feat: Add new resources for realm client policy profiles (#1138)

laureat-natzka · Laureat Grepi · Filirom1 · web-flow · commit 13e7bce9497f · 2025-07-03T16:21:06.000+02:00
* feat: Add new resources for realm client policy profiles Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * fmt Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Fix tests Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Fix tests 2 Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Fix tests 3 Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Fix tests profile executor update Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * update test values Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Allow secret regeneration in openid client Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * update Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * update Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * typeString -> typeMap Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Increase MaxIdleConnsPerHost in http.Transport (#1169) The default behaviour of http.Transport does not handle the use case of "many concurrent requests against a single host" very well. By default, it will only keep 2 persistent connections in the pool. Everything above that is burst capacity, and those connections are closed. The result is a lot of connection churn, which can lead to port exhaustion (especially on more constrained resources like a shared NAT). Increase the idle pool from 2 to 100, allowing for more connection reuse and in turn reducing connection churn. Signed-off-by: Romain Philibert <romain.philibert@worldline.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * test: Add tests for saml aggregate attributes (#1171) * add tests for saml aggregate attributes * Fix implementation, as tests were failing * rework tests in resource_keycloak_saml_user_attribute_protocol_mapper_test.go Signed-off-by: Robin Meese <39960884+robson90@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Update realm_keys.md (#1174) Signed-off-by: simonregn <33054882+simonregn@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Allow the alias of Google IdP to be set (#1177) Signed-off-by: Matthew H. Irby <matt.irby@outlook.com> Co-authored-by: Sebastian Schuster <sschu@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * chore(deps): bump golang.org/x/net from 0.38.0 to 0.39.0 (#1183) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.38.0 to 0.39.0. - [Commits](golang/net@v0.38.0...v0.39.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.39.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * feat: add identity provider hardcoded group mapper (#886) Signed-off-by: Fabien Carrion <fabien@carrion.mx> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * feat: Support extra_origins in web_authn_policy and web_authn_passwordless_policy (#1173) Fixes #1170 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: Sebastian Schuster <sschu@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Update to version 5.2 (#1185) Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * fix conflicts Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * chore(deps): bump dario.cat/mergo from 1.0.1 to 1.0.2 (#1196) Bumps [dario.cat/mergo](https://github.com/imdario/mergo) from 1.0.1 to 1.0.2. - [Release notes](https://github.com/imdario/mergo/releases) - [Commits](darccio/mergo@v1.0.1...v1.0.2) --- updated-dependencies: - dependency-name: dario.cat/mergo dependency-version: 1.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * chore(deps): bump golang.org/x/net from 0.39.0 to 0.40.0 (#1197) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.39.0 to 0.40.0. - [Commits](golang/net@v0.39.0...v0.40.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.40.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * chore(deps): bump org.jetbrains.kotlin.jvm (#1203) Bumps [org.jetbrains.kotlin.jvm](https://github.com/JetBrains/kotlin) from 2.1.20 to 2.1.21. - [Release notes](https://github.com/JetBrains/kotlin/releases) - [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md) - [Commits](JetBrains/kotlin@v2.1.20...v2.1.21) --- updated-dependencies: - dependency-name: org.jetbrains.kotlin.jvm dependency-version: 2.1.21 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sebastian Schuster <sebastian.schuster@bosch.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * chore(deps): bump github.com/hashicorp/terraform-plugin-sdk/v2 (#1202) Bumps [github.com/hashicorp/terraform-plugin-sdk/v2](https://github.com/hashicorp/terraform-plugin-sdk) from 2.36.1 to 2.37.0. - [Release notes](https://github.com/hashicorp/terraform-plugin-sdk/releases) - [Changelog](https://github.com/hashicorp/terraform-plugin-sdk/blob/main/CHANGELOG.md) - [Commits](hashicorp/terraform-plugin-sdk@v2.36.1...v2.37.0) --- updated-dependencies: - dependency-name: github.com/hashicorp/terraform-plugin-sdk/v2 dependency-version: 2.37.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * chore(deps): bump gradle/actions in /.github/workflows (#1204) Bumps [gradle/actions](https://github.com/gradle/actions) from 4.3.1 to 4.4.0. - [Release notes](https://github.com/gradle/actions/releases) - [Commits](gradle/actions@06832c7...8379f6a) --- updated-dependencies: - dependency-name: gradle/actions dependency-version: 4.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Add support for ephemeral/write-only arguments for keycloak_oidc_identity_provider & keycloak_openid_client (#1190) * feat: Support ephemeral/write-only arguments for client_secret in keycloak_openid_client Resource Signed-off-by: Hector Valcarcel <hmvalcarcel@gmail.com> * feat: Support ephemeral/write-only arguments for client_secret in keycloak_oidc_identity_provider Resource Signed-off-by: Hector Valcarcel <hmvalcarcel@gmail.com> * feat: Support ephemeral/write-only arguments for client_secret in keycloak_openid_client Resource Signed-off-by: Hector Valcarcel <hmvalcarcel@gmail.com> * feat: Support ephemeral/write-only arguments for client_secret in keycloak_oidc_identity_provider Resource Signed-off-by: Hector Valcarcel <hmvalcarcel@gmail.com> * feat: Remove validation for write-only attribute preference in keycloak resources Signed-off-by: Hector Valcarcel <hmvalcarcel@gmail.com> --------- Signed-off-by: Hector Valcarcel <hmvalcarcel@gmail.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Update to KC26.2.5 (#1214) * Update to KC26.2.5 Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> * Fixed test failures Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> * Added debug outpt Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> * Fixed test failures Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> * Removed comments Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> * Fix typo Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> * Just me being stupid Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> * Re-enabled tests for custom-example for compatible Keycloak versions Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> --------- Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * Docs: Updated Markdown to format correctly (#1201) * Updated Markdown to format correctly Signed-off-by: bubbletroubles <42738824+bubbletroubles@users.noreply.github.com> * Update openid_client_service_account_user.md Signed-off-by: bubbletroubles <42738824+bubbletroubles@users.noreply.github.com> --------- Signed-off-by: bubbletroubles <42738824+bubbletroubles@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * chore(deps): bump golang.org/x/net from 0.40.0 to 0.41.0 (#1216) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.40.0 to 0.41.0. - [Commits](golang/net@v0.40.0...v0.41.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * fix import Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * remove client secret regeneration Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * remove client secret regeneration Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> * fix Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> --------- Signed-off-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> Signed-off-by: Romain Philibert <romain.philibert@worldline.com> Signed-off-by: Robin Meese <39960884+robson90@users.noreply.github.com> Signed-off-by: simonregn <33054882+simonregn@users.noreply.github.com> Signed-off-by: Matthew H. Irby <matt.irby@outlook.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Fabien Carrion <fabien@carrion.mx> Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io> Signed-off-by: Hector Valcarcel <hmvalcarcel@gmail.com> Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.com> Signed-off-by: bubbletroubles <42738824+bubbletroubles@users.noreply.github.com> Signed-off-by: laureat-natzka <97245929+laureat-natzka@users.noreply.github.com> Co-authored-by: Laureat Grepi <laureat@Laureat-MacBook-Pro.local> Co-authored-by: Romain <romain.philibert@worldline.com> Co-authored-by: Robin Meese <39960884+robson90@users.noreply.github.com> Co-authored-by: simonregn <33054882+simonregn@users.noreply.github.com> Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> Co-authored-by: Sebastian Schuster <sschu@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Fabien Carrion <fabien@carrion.mx> Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: Sebastian Schuster <sebastian.schuster@bosch.com> Co-authored-by: Hector Manuel <refucktor@users.noreply.github.com> Co-authored-by: bubbletroubles <42738824+bubbletroubles@users.noreply.github.com>
diff --git a/docs/resources/realm_client_policy_profile.md b/docs/resources/realm_client_policy_profile.md
@@ -0,0 +1,48 @@
+---
+page_title: "keycloak_realm_client_policy_profile Resource"
+---
+
+# keycloak_realm_client_policy_profile Resource
+
+Allows for managing Realm Client Policy Profiles.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm = "my-realm"
+}
+
+resource "keycloak_realm_client_policy_profile" "profile" {
+  name     = "my-profile"
+  realm_id = keycloak_realm.realm.id
+
+  executor {
+    name = "intent-client-bind-checker"
+
+    configuration = {
+      auto-configure = true
+    }
+  }
+
+  executor {
+    name = "secure-session"
+  }
+}
+
+```
+
+### Attribute Arguments
+
+- `name` - (Required) The name of the attribute.
+- `realm_id` - (Required) The realm id.
+- `executor` - (Optional) An ordered list of [executors](#executor-arguments)
+
+#### Executor Arguments
+
+- `name` - (Required) The name of the executor. NOTE! The executor needs to exist
+- `configuration` - (Optional) - A map of configuration values
+
+## Import
+
+This resource currently does not support importing.
diff --git a/docs/resources/realm_client_policy_profile_profile.md b/docs/resources/realm_client_policy_profile_profile.md
@@ -0,0 +1,78 @@
+---
+page_title: "keycloak_realm_client_policy_profile_policy Resource"
+---
+
+# keycloak_realm_client_policy_profile_policy Resource
+
+Allows for managing Realm Client Policy Profile Policies.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm = "my-realm"
+}
+
+resource "keycloak_realm_client_policy_profile" "profile" {
+  name     = "my-profile"
+  realm_id = keycloak_realm.realm.id
+  description = "Some desc"
+
+  executor {
+    name = "intent-client-bind-checker"
+
+    configuration = {
+      auto-configure = "true"
+    }
+  }
+
+  executor {
+    name = "secret-rotation"
+    configuration = {
+      expiration-period = 2505600,
+      rotated-expiration-period = 172800,
+      remaining-rotation-period = 864000
+    }
+  }
+}
+
+resource "keycloak_realm_client_policy_profile_policy" "policy" {
+  name        = "my-profile"
+  realm_id    = keycloak_realm.realm.id
+  description = "Some desc"
+  profiles = [
+    keycloak_realm_client_policy_profile.profile.name
+  ]
+
+  condition {
+    name = "client-type"
+    configuration = {
+      "protocol" = "openid-connect"
+    }
+  }
+
+  condition {
+    name = "client-attributes"
+    configuration = {
+      is-negative-logic = false
+      attributes        = jsonencode([{ "key" : "test-key", "value" : "test-value" }])
+    }
+  }
+}
+
+```
+
+### Attribute Arguments
+
+- `name` - (Required) The name of the attribute.
+- `realm_id` - (Required) The realm id.
+- `condition` - (Optional) An ordered list of [condition](#condition-arguments)
+
+#### Condition Arguments
+
+- `name` - (Required) The name of the executor. NOTE! The executor needs to exist
+- `configuration` - (Optional) - A map of configuration values
+
+## Import
+
+This resource currently does not support importing.
diff --git a/example/main.tf b/example/main.tf
@@ -1191,3 +1191,41 @@ resource "keycloak_realm_user_profile" "userprofile" {
     name = "group2"
   }
 }
+
+resource "keycloak_realm_client_policy_profile" "profile" {
+  name     = "my-profile"
+  realm_id = keycloak_realm.test.id
+  executor {
+    name = "intent-client-bind-checker"
+    configuration = {
+      auto-configure = true
+    }
+  }
+  executor {
+    name = "secure-session"
+  }
+}
+
+resource "keycloak_realm_client_policy_profile_policy" "policy" {
+  name        = "my-profile-policy"
+  realm_id    = keycloak_realm.test.id
+  description = "Some desc"
+  profiles = [
+    keycloak_realm_client_policy_profile.profile.name
+  ]
+
+  condition {
+    name = "client-type"
+    configuration = {
+      "protocol" = "openid-connect"
+    }
+  }
+
+  condition {
+    name = "client-attributes"
+    configuration = {
+      "is-negative-logic" = false
+      "attributes"        = jsonencode([{ "key" : "something", "value" : "other3" }])
+    }
+  }
+}
diff --git a/keycloak/realm_client_policy_profile.go b/keycloak/realm_client_policy_profile.go
@@ -0,0 +1,55 @@
+package keycloak
+
+import (
+	"context"
+	"fmt"
+)
+
+type RealmClientPolicyProfileExecutor struct {
+	Name          string                 `json:"executor"`
+	Configuration map[string]interface{} `json:"configuration"`
+}
+
+type RealmClientPolicyProfile struct {
+	Name        string                             `json:"name"`
+	RealmId     string                             `json:"-"`
+	Description string                             `json:"description"`
+	Executors   []RealmClientPolicyProfileExecutor `json:"executors"`
+}
+
+type RealmClientPolicyProfiles struct {
+	Profiles       []RealmClientPolicyProfile `json:"profiles"`
+	GlobalProfiles []RealmClientPolicyProfile `json:"globalProfiles"`
+}
+
+func (keycloakClient *KeycloakClient) UpdateRealmClientPolicyProfiles(ctx context.Context, realmId string, profiles *RealmClientPolicyProfiles) error {
+	return keycloakClient.put(ctx, fmt.Sprintf("/realms/%s/client-policies/profiles", realmId), profiles)
+}
+
+func (keycloakClient *KeycloakClient) GetAllRealmClientPolicyProfiles(ctx context.Context, realmId string) (*RealmClientPolicyProfiles, error) {
+	var realmClientPolicyProfiles *RealmClientPolicyProfiles
+	params := map[string]string{"include-global-profiles": "true"}
+
+	err := keycloakClient.get(ctx, fmt.Sprintf("/realms/%s/client-policies/profiles", realmId), &realmClientPolicyProfiles, params)
+	if err != nil {
+		return nil, err
+	}
+
+	return realmClientPolicyProfiles, nil
+}
+
+func (keycloakClient *KeycloakClient) GetRealmClientPolicyProfileByName(ctx context.Context, realmId string, name string) (*RealmClientPolicyProfile, error) {
+	realmClientPolicyProfiles, err := keycloakClient.GetAllRealmClientPolicyProfiles(ctx, realmId)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, profile := range realmClientPolicyProfiles.Profiles {
+		if profile.Name == name {
+			return &profile, nil
+		}
+	}
+
+	return nil, fmt.Errorf("profile with name: %s not found", name)
+
+}
diff --git a/keycloak/realm_client_policy_profile_policy.go b/keycloak/realm_client_policy_profile_policy.go
@@ -0,0 +1,54 @@
+package keycloak
+
+import (
+	"context"
+	"fmt"
+)
+
+type RealmClientPolicyProfilePolicyCondition struct {
+	Name          string                 `json:"condition"`
+	Configuration map[string]interface{} `json:"configuration"`
+}
+
+type RealmClientPolicyProfilePolicy struct {
+	Name        string                                    `json:"name"`
+	RealmId     string                                    `json:"-"`
+	Description string                                    `json:"description"`
+	Enabled     bool                                      `json:"enabled"`
+	Conditions  []RealmClientPolicyProfilePolicyCondition `json:"conditions"`
+	Profiles    []string                                  `json:"profiles"`
+}
+
+type RealmClientPolicyProfilePolicies struct {
+	Policies []RealmClientPolicyProfilePolicy `json:"policies"`
+}
+
+func (keycloakClient *KeycloakClient) UpdateRealmClientPolicyProfilePolicies(ctx context.Context, realmId string, policies *RealmClientPolicyProfilePolicies) error {
+	return keycloakClient.put(ctx, fmt.Sprintf("/realms/%s/client-policies/policies", realmId), policies)
+}
+
+func (keycloakClient *KeycloakClient) GetAllRealmClientPolicyProfilePolices(ctx context.Context, realmId string) (*RealmClientPolicyProfilePolicies, error) {
+	var realmClientPolicyProfilePolicies *RealmClientPolicyProfilePolicies
+
+	err := keycloakClient.get(ctx, fmt.Sprintf("/realms/%s/client-policies/policies", realmId), &realmClientPolicyProfilePolicies, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return realmClientPolicyProfilePolicies, nil
+}
+
+func (keycloakClient *KeycloakClient) GetRealmClientPolicyProfilePolicyByName(ctx context.Context, realmId string, name string) (*RealmClientPolicyProfilePolicy, error) {
+	realmClientPolicyProfilePolicies, err := keycloakClient.GetAllRealmClientPolicyProfilePolices(ctx, realmId)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, policy := range realmClientPolicyProfilePolicies.Policies {
+		if policy.Name == name {
+			return &policy, nil
+		}
+	}
+
+	return nil, fmt.Errorf("policy with name: %s not found", name)
+}
diff --git a/provider/provider.go b/provider/provider.go
@@ -35,6 +35,8 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 			"keycloak_realm_events":                                      resourceKeycloakRealmEvents(),
 			"keycloak_realm_default_client_scopes":                       resourceKeycloakRealmDefaultClientScopes(),
 			"keycloak_realm_optional_client_scopes":                      resourceKeycloakRealmOptionalClientScopes(),
+			"keycloak_realm_client_policy_profile":                       resourceKeycloakRealmClientPolicyProfile(),
+			"keycloak_realm_client_policy_profile_policy":                resourceKeycloakRealmClientPolicyProfilePolicy(),
 			"keycloak_realm_keystore_aes_generated":                      resourceKeycloakRealmKeystoreAesGenerated(),
 			"keycloak_realm_keystore_ecdsa_generated":                    resourceKeycloakRealmKeystoreEcdsaGenerated(),
 			"keycloak_realm_keystore_hmac_generated":                     resourceKeycloakRealmKeystoreHmacGenerated(),
diff --git a/provider/resource_keycloak_realm_client_policy_profile.go b/provider/resource_keycloak_realm_client_policy_profile.go
diff --git a/provider/resource_keycloak_realm_client_policy_profile_policy.go b/provider/resource_keycloak_realm_client_policy_profile_policy.go
diff --git a/provider/resource_keycloak_realm_client_policy_profile_test.go b/provider/resource_keycloak_realm_client_policy_profile_test.go
