@pulumi/keycloak 5.3.0 → 5.3.1

package/ldap/userAttributeMapper.js

@@ -6,51 +6,66 @@ exports.UserAttributeMapper = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("../utilities");
 /**
+ * ## # keycloak.ldap.UserAttributeMapper
+ *
  * Allows for creating and managing user attribute mappers for Keycloak users
  * federated via LDAP.
  *
  * The LDAP user attribute mapper can be used to map a single LDAP attribute
  * to an attribute on the Keycloak user model.
  *
- * ## Example Usage
+ * ### Example Usage
  *
+ * <!--Start PulumiCodeChooser -->
  * ```typescript
  * import * as pulumi from "@pulumi/pulumi";
  * import * as keycloak from "@pulumi/keycloak";
  *
  * const realm = new keycloak.Realm("realm", {
- *     realm: "my-realm",
  *     enabled: true,
+ *     realm: "test",
  * });
  * const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", {
- *     realmId: realm.id,
- *     usernameLdapAttribute: "cn",
+ *     bindCredential: "admin",
+ *     bindDn: "cn=admin,dc=example,dc=org",
+ *     connectionUrl: "ldap://openldap",
  *     rdnLdapAttribute: "cn",
- *     uuidLdapAttribute: "entryDN",
+ *     realmId: realm.id,
  *     userObjectClasses: [
  *         "simpleSecurityObject",
  *         "organizationalRole",
  *     ],
- *     connectionUrl: "ldap://openldap",
+ *     usernameLdapAttribute: "cn",
  *     usersDn: "dc=example,dc=org",
- *     bindDn: "cn=admin,dc=example,dc=org",
- *     bindCredential: "admin",
+ *     uuidLdapAttribute: "entryDN",
  * });
  * const ldapUserAttributeMapper = new keycloak.ldap.UserAttributeMapper("ldapUserAttributeMapper", {
- *     realmId: realm.id,
+ *     ldapAttribute: "bar",
  *     ldapUserFederationId: ldapUserFederation.id,
+ *     realmId: realm.id,
  *     userModelAttribute: "foo",
- *     ldapAttribute: "bar",
  * });
  * ```
+ * <!--End PulumiCodeChooser -->
  *
- * ## Import
+ * ### Argument Reference
  *
- * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Examplebash
+ * The following arguments are supported:
  *
- * ```sh
- *  $ pulumi import keycloak:ldap/userAttributeMapper:UserAttributeMapper ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
- * ```
+ * - `realmId` - (Required) The realm that this LDAP mapper will exist in.
+ * - `ldapUserFederationId` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
+ * - `name` - (Required) Display name of this mapper when displayed in the console.
+ * - `userModelAttribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into.
+ * - `ldapAttribute` - (Required) Name of the mapped attribute on the LDAP object.
+ * - `readOnly` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
+ * - `alwaysReadValueFromLdap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
+ * - `isMandatoryInLdap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`.
+ *
+ * ### Import
+ *
+ * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
+ * The ID of the LDAP user federation provider and the mapper can be found within
+ * the Keycloak GUI, and they are typically GUIDs:
  */
 class UserAttributeMapper extends pulumi.CustomResource {
     /**

package/ldap/userAttributeMapper.js.map

@@ -1 +1 @@
-{"version":3,"file":"userAttributeMapper.js","sourceRoot":"","sources":["../../ldap/userAttributeMapper.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8CG;AACH,MAAa,mBAAoB,SAAQ,MAAM,CAAC,cAAc;IAC1D;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAAgC,EAAE,IAAmC;QAC9H,OAAO,IAAI,mBAAmB,CAAC,IAAI,EAAO,KAAK,kCAAO,IAAI,KAAE,EAAE,EAAE,EAAE,IAAG,CAAC;IAC1E,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,mBAAmB,CAAC,YAAY,CAAC;IACpE,CAAC;IAmDD,YAAY,IAAY,EAAE,WAAgE,EAAE,IAAmC;QAC3H,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAmD,CAAC;YAClE,cAAc,CAAC,yBAAyB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9F,cAAc,CAAC,uBAAuB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1F,cAAc,CAAC,mBAAmB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,mBAAmB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,eAAe,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1E,cAAc,CAAC,sBAAsB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC,SAAS,CAAC;YACxF,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACxD,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,cAAc,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;SACvF;aAAM;YACH,MAAM,IAAI,GAAG,WAAkD,CAAC;YAChE,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1D,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;aAChE;YACD,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,oBAAoB,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACjE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,kBAAkB,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC/D,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;aACrE;YACD,cAAc,CAAC,yBAAyB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5F,cAAc,CAAC,uBAAuB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;YACxF,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,cAAc,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;YACxE,cAAc,CAAC,sBAAsB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC,SAAS,CAAC;YACtF,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACtD,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;SACrF;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,mBAAmB,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACxE,CAAC;;AAvHL,kDAwHC;AA1GG,gBAAgB;AACO,gCAAY,GAAG,uDAAuD,CAAC"}
+{"version":3,"file":"userAttributeMapper.js","sourceRoot":"","sources":["../../ldap/userAttributeMapper.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6DG;AACH,MAAa,mBAAoB,SAAQ,MAAM,CAAC,cAAc;IAC1D;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAAgC,EAAE,IAAmC;QAC9H,OAAO,IAAI,mBAAmB,CAAC,IAAI,EAAO,KAAK,kCAAO,IAAI,KAAE,EAAE,EAAE,EAAE,IAAG,CAAC;IAC1E,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,mBAAmB,CAAC,YAAY,CAAC;IACpE,CAAC;IAmDD,YAAY,IAAY,EAAE,WAAgE,EAAE,IAAmC;QAC3H,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAmD,CAAC;YAClE,cAAc,CAAC,yBAAyB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9F,cAAc,CAAC,uBAAuB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1F,cAAc,CAAC,mBAAmB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,mBAAmB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,eAAe,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1E,cAAc,CAAC,sBAAsB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC,SAAS,CAAC;YACxF,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACxD,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,cAAc,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;SACvF;aAAM;YACH,MAAM,IAAI,GAAG,WAAkD,CAAC;YAChE,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1D,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;aAChE;YACD,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,oBAAoB,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACjE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,kBAAkB,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC/D,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;aACrE;YACD,cAAc,CAAC,yBAAyB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5F,cAAc,CAAC,uBAAuB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;YACxF,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,cAAc,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;YACxE,cAAc,CAAC,sBAAsB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC,SAAS,CAAC;YACtF,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACtD,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;SACrF;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,mBAAmB,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACxE,CAAC;;AAvHL,kDAwHC;AA1GG,gBAAgB;AACO,gCAAY,GAAG,uDAAuD,CAAC"}

package/ldap/userFederation.d.ts

@@ -2,6 +2,8 @@ import * as pulumi from "@pulumi/pulumi";
 import * as inputs from "../types/input";
 import * as outputs from "../types/output";
 /**
+ * ## # keycloak.ldap.UserFederation
+ *
  * Allows for creating and managing LDAP user federation providers within Keycloak.
  *
  * Keycloak can use an LDAP user federation provider to federate users to Keycloak
@@ -9,47 +11,78 @@ import * as outputs from "../types/output";
  * will exist within the realm and will be able to log in to clients. Federated
  * users can have their attributes defined using mappers.
  *
- * ## Example Usage
+ * ### Example Usage
  *
+ * <!--Start PulumiCodeChooser -->
  * ```typescript
  * import * as pulumi from "@pulumi/pulumi";
  * import * as keycloak from "@pulumi/keycloak";
  *
  * const realm = new keycloak.Realm("realm", {
- *     realm: "my-realm",
  *     enabled: true,
+ *     realm: "test",
  * });
  * const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", {
- *     realmId: realm.id,
+ *     bindCredential: "admin",
+ *     bindDn: "cn=admin,dc=example,dc=org",
+ *     connectionTimeout: "5s",
+ *     connectionUrl: "ldap://openldap",
  *     enabled: true,
- *     usernameLdapAttribute: "cn",
  *     rdnLdapAttribute: "cn",
- *     uuidLdapAttribute: "entryDN",
+ *     readTimeout: "10s",
+ *     realmId: realm.id,
  *     userObjectClasses: [
  *         "simpleSecurityObject",
  *         "organizationalRole",
  *     ],
- *     connectionUrl: "ldap://openldap",
+ *     usernameLdapAttribute: "cn",
  *     usersDn: "dc=example,dc=org",
- *     bindDn: "cn=admin,dc=example,dc=org",
- *     bindCredential: "admin",
- *     connectionTimeout: "5s",
- *     readTimeout: "10s",
- *     kerberos: {
- *         kerberosRealm: "FOO.LOCAL",
- *         serverPrincipal: "HTTP/host.foo.com@FOO.LOCAL",
- *         keyTab: "/etc/host.keytab",
- *     },
+ *     uuidLdapAttribute: "entryDN",
  * });
  * ```
+ * <!--End PulumiCodeChooser -->
  *
- * ## Import
+ * ### Argument Reference
  *
- * LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUIDbash
+ * The following arguments are supported:
  *
- * ```sh
- *  $ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860
- * ```
+ * - `realmId` - (Required) The realm that this provider will provide user federation for.
+ * - `name` - (Required) Display name of the provider when displayed in the console.
+ * - `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
+ * - `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
+ * - `importEnabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
+ * - `editMode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
+ * - `syncRegistrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
+ * - `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OPTIONAL`.
+ * - `usernameLdapAttribute` - (Required) Name of the LDAP attribute to use as the Keycloak username.
+ * - `rdnLdapAttribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name.
+ * - `uuidLdapAttribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
+ * - `userObjectClasses` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
+ * - `connectionUrl` - (Required) Connection URL to the LDAP server.
+ * - `usersDn` - (Required) Full DN of LDAP tree where your users are.
+ * - `bindDn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set.
+ * - `bindCredential` - (Optional) Password of LDAP admin. This attribute must be set if `bindDn` is set.
+ * - `customUserSearchFilter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
+ * - `searchScope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`:
+ *     - `ONE_LEVEL`: Only search for users in the DN specified by `userDn`.
+ *     - `SUBTREE`: Search entire LDAP subtree.
+ * - `validatePasswordPolicy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it.
+ * - `useTruststoreSpi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
+ *     - `ALWAYS` - Always use the truststore SPI for LDAP connections.
+ *     - `NEVER` - Never use the truststore SPI for LDAP connections.
+ *     - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
+ * - `connectionTimeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+ * - `readTimeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+ * - `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
+ * - `batchSizeForSync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`.
+ * - `fullSyncPeriod` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
+ * - `changedSyncPeriod` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
+ * - `cachePolicy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+ *
+ * ### Import
+ *
+ * LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`.
+ * The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:
  */
 export declare class UserFederation extends pulumi.CustomResource {
     /**
@@ -68,27 +101,28 @@ export declare class UserFederation extends pulumi.CustomResource {
      */
     static isInstance(obj: any): obj is UserFederation;
     /**
-     * The number of users to sync within a single transaction. Defaults to `1000`.
+     * The number of users to sync within a single transaction.
      */
     readonly batchSizeForSync: pulumi.Output<number | undefined>;
     /**
-     * Password of LDAP admin. This attribute must be set if `bindDn` is set.
+     * Password of LDAP admin.
      */
     readonly bindCredential: pulumi.Output<string | undefined>;
     /**
-     * DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set.
+     * DN of LDAP admin, which will be used by Keycloak to access LDAP server.
      */
     readonly bindDn: pulumi.Output<string | undefined>;
     /**
-     * A block containing the cache settings.
+     * Settings regarding cache policy for this realm.
      */
     readonly cache: pulumi.Output<outputs.ldap.UserFederationCache | undefined>;
     /**
-     * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
+     * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users
+     * sync.
      */
     readonly changedSyncPeriod: pulumi.Output<number | undefined>;
     /**
-     * LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+     * LDAP connection timeout (duration string)
      */
     readonly connectionTimeout: pulumi.Output<string | undefined>;
     /**
@@ -96,19 +130,20 @@ export declare class UserFederation extends pulumi.CustomResource {
      */
     readonly connectionUrl: pulumi.Output<string>;
     /**
-     * Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
+     * Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
      */
     readonly customUserSearchFilter: pulumi.Output<string | undefined>;
     /**
-     * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.
+     * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP
+     * user federation provider.
      */
     readonly deleteDefaultMappers: pulumi.Output<boolean | undefined>;
     /**
-     * Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
+     * READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
      */
     readonly editMode: pulumi.Output<string | undefined>;
     /**
-     * When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
+     * When false, this provider will not be used when performing queries for users.
      */
     readonly enabled: pulumi.Output<boolean | undefined>;
     /**
@@ -116,11 +151,11 @@ export declare class UserFederation extends pulumi.CustomResource {
      */
     readonly fullSyncPeriod: pulumi.Output<number | undefined>;
     /**
-     * When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
+     * When true, LDAP users will be imported into the Keycloak database.
      */
     readonly importEnabled: pulumi.Output<boolean | undefined>;
     /**
-     * A block containing the kerberos settings.
+     * Settings regarding kerberos authentication for this realm.
      */
     readonly kerberos: pulumi.Output<outputs.ldap.UserFederationKerberos | undefined>;
     /**
@@ -128,11 +163,11 @@ export declare class UserFederation extends pulumi.CustomResource {
      */
     readonly name: pulumi.Output<string>;
     /**
-     * When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
+     * When true, Keycloak assumes the LDAP server supports pagination.
      */
     readonly pagination: pulumi.Output<boolean | undefined>;
     /**
-     * Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
+     * Priority of this provider when looking up users. Lower values are first.
      */
     readonly priority: pulumi.Output<number | undefined>;
     /**
@@ -140,23 +175,23 @@ export declare class UserFederation extends pulumi.CustomResource {
      */
     readonly rdnLdapAttribute: pulumi.Output<string>;
     /**
-     * LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+     * LDAP read timeout (duration string)
      */
     readonly readTimeout: pulumi.Output<string | undefined>;
     /**
-     * The realm that this provider will provide user federation for.
+     * The realm this provider will provide user federation for.
      */
     readonly realmId: pulumi.Output<string>;
     /**
-     * Can be one of `ONE_LEVEL` or `SUBTREE`:
+     * ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
      */
     readonly searchScope: pulumi.Output<string | undefined>;
     /**
-     * When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
+     * When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
      */
     readonly startTls: pulumi.Output<boolean | undefined>;
     /**
-     * When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
+     * When true, newly created users will be synced back to LDAP.
      */
     readonly syncRegistrations: pulumi.Output<boolean | undefined>;
     /**
@@ -167,12 +202,9 @@ export declare class UserFederation extends pulumi.CustomResource {
      * When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
      */
     readonly usePasswordModifyExtendedOp: pulumi.Output<boolean | undefined>;
-    /**
-     * Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
-     */
     readonly useTruststoreSpi: pulumi.Output<string | undefined>;
     /**
-     * Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
+     * All values of LDAP objectClass attribute for users in LDAP.
      */
     readonly userObjectClasses: pulumi.Output<string[]>;
     /**
@@ -188,11 +220,11 @@ export declare class UserFederation extends pulumi.CustomResource {
      */
     readonly uuidLdapAttribute: pulumi.Output<string>;
     /**
-     * When `true`, Keycloak will validate passwords using the realm policy before updating it.
+     * When true, Keycloak will validate passwords using the realm policy before updating it.
      */
     readonly validatePasswordPolicy: pulumi.Output<boolean | undefined>;
     /**
-     * Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
+     * LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
      */
     readonly vendor: pulumi.Output<string | undefined>;
     /**
@@ -209,27 +241,28 @@ export declare class UserFederation extends pulumi.CustomResource {
  */
 export interface UserFederationState {
     /**
-     * The number of users to sync within a single transaction. Defaults to `1000`.
+     * The number of users to sync within a single transaction.
      */
     batchSizeForSync?: pulumi.Input<number>;
     /**
-     * Password of LDAP admin. This attribute must be set if `bindDn` is set.
+     * Password of LDAP admin.
      */
     bindCredential?: pulumi.Input<string>;
     /**
-     * DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set.
+     * DN of LDAP admin, which will be used by Keycloak to access LDAP server.
      */
     bindDn?: pulumi.Input<string>;
     /**
-     * A block containing the cache settings.
+     * Settings regarding cache policy for this realm.
      */
     cache?: pulumi.Input<inputs.ldap.UserFederationCache>;
     /**
-     * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
+     * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users
+     * sync.
      */
     changedSyncPeriod?: pulumi.Input<number>;
     /**
-     * LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+     * LDAP connection timeout (duration string)
      */
     connectionTimeout?: pulumi.Input<string>;
     /**
@@ -237,19 +270,20 @@ export interface UserFederationState {
      */
     connectionUrl?: pulumi.Input<string>;
     /**
-     * Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
+     * Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
      */
     customUserSearchFilter?: pulumi.Input<string>;
     /**
-     * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.
+     * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP
+     * user federation provider.
      */
     deleteDefaultMappers?: pulumi.Input<boolean>;
     /**
-     * Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
+     * READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
      */
     editMode?: pulumi.Input<string>;
     /**
-     * When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
+     * When false, this provider will not be used when performing queries for users.
      */
     enabled?: pulumi.Input<boolean>;
     /**
@@ -257,11 +291,11 @@ export interface UserFederationState {
      */
     fullSyncPeriod?: pulumi.Input<number>;
     /**
-     * When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
+     * When true, LDAP users will be imported into the Keycloak database.
      */
     importEnabled?: pulumi.Input<boolean>;
     /**
-     * A block containing the kerberos settings.
+     * Settings regarding kerberos authentication for this realm.
      */
     kerberos?: pulumi.Input<inputs.ldap.UserFederationKerberos>;
     /**
@@ -269,11 +303,11 @@ export interface UserFederationState {
      */
     name?: pulumi.Input<string>;
     /**
-     * When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
+     * When true, Keycloak assumes the LDAP server supports pagination.
      */
     pagination?: pulumi.Input<boolean>;
     /**
-     * Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
+     * Priority of this provider when looking up users. Lower values are first.
      */
     priority?: pulumi.Input<number>;
     /**
@@ -281,23 +315,23 @@ export interface UserFederationState {
      */
     rdnLdapAttribute?: pulumi.Input<string>;
     /**
-     * LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+     * LDAP read timeout (duration string)
      */
     readTimeout?: pulumi.Input<string>;
     /**
-     * The realm that this provider will provide user federation for.
+     * The realm this provider will provide user federation for.
      */
     realmId?: pulumi.Input<string>;
     /**
-     * Can be one of `ONE_LEVEL` or `SUBTREE`:
+     * ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
      */
     searchScope?: pulumi.Input<string>;
     /**
-     * When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
+     * When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
      */
     startTls?: pulumi.Input<boolean>;
     /**
-     * When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
+     * When true, newly created users will be synced back to LDAP.
      */
     syncRegistrations?: pulumi.Input<boolean>;
     /**
@@ -308,12 +342,9 @@ export interface UserFederationState {
      * When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
      */
     usePasswordModifyExtendedOp?: pulumi.Input<boolean>;
-    /**
-     * Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
-     */
     useTruststoreSpi?: pulumi.Input<string>;
     /**
-     * Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
+     * All values of LDAP objectClass attribute for users in LDAP.
      */
     userObjectClasses?: pulumi.Input<pulumi.Input<string>[]>;
     /**
@@ -329,11 +360,11 @@ export interface UserFederationState {
      */
     uuidLdapAttribute?: pulumi.Input<string>;
     /**
-     * When `true`, Keycloak will validate passwords using the realm policy before updating it.
+     * When true, Keycloak will validate passwords using the realm policy before updating it.
      */
     validatePasswordPolicy?: pulumi.Input<boolean>;
     /**
-     * Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
+     * LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
      */
     vendor?: pulumi.Input<string>;
 }
@@ -342,27 +373,28 @@ export interface UserFederationState {
  */
 export interface UserFederationArgs {
     /**
-     * The number of users to sync within a single transaction. Defaults to `1000`.
+     * The number of users to sync within a single transaction.
      */
     batchSizeForSync?: pulumi.Input<number>;
     /**
-     * Password of LDAP admin. This attribute must be set if `bindDn` is set.
+     * Password of LDAP admin.
      */
     bindCredential?: pulumi.Input<string>;
     /**
-     * DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bindCredential` is set.
+     * DN of LDAP admin, which will be used by Keycloak to access LDAP server.
      */
     bindDn?: pulumi.Input<string>;
     /**
-     * A block containing the cache settings.
+     * Settings regarding cache policy for this realm.
      */
     cache?: pulumi.Input<inputs.ldap.UserFederationCache>;
     /**
-     * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
+     * How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users
+     * sync.
      */
     changedSyncPeriod?: pulumi.Input<number>;
     /**
-     * LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+     * LDAP connection timeout (duration string)
      */
     connectionTimeout?: pulumi.Input<string>;
     /**
@@ -370,19 +402,20 @@ export interface UserFederationArgs {
      */
     connectionUrl: pulumi.Input<string>;
     /**
-     * Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
+     * Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
      */
     customUserSearchFilter?: pulumi.Input<string>;
     /**
-     * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to `false`.
+     * When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP
+     * user federation provider.
      */
     deleteDefaultMappers?: pulumi.Input<boolean>;
     /**
-     * Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
+     * READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
      */
     editMode?: pulumi.Input<string>;
     /**
-     * When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
+     * When false, this provider will not be used when performing queries for users.
      */
     enabled?: pulumi.Input<boolean>;
     /**
@@ -390,11 +423,11 @@ export interface UserFederationArgs {
      */
     fullSyncPeriod?: pulumi.Input<number>;
     /**
-     * When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
+     * When true, LDAP users will be imported into the Keycloak database.
      */
     importEnabled?: pulumi.Input<boolean>;
     /**
-     * A block containing the kerberos settings.
+     * Settings regarding kerberos authentication for this realm.
      */
     kerberos?: pulumi.Input<inputs.ldap.UserFederationKerberos>;
     /**
@@ -402,11 +435,11 @@ export interface UserFederationArgs {
      */
     name?: pulumi.Input<string>;
     /**
-     * When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
+     * When true, Keycloak assumes the LDAP server supports pagination.
      */
     pagination?: pulumi.Input<boolean>;
     /**
-     * Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
+     * Priority of this provider when looking up users. Lower values are first.
      */
     priority?: pulumi.Input<number>;
     /**
@@ -414,23 +447,23 @@ export interface UserFederationArgs {
      */
     rdnLdapAttribute: pulumi.Input<string>;
     /**
-     * LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+     * LDAP read timeout (duration string)
      */
     readTimeout?: pulumi.Input<string>;
     /**
-     * The realm that this provider will provide user federation for.
+     * The realm this provider will provide user federation for.
      */
     realmId: pulumi.Input<string>;
     /**
-     * Can be one of `ONE_LEVEL` or `SUBTREE`:
+     * ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
      */
     searchScope?: pulumi.Input<string>;
     /**
-     * When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
+     * When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
      */
     startTls?: pulumi.Input<boolean>;
     /**
-     * When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
+     * When true, newly created users will be synced back to LDAP.
      */
     syncRegistrations?: pulumi.Input<boolean>;
     /**
@@ -441,12 +474,9 @@ export interface UserFederationArgs {
      * When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
      */
     usePasswordModifyExtendedOp?: pulumi.Input<boolean>;
-    /**
-     * Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
-     */
     useTruststoreSpi?: pulumi.Input<string>;
     /**
-     * Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
+     * All values of LDAP objectClass attribute for users in LDAP.
      */
     userObjectClasses: pulumi.Input<pulumi.Input<string>[]>;
     /**
@@ -462,11 +492,11 @@ export interface UserFederationArgs {
      */
     uuidLdapAttribute: pulumi.Input<string>;
     /**
-     * When `true`, Keycloak will validate passwords using the realm policy before updating it.
+     * When true, Keycloak will validate passwords using the realm policy before updating it.
      */
     validatePasswordPolicy?: pulumi.Input<boolean>;
     /**
-     * Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
+     * LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
      */
     vendor?: pulumi.Input<string>;
 }