input[bool] enabled: Enable/disable this identity provider. + :param pulumi.Input[bool] add_read_token_role_on_create: When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. + :param pulumi.Input[str] alias: The unique name of identity provider. + :param pulumi.Input[bool] authenticate_by_default: Authenticate users by default. Defaults to `false`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_class_refs: Ordered list of requested AuthnContext ClassRefs. 
+ :param pulumi.Input[str] authn_context_comparison_type: Specifies the comparison method used to evaluate the requested context classes or statements. + :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_decl_refs: Ordered list of requested AuthnContext DeclRefs. + :param pulumi.Input[bool] backchannel_supported: Does the external IDP support backchannel logout?. Defaults to `false`. + :param pulumi.Input[str] display_name: The display name for the realm that is shown when logging in to the admin console. + :param pulumi.Input[bool] enabled: When `false`, users and clients will not be able to access this realm. Defaults to `true`. :param pulumi.Input[str] entity_id: The Entity ID that will be used to uniquely identify this SAML Service Provider. - :param pulumi.Input[str] first_broker_login_flow_alias: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - that there is not yet existing Keycloak account linked with the authenticated identity provider account. - :param pulumi.Input[bool] force_authn: Require Force Authn. - :param pulumi.Input[str] gui_order: GUI Order - :param pulumi.Input[bool] hide_on_login_page: Hide On Login Page. - :param pulumi.Input[bool] link_only: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - want to allow login from the provider, but want to integrate with a provider + :param pulumi.Input[str] first_broker_login_flow_alias: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. + :param pulumi.Input[bool] force_authn: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. 
+ :param pulumi.Input[str] gui_order: A number defining the order of this identity provider in the GUI. + :param pulumi.Input[bool] hide_on_login_page: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. + :param pulumi.Input[bool] link_only: When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. :param pulumi.Input[str] login_hint: Login Hint. - :param pulumi.Input[str] name_id_policy_format: Name ID Policy Format. - :param pulumi.Input[bool] post_binding_authn_request: Post Binding Authn Request. - :param pulumi.Input[bool] post_binding_logout: Post Binding Logout. - :param pulumi.Input[bool] post_binding_response: Post Binding Response. - :param pulumi.Input[str] post_broker_login_flow_alias: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. - :param pulumi.Input[str] principal_attribute: Principal Attribute - :param pulumi.Input[str] principal_type: Principal Type - :param pulumi.Input[str] provider_id: provider id, is always saml, unless you have a custom implementation - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] signature_algorithm: Signing Algorithm. + :param pulumi.Input[str] name_id_policy_format: Specifies the URI reference corresponding to a name identifier format. Defaults to empty. + :param pulumi.Input[bool] post_binding_authn_request: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. 
+ :param pulumi.Input[bool] post_binding_logout: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. + :param pulumi.Input[bool] post_binding_response: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. + :param pulumi.Input[str] post_broker_login_flow_alias: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. + :param pulumi.Input[str] principal_attribute: The principal attribute. + :param pulumi.Input[str] principal_type: The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. + :param pulumi.Input[str] provider_id: The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. + :param pulumi.Input[str] realm: The name of the realm. This is unique across Keycloak. + :param pulumi.Input[str] signature_algorithm: Signing Algorithm. Defaults to empty. :param pulumi.Input[str] signing_certificate: Signing Certificate. - :param pulumi.Input[str] single_logout_service_url: Logout URL. - :param pulumi.Input[str] single_sign_on_service_url: SSO Logout URL. - :param pulumi.Input[bool] store_token: Enable/disable if tokens must be stored after authenticating users. - :param pulumi.Input[str] sync_mode: Sync Mode - :param pulumi.Input[bool] trust_email: If enabled then email provided by this provider is not verified even if verification is enabled for the realm. 
+ :param pulumi.Input[str] single_logout_service_url: The Url that must be used to send logout requests. + :param pulumi.Input[str] single_sign_on_service_url: The Url that must be used to send authentication requests (SAML AuthnRequest). + :param pulumi.Input[bool] store_token: When `true`, tokens will be stored after authenticating users. Defaults to `true`. + :param pulumi.Input[str] sync_mode: The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. + :param pulumi.Input[bool] trust_email: When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. :param pulumi.Input[bool] validate_signature: Enable/disable signature validation of SAML responses. - :param pulumi.Input[bool] want_assertions_encrypted: Want Assertions Encrypted. - :param pulumi.Input[bool] want_assertions_signed: Want Assertions Signed. - :param pulumi.Input[str] xml_sign_key_info_key_name_transformer: Sign Key Transformer. + :param pulumi.Input[bool] want_assertions_encrypted: Indicates whether this service provider expects an encrypted Assertion. + :param pulumi.Input[bool] want_assertions_signed: Indicates whether this service provider expects a signed Assertion. + :param pulumi.Input[str] xml_sign_key_info_key_name_transformer: The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. """ ... @overload 
@@ -1401,21 +1350,23 @@ def __init__(__self__, args: IdentityProviderArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # saml.IdentityProvider + Allows for creating and managing SAML Identity Providers within Keycloak. - Allows to create and manage SAML Identity Providers within Keycloak. + SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol. - SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard. - - ### Example Usage + ## Example Usage ```python import pulumi import pulumi_keycloak as keycloak - realm_identity_provider = keycloak.saml.IdentityProvider("realm_identity_provider", + realm = keycloak.Realm("realm", realm="my-realm", - alias="my-idp", + enabled=True) + realm_saml_identity_provider = keycloak.saml.IdentityProvider("realm_saml_identity_provider", + realm=realm.id, + alias="my-saml-idp", + entity_id="https://domain.com/entity_id", single_sign_on_service_url="https://domain.com/adfs/ls/", single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0", backchannel_supported=True, 
@@ -1427,46 +1378,18 @@ def __init__(__self__, force_authn=True) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm` - (Required) The name of the realm. This is unique across Keycloak. - - `alias` - (Optional) The uniq name of identity provider. - - `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. - - `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. - - `store_token` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`. - - `add_read_token_role_on_create` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`. - - `trust_email` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`. - - `link_only` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`. - - `hide_on_login_page` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. - - `first_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. - - `post_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). 
Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. - - `authenticate_by_default` - (Optional) Authenticate users by default. Defaults to `false`. - - #### SAML Configuration - - - `single_sign_on_service_url` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest). - - `single_logout_service_url` - (Optional) The Url that must be used to send logout requests. - - `backchannel_supported` - (Optional) Does the external IDP support back-channel logout ?. - - `name_id_policy_format` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. - - `post_binding_response` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. - - `post_binding_authn_request` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - - `post_binding_logout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - - `want_assertions_signed` - (Optional) Indicates whether this service provider expects a signed Assertion. - - `want_assertions_encrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. - - `force_authn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. - - `validate_signature` - (Optional) Enable/disable signature validation of SAML responses. - - `signing_certificate` - (Optional) Signing Certificate. - - `signature_algorithm` - (Optional) Signing Algorithm. Defaults to empty. 
- - `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty. - - ### Import + ## Import Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. Example: + bash + + ```sh + $ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp + ``` + :param str resource_name: The name of the resource. :param IdentityProviderArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
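Review bot: The new `## Import` section inserts a bare `bash` line between `Example:` and the ```sh fence, which renders as a stray word in the generated docstring; drop that line so the example starts at the fence. The `__init__` docstring this hunk edits starts in the previous hunk.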
@@ -1629,48 +1552,43 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[bool] add_read_token_role_on_create: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. - :param pulumi.Input[str] alias: The alias uniquely identifies an identity provider and it is also used to build the redirect uri. - :param pulumi.Input[bool] authenticate_by_default: Enable/disable authenticate users by default. - :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_class_refs: AuthnContext ClassRefs - :param pulumi.Input[str] authn_context_comparison_type: AuthnContext Comparison - :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_decl_refs: AuthnContext DeclRefs - :param pulumi.Input[bool] backchannel_supported: Does the external IDP support backchannel logout? - :param pulumi.Input[str] display_name: Friendly name for Identity Providers. - :param pulumi.Input[bool] enabled: Enable/disable this identity provider. + :param pulumi.Input[bool] add_read_token_role_on_create: When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. + :param pulumi.Input[str] alias: The unique name of identity provider. + :param pulumi.Input[bool] authenticate_by_default: Authenticate users by default. Defaults to `false`. + :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_class_refs: Ordered list of requested AuthnContext ClassRefs. + :param pulumi.Input[str] authn_context_comparison_type: Specifies the comparison method used to evaluate the requested context classes or statements. + :param pulumi.Input[Sequence[pulumi.Input[str]]] authn_context_decl_refs: Ordered list of requested AuthnContext DeclRefs. 
+ :param pulumi.Input[bool] backchannel_supported: Does the external IDP support backchannel logout?. Defaults to `false`. + :param pulumi.Input[str] display_name: The display name for the realm that is shown when logging in to the admin console. + :param pulumi.Input[bool] enabled: When `false`, users and clients will not be able to access this realm. Defaults to `true`. :param pulumi.Input[str] entity_id: The Entity ID that will be used to uniquely identify this SAML Service Provider. - :param pulumi.Input[str] first_broker_login_flow_alias: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means - that there is not yet existing Keycloak account linked with the authenticated identity provider account. - :param pulumi.Input[bool] force_authn: Require Force Authn. - :param pulumi.Input[str] gui_order: GUI Order - :param pulumi.Input[bool] hide_on_login_page: Hide On Login Page. + :param pulumi.Input[str] first_broker_login_flow_alias: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. + :param pulumi.Input[bool] force_authn: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. + :param pulumi.Input[str] gui_order: A number defining the order of this identity provider in the GUI. + :param pulumi.Input[bool] hide_on_login_page: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. :param pulumi.Input[str] internal_id: Internal Identity Provider Id - :param pulumi.Input[bool] link_only: If true, users cannot log in through this provider. They can only link to this provider. 
This is useful if you don't - want to allow login from the provider, but want to integrate with a provider + :param pulumi.Input[bool] link_only: When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. :param pulumi.Input[str] login_hint: Login Hint. - :param pulumi.Input[str] name_id_policy_format: Name ID Policy Format. - :param pulumi.Input[bool] post_binding_authn_request: Post Binding Authn Request. - :param pulumi.Input[bool] post_binding_logout: Post Binding Logout. - :param pulumi.Input[bool] post_binding_response: Post Binding Response. - :param pulumi.Input[str] post_broker_login_flow_alias: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. - :param pulumi.Input[str] principal_attribute: Principal Attribute - :param pulumi.Input[str] principal_type: Principal Type - :param pulumi.Input[str] provider_id: provider id, is always saml, unless you have a custom implementation - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] signature_algorithm: Signing Algorithm. + :param pulumi.Input[str] name_id_policy_format: Specifies the URI reference corresponding to a name identifier format. Defaults to empty. + :param pulumi.Input[bool] post_binding_authn_request: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. + :param pulumi.Input[bool] post_binding_logout: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. 
+ :param pulumi.Input[bool] post_binding_response: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. + :param pulumi.Input[str] post_broker_login_flow_alias: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. + :param pulumi.Input[str] principal_attribute: The principal attribute. + :param pulumi.Input[str] principal_type: The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. + :param pulumi.Input[str] provider_id: The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. + :param pulumi.Input[str] realm: The name of the realm. This is unique across Keycloak. + :param pulumi.Input[str] signature_algorithm: Signing Algorithm. Defaults to empty. :param pulumi.Input[str] signing_certificate: Signing Certificate. - :param pulumi.Input[str] single_logout_service_url: Logout URL. - :param pulumi.Input[str] single_sign_on_service_url: SSO Logout URL. - :param pulumi.Input[bool] store_token: Enable/disable if tokens must be stored after authenticating users. - :param pulumi.Input[str] sync_mode: Sync Mode - :param pulumi.Input[bool] trust_email: If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + :param pulumi.Input[str] single_logout_service_url: The Url that must be used to send logout requests. 
+ :param pulumi.Input[str] single_sign_on_service_url: The Url that must be used to send authentication requests (SAML AuthnRequest). + :param pulumi.Input[bool] store_token: When `true`, tokens will be stored after authenticating users. Defaults to `true`. + :param pulumi.Input[str] sync_mode: The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. + :param pulumi.Input[bool] trust_email: When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. :param pulumi.Input[bool] validate_signature: Enable/disable signature validation of SAML responses. - :param pulumi.Input[bool] want_assertions_encrypted: Want Assertions Encrypted. - :param pulumi.Input[bool] want_assertions_signed: Want Assertions Signed. - :param pulumi.Input[str] xml_sign_key_info_key_name_transformer: Sign Key Transformer. + :param pulumi.Input[bool] want_assertions_encrypted: Indicates whether this service provider expects an encrypted Assertion. + :param pulumi.Input[bool] want_assertions_signed: Indicates whether this service provider expects a signed Assertion. + :param pulumi.Input[str] xml_sign_key_info_key_name_transformer: The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -1720,7 +1638,7 @@ def get(resource_name: str, @pulumi.getter(name="addReadTokenRoleOnCreate") def add_read_token_role_on_create(self) -> pulumi.Output[Optional[bool]]: """ - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. + When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. """ return pulumi.get(self, "add_read_token_role_on_create") 
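Review bot: The new descriptions for `display_name` and `enabled` in the get() docstring (and in the getter docstrings of the hunks at -1776 and -1784) are the realm's descriptions rather than the identity provider's: `enabled` on this resource toggles the SAML identity provider, yet the text now says users and clients cannot access the realm, while the removed line `Enable/disable this identity provider.` was the accurate one. An operator disabling a broker during incident response could read the new wording as a realm-wide lockout. Suggested wording, mirroring the removed lines: `:param pulumi.Input[bool] enabled: When \`false\`, this identity provider is disabled. Defaults to \`true\`.` and `:param pulumi.Input[str] display_name: Friendly name for this identity provider.`. Separately, `post_binding_logout` now carries the same sentence as `post_binding_response` ("whether to respond to requests using HTTP-POST binding"), which presumably describes the logout request binding rather than responses, and `post_binding_response` ends with a doubled period. These docstrings appear to be generated from the upstream provider schema, so the correction likely belongs there rather than in this file alone.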
@@ -1728,7 +1646,7 @@ def add_read_token_role_on_create(self) -> pulumi.Output[Optional[bool]]:
@pulumi.getter
def alias(self) -> pulumi.Output[str]:
"""
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+ The unique name of identity provider.
"""
return pulumi.get(self, "alias")
@@ -1736,7 +1654,7 @@ def alias(self) -> pulumi.Output[str]:
@pulumi.getter(name="authenticateByDefault")
def authenticate_by_default(self) -> pulumi.Output[Optional[bool]]:
"""
- Enable/disable authenticate users by default.
+ Authenticate users by default. Defaults to `false`.
"""
return pulumi.get(self, "authenticate_by_default")
@@ -1744,7 +1662,7 @@ def authenticate_by_default(self) -> pulumi.Output[Optional[bool]]:
@pulumi.getter(name="authnContextClassRefs")
def authn_context_class_refs(self) -> pulumi.Output[Optional[Sequence[str]]]:
"""
- AuthnContext ClassRefs
+ Ordered list of requested AuthnContext ClassRefs.
"""
return pulumi.get(self, "authn_context_class_refs")
@@ -1752,7 +1670,7 @@ def authn_context_class_refs(self) -> pulumi.Output[Optional[Sequence[str]]]:
@pulumi.getter(name="authnContextComparisonType")
def authn_context_comparison_type(self) -> pulumi.Output[Optional[str]]:
"""
- AuthnContext Comparison
+ Specifies the comparison method used to evaluate the requested context classes or statements.
"""
return pulumi.get(self, "authn_context_comparison_type")
@@ -1760,7 +1678,7 @@ def authn_context_comparison_type(self) -> pulumi.Output[Optional[str]]:
@pulumi.getter(name="authnContextDeclRefs")
def authn_context_decl_refs(self) -> pulumi.Output[Optional[Sequence[str]]]:
"""
- AuthnContext DeclRefs
+ Ordered list of requested AuthnContext DeclRefs.
"""
return pulumi.get(self, "authn_context_decl_refs")
@@ -1768,7 +1686,7 @@ def authn_context_decl_refs(self) -> pulumi.Output[Optional[Sequence[str]]]:
@pulumi.getter(name="backchannelSupported")
def backchannel_supported(self) -> pulumi.Output[Optional[bool]]:
"""
- Does the external IDP support backchannel logout?
+ Does the external IDP support backchannel logout?. Defaults to `false`.
"""
return pulumi.get(self, "backchannel_supported")
@@ -1776,7 +1694,7 @@ def backchannel_supported(self) -> pulumi.Output[Optional[bool]]:
@pulumi.getter(name="displayName")
def display_name(self) -> pulumi.Output[Optional[str]]:
"""
- Friendly name for Identity Providers.
+ The display name for the realm that is shown when logging in to the admin console.
"""
return pulumi.get(self, "display_name")
@@ -1784,7 +1702,7 @@ def display_name(self) -> pulumi.Output[Optional[str]]:
@pulumi.getter
def enabled(self) -> pulumi.Output[Optional[bool]]:
"""
- Enable/disable this identity provider.
+ When `false`, users and clients will not be able to access this realm. Defaults to `true`.
"""
return pulumi.get(self, "enabled")
@@ -1805,8 +1723,7 @@ def extra_config(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
@pulumi.getter(name="firstBrokerLoginFlowAlias")
def first_broker_login_flow_alias(self) -> pulumi.Output[Optional[str]]:
"""
- Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
- that there is not yet existing Keycloak account linked with the authenticated identity provider account.
+ Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.
"""
return pulumi.get(self, "first_broker_login_flow_alias")
@@ -1814,7 +1731,7 @@ def first_broker_login_flow_alias(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="forceAuthn") def force_authn(self) -> pulumi.Output[Optional[bool]]: """ - Require Force Authn. + Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. """ return pulumi.get(self, "force_authn") @@ -1822,7 +1739,7 @@ def force_authn(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="guiOrder") def gui_order(self) -> pulumi.Output[Optional[str]]: """ - GUI Order + A number defining the order of this identity provider in the GUI. """ return pulumi.get(self, "gui_order") @@ -1830,7 +1747,7 @@ def gui_order(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="hideOnLoginPage") def hide_on_login_page(self) -> pulumi.Output[Optional[bool]]: """ - Hide On Login Page. + If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. """ return pulumi.get(self, "hide_on_login_page") @@ -1846,8 +1763,7 @@ def internal_id(self) -> pulumi.Output[str]: @pulumi.getter(name="linkOnly") def link_only(self) -> pulumi.Output[Optional[bool]]: """ - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't - want to allow login from the provider, but want to integrate with a provider + When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. """ return pulumi.get(self, "link_only") @@ -1863,7 +1779,7 @@ def login_hint(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="nameIdPolicyFormat") def name_id_policy_format(self) -> pulumi.Output[Optional[str]]: """ - Name ID Policy Format. + Specifies the URI reference corresponding to a name identifier format. Defaults to empty. """ return pulumi.get(self, "name_id_policy_format") 
@@ -1871,7 +1787,7 @@ def name_id_policy_format(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="postBindingAuthnRequest") def post_binding_authn_request(self) -> pulumi.Output[Optional[bool]]: """ - Post Binding Authn Request. + Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. """ return pulumi.get(self, "post_binding_authn_request") @@ -1879,7 +1795,7 @@ def post_binding_authn_request(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="postBindingLogout") def post_binding_logout(self) -> pulumi.Output[Optional[bool]]: """ - Post Binding Logout. + Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. """ return pulumi.get(self, "post_binding_logout") @@ -1887,7 +1803,7 @@ def post_binding_logout(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="postBindingResponse") def post_binding_response(self) -> pulumi.Output[Optional[bool]]: """ - Post Binding Response. + Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. """ return pulumi.get(self, "post_binding_response") 
@@ -1895,10 +1811,7 @@ def post_binding_response(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="postBrokerLoginFlowAlias") def post_broker_login_flow_alias(self) -> pulumi.Output[Optional[str]]: """ - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want - additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if - you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that - authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. + Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. """ return pulumi.get(self, "post_broker_login_flow_alias") @@ -1906,7 +1819,7 @@ def post_broker_login_flow_alias(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="principalAttribute") def principal_attribute(self) -> pulumi.Output[Optional[str]]: """ - Principal Attribute + The principal attribute. """ return pulumi.get(self, "principal_attribute") @@ -1914,7 +1827,7 @@ def principal_attribute(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="principalType") def principal_type(self) -> pulumi.Output[Optional[str]]: """ - Principal Type + The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`. """ return pulumi.get(self, "principal_type") 
@@ -1922,7 +1835,7 @@ def principal_type(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="providerId") def provider_id(self) -> pulumi.Output[Optional[str]]: """ - provider id, is always saml, unless you have a custom implementation + The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation. """ return pulumi.get(self, "provider_id") @@ -1930,7 +1843,7 @@ def provider_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter def realm(self) -> pulumi.Output[str]: """ - Realm Name + The name of the realm. This is unique across Keycloak. """ return pulumi.get(self, "realm") @@ -1938,7 +1851,7 @@ def realm(self) -> pulumi.Output[str]: @pulumi.getter(name="signatureAlgorithm") def signature_algorithm(self) -> pulumi.Output[Optional[str]]: """ - Signing Algorithm. + Signing Algorithm. Defaults to empty. """ return pulumi.get(self, "signature_algorithm") @@ -1954,7 +1867,7 @@ def signing_certificate(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="singleLogoutServiceUrl") def single_logout_service_url(self) -> pulumi.Output[Optional[str]]: """ - Logout URL. + The Url that must be used to send logout requests. """ return pulumi.get(self, "single_logout_service_url") @@ -1962,7 +1875,7 @@ def single_logout_service_url(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="singleSignOnServiceUrl") def single_sign_on_service_url(self) -> pulumi.Output[str]: """ - SSO Logout URL. + The Url that must be used to send authentication requests (SAML AuthnRequest). """ return pulumi.get(self, "single_sign_on_service_url") 
@@ -1970,7 +1883,7 @@ def single_sign_on_service_url(self) -> pulumi.Output[str]: @pulumi.getter(name="storeToken") def store_token(self) -> pulumi.Output[Optional[bool]]: """ - Enable/disable if tokens must be stored after authenticating users. + When `true`, tokens will be stored after authenticating users. Defaults to `true`. """ return pulumi.get(self, "store_token") @@ -1978,7 +1891,7 @@ def store_token(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="syncMode") def sync_mode(self) -> pulumi.Output[Optional[str]]: """ - Sync Mode + The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`. """ return pulumi.get(self, "sync_mode") @@ -1986,7 +1899,7 @@ def sync_mode(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="trustEmail") def trust_email(self) -> pulumi.Output[Optional[bool]]: """ - If enabled then email provided by this provider is not verified even if verification is enabled for the realm. + When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. """ return pulumi.get(self, "trust_email") @@ -2002,7 +1915,7 @@ def validate_signature(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="wantAssertionsEncrypted") def want_assertions_encrypted(self) -> pulumi.Output[Optional[bool]]: """ - Want Assertions Encrypted. + Indicates whether this service provider expects an encrypted Assertion. """ return pulumi.get(self, "want_assertions_encrypted") @@ -2010,7 +1923,7 @@ def want_assertions_encrypted(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="wantAssertionsSigned") def want_assertions_signed(self) -> pulumi.Output[Optional[bool]]: """ - Want Assertions Signed. + Indicates whether this service provider expects a signed Assertion. """ return pulumi.get(self, "want_assertions_signed") 
@@ -2018,7 +1931,7 @@ def want_assertions_signed(self) -> pulumi.Output[Optional[bool]]: @pulumi.getter(name="xmlSignKeyInfoKeyNameTransformer") def xml_sign_key_info_key_name_transformer(self) -> pulumi.Output[Optional[str]]: """ - Sign Key Transformer. + The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`. """ return pulumi.get(self, "xml_sign_key_info_key_name_transformer") diff --git a/sdk/python/pulumi_keycloak/saml/outputs.py b/sdk/python/pulumi_keycloak/saml/outputs.py index dc586a56..cdfdf93e 100644 --- a/sdk/python/pulumi_keycloak/saml/outputs.py +++ b/sdk/python/pulumi_keycloak/saml/outputs.py @@ -43,6 +43,10 @@ def get(self, key: str, default = None) -> Any: def __init__(__self__, *, browser_id: Optional[str] = None, direct_grant_id: Optional[str] = None): + """ + :param str browser_id: Browser flow id, (flow needs to exist) + :param str direct_grant_id: Direct grant flow id (flow needs to exist) + """ if browser_id is not None: pulumi.set(__self__, "browser_id", browser_id) if direct_grant_id is not None: @@ -51,11 +55,17 @@ def __init__(__self__, *, @property @pulumi.getter(name="browserId") def browser_id(self) -> Optional[str]: + """ + Browser flow id, (flow needs to exist) + """ return pulumi.get(self, "browser_id") @property @pulumi.getter(name="directGrantId") def direct_grant_id(self) -> Optional[str]: + """ + Direct grant flow id (flow needs to exist) + """ return pulumi.get(self, "direct_grant_id") diff --git a/sdk/python/pulumi_keycloak/saml/user_attribute_protocol_mapper.py b/sdk/python/pulumi_keycloak/saml/user_attribute_protocol_mapper.py index e0bbd668..1aa6cfb0 100644 --- a/sdk/python/pulumi_keycloak/saml/user_attribute_protocol_mapper.py +++ b/sdk/python/pulumi_keycloak/saml/user_attribute_protocol_mapper.py 
@@ -29,6 +29,14 @@ def __init__(__self__, *,
                  name: Optional[pulumi.Input[str]] = None):
         """
         The set of arguments for constructing a UserAttributeProtocolMapper resource.
+        :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+        :param pulumi.Input[str] saml_attribute_name: The name of the SAML attribute.
+        :param pulumi.Input[str] saml_attribute_name_format: The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        :param pulumi.Input[str] user_attribute: The custom user attribute to map.
+        :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] friendly_name: An optional human-friendly name for this attribute.
+        :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
         """
         pulumi.set(__self__, "realm_id", realm_id)
         pulumi.set(__self__, "saml_attribute_name", saml_attribute_name)
@@ -46,6 +54,9 @@ def __init__(__self__, *,
     @property
     @pulumi.getter(name="realmId")
     def realm_id(self) -> pulumi.Input[str]:
+        """
+        The realm this protocol mapper exists within.
+        """
         return pulumi.get(self, "realm_id")
 
     @realm_id.setter
@@ -55,6 +66,9 @@ def realm_id(self, value: pulumi.Input[str]):
     @property
     @pulumi.getter(name="samlAttributeName")
     def saml_attribute_name(self) -> pulumi.Input[str]:
+        """
+        The name of the SAML attribute.
+        """
         return pulumi.get(self, "saml_attribute_name")
 
     @saml_attribute_name.setter
@@ -64,6 +78,9 @@ def saml_attribute_name(self, value: pulumi.Input[str]):
     @property
     @pulumi.getter(name="samlAttributeNameFormat")
     def saml_attribute_name_format(self) -> pulumi.Input[str]:
+        """
+        The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        """
         return pulumi.get(self, "saml_attribute_name_format")
 
     @saml_attribute_name_format.setter
@@ -73,6 +90,9 @@ def saml_attribute_name_format(self, value: pulumi.Input[str]):
     @property
     @pulumi.getter(name="userAttribute")
     def user_attribute(self) -> pulumi.Input[str]:
+        """
+        The custom user attribute to map.
+        """
         return pulumi.get(self, "user_attribute")
 
     @user_attribute.setter
@@ -82,6 +102,9 @@ def user_attribute(self, value: pulumi.Input[str]):
     @property
     @pulumi.getter(name="clientId")
     def client_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_id")
 
     @client_id.setter
@@ -91,6 +114,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="clientScopeId")
     def client_scope_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_scope_id")
 
     @client_scope_id.setter
@@ -100,6 +126,9 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="friendlyName")
     def friendly_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        An optional human-friendly name for this attribute.
+        """
         return pulumi.get(self, "friendly_name")
 
     @friendly_name.setter
@@ -109,6 +138,9 @@ def friendly_name(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter
     def name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The display name of this protocol mapper in the GUI.
+        """
         return pulumi.get(self, "name")
 
     @name.setter
@@ -129,6 +161,14 @@ def __init__(__self__, *,
                  user_attribute: Optional[pulumi.Input[str]] = None):
         """
         Input properties used for looking up and filtering UserAttributeProtocolMapper resources.
+        :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] friendly_name: An optional human-friendly name for this attribute.
+        :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+        :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+        :param pulumi.Input[str] saml_attribute_name: The name of the SAML attribute.
+        :param pulumi.Input[str] saml_attribute_name_format: The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        :param pulumi.Input[str] user_attribute: The custom user attribute to map.
         """
         if client_id is not None:
             pulumi.set(__self__, "client_id", client_id)
@@ -150,6 +190,9 @@ def __init__(__self__, *,
     @property
     @pulumi.getter(name="clientId")
     def client_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_id")
 
     @client_id.setter
@@ -159,6 +202,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="clientScopeId")
     def client_scope_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_scope_id")
 
     @client_scope_id.setter
@@ -168,6 +214,9 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="friendlyName")
     def friendly_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        An optional human-friendly name for this attribute.
+        """
         return pulumi.get(self, "friendly_name")
 
     @friendly_name.setter
@@ -177,6 +226,9 @@ def friendly_name(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter
     def name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The display name of this protocol mapper in the GUI.
+        """
         return pulumi.get(self, "name")
 
     @name.setter
@@ -186,6 +238,9 @@ def name(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="realmId")
     def realm_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The realm this protocol mapper exists within.
+        """
         return pulumi.get(self, "realm_id")
 
     @realm_id.setter
@@ -195,6 +250,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="samlAttributeName")
     def saml_attribute_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The name of the SAML attribute.
+        """
         return pulumi.get(self, "saml_attribute_name")
 
     @saml_attribute_name.setter
@@ -204,6 +262,9 @@ def saml_attribute_name(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="samlAttributeNameFormat")
     def saml_attribute_name_format(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        """
         return pulumi.get(self, "saml_attribute_name_format")
 
     @saml_attribute_name_format.setter
@@ -213,6 +274,9 @@ def saml_attribute_name_format(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="userAttribute")
     def user_attribute(self) -> Optional[pulumi.Input[str]]:
+        """
+        The custom user attribute to map.
+        """
         return pulumi.get(self, "user_attribute")
 
     @user_attribute.setter
@@ -235,17 +299,15 @@ def __init__(__self__,
                  user_attribute: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         """
-        ## # saml.UserAttributeProtocolMapper
+        Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak.
 
-        Allows for creating and managing user attribute protocol mappers for
-        SAML clients within Keycloak.
+        SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute
+        in a SAML assertion.
 
-        SAML user attribute protocol mappers allow you to map custom attributes defined
-        for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers
-        can be defined for a single client, or they can be defined for a client scope which
-        can be shared between multiple different clients.
+        Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+        multiple different clients.
 
-        ### Example Usage (Client)
+        ## Example Usage
 
         ```python
         import pulumi
@@ -255,11 +317,11 @@ def __init__(__self__,
             realm="my-realm",
             enabled=True)
         saml_client = keycloak.saml.Client("saml_client",
-            realm_id=test["id"],
-            client_id="test-saml-client",
-            name="test-saml-client")
+            realm_id=realm.id,
+            client_id="saml-client",
+            name="saml-client")
         saml_user_attribute_mapper = keycloak.saml.UserAttributeProtocolMapper("saml_user_attribute_mapper",
-            realm_id=test["id"],
+            realm_id=realm.id,
             client_id=saml_client.id,
             name="displayname-user-attribute-mapper",
             user_attribute="displayName",
@@ -267,29 +329,36 @@ def __init__(__self__,
             saml_attribute_name_format="Unspecified")
         ```
 
-        ### Argument Reference
-
-        The following arguments are supported:
-
-        - `realm_id` - (Required) The realm this protocol mapper exists within.
-        - `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to.
-        - `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to.
-        - `name` - (Required) The display name of this protocol mapper in the GUI.
-        - `user_attribute` - (Required) The custom user attribute to map.
-        - `friendly_name` - (Optional) An optional human-friendly name for this attribute.
-        - `saml_attribute_name` - (Required) The name of the SAML attribute.
-        - `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
-
-        ### Import
+        ## Import
 
         Protocol mappers can be imported using one of the following formats:
+
         - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
         - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
 
         Example:
 
+        bash
+
+        ```sh
+        $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+        ```
+
+        ```sh
+        $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+        ```
+
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] friendly_name: An optional human-friendly name for this attribute.
+        :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+        :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+        :param pulumi.Input[str] saml_attribute_name: The name of the SAML attribute.
+        :param pulumi.Input[str] saml_attribute_name_format: The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        :param pulumi.Input[str] user_attribute: The custom user attribute to map.
         """
         ...
     @overload
@@ -298,17 +367,15 @@ def __init__(__self__,
                  args: UserAttributeProtocolMapperArgs,
                  opts: Optional[pulumi.ResourceOptions] = None):
         """
-        ## # saml.UserAttributeProtocolMapper
+        Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak.
 
-        Allows for creating and managing user attribute protocol mappers for
-        SAML clients within Keycloak.
+        SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute
+        in a SAML assertion.
 
-        SAML user attribute protocol mappers allow you to map custom attributes defined
-        for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers
-        can be defined for a single client, or they can be defined for a client scope which
-        can be shared between multiple different clients.
+        Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+        multiple different clients.
 
-        ### Example Usage (Client)
+        ## Example Usage
 
         ```python
         import pulumi
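Review bot: The rewritten Import section of this `__init__` docstring carries a stray `bash` line between `Example:` and the first ```sh fence, which renders as a literal word in the generated API docs. Since this SDK file is generated, the artifact presumably originates in the upstream resource documentation and should be dropped there rather than hand-edited here; the same stray line appears in the `@overload` docstring that follows and in both `UserPropertyProtocolMapper.__init__` docstrings later in this diff. The enclosing `__init__` starts outside this hunk.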
@@ -318,11 +385,11 @@ def __init__(__self__,
             realm="my-realm",
             enabled=True)
         saml_client = keycloak.saml.Client("saml_client",
-            realm_id=test["id"],
-            client_id="test-saml-client",
-            name="test-saml-client")
+            realm_id=realm.id,
+            client_id="saml-client",
+            name="saml-client")
         saml_user_attribute_mapper = keycloak.saml.UserAttributeProtocolMapper("saml_user_attribute_mapper",
-            realm_id=test["id"],
+            realm_id=realm.id,
             client_id=saml_client.id,
             name="displayname-user-attribute-mapper",
             user_attribute="displayName",
@@ -330,27 +397,26 @@ def __init__(__self__,
             saml_attribute_name_format="Unspecified")
         ```
 
-        ### Argument Reference
-
-        The following arguments are supported:
-
-        - `realm_id` - (Required) The realm this protocol mapper exists within.
-        - `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to.
-        - `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to.
-        - `name` - (Required) The display name of this protocol mapper in the GUI.
-        - `user_attribute` - (Required) The custom user attribute to map.
-        - `friendly_name` - (Optional) An optional human-friendly name for this attribute.
-        - `saml_attribute_name` - (Required) The name of the SAML attribute.
-        - `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
-
-        ### Import
+        ## Import
 
         Protocol mappers can be imported using one of the following formats:
+
         - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
         - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
 
         Example:
 
+        bash
+
+        ```sh
+        $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+        ```
+
+        ```sh
+        $ pulumi import keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+        ```
+
         :param str resource_name: The name of the resource.
         :param UserAttributeProtocolMapperArgs args: The arguments to use to populate this resource's properties.
         :param pulumi.ResourceOptions opts: Options for the resource.
@@ -424,6 +490,14 @@ def get(resource_name: str,
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] friendly_name: An optional human-friendly name for this attribute.
+        :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+        :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+        :param pulumi.Input[str] saml_attribute_name: The name of the SAML attribute.
+        :param pulumi.Input[str] saml_attribute_name_format: The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        :param pulumi.Input[str] user_attribute: The custom user attribute to map.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -442,40 +516,64 @@ def get(resource_name: str,
     @property
     @pulumi.getter(name="clientId")
     def client_id(self) -> pulumi.Output[Optional[str]]:
+        """
+        The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_id")
 
     @property
     @pulumi.getter(name="clientScopeId")
     def client_scope_id(self) -> pulumi.Output[Optional[str]]:
+        """
+        The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_scope_id")
 
     @property
     @pulumi.getter(name="friendlyName")
     def friendly_name(self) -> pulumi.Output[Optional[str]]:
+        """
+        An optional human-friendly name for this attribute.
+        """
         return pulumi.get(self, "friendly_name")
 
     @property
     @pulumi.getter
     def name(self) -> pulumi.Output[str]:
+        """
+        The display name of this protocol mapper in the GUI.
+        """
         return pulumi.get(self, "name")
 
     @property
     @pulumi.getter(name="realmId")
     def realm_id(self) -> pulumi.Output[str]:
+        """
+        The realm this protocol mapper exists within.
+        """
         return pulumi.get(self, "realm_id")
 
     @property
     @pulumi.getter(name="samlAttributeName")
     def saml_attribute_name(self) -> pulumi.Output[str]:
+        """
+        The name of the SAML attribute.
+        """
         return pulumi.get(self, "saml_attribute_name")
 
     @property
     @pulumi.getter(name="samlAttributeNameFormat")
     def saml_attribute_name_format(self) -> pulumi.Output[str]:
+        """
+        The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        """
         return pulumi.get(self, "saml_attribute_name_format")
 
     @property
     @pulumi.getter(name="userAttribute")
     def user_attribute(self) -> pulumi.Output[str]:
+        """
+        The custom user attribute to map.
+        """
         return pulumi.get(self, "user_attribute")
 
diff --git a/sdk/python/pulumi_keycloak/saml/user_property_protocol_mapper.py b/sdk/python/pulumi_keycloak/saml/user_property_protocol_mapper.py
index 64660f7d..c58bd336 100644
--- a/sdk/python/pulumi_keycloak/saml/user_property_protocol_mapper.py
+++ b/sdk/python/pulumi_keycloak/saml/user_property_protocol_mapper.py
@@ -29,6 +29,14 @@ def __init__(__self__, *,
                  name: Optional[pulumi.Input[str]] = None):
         """
         The set of arguments for constructing a UserPropertyProtocolMapper resource.
+        :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+        :param pulumi.Input[str] saml_attribute_name: The name of the SAML attribute.
+        :param pulumi.Input[str] saml_attribute_name_format: The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        :param pulumi.Input[str] user_property: The property of the Keycloak user model to map.
+        :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] friendly_name: An optional human-friendly name for this attribute.
+        :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
         """
         pulumi.set(__self__, "realm_id", realm_id)
         pulumi.set(__self__, "saml_attribute_name", saml_attribute_name)
@@ -46,6 +54,9 @@ def __init__(__self__, *,
     @property
     @pulumi.getter(name="realmId")
     def realm_id(self) -> pulumi.Input[str]:
+        """
+        The realm this protocol mapper exists within.
+        """
         return pulumi.get(self, "realm_id")
 
     @realm_id.setter
@@ -55,6 +66,9 @@ def realm_id(self, value: pulumi.Input[str]):
     @property
     @pulumi.getter(name="samlAttributeName")
     def saml_attribute_name(self) -> pulumi.Input[str]:
+        """
+        The name of the SAML attribute.
+        """
         return pulumi.get(self, "saml_attribute_name")
 
     @saml_attribute_name.setter
@@ -64,6 +78,9 @@ def saml_attribute_name(self, value: pulumi.Input[str]):
     @property
     @pulumi.getter(name="samlAttributeNameFormat")
     def saml_attribute_name_format(self) -> pulumi.Input[str]:
+        """
+        The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        """
         return pulumi.get(self, "saml_attribute_name_format")
 
     @saml_attribute_name_format.setter
@@ -73,6 +90,9 @@ def saml_attribute_name_format(self, value: pulumi.Input[str]):
     @property
     @pulumi.getter(name="userProperty")
     def user_property(self) -> pulumi.Input[str]:
+        """
+        The property of the Keycloak user model to map.
+        """
         return pulumi.get(self, "user_property")
 
     @user_property.setter
@@ -82,6 +102,9 @@ def user_property(self, value: pulumi.Input[str]):
     @property
     @pulumi.getter(name="clientId")
     def client_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_id")
 
     @client_id.setter
@@ -91,6 +114,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="clientScopeId")
     def client_scope_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_scope_id")
 
     @client_scope_id.setter
@@ -100,6 +126,9 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="friendlyName")
     def friendly_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        An optional human-friendly name for this attribute.
+        """
         return pulumi.get(self, "friendly_name")
 
     @friendly_name.setter
@@ -109,6 +138,9 @@ def friendly_name(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter
     def name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The display name of this protocol mapper in the GUI.
+        """
         return pulumi.get(self, "name")
 
     @name.setter
@@ -129,6 +161,14 @@ def __init__(__self__, *,
                  user_property: Optional[pulumi.Input[str]] = None):
         """
         Input properties used for looking up and filtering UserPropertyProtocolMapper resources.
+        :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] friendly_name: An optional human-friendly name for this attribute.
+        :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+        :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+        :param pulumi.Input[str] saml_attribute_name: The name of the SAML attribute.
+        :param pulumi.Input[str] saml_attribute_name_format: The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        :param pulumi.Input[str] user_property: The property of the Keycloak user model to map.
         """
         if client_id is not None:
             pulumi.set(__self__, "client_id", client_id)
@@ -150,6 +190,9 @@ def __init__(__self__, *,
     @property
     @pulumi.getter(name="clientId")
     def client_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_id")
 
     @client_id.setter
@@ -159,6 +202,9 @@ def client_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="clientScopeId")
     def client_scope_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        """
         return pulumi.get(self, "client_scope_id")
 
     @client_scope_id.setter
@@ -168,6 +214,9 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="friendlyName")
     def friendly_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        An optional human-friendly name for this attribute.
+        """
         return pulumi.get(self, "friendly_name")
 
     @friendly_name.setter
@@ -177,6 +226,9 @@ def friendly_name(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter
     def name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The display name of this protocol mapper in the GUI.
+        """
         return pulumi.get(self, "name")
 
     @name.setter
@@ -186,6 +238,9 @@ def name(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="realmId")
     def realm_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The realm this protocol mapper exists within.
+        """
         return pulumi.get(self, "realm_id")
 
     @realm_id.setter
@@ -195,6 +250,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="samlAttributeName")
     def saml_attribute_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The name of the SAML attribute.
+        """
         return pulumi.get(self, "saml_attribute_name")
 
     @saml_attribute_name.setter
@@ -204,6 +262,9 @@ def saml_attribute_name(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="samlAttributeNameFormat")
     def saml_attribute_name_format(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        """
         return pulumi.get(self, "saml_attribute_name_format")
 
     @saml_attribute_name_format.setter
@@ -213,6 +274,9 @@ def saml_attribute_name_format(self, value: Optional[pulumi.Input[str]]):
     @property
     @pulumi.getter(name="userProperty")
     def user_property(self) -> Optional[pulumi.Input[str]]:
+        """
+        The property of the Keycloak user model to map.
+        """
         return pulumi.get(self, "user_property")
 
     @user_property.setter
@@ -235,17 +299,15 @@ def __init__(__self__,
                  user_property: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         """
-        ## # saml.UserPropertyProtocolMapper
-
-        Allows for creating and managing user property protocol mappers for
-        SAML clients within Keycloak.
+        Allows for creating and managing user property protocol mappers for SAML clients within Keycloak.
 
         SAML user property protocol mappers allow you to map properties of the Keycloak
-        user model to an attribute in a SAML assertion. Protocol mappers
-        can be defined for a single client, or they can be defined for a client scope which
-        can be shared between multiple different clients.
+        user model to an attribute in a SAML assertion.
+
+        Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+        multiple different clients.
 
-        ### Example Usage (Client)
+        ## Example Usage
 
         ```python
         import pulumi
@@ -255,11 +317,11 @@ def __init__(__self__,
             realm="my-realm",
             enabled=True)
         saml_client = keycloak.saml.Client("saml_client",
-            realm_id=test["id"],
-            client_id="test-saml-client",
-            name="test-saml-client")
+            realm_id=realm.id,
+            client_id="saml-client",
+            name="saml-client")
         saml_user_property_mapper = keycloak.saml.UserPropertyProtocolMapper("saml_user_property_mapper",
-            realm_id=test["id"],
+            realm_id=realm.id,
             client_id=saml_client.id,
             name="email-user-property-mapper",
             user_property="email",
@@ -267,29 +329,36 @@ def __init__(__self__,
             saml_attribute_name_format="Unspecified")
         ```
 
-        ### Argument Reference
-
-        The following arguments are supported:
-
-        - `realm_id` - (Required) The realm this protocol mapper exists within.
-        - `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to.
-        - `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to.
-        - `name` - (Required) The display name of this protocol mapper in the GUI.
-        - `user_property` - (Required) The property of the Keycloak user model to map.
-        - `friendly_name` - (Optional) An optional human-friendly name for this attribute.
-        - `saml_attribute_name` - (Required) The name of the SAML attribute.
-        - `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
-
-        ### Import
+        ## Import
 
         Protocol mappers can be imported using one of the following formats:
+
         - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
         - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
 
         Example:
 
+        bash
+
+        ```sh
+        $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+        ```
+
+        ```sh
+        $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+        ```
+
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+        :param pulumi.Input[str] friendly_name: An optional human-friendly name for this attribute.
+        :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI.
+        :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within.
+        :param pulumi.Input[str] saml_attribute_name: The name of the SAML attribute.
+        :param pulumi.Input[str] saml_attribute_name_format: The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
+        :param pulumi.Input[str] user_property: The property of the Keycloak user model to map.
         """
         ...
     @overload
@@ -298,17 +367,15 @@ def __init__(__self__,
                  args: UserPropertyProtocolMapperArgs,
                  opts: Optional[pulumi.ResourceOptions] = None):
         """
-        ## # saml.UserPropertyProtocolMapper
-
-        Allows for creating and managing user property protocol mappers for
-        SAML clients within Keycloak.
+        Allows for creating and managing user property protocol mappers for SAML clients within Keycloak.
 
         SAML user property protocol mappers allow you to map properties of the Keycloak
-        user model to an attribute in a SAML assertion. Protocol mappers
-        can be defined for a single client, or they can be defined for a client scope which
-        can be shared between multiple different clients.
+        user model to an attribute in a SAML assertion.
 
-        ### Example Usage (Client)
+        Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+        multiple different clients.
+
+        ## Example Usage
 
         ```python
         import pulumi
@@ -318,11 +385,11 @@ def __init__(__self__,
             realm="my-realm",
             enabled=True)
         saml_client = keycloak.saml.Client("saml_client",
-            realm_id=test["id"],
-            client_id="test-saml-client",
-            name="test-saml-client")
+            realm_id=realm.id,
+            client_id="saml-client",
+            name="saml-client")
         saml_user_property_mapper = keycloak.saml.UserPropertyProtocolMapper("saml_user_property_mapper",
-            realm_id=test["id"],
+            realm_id=realm.id,
             client_id=saml_client.id,
             name="email-user-property-mapper",
             user_property="email",
@@ -330,27 +397,26 @@ def __init__(__self__, saml_attribute_name_format="Unspecified") ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this protocol mapper exists within. - - `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. - - `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. - - `name` - (Required) The display name of this protocol mapper in the GUI. - - `user_property` - (Required) The property of the Keycloak user model to map. - - `friendly_name` - (Optional) An optional human-friendly name for this attribute. - - `saml_attribute_name` - (Required) The name of the SAML attribute. - - `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. - - ### Import + ## Import Protocol mappers can be imported using one of the following formats: + - Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` + - Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Example: + bash + + ```sh + $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + :param str resource_name: The name of the resource. :param UserPropertyProtocolMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -424,6 +490,14 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] friendly_name: An optional human-friendly name for this attribute. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] saml_attribute_name: The name of the SAML attribute. + :param pulumi.Input[str] saml_attribute_name_format: The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + :param pulumi.Input[str] user_property: The property of the Keycloak user model to map. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
@@ -442,40 +516,64 @@ def get(resource_name: str, @property @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[Optional[str]]: + """ + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + """ return pulumi.get(self, "client_id") @property @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> pulumi.Output[Optional[str]]: + """ + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + """ return pulumi.get(self, "client_scope_id") @property @pulumi.getter(name="friendlyName") def friendly_name(self) -> pulumi.Output[Optional[str]]: + """ + An optional human-friendly name for this attribute. + """ return pulumi.get(self, "friendly_name") @property @pulumi.getter def name(self) -> pulumi.Output[str]: + """ + The display name of this protocol mapper in the GUI. + """ return pulumi.get(self, "name") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The realm this protocol mapper exists within. + """ return pulumi.get(self, "realm_id") @property @pulumi.getter(name="samlAttributeName") def saml_attribute_name(self) -> pulumi.Output[str]: + """ + The name of the SAML attribute. + """ return pulumi.get(self, "saml_attribute_name") @property @pulumi.getter(name="samlAttributeNameFormat") def saml_attribute_name_format(self) -> pulumi.Output[str]: + """ + The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. + """ return pulumi.get(self, "saml_attribute_name_format") @property @pulumi.getter(name="userProperty") def user_property(self) -> pulumi.Output[str]: + """ + The property of the Keycloak user model to map. + """ return pulumi.get(self, "user_property") diff --git a/sdk/python/pulumi_keycloak/user.py b/sdk/python/pulumi_keycloak/user.py index 76898a9a..21ca5db3 100644 
--- a/sdk/python/pulumi_keycloak/user.py +++ b/sdk/python/pulumi_keycloak/user.py @@ -34,6 +34,17 @@ def __init__(__self__, *, required_actions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None): """ The set of arguments for constructing a User resource. + :param pulumi.Input[str] realm_id: The realm this user belongs to. + :param pulumi.Input[str] username: The unique username of this user. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + :param pulumi.Input[str] email: The user's email. + :param pulumi.Input[bool] email_verified: Whether the email address was validated or not. Default to `false`. + :param pulumi.Input[bool] enabled: When false, this user cannot log in. Defaults to `true`. + :param pulumi.Input[Sequence[pulumi.Input['UserFederatedIdentityArgs']]] federated_identities: When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + :param pulumi.Input[str] first_name: The user's first name. + :param pulumi.Input['UserInitialPasswordArgs'] initial_password: When given, the user's initial password will be set. This attribute is only respected during initial user creation. + :param pulumi.Input[str] last_name: The user's last name. + :param pulumi.Input[Sequence[pulumi.Input[str]]] required_actions: A list of required user actions. """ pulumi.set(__self__, "realm_id", realm_id) pulumi.set(__self__, "username", username) @@ -59,6 +70,9 @@ def __init__(__self__, *, @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: + """ + The realm this user belongs to. + """ return pulumi.get(self, "realm_id") @realm_id.setter 
@@ -68,6 +82,9 @@ def realm_id(self, value: pulumi.Input[str]): @property @pulumi.getter def username(self) -> pulumi.Input[str]: + """ + The unique username of this user. + """ return pulumi.get(self, "username") @username.setter @@ -77,6 +94,9 @@ def username(self, value: pulumi.Input[str]): @property @pulumi.getter def attributes(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]: + """ + A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + """ return pulumi.get(self, "attributes") @attributes.setter @@ -86,6 +106,9 @@ def attributes(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str] @property @pulumi.getter def email(self) -> Optional[pulumi.Input[str]]: + """ + The user's email. + """ return pulumi.get(self, "email") @email.setter @@ -95,6 +118,9 @@ def email(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="emailVerified") def email_verified(self) -> Optional[pulumi.Input[bool]]: + """ + Whether the email address was validated or not. Default to `false`. + """ return pulumi.get(self, "email_verified") @email_verified.setter @@ -104,6 +130,9 @@ def email_verified(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When false, this user cannot log in. Defaults to `true`. + """ return pulumi.get(self, "enabled") @enabled.setter @@ -113,6 +142,9 @@ def enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="federatedIdentities") def federated_identities(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['UserFederatedIdentityArgs']]]]: + """ + When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + """ return pulumi.get(self, "federated_identities") @federated_identities.setter 
@@ -122,6 +154,9 @@ def federated_identities(self, value: Optional[pulumi.Input[Sequence[pulumi.Inpu @property @pulumi.getter(name="firstName") def first_name(self) -> Optional[pulumi.Input[str]]: + """ + The user's first name. + """ return pulumi.get(self, "first_name") @first_name.setter @@ -131,6 +166,9 @@ def first_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="initialPassword") def initial_password(self) -> Optional[pulumi.Input['UserInitialPasswordArgs']]: + """ + When given, the user's initial password will be set. This attribute is only respected during initial user creation. + """ return pulumi.get(self, "initial_password") @initial_password.setter @@ -140,6 +178,9 @@ def initial_password(self, value: Optional[pulumi.Input['UserInitialPasswordArgs @property @pulumi.getter(name="lastName") def last_name(self) -> Optional[pulumi.Input[str]]: + """ + The user's last name. + """ return pulumi.get(self, "last_name") @last_name.setter @@ -149,6 +190,9 @@ def last_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="requiredActions") def required_actions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of required user actions. + """ return pulumi.get(self, "required_actions") @required_actions.setter 
@@ -172,6 +216,17 @@ def __init__(__self__, *, username: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering User resources. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + :param pulumi.Input[str] email: The user's email. + :param pulumi.Input[bool] email_verified: Whether the email address was validated or not. Default to `false`. + :param pulumi.Input[bool] enabled: When false, this user cannot log in. Defaults to `true`. + :param pulumi.Input[Sequence[pulumi.Input['UserFederatedIdentityArgs']]] federated_identities: When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + :param pulumi.Input[str] first_name: The user's first name. + :param pulumi.Input['UserInitialPasswordArgs'] initial_password: When given, the user's initial password will be set. This attribute is only respected during initial user creation. + :param pulumi.Input[str] last_name: The user's last name. + :param pulumi.Input[str] realm_id: The realm this user belongs to. + :param pulumi.Input[Sequence[pulumi.Input[str]]] required_actions: A list of required user actions. + :param pulumi.Input[str] username: The unique username of this user. """ if attributes is not None: pulumi.set(__self__, "attributes", attributes) @@ -199,6 +254,9 @@ def __init__(__self__, *, @property @pulumi.getter def attributes(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]: + """ + A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + """ return pulumi.get(self, "attributes") @attributes.setter 
@@ -208,6 +266,9 @@ def attributes(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str] @property @pulumi.getter def email(self) -> Optional[pulumi.Input[str]]: + """ + The user's email. + """ return pulumi.get(self, "email") @email.setter @@ -217,6 +278,9 @@ def email(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="emailVerified") def email_verified(self) -> Optional[pulumi.Input[bool]]: + """ + Whether the email address was validated or not. Default to `false`. + """ return pulumi.get(self, "email_verified") @email_verified.setter @@ -226,6 +290,9 @@ def email_verified(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + When false, this user cannot log in. Defaults to `true`. + """ return pulumi.get(self, "enabled") @enabled.setter @@ -235,6 +302,9 @@ def enabled(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="federatedIdentities") def federated_identities(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['UserFederatedIdentityArgs']]]]: + """ + When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + """ return pulumi.get(self, "federated_identities") @federated_identities.setter @@ -244,6 +314,9 @@ def federated_identities(self, value: Optional[pulumi.Input[Sequence[pulumi.Inpu @property @pulumi.getter(name="firstName") def first_name(self) -> Optional[pulumi.Input[str]]: + """ + The user's first name. + """ return pulumi.get(self, "first_name") @first_name.setter 
@@ -253,6 +326,9 @@ def first_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="initialPassword") def initial_password(self) -> Optional[pulumi.Input['UserInitialPasswordArgs']]: + """ + When given, the user's initial password will be set. This attribute is only respected during initial user creation. + """ return pulumi.get(self, "initial_password") @initial_password.setter @@ -262,6 +338,9 @@ def initial_password(self, value: Optional[pulumi.Input['UserInitialPasswordArgs @property @pulumi.getter(name="lastName") def last_name(self) -> Optional[pulumi.Input[str]]: + """ + The user's last name. + """ return pulumi.get(self, "last_name") @last_name.setter @@ -271,6 +350,9 @@ def last_name(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: + """ + The realm this user belongs to. + """ return pulumi.get(self, "realm_id") @realm_id.setter @@ -280,6 +362,9 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="requiredActions") def required_actions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + A list of required user actions. + """ return pulumi.get(self, "required_actions") @required_actions.setter @@ -289,6 +374,9 @@ def required_actions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[st @property @pulumi.getter def username(self) -> Optional[pulumi.Input[str]]: + """ + The unique username of this user. + """ return pulumi.get(self, "username") @username.setter 
@@ -314,15 +402,13 @@ def __init__(__self__, username: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## # User - Allows for creating and managing Users within Keycloak. - This resource was created primarily to enable the acceptance tests for the `Group` resource. - Creating users within Keycloak is not recommended. Instead, users should be federated from external sources - by configuring user federation providers or identity providers. + This resource was created primarily to enable the acceptance tests for the `Group` resource. Creating users within + Keycloak is not recommended. Instead, users should be federated from external sources by configuring user federation providers + or identity providers. - ### Example Usage + ## Example Usage ```python import pulumi 
@@ -345,36 +431,43 @@ def __init__(__self__, email="alice@domain.com", first_name="Alice", last_name="Aliceberg", + attributes={ + "foo": "bar", + "multivalue": "value1##value2", + }, initial_password={ "value": "some password", "temporary": True, }) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this user belongs to. - - `username` - (Required) The unique username of this user. - - `initial_password` (Optional) When given, the user's initial password will be set. - This attribute is only respected during initial user creation. - - `value` (Required) The initial password. - - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. - - `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. - - `email` - (Optional) The user's email. - - `first_name` - (Optional) The user's first name. - - `last_name` - (Optional) The user's last name. - - ### Import + ## Import Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak + assigns to the user upon creation. This value can be found in the GUI when editing the user. Example: + bash + + ```sh + $ pulumi import keycloak:index/user:User user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + :param pulumi.Input[str] email: The user's email. + :param pulumi.Input[bool] email_verified: Whether the email address was validated or not. Default to `false`. + :param pulumi.Input[bool] enabled: When false, this user cannot log in. Defaults to `true`. 
+ :param pulumi.Input[Sequence[pulumi.Input[Union['UserFederatedIdentityArgs', 'UserFederatedIdentityArgsDict']]]] federated_identities: When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + :param pulumi.Input[str] first_name: The user's first name. + :param pulumi.Input[Union['UserInitialPasswordArgs', 'UserInitialPasswordArgsDict']] initial_password: When given, the user's initial password will be set. This attribute is only respected during initial user creation. + :param pulumi.Input[str] last_name: The user's last name. + :param pulumi.Input[str] realm_id: The realm this user belongs to. + :param pulumi.Input[Sequence[pulumi.Input[str]]] required_actions: A list of required user actions. + :param pulumi.Input[str] username: The unique username of this user. """ ... @overload @@ -383,15 +476,13 @@ def __init__(__self__, args: UserArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## # User - Allows for creating and managing Users within Keycloak. - This resource was created primarily to enable the acceptance tests for the `Group` resource. - Creating users within Keycloak is not recommended. Instead, users should be federated from external sources - by configuring user federation providers or identity providers. + This resource was created primarily to enable the acceptance tests for the `Group` resource. Creating users within + Keycloak is not recommended. Instead, users should be federated from external sources by configuring user federation providers + or identity providers. - ### Example Usage + ## Example Usage ```python import pulumi 
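Review bot: The `initial_password` param line added in this hunk (`When given, the user's initial password will be set. This attribute is only respected during initial user creation.`) and the example `initial_password={"value": "some password", "temporary": True}` say nothing about where that value ends up; in this SDK the field is a plain `pulumi.Input['UserInitialPasswordArgs']` with no visible secret marking, so the password presumably lands in Pulumi state and in preview diffs unless the caller wraps it or the provider schema marks it secret — worth confirming against the schema before relying on it. I'd extend the param line to `:param ... initial_password: When given, the user's initial password will be set. This attribute is only respected during initial user creation. The value is persisted in Pulumi state; supply it as a secret (e.g. config ``require_secret`` / ``pulumi.Output.secret``) rather than a literal.` and swap the literal in the example for a secret config lookup. The `attributes` line in the same hunk also misspells `seperate` (→ `separate`). The enclosing `__init__` starts before this hunk and its body continues past it.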
@@ -414,34 +505,30 @@ def __init__(__self__, email="alice@domain.com", first_name="Alice", last_name="Aliceberg", + attributes={ + "foo": "bar", + "multivalue": "value1##value2", + }, initial_password={ "value": "some password", "temporary": True, }) ``` - ### Argument Reference - - The following arguments are supported: - - - `realm_id` - (Required) The realm this user belongs to. - - `username` - (Required) The unique username of this user. - - `initial_password` (Optional) When given, the user's initial password will be set. - This attribute is only respected during initial user creation. - - `value` (Required) The initial password. - - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. - - `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. - - `email` - (Optional) The user's email. - - `first_name` - (Optional) The user's first name. - - `last_name` - (Optional) The user's last name. - - ### Import + ## Import Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak + assigns to the user upon creation. This value can be found in the GUI when editing the user. Example: + bash + + ```sh + $ pulumi import keycloak:index/user:User user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 + ``` + :param str resource_name: The name of the resource. :param UserArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. 
@@ -520,6 +607,17 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] attributes: A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + :param pulumi.Input[str] email: The user's email. + :param pulumi.Input[bool] email_verified: Whether the email address was validated or not. Default to `false`. + :param pulumi.Input[bool] enabled: When false, this user cannot log in. Defaults to `true`. + :param pulumi.Input[Sequence[pulumi.Input[Union['UserFederatedIdentityArgs', 'UserFederatedIdentityArgsDict']]]] federated_identities: When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + :param pulumi.Input[str] first_name: The user's first name. + :param pulumi.Input[Union['UserInitialPasswordArgs', 'UserInitialPasswordArgsDict']] initial_password: When given, the user's initial password will be set. This attribute is only respected during initial user creation. + :param pulumi.Input[str] last_name: The user's last name. + :param pulumi.Input[str] realm_id: The realm this user belongs to. + :param pulumi.Input[Sequence[pulumi.Input[str]]] required_actions: A list of required user actions. + :param pulumi.Input[str] username: The unique username of this user. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) 
@@ -541,55 +639,88 @@ def get(resource_name: str, @property @pulumi.getter def attributes(self) -> pulumi.Output[Optional[Mapping[str, str]]]: + """ + A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars + """ return pulumi.get(self, "attributes") @property @pulumi.getter def email(self) -> pulumi.Output[Optional[str]]: + """ + The user's email. + """ return pulumi.get(self, "email") @property @pulumi.getter(name="emailVerified") def email_verified(self) -> pulumi.Output[Optional[bool]]: + """ + Whether the email address was validated or not. Default to `false`. + """ return pulumi.get(self, "email_verified") @property @pulumi.getter def enabled(self) -> pulumi.Output[Optional[bool]]: + """ + When false, this user cannot log in. Defaults to `true`. + """ return pulumi.get(self, "enabled") @property @pulumi.getter(name="federatedIdentities") def federated_identities(self) -> pulumi.Output[Optional[Sequence['outputs.UserFederatedIdentity']]]: + """ + When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. + """ return pulumi.get(self, "federated_identities") @property @pulumi.getter(name="firstName") def first_name(self) -> pulumi.Output[Optional[str]]: + """ + The user's first name. + """ return pulumi.get(self, "first_name") @property @pulumi.getter(name="initialPassword") def initial_password(self) -> pulumi.Output[Optional['outputs.UserInitialPassword']]: + """ + When given, the user's initial password will be set. This attribute is only respected during initial user creation. + """ return pulumi.get(self, "initial_password") @property @pulumi.getter(name="lastName") def last_name(self) -> pulumi.Output[Optional[str]]: + """ + The user's last name. 
+ """ return pulumi.get(self, "last_name") @property @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: + """ + The realm this user belongs to. + """ return pulumi.get(self, "realm_id") @property @pulumi.getter(name="requiredActions") def required_actions(self) -> pulumi.Output[Optional[Sequence[str]]]: + """ + A list of required user actions. + """ return pulumi.get(self, "required_actions") @property @pulumi.getter def username(self) -> pulumi.Output[str]: + """ + The unique username of this user. + """ return pulumi.get(self, "username")