Manage Keycloak with OpenTofu
What you’ll accomplish
Section titled “What you’ll accomplish”You’ll enable the built-in uds-opentofu-client in UDS Core’s Keycloak realm and use it with the OpenTofu Keycloak provider to programmatically manage Keycloak resources — groups, clients, identity providers, and more.
Prerequisites
Section titled “Prerequisites”Before you begin
Section titled “Before you begin”UDS Core ships with a uds-opentofu-client in the uds realm. This client is disabled by default — it carries realm-admin permissions and should only be enabled when you intend to actively use it.
-
Enable the OpenTofu client via bundle override
Add
OPENTOFU_CLIENT_ENABLED: "true"to yourrealmInitEnvinuds-bundle.yaml. Set your desired authentication flows in the same deployment:uds-bundle.yaml packages:- name: corerepository: registry.defenseunicorns.com/public/coreref: x.x.x-upstreamoverrides:keycloak:keycloak:values:- path: realmInitEnvvalue:OPENTOFU_CLIENT_ENABLED: "true"- path: realmAuthFlowsvalue:USERNAME_PASSWORD_AUTH_ENABLED: trueX509_AUTH_ENABLED: falseSOCIAL_AUTH_ENABLED: falseOTP_ENABLED: trueWEBAUTHN_ENABLED: falseX509_MFA_ENABLED: falseDeploy the bundle:
Terminal window uds create <path-to-bundle-dir>uds deploy uds-bundle-<name>-<arch>-<version>.tar.zstEnable the client in the Keycloak admin UI
Section titled “Enable the client in the Keycloak admin UI”For already-running deployments where a full redeploy is not possible, enable the client directly in the Keycloak Admin Console:
- Navigate to
keycloak.<admin_domain>and log in with admin credentials - Switch to the uds realm using the top-left dropdown
- Go to Clients → select
uds-opentofu-client - Toggle Enabled to On in the top-right of the settings page
- Click Save
- Navigate to
-
Retrieve the client secret
After the client is enabled, retrieve its secret from the Keycloak Admin Console:
- Go to Clients →
uds-opentofu-client - Click the Credentials tab
- Copy the Client Secret value
- Go to Clients →
-
Configure the OpenTofu Keycloak provider
Create your OpenTofu configuration pointing at your UDS Core Keycloak instance:
main.tf terraform {required_providers {keycloak = {source = "keycloak/keycloak"version = "5.5.0"}}required_version = ">= 1.0.0"}variable "keycloak_client_secret" {type = stringdescription = "Client secret for the uds-opentofu-client"sensitive = true}provider "keycloak" {client_id = "uds-opentofu-client"client_secret = var.keycloak_client_secreturl = "https://keycloak.<admin_domain>"realm = "uds"}Store the client secret in a
.tfvarsfile and add it to.gitignore:secrets.auto.tfvars keycloak_client_secret = "your-client-secret-here" -
Manage Keycloak resources with OpenTofu
With the provider configured, manage resources in the
udsrealm declaratively. For example, to create a group hierarchy:groups.tf resource "keycloak_group" "example_group" {realm_id = "uds"name = "example-group"attributes = {description = "Example group created via OpenTofu"created_by = "opentofu"}}resource "keycloak_group" "nested_group" {realm_id = "uds"name = "nested-example-group"parent_id = keycloak_group.example_group.idattributes = {description = "Nested group under example-group"}}Apply your configuration:
Terminal window tofu plantofu apply -auto-approve
Verification
Section titled “Verification”Confirm the OpenTofu client is enabled and your provider connectivity works:
- In the Keycloak Admin Console, go to Clients →
uds-opentofu-clientand confirm the Enabled toggle is On - Run
tofu plan— if the provider authenticates successfully, the plan output shows your resources without any authentication error
After running tofu apply, confirm resources created by OpenTofu appear in the Keycloak Admin Console (for example, check Groups after creating groups).
Troubleshooting
Section titled “Troubleshooting”Problem: uds-opentofu-client is disabled after deploying with OPENTOFU_CLIENT_ENABLED: "true"
Section titled “Problem: uds-opentofu-client is disabled after deploying with OPENTOFU_CLIENT_ENABLED: "true"”Symptoms: The client exists in Keycloak but shows as disabled, or OpenTofu authentication fails with a 401 error.
Solution: realmInitEnv values apply only during initial realm import. If Keycloak was already running when the bundle was deployed, the setting had no effect. Enable the client manually in the admin UI:
- Go to Clients →
uds-opentofu-client - Toggle Enabled to On
- Click Save
Problem: OpenTofu provider returns “Malformed version” error
Section titled “Problem: OpenTofu provider returns “Malformed version” error”Symptoms: tofu plan fails with a Malformed version error (see Keycloak Terraform Provider #1342).
Solution: This is a known issue with Keycloak 26.4.0+. Add the view-system role to realm-admin:
- In the Keycloak Admin Console, go to Clients →
realm-management→ Client Roles → click Create Role - Set Role Name to
view-systemwith descriptionEnables displaying SystemInfo through the ServerInfo endpointand click Save - Navigate back to Client Roles, find
realm-admin, and open it - Go to the Associated roles tab → Assign role → Client Roles
- Find and assign
view-system
Problem: OpenTofu fails with a permissions error when managing resources
Section titled “Problem: OpenTofu fails with a permissions error when managing resources”Symptoms: tofu apply fails with an authorization error when creating or modifying Keycloak resources.
Solution: Confirm the uds-opentofu-client service account has the realm-management: realm-admin role:
- Go to Clients →
uds-opentofu-client→ Service account roles tab - Confirm
realm-management: realm-adminis listed - If missing, click Assign role, filter by Client Roles, find
realm-management: realm-admin, and assign it
Related Documentation
Section titled “Related Documentation”- OpenTofu Keycloak provider — full provider resource reference
- Configure Keycloak authentication methods — set auth flows alongside OpenTofu enablement
- Upgrade Keycloak realm configuration — manual upgrade steps when re-importing the realm with new config
Next steps
Section titled “Next steps”These guides and concepts may be useful to explore next: