feat: adds support for Keycloak roles (#143)

.editorconfig

@@ -9,6 +9,6 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 
-[*.yml]
+[{*.yml, *.tf}]
 indent_style = space
 indent_size = 2

docs/resources/datasource_keycloak_realm_keys.md → docs/data_sources/keycloak_realm_keys.md

@@ -1,4 +1,4 @@
-# datasource keycloak_realm_keys
+# keycloak_realm_keys data source
 
 Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status.
 

docs/data_sources/keycloak_role.md

@@ -0,0 +1,51 @@
+# keycloak_role data source
+
+This data source can be used to fetch properties of a Keycloak role for
+usage with other resources, such as `keycloak_group_roles`.
+
+### Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+    realm   = "my-realm"
+    enabled = true
+}
+
+data "keycloak_role" "offline_access" {
+    realm_id = "${keycloak_realm.realm.id}"
+    name     = "offline_access"
+}
+
+# use the data source
+
+resource "keycloak_group" "group" {
+    realm_id = "${keycloak_realm.realm.id}"
+    name     = "group"
+}
+
+resource "keycloak_group_roles" "group_roles" {
+    realm_id = "${keycloak_realm.realm.id}"
+    group_id = "${keycloak_group.group.id}"
+
+    roles = [
+        "${data.keycloak_role.offline_access.id}"
+    ]
+}
+```
+
+### Argument Reference
+
+The following arguments are supported:
+
+- `realm_id` - (Required) The realm this role exists within.
+- `client_id` - (Optional) When specified, this role is assumed to be a
+  client role belonging to the client with the provided ID
+- `name` - (Required) The name of the role
+
+### Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+- `id` - The unique ID of the role, which can be used as an argument to
+  other resources supported by this provider.
+- `description` - The description of the role.

docs/resources/keycloak_group_roles.md

@@ -0,0 +1,83 @@
+# keycloak_group_roles
+
+Allows you to manage roles assigned to a Keycloak group.
+
+Note that this resource attempts to be an **authoritative** source over
+group roles. When this resource takes control over a group's roles,
+roles that are manually added to the group will be removed, and roles
+that are manually removed from the group will be added upon the next run
+of `terraform apply`.
+
+Note that when assigning composite roles to a group, you may see a
+non-empty plan following a `terraform apply` if you assign a role and a
+composite that includes that role to the same group.
+
+### Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_role" "realm_role" {
+  realm_id    = "${keycloak_realm.realm.id}"
+  name        = "my-realm-role"
+  description = "My Realm Role"
+}
+
+resource "keycloak_openid_client" "client" {
+  realm_id  = "${keycloak_realm.realm.id}"
+  client_id = "client"
+  name      = "client"
+
+  enabled = true
+
+  access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "client_role" {
+  realm_id    = "${keycloak_realm.realm.id}"
+  client_id   = "${keycloak_client.client.id}"
+  name        = "my-client-role"
+  description = "My Client Role"
+}
+
+resource "keycloak_group" "group" {
+  realm_id = "${keycloak_realm.realm.id}"
+  name     = "my-group"
+}
+
+resource "keycloak_group_roles" "group_roles" {
+  realm_id = "${keycloak_realm.realm.id}"
+  group_id = "${keycloak_group.group.id}"
+  
+  roles = [
+    "${keycloak_role.realm_role.id}",
+    "${keycloak_role.client_role.id}",
+  ]
+}
+```
+
+### Argument Reference
+
+The following arguments are supported:
+
+- `realm_id` - (Required) The realm this group exists in.
+- `group_id` - (Required) The ID of the group this resource should
+  manage roles for.
+- `roles` - (Required) A list of role IDs to map to the group
+
+### Import
+
+This resource can be imported using the format
+`{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that
+Keycloak assigns to the group upon creation. This value can be found in
+the URI when editing this group in the GUI, and is typically a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_group_roles.group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94
+```
+

docs/resources/keycloak_openid_hardcoded_role_protocol_mapper.md

@@ -0,0 +1,93 @@
+# keycloak_openid_hardcoded_role_protocol_mapper
+
+Allows for creating and managing hardcoded role protocol mappers within
+Keycloak.
+
+Hardcoded role protocol mappers allow you to specify a single role to
+always map to an access token for a client. Protocol mappers can be
+defined for a single client, or they can be defined for a client scope
+which can be shared between multiple different clients.
+
+### Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+    realm   = "my-realm"
+    enabled = true
+}
+
+resource "keycloak_role" "role" {
+    realm_id = "${keycloak_realm.realm.id}"
+    name     = "my-role"
+}
+
+resource "keycloak_openid_client" "openid_client" {
+    realm_id            = "${keycloak_realm.realm.id}"
+    client_id           = "test-client"
+
+    name                = "test client"
+    enabled             = true
+
+    access_type         = "CONFIDENTIAL"
+    valid_redirect_uris = [
+        "http://localhost:8080/openid-callback"
+    ]
+}
+
+resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" {
+    realm_id  = "${keycloak_realm.realm.id}"
+    client_id = "${keycloak_openid_client.openid_client.id}"
+    name      = "hardcoded-role-mapper"
+    role_id   = "${keycloak_role.role.id}"
+}
+```
+
+### Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+    realm   = "my-realm"
+    enabled = true
+}
+
+resource "keycloak_role" "role" {
+    realm_id = "${keycloak_realm.realm.id}"
+    name     = "my-role"
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+    realm_id = "${keycloak_realm.realm.id}"
+    name     = "test-client-scope"
+}
+
+resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" {
+    realm_id        = "${keycloak_realm.realm.id}"
+    client_scope_id = "${keycloak_openid_client_scope.client_scope.id}"
+    name            = "hardcoded-role-mapper"
+    role_id         = "${keycloak_role.role.id}"
+}
+```
+
+### Argument Reference
+
+The following arguments are supported:
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to.
+- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.
+- `name` - (Required) The display name of this protocol mapper in the
+  GUI.
+- `role_id` - (Required) The ID of the role to map to an access token.
+
+### Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```

docs/resources/keycloak_role.md

@@ -0,0 +1,136 @@
+# keycloak_role
+
+Allows for creating and managing roles within Keycloak.
+
+Roles allow you define privileges within Keycloak and map them to users
+and groups.
+
+### Example Usage (Realm role)
+
+```hcl
+resource "keycloak_realm" "realm" {
+    realm   = "my-realm"
+    enabled = true
+}
+
+resource "keycloak_role" "realm_role" {
+    realm_id    = "${keycloak_realm.realm.id}"
+    name        = "my-realm-role"
+    description = "My Realm Role"
+}
+```
+
+### Example Usage (Client role)
+
+```hcl
+resource "keycloak_realm" "realm" {
+    realm   = "my-realm"
+    enabled = true
+}
+
+resource "keycloak_openid_client" "client" {
+  realm_id  = "${keycloak_realm.realm.id}"
+  client_id = "client"
+  name      = "client"
+
+  enabled = true
+
+  access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "client_role" {
+    realm_id    = "${keycloak_realm.realm.id}"
+    client_id   = "${keycloak_client.client.id}"
+    name        = "my-client-role"
+    description = "My Client Role"
+}
+```
+
+### Example Usage (Composite role)
+
+```hcl
+resource "keycloak_realm" "realm" {
+    realm   = "my-realm"
+    enabled = true
+}
+
+# realm roles
+
+resource "keycloak_role" "create_role" {
+    realm_id    = "${keycloak_realm.realm.id}"
+    name        = "create"
+}
+
+resource "keycloak_role" "read_role" {
+    realm_id    = "${keycloak_realm.realm.id}"
+    name        = "read"
+}
+
+resource "keycloak_role" "update_role" {
+    realm_id    = "${keycloak_realm.realm.id}"
+    name        = "update"
+}
+
+resource "keycloak_role" "delete_role" {
+    realm_id    = "${keycloak_realm.realm.id}"
+    name        = "delete"
+}
+
+# client role
+
+resource "keycloak_openid_client" "client" {
+  realm_id  = "${keycloak_realm.realm.id}"
+  client_id = "client"
+  name      = "client"
+
+  enabled = true
+
+  access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "client_role" {
+    realm_id    = "${keycloak_realm.realm.id}"
+    client_id   = "${keycloak_client.client.id}"
+    name        = "my-client-role"
+    description = "My Client Role"
+}
+
+resource "keycloak_role" "admin_role" {
+    realm_id        = "${keycloak_realm.realm.id}"
+    name            = "admin"
+    composite_roles = [
+      "{keycloak_role.create_role.id}",
+      "{keycloak_role.read_role.id}",
+      "{keycloak_role.update_role.id}",
+      "{keycloak_role.delete_role.id}",
+      "{keycloak_role.client_role.id}",
+    ]
+}
+```
+
+### Argument Reference
+
+The following arguments are supported:
+
+- `realm_id` - (Required) The realm this role exists within.
+- `client_id` - (Optional) When specified, this role will be created as
+  a client role attached to the client with the provided ID
+- `name` - (Required) The name of the role
+- `description` - (Optional) The description of the role
+- `composite_roles` - (Optional) When specified, this role will be a
+  composite role, composed of all roles that have an ID present within
+  this list.
+
+
+### Import
+
+Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where
+`role_id` is the unique ID that Keycloak assigns to the role. The ID is
+not easy to find in the GUI, but it appears in the URL when editing the
+role.
+
+Example:
+
+```bash
+$ terraform import keycloak_role.role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad
+```