Add partial organization support (#8)

* Add organizations support without tests

* Add tests to organization and fixes

* Make organizations tests execution conditional

* Use a custom realm for testing organizations

* Make organization support for the test realms conditional on keycloak version

* Add documentation, missing enabled field in organization and remove some code duplication

---------

Co-authored-by: lucdew <[email protected]>

Author: lucdew

docs/resources/organization.md

@@ -0,0 +1,69 @@
+---
+page_title: "keycloak_organization Resource"
+---
+
+# keycloak_organization Resource
+
+Allows for creating and managing Organizations within Keycloak.
+
+It only configures the Organization own data but not the association to the identity providers or organization members.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_organization" "engineering" {
+  realm_id     = keycloak_realm.example.id
+  name         = "engineering"
+  alias        = "engineering"
+  description  = "Organization for the engineering department"
+
+  domain       {
+	name = "engineering.example.com"
+	verified = true
+  }
+
+  domain       {
+	name = "engineering-lab.example.com"
+  }
+
+  attributes   = {
+    department = "technical"
+    location   = "headquarter"
+  }
+}
+
+
+
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this organization exists in.
+- `name` - (Required) The name of the organization
+- `alias` - (Optional) The alias of the organization. It cannot be updated and must not have spaces. If not set it is computed.
+- `enabled` - (Optional) When `false`, members will not be able to access this organization. Defaults to `true`.
+- `description` - (Optional) the organization description.
+- `redirect_url` - (Optional) the organization redirect url.
+- `attributes` - (Optional) A map representing attributes for the organization. In order to add multivalued attributes, use `##` to separate the values. Max length for each value is 255 chars
+
+### Domains
+
+Associated domains can be configured by using 1 or more `domain` block, which supports the following arguments:
+
+- `name` - (Required) The domain name. Must be unique.
+- `verified` - (Optional) When `true`, indicates that the domain has been verified. Defaults to `false`.
+
+## Import
+
+Organizations can be imported using the format `{{realm_id}}/{{organization_id}}`, where `organization` is the unique ID that Keycloak assigns to the organization upon creation. This value can be found in the URI when editing this organization in the GUI, and is typically a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_organization.engineering my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd
+```

keycloak/identity_provider.go

@@ -52,6 +52,8 @@ type IdentityProviderConfig struct {
 	AuthnContextComparisonType      string                    `json:"authnContextComparisonType,omitempty"`
 	AuthnContextDeclRefs            types.KeycloakSliceQuoted `json:"authnContextDeclRefs,omitempty"`
 	Issuer                          string                    `json:"issuer,omitempty"`
+	OrgDomain                       string                    `json:"kc.org.domain,omitempty"`
+	OrgRedirectEmailMatches         types.KeycloakBoolQuoted  `json:"kc.org.broker.redirect.mode.email-matches,omitempty"`
 }
 
 type IdentityProvider struct {
@@ -65,11 +67,12 @@ type IdentityProvider struct {
 	AddReadTokenRoleOnCreate  bool                    `json:"addReadTokenRoleOnCreate"`
 	AuthenticateByDefault     bool                    `json:"authenticateByDefault"`
 	LinkOnly                  bool                    `json:"linkOnly"`
-	HideOnLogin               bool                    `json:"hideOnLogin,omitempty"` //since keycloak v26
+	HideOnLogin               bool                    `json:"hideOnLogin,omitempty"` // since keycloak v26
 	TrustEmail                bool                    `json:"trustEmail"`
 	FirstBrokerLoginFlowAlias string                  `json:"firstBrokerLoginFlowAlias"`
 	PostBrokerLoginFlowAlias  string                  `json:"postBrokerLoginFlowAlias"`
 	Config                    *IdentityProviderConfig `json:"config"`
+	OrganizationId            string                  `json:"organizationId,omitempty"` // since keycloak v26
 }
 
 func (keycloakClient *KeycloakClient) NewIdentityProvider(ctx context.Context, identityProvider *IdentityProvider) error {

keycloak/organization.go

@@ -0,0 +1,132 @@
+package keycloak
+
+import (
+	"context"
+	"fmt"
+	"strings"
+)
+
+type OrganizationDomain struct {
+	Name     string `json:"name,omitempty"`
+	Verified bool   `json:"verified,omitempty"`
+}
+
+type Organization struct {
+	Id          string               `json:"id,omitempty"`
+	RealmId     string               `json:"-"`
+	Name        string               `json:"name"`
+	Alias       string               `json:"alias,omitempty"`
+	Enabled     bool                 `json:"enabled"`
+	RedirectUrl string               `json:"redirectUrl,omitempty"`
+	Description string               `json:"description,omitempty"`
+	Domains     []OrganizationDomain `json:"domains,omitempty"`
+	Attributes  map[string][]string  `json:"attributes,omitempty"`
+}
+
+func (keycloakClient *KeycloakClient) CreateOrganization(ctx context.Context, organization *Organization) error {
+	path := fmt.Sprintf("/realms/%s/organizations", organization.RealmId)
+
+	_, location, err := keycloakClient.post(ctx, path, organization)
+	if err != nil {
+		return err
+	}
+
+	// Extract ID from location URL
+	parts := strings.Split(location, "/")
+	organization.Id = parts[len(parts)-1]
+
+	return nil
+}
+
+// GetOrganizationsPath returns the URL for the organization API endpoint
+func (keycloakClient *KeycloakClient) GetOrganizationsPath(realmId string) string {
+	return fmt.Sprintf("/realms/%s/organizations", realmId)
+}
+
+// GetOrganizations gets all organizations in a realm
+// This function can be used to list all organizations or filter by search criteria
+func (keycloakClient *KeycloakClient) GetOrganizations(ctx context.Context, realmId string, params ...map[string]string) ([]*Organization, error) {
+	var organizations []*Organization
+	queryParams := make(map[string]string)
+
+	// Apply optional filter parameters
+	if len(params) > 0 && params[0] != nil {
+		for k, v := range params[0] {
+			queryParams[k] = v
+		}
+	}
+
+	err := keycloakClient.get(ctx, keycloakClient.GetOrganizationsPath(realmId), &organizations, queryParams)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch organizations: %w", err)
+	}
+
+	// Set RealmId for each organization
+	for _, organization := range organizations {
+		organization.RealmId = realmId
+	}
+
+	return organizations, nil
+}
+
+// GetOrganizationsPaginated gets organizations with pagination support
+func (keycloakClient *KeycloakClient) GetOrganizationsPaginated(ctx context.Context, realmId string, first, max int, search string) ([]*Organization, error) {
+	queryParams := map[string]string{
+		"first": fmt.Sprintf("%d", first),
+		"max":   fmt.Sprintf("%d", max),
+	}
+
+	if search != "" {
+		queryParams["search"] = search
+	}
+
+	return keycloakClient.GetOrganizations(ctx, realmId, queryParams)
+}
+
+// GetOrganizationByName gets an organization by name
+func (keycloakClient *KeycloakClient) GetOrganizationByName(ctx context.Context, realmId, name string) (*Organization, error) {
+	var organizations []*Organization
+
+	params := map[string]string{
+		"search": name,
+		"exact":  "true",
+	}
+
+	err := keycloakClient.get(ctx, keycloakClient.GetOrganizationsPath(realmId), &organizations, params)
+	if err != nil {
+		return nil, err
+	}
+
+	// Find the exact match by name
+	for _, organization := range organizations {
+		if organization.Name == name {
+			organization.RealmId = realmId
+			return organization, nil
+		}
+	}
+
+	return nil, nil
+}
+
+func (keycloakClient *KeycloakClient) GetOrganization(ctx context.Context, realmId, id string) (*Organization, error) {
+	organization := Organization{}
+	organization.RealmId = realmId
+
+	path := fmt.Sprintf("/realms/%s/organizations/%s", realmId, id)
+	err := keycloakClient.get(ctx, path, &organization, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return &organization, nil
+}
+
+func (keycloakClient *KeycloakClient) UpdateOrganization(ctx context.Context, organization *Organization) error {
+	path := fmt.Sprintf("/realms/%s/organizations/%s", organization.RealmId, organization.Id)
+	return keycloakClient.put(ctx, path, organization)
+}
+
+func (keycloakClient *KeycloakClient) DeleteOrganization(ctx context.Context, realmId, id string) error {
+	path := fmt.Sprintf("/realms/%s/organizations/%s", realmId, id)
+	return keycloakClient.delete(ctx, path, nil)
+}

provider/generic_keycloak_identity_provider.go

@@ -8,6 +8,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/keycloak/terraform-provider-keycloak/keycloak"
+	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
 	"reflect"
 	"strings"
 )
@@ -18,8 +19,10 @@ var syncModes = []string{
 	"LEGACY",
 }
 
-type identityProviderDataGetterFunc func(data *schema.ResourceData, keycloakVersion *version.Version) (*keycloak.IdentityProvider, error)
-type identityProviderDataSetterFunc func(data *schema.ResourceData, identityProvider *keycloak.IdentityProvider, keycloakVersion *version.Version) error
+type (
+	identityProviderDataGetterFunc func(data *schema.ResourceData, keycloakVersion *version.Version) (*keycloak.IdentityProvider, error)
+	identityProviderDataSetterFunc func(data *schema.ResourceData, identityProvider *keycloak.IdentityProvider, keycloakVersion *version.Version) error
+)
 
 func resourceKeycloakIdentityProvider() *schema.Resource {
 	return &schema.Resource{
@@ -34,6 +37,7 @@ func resourceKeycloakIdentityProvider() *schema.Resource {
 				ForceNew:    true,
 				Description: "The alias uniquely identifies an identity provider and it is also used to build the redirect uri.",
 			},
+
 			"realm": {
 				Type:        schema.TypeString,
 				Required:    true,
@@ -119,6 +123,28 @@ func resourceKeycloakIdentityProvider() *schema.Resource {
 				ValidateFunc: validation.StringInSlice(syncModes, false),
 				Description:  "Sync Mode",
 			},
+			"organization": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"organization_id": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"domain": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "",
+						},
+						"redirect_email_domain_matches": {
+							Type:     schema.TypeBool,
+							Optional: true,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -145,6 +171,19 @@ func getIdentityProviderFromData(data *schema.ResourceData, keycloakVersion *ver
 		PostBrokerLoginFlowAlias:  data.Get("post_broker_login_flow_alias").(string),
 		InternalId:                data.Get("internal_id").(string),
 	}
+
+	if v, ok := data.GetOk("organization"); ok {
+		organizationSettings := v.([]interface{})[0].(map[string]interface{})
+		identityProvider.OrganizationId = organizationSettings["organization_id"].(string)
+
+		if v, ok := organizationSettings["domain"]; ok {
+			defaultIdentityProviderConfig.OrgDomain = v.(string)
+		}
+		if v, ok = organizationSettings["redirect_email_domain_matches"]; ok {
+			defaultIdentityProviderConfig.OrgRedirectEmailMatches = types.KeycloakBoolQuoted(reflect.ValueOf(v).Bool())
+		}
+	}
+
 	if keycloakVersion.GreaterThanOrEqual(keycloak.Version_26.AsVersion()) {
 		// Since keycloak v26 the attribute is moved from Config to Provider.
 		identityProvider.HideOnLogin = data.Get("hide_on_login_page").(bool)
@@ -173,6 +212,17 @@ func setIdentityProviderData(data *schema.ResourceData, identityProvider *keyclo
 		data.Set("hide_on_login_page", identityProvider.HideOnLogin)
 	}
 
+	if identityProvider.OrganizationId != "" {
+		organizationSettings := make(map[string]interface{})
+		organizationSettings["organization_id"] = identityProvider.OrganizationId
+		organizationSettings["redirect_email_domain_matches"] = identityProvider.Config.OrgRedirectEmailMatches
+		organizationSettings["domain"] = identityProvider.Config.OrgDomain
+
+		data.Set("organization", []interface{}{organizationSettings})
+	} else {
+		data.Set("organization", nil)
+	}
+
 	// identity provider config
 	data.Set("gui_order", identityProvider.Config.GuiOrder)
 	data.Set("sync_mode", identityProvider.Config.SyncMode)

provider/provider.go

@@ -121,6 +121,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 			"keycloak_user_groups":                                       resourceKeycloakUserGroups(),
 			"keycloak_group_permissions":                                 resourceKeycloakGroupPermissions(),
 			"keycloak_authentication_bindings":                           resourceKeycloakAuthenticationBindings(),
+			"keycloak_organization":                                      resourceKeycloakOrganization(),
 		},
 		Schema: map[string]*schema.Schema{
 			"client_id": {

provider/provider_test.go

@@ -113,6 +113,9 @@ func createTestRealm(testCtx context.Context) *keycloak.Realm {
 		Realm:   name,
 		Enabled: true,
 	}
+	if ok, _ := keycloakClient.VersionIsGreaterThanOrEqualTo(testCtx, keycloak.Version_26); ok {
+		r.OrganizationsEnabled = true
+	}
 
 	var err error
 	for i := 0; i < 3; i++ { // on CI this sometimes fails and keycloak can't be reached