I’ve been using Keycloak for several years, and up until now I’ve always relied on the
OVERWRITE_EXISTING realm import strategy.
The main reason was consistency across environments — every deploy results in an identical realm state, no manual UI configuration, no drift, and no human errors.
All configuration lives in realm JSON, and this has worked well for DEV / STAGING / PROD.
I also use custom user federation, so no local users are stored in Keycloak, which made this approach feel safe and clean.
However, I recently ran into a problem with MFA:
When a user configures MFA
Keycloak is redeployed
Realm is re-imported using OVERWRITE_EXISTING
The user is forced to set up MFA again on next login.
From what I understand, this happens because OVERWRITE_EXISTING → MFA secrets and required-action state are stored as Keycloak-managed credentials, and realm overwrite removes them — even for federated users.
Now I’m considering switching to IGNORE_EXISTING if necessary and I wanted to ask the community:
Which realm import strategy do you use in production and why?
Does Keycloak recommend a preferred strategy?
How do you balance configuration consistency?
How do you rollback changes if something was wrong configured on UI?
Enable events and track what was changed?
Keycloak’s im-/export functionality is not meant for being used as kind of configuration as code. As you experienced, it’s an “all or nothing” operation with OVERWRITE_EXISTING vs. IGNORE.
The im-/exports of a Keycloak realm is more a tool for something like “I want to port a dedicated state from one environment to another” to investigate in some behavior or to port it to a different environment in terms of a migration (e.g. migration of database).
To achieve consistency across environments, what I read from your post is your goal, I strongly recommend to use something like the official Keycloak Terraform provider [1], Keycloak Config CLI [2], Keycloak Ansible Collection [3] or similar projects.
The Terraform provider is maintained directly by the Keycloak team/project, the other ones are community projects.
I start considering and getting know with Terraform, do you have some example of using it in your work?
Is this should be separated form my repo where I define all my extensions or I can keep it in the same place?
I recommend to read the official Terraform documentation. It’s possible to import an existing realm as a state and also to transform this state into the .tf file format. Documentation and also some AI advice (use carefully! and use it as some kind of support, don’t let do AI all of your stuff!) can be of good help.
The answer to the question to where to maintain the TF resources depends on your overall repository/project/resource structure. I’m a big fan of having as most as possible resources in one repository, but I know others who are happy to have it distributed across several repos. Distributing it may introduce more complexity to your deployment pipelines, but on the other hand may also give you more flexibility. As always, it’s a trade-off.
