@pulumi/keycloak 5.3.0 → 5.3.1

package/types/output.d.ts

@@ -13,37 +13,13 @@ export interface GetRealmInternationalization {
     supportedLocales: string[];
 }
 export interface GetRealmKeysKey {
-    /**
-     * Key algorithm (string)
-     */
     algorithm: string;
-    /**
-     * Key certificate (string)
-     */
     certificate: string;
-    /**
-     * Key ID (string)
-     */
     kid: string;
-    /**
-     * Key provider ID (string)
-     */
     providerId: string;
-    /**
-     * Key provider priority (int64)
-     */
     providerPriority: number;
-    /**
-     * Key public key (string)
-     */
     publicKey: string;
-    /**
-     * When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`.
-     */
     status: string;
-    /**
-     * Key type (string)
-     */
     type: string;
 }
 export interface GetRealmOtpPolicy {
@@ -95,26 +71,56 @@ export interface GetRealmSmtpServerAuth {
 }
 export interface GetRealmWebAuthnPasswordlessPolicy {
     acceptableAaguids: string[];
+    /**
+     * Either none, indirect or direct
+     */
     attestationConveyancePreference: string;
+    /**
+     * Either platform or cross-platform
+     */
     authenticatorAttachment: string;
     avoidSameAuthenticatorRegister: boolean;
     createTimeout: number;
     relyingPartyEntityName: string;
     relyingPartyId: string;
+    /**
+     * Either Yes or No
+     */
     requireResidentKey: string;
+    /**
+     * Keycloak lists ES256, ES384, ES512, RS256, ES384, ES512 at the time of writing
+     */
     signatureAlgorithms: string[];
+    /**
+     * Either required, preferred or discouraged
+     */
     userVerificationRequirement: string;
 }
 export interface GetRealmWebAuthnPolicy {
     acceptableAaguids: string[];
+    /**
+     * Either none, indirect or direct
+     */
     attestationConveyancePreference: string;
+    /**
+     * Either platform or cross-platform
+     */
     authenticatorAttachment: string;
     avoidSameAuthenticatorRegister: boolean;
     createTimeout: number;
     relyingPartyEntityName: string;
     relyingPartyId: string;
+    /**
+     * Either Yes or No
+     */
     requireResidentKey: string;
+    /**
+     * Keycloak lists ES256, ES384, ES512, RS256, ES384, ES512 at the time of writing
+     */
     signatureAlgorithms: string[];
+    /**
+     * Either required, preferred or discouraged
+     */
     userVerificationRequirement: string;
 }
 export interface GroupPermissionsManageMembersScope {
@@ -143,38 +149,20 @@ export interface GroupPermissionsViewScope {
     policies?: string[];
 }
 export interface RealmInternationalization {
-    /**
-     * The locale to use by default. This locale code must be present within the `supportedLocales` list.
-     */
     defaultLocale: string;
-    /**
-     * A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support.
-     */
     supportedLocales: string[];
 }
 export interface RealmOtpPolicy {
     /**
-     * What hashing algorithm should be used to generate the OTP, Valid options are `HmacSHA1`,`HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`.
+     * What hashing algorithm should be used to generate the OTP.
      */
     algorithm?: string;
-    /**
-     * How many digits the OTP have. Defaults to `6`.
-     */
     digits?: number;
-    /**
-     * What should the initial counter value be. Defaults to `2`.
-     */
     initialCounter?: number;
-    /**
-     * How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to `1`.
-     */
     lookAheadWindow?: number;
-    /**
-     * How many seconds should an OTP token be valid. Defaults to `30`.
-     */
     period?: number;
     /**
-     * One Time Password Type, supported Values are `totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`.
+     * OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password
      */
     type?: string;
 }
@@ -183,117 +171,38 @@ export interface RealmSecurityDefenses {
     headers?: outputs.RealmSecurityDefensesHeaders;
 }
 export interface RealmSecurityDefensesBruteForceDetection {
-    /**
-     * When will failure count be reset?
-     */
     failureResetTimeSeconds?: number;
     maxFailureWaitSeconds?: number;
-    /**
-     * How many failures before wait is triggered.
-     */
     maxLoginFailures?: number;
-    /**
-     * How long to wait after a quick login failure.
-     * - `maxFailureWaitSeconds ` - (Optional) Max. time a user will be locked out.
-     */
     minimumQuickLoginWaitSeconds?: number;
-    /**
-     * When `true`, this will lock the user permanently when the user exceeds the maximum login failures.
-     */
     permanentLockout?: boolean;
-    /**
-     * Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
-     */
     quickLoginCheckMilliSeconds?: number;
-    /**
-     * This represents the amount of time a user should be locked out when the login failure threshold has been met.
-     */
     waitIncrementSeconds?: number;
 }
 export interface RealmSecurityDefensesHeaders {
-    /**
-     * Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract.
-     */
     contentSecurityPolicy?: string;
-    /**
-     * Used for testing Content Security Policies.
-     */
     contentSecurityPolicyReportOnly?: string;
-    /**
-     * The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests.
-     */
     referrerPolicy?: string;
-    /**
-     * The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
-     */
     strictTransportSecurity?: string;
-    /**
-     * Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
-     */
     xContentTypeOptions?: string;
-    /**
-     * Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034)
-     */
     xFrameOptions?: string;
-    /**
-     * Prevent pages from appearing in search engines.
-     */
     xRobotsTag?: string;
-    /**
-     * This header configures the Cross-site scripting (XSS) filter in your browser.
-     */
     xXssProtection?: string;
 }
 export interface RealmSmtpServer {
-    /**
-     * Enables authentication to the SMTP server.  This block supports the following arguments:
-     */
     auth?: outputs.RealmSmtpServerAuth;
-    /**
-     * The email address uses for bounces.
-     */
     envelopeFrom?: string;
-    /**
-     * The email address for the sender.
-     */
     from: string;
-    /**
-     * The display name of the sender email address.
-     */
     fromDisplayName?: string;
-    /**
-     * The host of the SMTP server.
-     */
     host: string;
-    /**
-     * The port of the SMTP server (defaults to 25).
-     */
     port?: string;
-    /**
-     * The "reply to" email address.
-     */
     replyTo?: string;
-    /**
-     * The display name of the "reply to" email address.
-     */
     replyToDisplayName?: string;
-    /**
-     * When `true`, enables SSL. Defaults to `false`.
-     */
     ssl?: boolean;
-    /**
-     * When `true`, enables StartTLS. Defaults to `false`.
-     */
     starttls?: boolean;
 }
 export interface RealmSmtpServerAuth {
-    /**
-     * The SMTP server password.
-     */
     password: string;
-    /**
-     * The SMTP server username.
-     */
     username: string;
 }
 export interface RealmUserProfileAttribute {
@@ -379,111 +288,66 @@ export interface RealmUserProfileGroup {
     name: string;
 }
 export interface RealmWebAuthnPasswordlessPolicy {
-    /**
-     * A set of AAGUIDs for which an authenticator can be registered.
-     */
     acceptableAaguids?: string[];
     /**
-     * The preference of how to generate a WebAuthn attestation statement. Valid options are `not specified`, `none`, `indirect`, `direct`, or `enterprise`. Defaults to `not specified`.
+     * Either none, indirect or direct
      */
     attestationConveyancePreference?: string;
     /**
-     * The acceptable attachment pattern for the WebAuthn authenticator. Valid options are `not specified`, `platform`, or `cross-platform`. Defaults to `not specified`.
+     * Either platform or cross-platform
      */
     authenticatorAttachment?: string;
-    /**
-     * When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`.
-     */
     avoidSameAuthenticatorRegister?: boolean;
-    /**
-     * The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`.
-     */
     createTimeout?: number;
-    /**
-     * A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`.
-     */
     relyingPartyEntityName?: string;
-    /**
-     * The WebAuthn relying party ID.
-     */
     relyingPartyId?: string;
     /**
-     * Specifies whether or not a public key should be created to represent the resident key. Valid options are `not specified`, `Yes`, or `No`. Defaults to `not specified`.
+     * Either Yes or No
      */
     requireResidentKey?: string;
     /**
-     * A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are `ES256`, `ES384`, `ES512`, `RS256`, `RS384`, `RS512`, and `RS1`.
+     * Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing
      */
     signatureAlgorithms: string[];
     /**
-     * Specifies the policy for verifying a user logging in via WebAuthn. Valid options are `not specified`, `required`, `preferred`, or `discouraged`. Defaults to `not specified`.
+     * Either required, preferred or discouraged
      */
     userVerificationRequirement?: string;
 }
 export interface RealmWebAuthnPolicy {
-    /**
-     * A set of AAGUIDs for which an authenticator can be registered.
-     */
     acceptableAaguids?: string[];
     /**
-     * The preference of how to generate a WebAuthn attestation statement. Valid options are `not specified`, `none`, `indirect`, `direct`, or `enterprise`. Defaults to `not specified`.
+     * Either none, indirect or direct
      */
     attestationConveyancePreference?: string;
     /**
-     * The acceptable attachment pattern for the WebAuthn authenticator. Valid options are `not specified`, `platform`, or `cross-platform`. Defaults to `not specified`.
+     * Either platform or cross-platform
      */
     authenticatorAttachment?: string;
-    /**
-     * When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`.
-     */
     avoidSameAuthenticatorRegister?: boolean;
-    /**
-     * The timeout value for creating a user's public key credential in seconds. When set to `0`, this timeout option is not adapted. Defaults to `0`.
-     */
     createTimeout?: number;
-    /**
-     * A human readable server name for the WebAuthn Relying Party. Defaults to `keycloak`.
-     */
     relyingPartyEntityName?: string;
-    /**
-     * The WebAuthn relying party ID.
-     */
     relyingPartyId?: string;
     /**
-     * Specifies whether or not a public key should be created to represent the resident key. Valid options are `not specified`, `Yes`, or `No`. Defaults to `not specified`.
+     * Either Yes or No
      */
     requireResidentKey?: string;
     /**
-     * A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are `ES256`, `ES384`, `ES512`, `RS256`, `RS384`, `RS512`, and `RS1`.
+     * Keycloak lists ES256, ES384, ES512, RS256, RS384, RS512, RS1 at the time of writing
      */
     signatureAlgorithms: string[];
     /**
-     * Specifies the policy for verifying a user logging in via WebAuthn. Valid options are `not specified`, `required`, `preferred`, or `discouraged`. Defaults to `not specified`.
+     * Either required, preferred or discouraged
      */
     userVerificationRequirement?: string;
 }
 export interface UserFederatedIdentity {
-    /**
-     * The name of the identity provider
-     */
     identityProvider: string;
-    /**
-     * The ID of the user defined in the identity provider
-     */
     userId: string;
-    /**
-     * The user name of the user defined in the identity provider
-     */
     userName: string;
 }
 export interface UserInitialPassword {
-    /**
-     * If set to `true`, the initial password is set up for renewal on first use. Default to `false`.
-     */
     temporary?: boolean;
-    /**
-     * The initial password.
-     */
     value: string;
 }
 export interface UsersPermissionsImpersonateScope {
@@ -519,7 +383,7 @@ export interface UsersPermissionsViewScope {
 export declare namespace ldap {
     interface UserFederationCache {
         /**
-         * Day of the week the entry will become invalid on
+         * Day of the week the entry will become invalid on.
          */
         evictionDay?: number;
         /**
@@ -534,14 +398,11 @@ export declare namespace ldap {
          * Max lifespan of cache entry (duration string).
          */
         maxLifespan?: string;
-        /**
-         * Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
-         */
         policy?: string;
     }
     interface UserFederationKerberos {
         /**
-         * The name of the kerberos realm, e.g. FOO.LOCAL.
+         * The name of the kerberos realm, e.g. FOO.LOCAL
          */
         kerberosRealm: string;
         /**
@@ -560,31 +421,13 @@ export declare namespace ldap {
 }
 export declare namespace openid {
     interface ClientAuthenticationFlowBindingOverrides {
-        /**
-         * Browser flow id, (flow needs to exist)
-         */
         browserId?: string;
-        /**
-         * Direct grant flow id (flow needs to exist)
-         */
         directGrantId?: string;
     }
     interface ClientAuthorization {
-        /**
-         * When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
-         */
         allowRemoteResourceManagement?: boolean;
-        /**
-         * Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
-         */
         decisionStrategy?: string;
-        /**
-         * When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
-         */
         keepDefaults?: boolean;
-        /**
-         * Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
-         */
         policyEnforcementMode: string;
     }
     interface ClientGroupPolicyGroup {
@@ -649,13 +492,7 @@ export declare namespace openid {
 }
 export declare namespace saml {
     interface ClientAuthenticationFlowBindingOverrides {
-        /**
-         * Browser flow id, (flow needs to exist)
-         */
         browserId?: string;
-        /**
-         * Direct grant flow id (flow needs to exist)
-         */
         directGrantId?: string;
     }
     interface GetClientAuthenticationFlowBindingOverride {

package/user.d.ts

@@ -2,55 +2,69 @@ import * as pulumi from "@pulumi/pulumi";
 import * as inputs from "./types/input";
 import * as outputs from "./types/output";
 /**
+ * ## # keycloak.User
+ *
  * Allows for creating and managing Users within Keycloak.
  *
- * This resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource. Creating users within
- * Keycloak is not recommended. Instead, users should be federated from external sources by configuring user federation providers
- * or identity providers.
+ * This resource was created primarily to enable the acceptance tests for the `keycloak.Group` resource.
+ * Creating users within Keycloak is not recommended. Instead, users should be federated from external sources
+ * by configuring user federation providers or identity providers.
  *
- * ## Example Usage
+ * ### Example Usage
  *
+ * <!--Start PulumiCodeChooser -->
  * ```typescript
  * import * as pulumi from "@pulumi/pulumi";
  * import * as keycloak from "@pulumi/keycloak";
  *
  * const realm = new keycloak.Realm("realm", {
- *     realm: "my-realm",
  *     enabled: true,
+ *     realm: "my-realm",
  * });
  * const user = new keycloak.User("user", {
- *     realmId: realm.id,
- *     username: "bob",
- *     enabled: true,
  *     email: "bob@domain.com",
+ *     enabled: true,
  *     firstName: "Bob",
  *     lastName: "Bobson",
+ *     realmId: realm.id,
+ *     username: "bob",
  * });
  * const userWithInitialPassword = new keycloak.User("userWithInitialPassword", {
- *     realmId: realm.id,
- *     username: "alice",
- *     enabled: true,
  *     email: "alice@domain.com",
+ *     enabled: true,
  *     firstName: "Alice",
- *     lastName: "Aliceberg",
- *     attributes: {
- *         foo: "bar",
- *         multivalue: "value1##value2",
- *     },
  *     initialPassword: {
- *         value: "some password",
  *         temporary: true,
+ *         value: "some password",
  *     },
+ *     lastName: "Aliceberg",
+ *     realmId: realm.id,
+ *     username: "alice",
  * });
  * ```
+ * <!--End PulumiCodeChooser -->
  *
- * ## Import
+ * ### Argument Reference
  *
- * Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak assigns to the user upon creation. This value can be found in the GUI when editing the user. Examplebash
+ * The following arguments are supported:
  *
- * ```sh
- *  $ pulumi import keycloak:index/user:User user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4
- * ```
+ * - `realmId` - (Required) The realm this user belongs to.
+ * - `username` - (Required) The unique username of this user.
+ * - `initialPassword` (Optional) When given, the user's initial password will be set.
+ *    This attribute is only respected during initial user creation.
+ *     - `value` (Required) The initial password.
+ *     - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`.
+ * - `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`.
+ * - `email` - (Optional) The user's email.
+ * - `firstName` - (Optional) The user's first name.
+ * - `lastName` - (Optional) The user's last name.
+ *
+ * ### Import
+ *
+ * Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `userId` is the unique ID that Keycloak
+ * assigns to the user upon creation. This value can be found in the GUI when editing the user.
+ *
+ * Example:
  */
 export declare class User extends pulumi.CustomResource {
     /**
@@ -68,48 +82,18 @@ export declare class User extends pulumi.CustomResource {
      * when multiple copies of the Pulumi SDK have been loaded into the same process.
      */
     static isInstance(obj: any): obj is User;
-    /**
-     * A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
-     */
     readonly attributes: pulumi.Output<{
         [key: string]: any;
     } | undefined>;
-    /**
-     * The user's email.
-     */
     readonly email: pulumi.Output<string | undefined>;
-    /**
-     * Whether the email address was validated or not. Default to `false`.
-     */
     readonly emailVerified: pulumi.Output<boolean | undefined>;
-    /**
-     * When false, this user cannot log in. Defaults to `true`.
-     */
     readonly enabled: pulumi.Output<boolean | undefined>;
     readonly federatedIdentities: pulumi.Output<outputs.UserFederatedIdentity[] | undefined>;
-    /**
-     * The user's first name.
-     */
     readonly firstName: pulumi.Output<string | undefined>;
-    /**
-     * When given, the user's initial password will be set. This attribute is only respected during initial user creation.
-     */
     readonly initialPassword: pulumi.Output<outputs.UserInitialPassword | undefined>;
-    /**
-     * The user's last name.
-     */
     readonly lastName: pulumi.Output<string | undefined>;
-    /**
-     * The realm this user belongs to.
-     */
     readonly realmId: pulumi.Output<string>;
-    /**
-     * A list of required user actions.
-     */
     readonly requiredActions: pulumi.Output<string[] | undefined>;
-    /**
-     * The unique username of this user.
-     */
     readonly username: pulumi.Output<string>;
     /**
      * Create a User resource with the given unique name, arguments, and options.
@@ -124,95 +108,35 @@ export declare class User extends pulumi.CustomResource {
  * Input properties used for looking up and filtering User resources.
  */
 export interface UserState {
-    /**
-     * A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
-     */
     attributes?: pulumi.Input<{
         [key: string]: any;
     }>;
-    /**
-     * The user's email.
-     */
     email?: pulumi.Input<string>;
-    /**
-     * Whether the email address was validated or not. Default to `false`.
-     */
     emailVerified?: pulumi.Input<boolean>;
-    /**
-     * When false, this user cannot log in. Defaults to `true`.
-     */
     enabled?: pulumi.Input<boolean>;
     federatedIdentities?: pulumi.Input<pulumi.Input<inputs.UserFederatedIdentity>[]>;
-    /**
-     * The user's first name.
-     */
     firstName?: pulumi.Input<string>;
-    /**
-     * When given, the user's initial password will be set. This attribute is only respected during initial user creation.
-     */
     initialPassword?: pulumi.Input<inputs.UserInitialPassword>;
-    /**
-     * The user's last name.
-     */
     lastName?: pulumi.Input<string>;
-    /**
-     * The realm this user belongs to.
-     */
     realmId?: pulumi.Input<string>;
-    /**
-     * A list of required user actions.
-     */
     requiredActions?: pulumi.Input<pulumi.Input<string>[]>;
-    /**
-     * The unique username of this user.
-     */
     username?: pulumi.Input<string>;
 }
 /**
  * The set of arguments for constructing a User resource.
  */
 export interface UserArgs {
-    /**
-     * A map representing attributes for the user. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
-     */
     attributes?: pulumi.Input<{
         [key: string]: any;
     }>;
-    /**
-     * The user's email.
-     */
     email?: pulumi.Input<string>;
-    /**
-     * Whether the email address was validated or not. Default to `false`.
-     */
     emailVerified?: pulumi.Input<boolean>;
-    /**
-     * When false, this user cannot log in. Defaults to `true`.
-     */
     enabled?: pulumi.Input<boolean>;
     federatedIdentities?: pulumi.Input<pulumi.Input<inputs.UserFederatedIdentity>[]>;
-    /**
-     * The user's first name.
-     */
     firstName?: pulumi.Input<string>;
-    /**
-     * When given, the user's initial password will be set. This attribute is only respected during initial user creation.
-     */
     initialPassword?: pulumi.Input<inputs.UserInitialPassword>;
-    /**
-     * The user's last name.
-     */
     lastName?: pulumi.Input<string>;
-    /**
-     * The realm this user belongs to.
-     */
     realmId: pulumi.Input<string>;
-    /**
-     * A list of required user actions.
-     */
     requiredActions?: pulumi.Input<pulumi.Input<string>[]>;
-    /**
-     * The unique username of this user.
-     */
     username: pulumi.Input<string>;
 }