Add keycloak_organization_identity_provider resource (#9)

* Add keycloak_organization_identity_provider resource

---------

Co-authored-by: lucdew <[email protected]>

Author: lucdew

docs/resources/organization.md

@@ -23,12 +23,12 @@ resource "keycloak_organization" "engineering" {
   description  = "Organization for the engineering department"
 
   domain       {
-	name = "engineering.example.com"
-	verified = true
+    name = "engineering.example.com"
+    verified = true
   }
 
   domain       {
-	name = "engineering-lab.example.com"
+    name = "engineering-lab.example.com"
   }
 
   attributes   = {
@@ -37,8 +37,6 @@ resource "keycloak_organization" "engineering" {
   }
 }
 
-
-
 ```
 
 ## Argument Reference

docs/resources/organization_identity_provider.md

@@ -0,0 +1,69 @@
+---
+page_title: "keycloak_organization_identity_provider Resource"
+---
+
+# keycloak_organization_identity_provider Resource
+
+Allows to link an identity provider to an organization.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_organization" "engineering" {
+  realm_id     = keycloak_realm.example.id
+  name         = "engineering"
+  alias        = "engineering"
+  description  = "Organization for the engineering department"
+
+  domain       {
+    name = "example.com"
+  }
+
+  domain       {
+    name = "anotherexample.com"
+  }
+}
+
+resource "keycloak_oidc_identity_provider" "oidc" {
+    realm_id     = keycloak_realm.example.id
+    provider_id       = "oidc"
+    alias             = "myidp"
+    authorization_url = "https://example.com/auth"
+    token_url         = "https://example.com/token"
+    client_id         = "example_id"
+    client_secret     = "example_token"
+    default_scopes    = "openid random"
+}
+
+resource "keycloak_organization_identity_provider" "oidc" {
+    realm_id = data.keycloak_realm.realm.id
+    organization_id = keycloak_organization.engineering.id
+    identity_provider_alias = keycloak_oidc_identity_provider.oidc.alias
+    domain = "example.com"
+    redirect_email_domain_matches = true
+}
+
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this identity provider and organization exist in.
+- `organization_id` - (Required) The unique ID of the organization.
+- `identity_provider_alias` - (Required) The alias of the identity provider to link to the organization.
+- `domain` - (Optional) the domain associated to the identity provider.
+- `redirect_email_domain_matches` - (Optional) When true, redirects users to the identity provider if the user's email matches the domain.
+
+## Import
+
+Organization identity providers can be imported using the format `{{realm_id}}/{{organization_id}}/{{identity_provider_alias}}`, where `organization` is the unique ID that Keycloak assigns to the organization upon creation. This value can be found in the URI when editing this organization in the GUI, and is typically a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_organization_identity_provider.oidc my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd/myidp
+```

keycloak/organization.go

@@ -38,6 +38,28 @@ func (keycloakClient *KeycloakClient) CreateOrganization(ctx context.Context, or
 	return nil
 }
 
+func (keycloakClient *KeycloakClient) LinkIdentityProviderToOrganization(ctx context.Context, realmId string, orgId string, idpAlias string) error {
+	path := fmt.Sprintf("/realms/%s/organizations/%s/identity-providers", realmId, orgId)
+
+	_, err := keycloakClient.sendRaw(ctx, path, []byte(idpAlias))
+
+	return err
+}
+
+func (keycloakClient *KeycloakClient) UnlinkIdentityProviderToOrganization(ctx context.Context, realmId string, orgId string, idpAlias string) error {
+	path := fmt.Sprintf("/realms/%s/organizations/%s/identity-providers/%s", realmId, orgId, idpAlias)
+
+	err := keycloakClient.delete(ctx, path, nil)
+
+	return err
+}
+
+func (keycloakClient *KeycloakClient) CheckIdentityProviderLinkToOrganization(ctx context.Context, realmId string, orgId string, idpAlias string) error {
+	path := fmt.Sprintf("/realms/%s/organizations/%s/identity-providers/%s", realmId, orgId, idpAlias)
+	_, err := keycloakClient.getRaw(ctx, path, nil)
+	return err
+}
+
 // GetOrganizationsPath returns the URL for the organization API endpoint
 func (keycloakClient *KeycloakClient) GetOrganizationsPath(realmId string) string {
 	return fmt.Sprintf("/realms/%s/organizations", realmId)

provider/generic_keycloak_identity_provider.go

@@ -125,21 +125,24 @@ func resourceKeycloakIdentityProvider() *schema.Resource {
 			},
 			"organization": {
 				Type:     schema.TypeList,
+				Computed: true,
 				Optional: true,
 				MaxItems: 1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"organization_id": {
 							Type:     schema.TypeString,
-							Required: true,
+							Computed: true,
+							Optional: true,
 						},
 						"domain": {
 							Type:     schema.TypeString,
+							Computed: true,
 							Optional: true,
-							Default:  "",
 						},
 						"redirect_email_domain_matches": {
 							Type:     schema.TypeBool,
+							Computed: true,
 							Optional: true,
 						},
 					},

provider/provider.go

@@ -122,6 +122,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 			"keycloak_group_permissions":                                 resourceKeycloakGroupPermissions(),
 			"keycloak_authentication_bindings":                           resourceKeycloakAuthenticationBindings(),
 			"keycloak_organization":                                      resourceKeycloakOrganization(),
+			"keycloak_organization_identity_provider":                    resourceKeycloakOrganizationIdentityProvider(),
 		},
 		Schema: map[string]*schema.Schema{
 			"client_id": {

provider/resource_keycloak_organization_identity_provider.go

@@ -0,0 +1,154 @@
+package provider
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+
+	"github.com/keycloak/terraform-provider-keycloak/keycloak"
+	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
+)
+
+func resourceKeycloakOrganizationIdentityProvider() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceKeycloakOrganizationIdentityProviderCreate,
+		ReadContext:   resourceKeycloakOrganizationIdentityProviderRead,
+		UpdateContext: resourceKeycloakOrganizationIdentityProviderUpdate,
+		DeleteContext: resourceKeycloakOrganizationIdentityProviderDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: resourceKeycloakOrganizationIdentityProviderImport,
+		},
+		Schema: map[string]*schema.Schema{
+			"realm_id": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.StringIsNotEmpty,
+			},
+			"organization_id": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.StringIsNotEmpty,
+			},
+			"identity_provider_alias": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.StringIsNotEmpty,
+			},
+			"domain": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  "",
+			},
+			"redirect_email_domain_matches": {
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
+		},
+	}
+}
+
+func resourceKeycloakOrganizationIdentityProviderCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	realmId, orgId, idpAlias := getOrganizationIdentityProviderFromData(data)
+
+	idp, err := keycloakClient.GetIdentityProvider(ctx, realmId, idpAlias)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	idp.Config.OrgDomain = data.Get("domain").(string)
+	idp.Config.OrgRedirectEmailMatches = types.KeycloakBoolQuoted(data.Get("redirect_email_domain_matches").(bool))
+	keycloakClient.UpdateIdentityProvider(ctx, idp)
+
+	err = keycloakClient.LinkIdentityProviderToOrganization(ctx, realmId, orgId, idpAlias)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	data.SetId(fmt.Sprintf("%s/%s/%s", realmId, orgId, idpAlias))
+
+	return resourceKeycloakOrganizationIdentityProviderRead(ctx, data, meta)
+}
+
+func resourceKeycloakOrganizationIdentityProviderRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	realmId, orgId, idpAlias := getOrganizationIdentityProviderFromData(data)
+
+	err := keycloakClient.CheckIdentityProviderLinkToOrganization(ctx, realmId, orgId, idpAlias)
+	if err != nil {
+		return handleNotFoundError(ctx, err, data)
+	}
+
+	idp, err := keycloakClient.GetIdentityProvider(ctx, realmId, idpAlias)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	data.Set("domain", idp.Config.OrgDomain)
+	data.Set("redirect_email_domain_matches", idp.Config.OrgRedirectEmailMatches)
+
+	return nil
+}
+
+func resourceKeycloakOrganizationIdentityProviderUpdate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	realmId, orgId, idpAlias := getOrganizationIdentityProviderFromData(data)
+
+	err := keycloakClient.CheckIdentityProviderLinkToOrganization(ctx, realmId, orgId, idpAlias)
+	if err != nil {
+		return handleNotFoundError(ctx, err, data)
+	}
+
+	idp, err := keycloakClient.GetIdentityProvider(ctx, realmId, idpAlias)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	idp.Config.OrgDomain = data.Get("domain").(string)
+	idp.Config.OrgRedirectEmailMatches = types.KeycloakBoolQuoted(data.Get("redirect_email_domain_matches").(bool))
+	keycloakClient.UpdateIdentityProvider(ctx, idp)
+
+	return nil
+}
+
+func resourceKeycloakOrganizationIdentityProviderDelete(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	keycloakClient := meta.(*keycloak.KeycloakClient)
+
+	realmId, orgId, idpAlias := getOrganizationIdentityProviderFromData(data)
+
+	err := keycloakClient.UnlinkIdentityProviderToOrganization(ctx, realmId, orgId, idpAlias)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func resourceKeycloakOrganizationIdentityProviderImport(ctx context.Context, data *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	parts := strings.Split(data.Id(), "/")
+	if len(parts) != 3 {
+		return nil, fmt.Errorf("invalid import. Supported format: {{realm}}/{{organizationId}}/{{identityProviderAlias}}")
+	}
+
+	data.Set("realm_id", parts[0])
+	data.Set("organization_id", parts[1])
+	data.Set("identity_provider_alias", parts[2])
+
+	return []*schema.ResourceData{data}, nil
+}
+
+func getOrganizationIdentityProviderFromData(data *schema.ResourceData) (realmId, orgId, idpAlias string) {
+	realmId = data.Get("realm_id").(string)
+	orgId = data.Get("organization_id").(string)
+	idpAlias = data.Get("identity_provider_alias").(string)
+
+	return
+}