How do you manage and sync Keycloak realm config across environments?

Hey everyone,

I’m looking for advice on how to manage Keycloak realm configuration across multiple environments (dev, staging, prod).

Our setup includes:

  • Custom roles, client scopes, protocol mappers

  • Custom authentication flows

  • Custom SPIs

We’d like to:

  • Version and track changes to realm configuration

  • Sync updates across multiple realms

  • Avoid manual setup or full exports/imports every time

I’ve looked into Terraform, the Admin REST API, and kcadm.sh, but I’m wondering what others are doing. Ideally I want something that supports incremental updates, not just full realm replacements.

What would you all recommend?

Thanks!
Yoni

Now that Keycloak has adopted the Keycloak Terraform provider, it is the best option available today.
In the latest Keycloak Realm Configuration Management survey, it received 51% of the votes.


I second the answer from @embesozzi. However, it is important to note that not every solution works for every use case. The Terraform provider is good for 80% of use cases; the keycloak-config-cli is also good for many cases.

If you find that the tools are not working for your case(s), you may also need to use the Admin API directly, or via the Admin CLI.

Thanks guys for the quick response.
@xgp you’ve mentioned that Terraform doesn’t cover all use cases. I’ve been playing with it a little, and I had some issues with authentication flows, specifically the ordering of the executions.
In the Keycloak provider docs they mention this issue and recommend using a depends_on block to force the order of creation. However, that didn’t prove to work all the time, and the execution order ended up being random, without even an option of changing it in the admin console using dragging.

Have you had any experience with auth flows in Terraform? Would you recommend other tools for that specific area?

Thanks in advance.

Authentication flows are one of the use cases we’ve never been able to get any of the tools to do right. We’ve actually built an extension that takes a full flow (in realm export format), creates it atomically, and optionally binds it to a flow, all in one transaction.

We built that for a customer, but we’re in the process of getting approval to open source it. I’ll post here when it’s available.

I’ve never tested/executed it, but I know from one of my customers that there was an issue with the ordering of steps in auth flows. This was fixed, and the admin API can also use this order attribute. AFAIK (but I can be wrong), the Terraform provider should also support this. :man_shrugging:

@dasniko Do you know in what version of keycloak was this fixed?

AFAIR this was last year, so at least 25 or 26.x

@embesozzi @xgp
In my case, I need to manage multiple realms. The realms are created dynamically via our admin console (a realm is created for each new organization).
When using Terraform, it is impossible to create a hard-coded resource for each realm.
I’ve played a little (with the help of ChatGPT) with using one realm resource with for_each, so far without much success.

  1. Is this the right approach for a multi realm solution?
  2. Can anyone share any sample of how to configure such a terraform project?

Any help would be appreciated.
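One way to lay out such a project, as an added example that is not from any poster in this thread: since the organization realms are created outside Terraform, the realms are looked up with a data source rather than managed as resources, and the shared per-realm configuration (a role and a custom flow) is applied with for_each. It assumes the keycloak/keycloak provider is already configured and that the realm names are supplied from outside; the realm names, role and flow aliases are constructed sample values.

```hcl
# Realms are created dynamically by the org admin console, so their names come
# from outside Terraform (tfvars, CI, or a script querying the Admin API).
variable "realm_names" {
  type    = set(string)
  default = ["org-acme", "org-globex"] # constructed sample values
}

# Look realms up instead of owning their lifecycle: Terraform never creates or
# destroys an organization realm, and a missing realm fails the plan loudly.
data "keycloak_realm" "org" {
  for_each = var.realm_names
  realm    = each.value
}

# Shared config per realm, keyed by realm name so state addresses stay stable
# when realms are added or removed (for_each, not count).
resource "keycloak_role" "org_admin" {
  for_each    = data.keycloak_realm.org
  realm_id    = each.value.id
  name        = "org-admin"
  description = "Organization administrator role managed by Terraform"
}

resource "keycloak_authentication_flow" "browser_custom" {
  for_each = data.keycloak_realm.org
  realm_id = each.value.id
  alias    = "browser-custom"
}

# Executions are chained with depends_on so creation order is deterministic;
# newer provider versions also expose a priority attribute (assumption: check
# your provider version) for explicit ordering after creation.
resource "keycloak_authentication_execution" "cookie" {
  for_each          = data.keycloak_realm.org
  realm_id          = each.value.id
  parent_flow_alias = keycloak_authentication_flow.browser_custom[each.key].alias
  authenticator     = "auth-cookie"
  requirement       = "ALTERNATIVE"
}

resource "keycloak_authentication_execution" "password_form" {
  for_each          = data.keycloak_realm.org
  realm_id          = each.value.id
  parent_flow_alias = keycloak_authentication_flow.browser_custom[each.key].alias
  authenticator     = "auth-username-password-form"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.cookie]
}
```

Because the realm list is a plain variable, a new organization only needs its name added to the set (for example by a CI job that reads the realm list from the Admin API) and the next plan shows exactly the per-realm resources that will be created, with no hard-coded resource per realm.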