Viewing docs for Keycloak v6.12.0
published on Saturday, Jun 6, 2026 by Pulumi
published on Saturday, Jun 6, 2026 by Pulumi
Viewing docs for Keycloak v6.12.0
published on Saturday, Jun 6, 2026 by Pulumi
published on Saturday, Jun 6, 2026 by Pulumi
Allows you to manage Regex policies.
Regex policies allow you to define conditions using regular expressions evaluated on attributes of either the current identity or a specific target claim.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const test = new keycloak.openid.Client("test", {
clientId: "client_id",
realmId: realm.id,
accessType: "CONFIDENTIAL",
serviceAccountsEnabled: true,
authorization: {
policyEnforcementMode: "ENFORCING",
},
});
const testClientRegexPolicy = new keycloak.openid.ClientRegexPolicy("test", {
resourceServerId: test.resourceServerId,
realmId: realm.id,
name: "regex_policy",
decisionStrategy: "UNANIMOUS",
logic: "POSITIVE",
targetClaim: "sample-claim",
pattern: "^sample.+$",
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
test = keycloak.openid.Client("test",
client_id="client_id",
realm_id=realm.id,
access_type="CONFIDENTIAL",
service_accounts_enabled=True,
authorization={
"policy_enforcement_mode": "ENFORCING",
})
test_client_regex_policy = keycloak.openid.ClientRegexPolicy("test",
resource_server_id=test.resource_server_id,
realm_id=realm.id,
name="regex_policy",
decision_strategy="UNANIMOUS",
logic="POSITIVE",
target_claim="sample-claim",
pattern="^sample.+$")
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
test, err := openid.NewClient(ctx, "test", &openid.ClientArgs{
ClientId: pulumi.String("client_id"),
RealmId: realm.ID(),
AccessType: pulumi.String("CONFIDENTIAL"),
ServiceAccountsEnabled: pulumi.Bool(true),
Authorization: &openid.ClientAuthorizationArgs{
PolicyEnforcementMode: pulumi.String("ENFORCING"),
},
})
if err != nil {
return err
}
_, err = openid.NewClientRegexPolicy(ctx, "test", &openid.ClientRegexPolicyArgs{
ResourceServerId: test.ResourceServerId,
RealmId: realm.ID(),
Name: pulumi.String("regex_policy"),
DecisionStrategy: pulumi.String("UNANIMOUS"),
Logic: pulumi.String("POSITIVE"),
TargetClaim: pulumi.String("sample-claim"),
Pattern: pulumi.String("^sample.+$"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var test = new Keycloak.OpenId.Client("test", new()
{
ClientId = "client_id",
RealmId = realm.Id,
AccessType = "CONFIDENTIAL",
ServiceAccountsEnabled = true,
Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
{
PolicyEnforcementMode = "ENFORCING",
},
});
var testClientRegexPolicy = new Keycloak.OpenId.ClientRegexPolicy("test", new()
{
ResourceServerId = test.ResourceServerId,
RealmId = realm.Id,
Name = "regex_policy",
DecisionStrategy = "UNANIMOUS",
Logic = "POSITIVE",
TargetClaim = "sample-claim",
Pattern = "^sample.+$",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
import com.pulumi.keycloak.openid.ClientRegexPolicy;
import com.pulumi.keycloak.openid.ClientRegexPolicyArgs;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var test = new Client("test", ClientArgs.builder()
.clientId("client_id")
.realmId(realm.id())
.accessType("CONFIDENTIAL")
.serviceAccountsEnabled(true)
.authorization(ClientAuthorizationArgs.builder()
.policyEnforcementMode("ENFORCING")
.build())
.build());
var testClientRegexPolicy = new ClientRegexPolicy("testClientRegexPolicy", ClientRegexPolicyArgs.builder()
.resourceServerId(test.resourceServerId())
.realmId(realm.id())
.name("regex_policy")
.decisionStrategy("UNANIMOUS")
.logic("POSITIVE")
.targetClaim("sample-claim")
.pattern("^sample.+$")
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
test:
type: keycloak:openid:Client
properties:
clientId: client_id
realmId: ${realm.id}
accessType: CONFIDENTIAL
serviceAccountsEnabled: true
authorization:
policyEnforcementMode: ENFORCING
testClientRegexPolicy:
type: keycloak:openid:ClientRegexPolicy
name: test
properties:
resourceServerId: ${test.resourceServerId}
realmId: ${realm.id}
name: regex_policy
decisionStrategy: UNANIMOUS
logic: POSITIVE
targetClaim: sample-claim
pattern: ^sample.+$
pulumi {
required_providers {
keycloak = {
source = "pulumi/keycloak"
}
}
}
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client" "test" {
client_id = "client_id"
realm_id = keycloak_realm.realm.id
access_type = "CONFIDENTIAL"
service_accounts_enabled = true
authorization = {
policy_enforcement_mode = "ENFORCING"
}
}
resource "keycloak_openid_clientregexpolicy" "test" {
resource_server_id = keycloak_openid_client.test.resource_server_id
realm_id = keycloak_realm.realm.id
name = "regex_policy"
decision_strategy = "UNANIMOUS"
logic = "POSITIVE"
target_claim = "sample-claim"
pattern = "^sample.+$"
}
Argument Reference
The following arguments are supported:
realmId- (Required) The realm this policy exists in.resourceServerId- (Required) The ID of the resource server.name- (Required) The name of the policy.decisionStrategy- (Required) The decision strategy, can be one ofUNANIMOUS,AFFIRMATIVE, orCONSENSUS.targetClaim- (Required) The name of the target claim in the token.pattern- (Required) The Regex pattern.targetContextAttributes- (Optional)trueif policy should be evaluated on context attributes instead of identity attributes.logic- (Optional) The logic, can be one ofPOSITIVEorNEGATIVE. Defaults toPOSITIVE.type- (Optional) The type of the policy. Defaults toregex.description- (Optional) A description for the authorization policy.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
id- Policy ID representing the Regex policy.
Create ClientRegexPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ClientRegexPolicy(name: string, args: ClientRegexPolicyArgs, opts?: CustomResourceOptions);@overload
def ClientRegexPolicy(resource_name: str,
args: ClientRegexPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ClientRegexPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
decision_strategy: Optional[str] = None,
pattern: Optional[str] = None,
realm_id: Optional[str] = None,
resource_server_id: Optional[str] = None,
target_claim: Optional[str] = None,
description: Optional[str] = None,
logic: Optional[str] = None,
name: Optional[str] = None,
target_context_attributes: Optional[bool] = None)func NewClientRegexPolicy(ctx *Context, name string, args ClientRegexPolicyArgs, opts ...ResourceOption) (*ClientRegexPolicy, error)public ClientRegexPolicy(string name, ClientRegexPolicyArgs args, CustomResourceOptions? opts = null)
public ClientRegexPolicy(String name, ClientRegexPolicyArgs args)
public ClientRegexPolicy(String name, ClientRegexPolicyArgs args, CustomResourceOptions options)
type: keycloak:openid:ClientRegexPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
resource "keycloak_openid_clientregexpolicy" "name" {
# resource properties
}Parameters
- name string
- The unique name of the resource.
- args ClientRegexPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ClientRegexPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ClientRegexPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ClientRegexPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ClientRegexPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var clientRegexPolicyResource = new Keycloak.OpenId.ClientRegexPolicy("clientRegexPolicyResource", new()
{
DecisionStrategy = "string",
Pattern = "string",
RealmId = "string",
ResourceServerId = "string",
TargetClaim = "string",
Description = "string",
Logic = "string",
Name = "string",
TargetContextAttributes = false,
});
example, err := openid.NewClientRegexPolicy(ctx, "clientRegexPolicyResource", &openid.ClientRegexPolicyArgs{
DecisionStrategy: pulumi.String("string"),
Pattern: pulumi.String("string"),
RealmId: pulumi.String("string"),
ResourceServerId: pulumi.String("string"),
TargetClaim: pulumi.String("string"),
Description: pulumi.String("string"),
Logic: pulumi.String("string"),
Name: pulumi.String("string"),
TargetContextAttributes: pulumi.Bool(false),
})
resource "keycloak_openid_clientregexpolicy" "clientRegexPolicyResource" {
decision_strategy = "string"
pattern = "string"
realm_id = "string"
resource_server_id = "string"
target_claim = "string"
description = "string"
logic = "string"
name = "string"
target_context_attributes = false
}
var clientRegexPolicyResource = new ClientRegexPolicy("clientRegexPolicyResource", ClientRegexPolicyArgs.builder()
.decisionStrategy("string")
.pattern("string")
.realmId("string")
.resourceServerId("string")
.targetClaim("string")
.description("string")
.logic("string")
.name("string")
.targetContextAttributes(false)
.build());
client_regex_policy_resource = keycloak.openid.ClientRegexPolicy("clientRegexPolicyResource",
decision_strategy="string",
pattern="string",
realm_id="string",
resource_server_id="string",
target_claim="string",
description="string",
logic="string",
name="string",
target_context_attributes=False)
const clientRegexPolicyResource = new keycloak.openid.ClientRegexPolicy("clientRegexPolicyResource", {
decisionStrategy: "string",
pattern: "string",
realmId: "string",
resourceServerId: "string",
targetClaim: "string",
description: "string",
logic: "string",
name: "string",
targetContextAttributes: false,
});
type: keycloak:openid:ClientRegexPolicy
properties:
decisionStrategy: string
description: string
logic: string
name: string
pattern: string
realmId: string
resourceServerId: string
targetClaim: string
targetContextAttributes: false
ClientRegexPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ClientRegexPolicy resource accepts the following input properties:
- Decision
Strategy string - Pattern string
- Realm
Id string - Resource
Server stringId - Target
Claim string - Description string
- Logic string
- Name string
- Target
Context boolAttributes
- Decision
Strategy string - Pattern string
- Realm
Id string - Resource
Server stringId - Target
Claim string - Description string
- Logic string
- Name string
- Target
Context boolAttributes
- decision_
strategy string - pattern string
- realm_
id string - resource_
server_ stringid - target_
claim string - description string
- logic string
- name string
- target_
context_ boolattributes
- decision
Strategy String - pattern String
- realm
Id String - resource
Server StringId - target
Claim String - description String
- logic String
- name String
- target
Context BooleanAttributes
- decision
Strategy string - pattern string
- realm
Id string - resource
Server stringId - target
Claim string - description string
- logic string
- name string
- target
Context booleanAttributes
- decision_
strategy str - pattern str
- realm_
id str - resource_
server_ strid - target_
claim str - description str
- logic str
- name str
- target_
context_ boolattributes
- decision
Strategy String - pattern String
- realm
Id String - resource
Server StringId - target
Claim String - description String
- logic String
- name String
- target
Context BooleanAttributes
Outputs
All input properties are implicitly available as output properties. Additionally, the ClientRegexPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ClientRegexPolicy Resource
Get an existing ClientRegexPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ClientRegexPolicyState, opts?: CustomResourceOptions): ClientRegexPolicy@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
decision_strategy: Optional[str] = None,
description: Optional[str] = None,
logic: Optional[str] = None,
name: Optional[str] = None,
pattern: Optional[str] = None,
realm_id: Optional[str] = None,
resource_server_id: Optional[str] = None,
target_claim: Optional[str] = None,
target_context_attributes: Optional[bool] = None) -> ClientRegexPolicyfunc GetClientRegexPolicy(ctx *Context, name string, id IDInput, state *ClientRegexPolicyState, opts ...ResourceOption) (*ClientRegexPolicy, error)public static ClientRegexPolicy Get(string name, Input<string> id, ClientRegexPolicyState? state, CustomResourceOptions? opts = null)public static ClientRegexPolicy get(String name, Output<String> id, ClientRegexPolicyState state, CustomResourceOptions options)resources: _: type: keycloak:openid:ClientRegexPolicy get: id: ${id}import {
to = keycloak_openid_clientregexpolicy.example
id = "${id}"
}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Decision
Strategy string - Description string
- Logic string
- Name string
- Pattern string
- Realm
Id string - Resource
Server stringId - Target
Claim string - Target
Context boolAttributes
- Decision
Strategy string - Description string
- Logic string
- Name string
- Pattern string
- Realm
Id string - Resource
Server stringId - Target
Claim string - Target
Context boolAttributes
- decision_
strategy string - description string
- logic string
- name string
- pattern string
- realm_
id string - resource_
server_ stringid - target_
claim string - target_
context_ boolattributes
- decision
Strategy String - description String
- logic String
- name String
- pattern String
- realm
Id String - resource
Server StringId - target
Claim String - target
Context BooleanAttributes
- decision
Strategy string - description string
- logic string
- name string
- pattern string
- realm
Id string - resource
Server stringId - target
Claim string - target
Context booleanAttributes
- decision_
strategy str - description str
- logic str
- name str
- pattern str
- realm_
id str - resource_
server_ strid - target_
claim str - target_
context_ boolattributes
- decision
Strategy String - description String
- logic String
- name String
- pattern String
- realm
Id String - resource
Server StringId - target
Claim String - target
Context BooleanAttributes
Import
Regex policies can be imported using the format: {{realmId}}/{{resourceServerId}}/{{policyId}}.
Example:
$ pulumi import keycloak:openid/clientRegexPolicy:ClientRegexPolicy test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.
Viewing docs for Keycloak v6.12.0
published on Saturday, Jun 6, 2026 by Pulumi
published on Saturday, Jun 6, 2026 by Pulumi