pulumi-keycloak-kotlin/com.pulumi.keycloak.kotlin/UserRolesArgs

UserRolesArgs

data class UserRolesArgs(val exhaustive: Output<Boolean>? = null, val realmId: Output<String>? = null, val roleIds: Output<List<String>>? = null, val userId: Output<String>? = null) : ConvertibleToJava<UserRolesArgs>

Allows you to manage roles assigned to a Keycloak user. If exhaustive is true, this resource attempts to be an authoritative source over user roles: roles that are manually added to the user will be removed, and roles that are manually removed from the user will be added upon the next run of pulumi up. If exhaustive is false, this resource is a partial assignation of roles to a user. As a result, you can use multiple keycloak.UserRoles for the same user_id. Note that when assigning composite roles to a user, you may see a non-empty plan following a pulumi up if you assign a role and a composite that includes that role to the same user.

Example Usage

Exhaustive Roles)

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const realmRole = new keycloak.Role("realm_role", {
    realmId: realm.id,
    name: "my-realm-role",
    description: "My Realm Role",
});
const client = new keycloak.openid.Client("client", {
    realmId: realm.id,
    clientId: "client",
    name: "client",
    enabled: true,
    accessType: "BEARER-ONLY",
});
const clientRole = new keycloak.Role("client_role", {
    realmId: realm.id,
    clientId: clientKeycloakClient.id,
    name: "my-client-role",
    description: "My Client Role",
});
const user = new keycloak.User("user", {
    realmId: realm.id,
    username: "bob",
    enabled: true,
    email: "bob@domain.com",
    firstName: "Bob",
    lastName: "Bobson",
});
const userRoles = new keycloak.UserRoles("user_roles", {
    realmId: realm.id,
    userId: user.id,
    roleIds: [
        realmRole.id,
        clientRole.id,
    ],
});

import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
realm_role = keycloak.Role("realm_role",
    realm_id=realm.id,
    name="my-realm-role",
    description="My Realm Role")
client = keycloak.openid.Client("client",
    realm_id=realm.id,
    client_id="client",
    name="client",
    enabled=True,
    access_type="BEARER-ONLY")
client_role = keycloak.Role("client_role",
    realm_id=realm.id,
    client_id=client_keycloak_client["id"],
    name="my-client-role",
    description="My Client Role")
user = keycloak.User("user",
    realm_id=realm.id,
    username="bob",
    enabled=True,
    email="bob@domain.com",
    first_name="Bob",
    last_name="Bobson")
user_roles = keycloak.UserRoles("user_roles",
    realm_id=realm.id,
    user_id=user.id,
    role_ids=[
        realm_role.id,
        client_role.id,
    ])

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });
    var realmRole = new Keycloak.Role("realm_role", new()
    {
        RealmId = realm.Id,
        Name = "my-realm-role",
        Description = "My Realm Role",
    });
    var client = new Keycloak.OpenId.Client("client", new()
    {
        RealmId = realm.Id,
        ClientId = "client",
        Name = "client",
        Enabled = true,
        AccessType = "BEARER-ONLY",
    });
    var clientRole = new Keycloak.Role("client_role", new()
    {
        RealmId = realm.Id,
        ClientId = clientKeycloakClient.Id,
        Name = "my-client-role",
        Description = "My Client Role",
    });
    var user = new Keycloak.User("user", new()
    {
        RealmId = realm.Id,
        Username = "bob",
        Enabled = true,
        Email = "bob@domain.com",
        FirstName = "Bob",
        LastName = "Bobson",
    });
    var userRoles = new Keycloak.UserRoles("user_roles", new()
    {
        RealmId = realm.Id,
        UserId = user.Id,
        RoleIds = new[]
        {
            realmRole.Id,
            clientRole.Id,
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		realmRole, err := keycloak.NewRole(ctx, "realm_role", &keycloak.RoleArgs{
			RealmId:     realm.ID(),
			Name:        pulumi.String("my-realm-role"),
			Description: pulumi.String("My Realm Role"),
		})
		if err != nil {
			return err
		}
		_, err = openid.NewClient(ctx, "client", &openid.ClientArgs{
			RealmId:    realm.ID(),
			ClientId:   pulumi.String("client"),
			Name:       pulumi.String("client"),
			Enabled:    pulumi.Bool(true),
			AccessType: pulumi.String("BEARER-ONLY"),
		})
		if err != nil {
			return err
		}
		clientRole, err := keycloak.NewRole(ctx, "client_role", &keycloak.RoleArgs{
			RealmId:     realm.ID(),
			ClientId:    pulumi.Any(clientKeycloakClient.Id),
			Name:        pulumi.String("my-client-role"),
			Description: pulumi.String("My Client Role"),
		})
		if err != nil {
			return err
		}
		user, err := keycloak.NewUser(ctx, "user", &keycloak.UserArgs{
			RealmId:   realm.ID(),
			Username:  pulumi.String("bob"),
			Enabled:   pulumi.Bool(true),
			Email:     pulumi.String("bob@domain.com"),
			FirstName: pulumi.String("Bob"),
			LastName:  pulumi.String("Bobson"),
		})
		if err != nil {
			return err
		}
		_, err = keycloak.NewUserRoles(ctx, "user_roles", &keycloak.UserRolesArgs{
			RealmId: realm.ID(),
			UserId:  user.ID(),
			RoleIds: pulumi.StringArray{
				realmRole.ID(),
				clientRole.ID(),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.User;
import com.pulumi.keycloak.UserArgs;
import com.pulumi.keycloak.UserRoles;
import com.pulumi.keycloak.UserRolesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());
        var realmRole = new Role("realmRole", RoleArgs.builder()
            .realmId(realm.id())
            .name("my-realm-role")
            .description("My Realm Role")
            .build());
        var client = new Client("client", ClientArgs.builder()
            .realmId(realm.id())
            .clientId("client")
            .name("client")
            .enabled(true)
            .accessType("BEARER-ONLY")
            .build());
        var clientRole = new Role("clientRole", RoleArgs.builder()
            .realmId(realm.id())
            .clientId(clientKeycloakClient.id())
            .name("my-client-role")
            .description("My Client Role")
            .build());
        var user = new User("user", UserArgs.builder()
            .realmId(realm.id())
            .username("bob")
            .enabled(true)
            .email("bob@domain.com")
            .firstName("Bob")
            .lastName("Bobson")
            .build());
        var userRoles = new UserRoles("userRoles", UserRolesArgs.builder()
            .realmId(realm.id())
            .userId(user.id())
            .roleIds(
                realmRole.id(),
                clientRole.id())
            .build());
    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  realmRole:
    type: keycloak:Role
    name: realm_role
    properties:
      realmId: ${realm.id}
      name: my-realm-role
      description: My Realm Role
  client:
    type: keycloak:openid:Client
    properties:
      realmId: ${realm.id}
      clientId: client
      name: client
      enabled: true
      accessType: BEARER-ONLY
  clientRole:
    type: keycloak:Role
    name: client_role
    properties:
      realmId: ${realm.id}
      clientId: ${clientKeycloakClient.id}
      name: my-client-role
      description: My Client Role
  user:
    type: keycloak:User
    properties:
      realmId: ${realm.id}
      username: bob
      enabled: true
      email: bob@domain.com
      firstName: Bob
      lastName: Bobson
  userRoles:
    type: keycloak:UserRoles
    name: user_roles
    properties:
      realmId: ${realm.id}
      userId: ${user.id}
      roleIds:
        - ${realmRole.id}
        - ${clientRole.id}

Import

This resource can be imported using the format {{realm_id}}/{{user_id}}, where user_id is the unique ID that Keycloak assigns to the user upon creation. This value can be found in the GUI when editing the user, and is typically a GUID. Example: bash

$ pulumi import keycloak:index/userRoles:UserRoles user_roles my-realm/b0ae6924-1bd5-4655-9e38-dae7c5e42924

Constructors

UserRolesArgs

constructor(exhaustive: Output<Boolean>? = null, realmId: Output<String>? = null, roleIds: Output<List<String>>? = null, userId: Output<String>? = null)

Properties

exhaustive

val exhaustive: Output<Boolean>? = null

Indicates if the list of roles is exhaustive. In this case, roles that are manually added to the user will be removed. Defaults to true.

realmId

val realmId: Output<String>? = null

The realm this user exists in.

roleIds

val roleIds: Output<List<String>>? = null

A list of role IDs to map to the user

userId

val userId: Output<String>? = null

The ID of the user this resource should manage roles for.

Functions

toJava

open override fun toJava(): UserRolesArgs