
Reference

Table of Contents

Classes

Public Classes

Private Classes

  • keycloak::db::mariadb: Manage MySQL DB
  • keycloak::db::mysql: Manage MySQL DB
  • keycloak::db::postgres: Manage postgres DB
  • keycloak::resources: Define Keycloak resources

Defined types

Resource types

Data types

Classes

keycloak

Manage Keycloak

Examples

include ::keycloak

Parameters

The following parameters are available in the keycloak class:

manage_install

Data type: Boolean

Install Keycloak from upstream Keycloak tarball. Set to false to manage installation of Keycloak outside this module and set $install_dir to match. Defaults to true.

Default value: true

version

Data type: String

Version of Keycloak to install and manage.

Default value: '18.0.0'

package_url

Data type: Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]

URL of the Keycloak download. Default is based on version.

Default value: undef

install_dir

Data type: Optional[Stdlib::Absolutepath]

The directory of where to install Keycloak. Default is /opt/keycloak-${version}.

Default value: undef

java_declare_method

Data type: Enum['include','class']

How to declare the Java class within this module. The include value only includes the java class. The class value declares the Java class and passes the necessary parameters (java_package, java_home, java_alternative_path, java_alternative). For RedHat-based systems this defaults to class; other OSes default to include.

Default value: 'class'

java_package

Data type: String[1]

Java package name, only used when java_declare_method is class

Default value: 'java-11-openjdk-devel'

java_home

Data type: Stdlib::Absolutepath

Java home path, only used when java_declare_method is class

Default value: '/usr/lib/jvm/java-11-openjdk'

java_alternative_path

Data type: Stdlib::Absolutepath

Java alternative path, only used when java_declare_method is class

Default value: '/usr/lib/jvm/java-11-openjdk/bin/java'

java_alternative

Data type: String[1]

Java alternative, only used when java_declare_method is class

Default value: '/usr/lib/jvm/java-11-openjdk/bin/java'

service_name

Data type: String

Keycloak service name. Default is keycloak.

Default value: 'keycloak'

service_ensure

Data type: String

Keycloak service ensure property. Default is running.

Default value: 'running'

service_enable

Data type: Boolean

Keycloak service enable property. Default is true.

Default value: true

java_opts

Data type: Optional[Variant[String, Array]]

Sets additional options to Java virtual machine environment variable.

Default value: undef

start_command

Data type: Enum['start','start-dev']

The start command to use to run Keycloak

Default value: 'start'

service_extra_opts

Data type: Optional[String]

Additional options added to the end of the service command-line.

Default value: undef

service_environment_file

Data type: Optional[Stdlib::Absolutepath]

Path to the file with environment variables for the systemd service

Default value: undef

configs

Data type: Keycloak::Configs

Define additional configs for keycloak.conf

Default value: {}

hostname

Data type: Stdlib::Host

hostname to set in keycloak.conf

Default value: $facts['networking']['fqdn']

http_enabled

Data type: Boolean

Whether to enable HTTP

Default value: true

http_host

Data type: Stdlib::IP::Address

HTTP host

Default value: '0.0.0.0'

http_port

Data type: Stdlib::Port

HTTP port

Default value: 8080

https_port

Data type: Stdlib::Port

HTTPS port

Default value: 8443

manage_user

Data type: Boolean

Defines if the module should manage the Linux user for Keycloak installation

Default value: true

user

Data type: String

Keycloak user name. Default is keycloak.

Default value: 'keycloak'

user_shell

Data type: Stdlib::Absolutepath

Keycloak user shell.

Default value: '/sbin/nologin'

group

Data type: String

Keycloak user group name. Default is keycloak.

Default value: 'keycloak'

user_uid

Data type: Optional[Integer]

Keycloak user UID. Default is undef.

Default value: undef

group_gid

Data type: Optional[Integer]

Keycloak user group GID. Default is undef.

Default value: undef

system_user

Data type: Boolean

If the keycloak user should be a system user with a lower uid and gid. Default is true.

Default value: true

admin_user

Data type: String

Keycloak administrative username. Default is admin.

Default value: 'admin'

admin_user_password

Data type: String

Keycloak administrative user password. Default is changeme. This default is a placeholder only; override it (for example via Hiera) for any real deployment.

Default value: 'changeme'

manage_db

Data type: Boolean

Boolean that determines if configured database will be managed.

Default value: true

manage_db_server

Data type: Boolean

Include the DB server class for postgres, mariadb or mysql

Default value: true

db

Data type: Enum['dev-file', 'dev-mem', 'mariadb', 'mysql', 'oracle', 'postgres']

Database driver to use for Keycloak.

Default value: 'dev-file'

db_url_host

Data type: Optional[Stdlib::Host]

Database host.

Default value: undef

db_url_port

Data type: Optional[Stdlib::Port]

Database port.

Default value: undef

db_url

Data type: Optional[String[1]]

Database url.

Default value: undef

db_url_database

Data type: String[1]

Database name.

Default value: 'keycloak'

db_username

Data type: String[1]

Database user name.

Default value: 'keycloak'

db_password

Data type: String[1]

Database user password. The default is a placeholder only; override it (for example via Hiera) for any real deployment.

Default value: 'changeme'

db_charset

Data type: String

MySQL and MariaDB database charset

Default value: 'utf8'

features

Data type: Optional[Array[String[1]]]

Keycloak features to enable

Default value: undef

features_disabled

Data type: Optional[Array[String[1]]]

Keycloak features to disable

Default value: undef

truststore

Data type: Boolean

Boolean that sets if truststore should be used. Default is false.

Default value: false

truststore_hosts

Data type: Hash

Hash that is used to define keycloak::truststore::host resources. Default is {}.

Default value: {}

truststore_password

Data type: String

Truststore password. Default is keycloak.

Default value: 'keycloak'

proxy

Data type: Enum['edge','reencrypt','passthrough','none']

Type of proxy to use for Keycloak

Default value: 'none'

realms

Data type: Hash

Hash that is used to define keycloak_realm resources. Default is {}.

Default value: {}

realms_merge

Data type: Boolean

Boolean that sets if realms should be merged from Hiera.

Default value: false

oidc_client_scopes

Data type: Hash

Hash that is used to define keycloak::client_scope::oidc resources. Default is {}.

Default value: {}

oidc_client_scopes_merge

Data type: Boolean

Boolean that sets if oidc_client_scopes should be merged from Hiera.

Default value: false

saml_client_scopes

Data type: Hash

Hash that is used to define keycloak::client_scope::saml resources. Default is {}.

Default value: {}

saml_client_scopes_merge

Data type: Boolean

Boolean that sets if saml_client_scopes should be merged from Hiera.

Default value: false

identity_providers

Data type: Hash

Hash that is used to define keycloak_identity_provider resources.

Default value: {}

identity_providers_merge

Data type: Boolean

Boolean that sets if identity_providers should be merged from Hiera.

Default value: false

client_protocol_mappers

Data type: Hash

Hash that is used to define keycloak_client_protocol_mapper resources.

Default value: {}

client_scopes

Data type: Hash

Hash that is used to define keycloak_client_scope resources.

Default value: {}

client_scopes_merge

Data type: Boolean

Boolean that sets if client_scopes should be merged from Hiera.

Default value: false

protocol_mappers

Data type: Hash

Hash that is used to define keycloak_protocol_mapper resources.

Default value: {}

protocol_mappers_merge

Data type: Boolean

Boolean that sets if protocol_mappers should be merged from Hiera.

Default value: false

clients

Data type: Hash

Hash that is used to define keycloak_client resources.

Default value: {}

clients_merge

Data type: Boolean

Boolean that sets if clients should be merged from Hiera.

Default value: false

flows

Data type: Hash

Hash that is used to define keycloak_flow resources.

Default value: {}

flows_merge

Data type: Boolean

Boolean that sets if flows should be merged from Hiera.

Default value: false

flow_executions

Data type: Hash

Hash that is used to define keycloak_flow_execution resources.

Default value: {}

flow_executions_merge

Data type: Boolean

Boolean that sets if flow_executions should be merged from Hiera.

Default value: false

required_actions

Data type: Hash

Hash that is used to define keycloak_required_action resources.

Default value: {}

required_actions_merge

Data type: Boolean

Boolean that sets if required_actions should be merged from Hiera.

Default value: false

ldap_mappers

Data type: Hash

Hash that is used to define keycloak_ldap_mapper resources.

Default value: {}

ldap_mappers_merge

Data type: Boolean

Boolean that sets if ldap_mappers should be merged from Hiera.

Default value: false

ldap_user_providers

Data type: Hash

Hash that is used to define keycloak_ldap_user_provider resources.

Default value: {}

ldap_user_providers_merge

Data type: Boolean

Boolean that sets if ldap_user_providers should be merged from Hiera.

Default value: false

with_sssd_support

Data type: Boolean

Boolean that determines if SSSD user provider support should be available

Default value: false

libunix_dbus_java_source

Data type: Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]

Source URL of libunix-dbus-java

Default value: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz'

install_libunix_dbus_java_build_dependencies

Data type: Boolean

Boolean that determines if libunix-dbus-java build dependencies are managed by this module

Default value: true

libunix_dbus_java_build_dependencies

Data type: Array

Packages needed to build libunix-dbus-java

Default value: []

libunix_dbus_java_libdir

Data type: Stdlib::Absolutepath

Path to directory to install libunix-dbus-java libraries

Default value: '/usr/lib64'

jna_package_name

Data type: String

Package name for jna

Default value: 'jna'

manage_sssd_config

Data type: Boolean

Boolean that determines if SSSD ifp config for Keycloak is managed

Default value: true

sssd_ifp_user_attributes

Data type: Array

user_attributes to define for SSSD ifp service

Default value: []

restart_sssd

Data type: Boolean

Boolean that determines if SSSD should be restarted

Default value: true

spi_deployments

Data type: Hash

Hash used to define keycloak::spi_deployment resources

Default value: {}

providers_purge

Data type: Boolean

Purge the providers directory of unmanaged SPIs

Default value: true

custom_config_content

Data type: Optional[String]

Custom configuration content to be added to keycloak.conf

Default value: undef

custom_config_source

Data type: Optional[Variant[String, Array]]

Custom configuration source file to be added to keycloak.conf

Default value: undef

validator_test_url

Data type: String

The URL path for validator testing. Only necessary to set if the URL path to Keycloak is modified.

Default value: '/realms/master/.well-known/openid-configuration'

keycloak::config

Private class.

keycloak::install

Private class.

keycloak::service

Private class.

keycloak::sssd

Private class.

Defined types

keycloak::client_scope::oidc

Manage Keycloak OpenID Connect client scope using built-in mappers

Examples

keycloak::client_scope::oidc { 'oidc-clients':
  realm => 'test',
}

Parameters

The following parameters are available in the keycloak::client_scope::oidc defined type:

realm

Data type: String

Realm of the client scope.

resource_name

Data type: String

Name of the client scope resource

Default value: $name

keycloak::client_scope::saml

Manage Keycloak SAML client scope using built-in mappers

Examples

keycloak::client_scope::saml { 'saml-clients':
  realm => 'test',
}

Parameters

The following parameters are available in the keycloak::client_scope::saml defined type:

realm

Data type: String

Realm of the client scope.

resource_name

Data type: String

Name of the client scope resource

Default value: $name

keycloak::freeipa_ldap_mappers

setup FreeIPA LDAP mappers for Keycloak

Examples

keycloak::freeipa_ldap_mappers { 'ipa.example.org':
  realm            => 'EXAMPLE.ORG',
  groups_dn        => 'cn=groups,cn=accounts,dc=example,dc=org',
  roles_dn         => 'cn=groups,cn=accounts,dc=example,dc=org'
}

Parameters

The following parameters are available in the keycloak::freeipa_ldap_mappers defined type:

realm

Data type: String

Keycloak realm

groups_dn

Data type: String

Groups DN

roles_dn

Data type: String

Roles DN

parent_id

Data type: String

Used to identify the parent LDAP user provider, name used with keycloak::freeipa_user_provider

Default value: $title

keycloak::freeipa_user_provider

setup IPA as an LDAP user provider for Keycloak

Examples

Add FreeIPA as a user provider
keycloak::freeipa_user_provider { 'ipa.example.org':
  ensure          => 'present',
  realm           => 'EXAMPLE.ORG',
  bind_dn         => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
  bind_credential => 'secret',
  users_dn        => 'cn=users,cn=accounts,dc=example,dc=org',
  priority        => 10,
}

Parameters

The following parameters are available in the keycloak::freeipa_user_provider defined type:

ensure

Data type: Enum['present', 'absent']

LDAP user provider status

Default value: 'present'

id

Data type: Optional[String]

ID to use for user provider

Default value: undef

ipa_host

Data type: Stdlib::Host

Hostname of the FreeIPA server (e.g. ipa.example.org)

Default value: $title

realm

Data type: String

Keycloak realm

bind_dn

Data type: String

LDAP bind dn

bind_credential

Data type: String

LDAP bind password

users_dn

Data type: String

The DN for user search

priority

Data type: Integer

Priority for this user provider

Default value: 10

ldaps

Data type: Boolean

Use LDAPS protocol instead of LDAP

Default value: false

full_sync_period

Data type: Optional[Integer]

Synchronize all users this often (fullSyncPeriod)

Default value: undef

changed_sync_period

Data type: Optional[Integer]

Synchronize changed users this often (changedSyncPeriod)

Default value: undef

keycloak::spi_deployment

}

Examples

Add Duo SPI
keycloak::spi_deployment { 'duo-spi':
  ensure        => 'present',
  deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
  source        => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
}
Add Duo SPI and check the API for existence of resources before going on to dependent resources
keycloak::spi_deployment { 'duo-spi':
  deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
  source        => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
  test_url      => 'authentication/authenticator-providers',
  test_key      => 'id',
  test_value    => 'duo-mfa-authenticator',
  test_realm    => 'test',
  before        => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'],
}

Parameters

The following parameters are available in the keycloak::spi_deployment defined type:

ensure

Data type: Enum['present', 'absent']

State of the deployment

Default value: 'present'

deployed_name

Data type: String[1]

Name of the file to be deployed. Defaults to $name.

Default value: $name

source

Data type: Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]

Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://'

test_url

Data type: Optional[String]

URL to test for existence of resources created by this SPI

Default value: undef

test_key

Data type: Optional[String]

Key of resource when testing for resource created by this SPI

Default value: undef

test_value

Data type: Optional[String]

Value of the test_key when testing for resources created by this SPI

Default value: undef

test_realm

Data type: Optional[String]

Realm to query when looking for resources created by this SPI

Default value: undef

test_before

Data type: Optional[Array]

Setup autorequires for validator dependent resources

Default value: undef

keycloak::truststore::host

Add host to Keycloak truststore

Examples

keycloak::truststore::host { 'ldap1.example.com':
  certificate => '/etc/openldap/certs/0a00000.0',
}

Parameters

The following parameters are available in the keycloak::truststore::host defined type:

certificate

Data type: String

Path to host certificate

ensure

Data type: Enum['latest', 'present', 'absent']

Host ensure value passed to java_ks resource.

Default value: 'latest'

Resource types

keycloak_api

Type that configures API connection parameters for other keycloak types that use the Keycloak API.

Examples

Define API access
keycloak_api { 'keycloak':
  install_dir  => '/opt/keycloak',
  server       => 'http://localhost:8080',
  realm        => 'master',
  user         => 'admin',
  password     => 'changeme',
}

Parameters

The following parameters are available in the keycloak_api type.

install_dir

Install location of Keycloak

Default value: /opt/keycloak

name

namevar

Keycloak API config

password

Password for authentication. The default is a placeholder only and should be overridden.

Default value: changeme

realm

Realm for authentication

Default value: master

server

Auth URL for Keycloak server

Default value: http://localhost:8080

use_wrapper

Valid values: true, false

Boolean that determines if kcadm_wrapper.sh should be used

Default value: false

user

User for authentication

Default value: admin

keycloak_client

Manage Keycloak clients

Examples

Add a OpenID Connect client
keycloak_client { 'www.example.com':
  ensure                => 'present',
  realm                 => 'test',
  redirect_uris         => [
    "https://www.example.com/oidc",
    "https://www.example.com",
  ],
  default_client_scopes => ['profile','email'],
  secret                => 'supersecret',
}

Properties

The following properties are available in the keycloak_client type.

access_token_lifespan

access.token.lifespan

admin_url

adminUrl

authorization_services_enabled

Valid values: true, false

authorizationServicesEnabled

Default value: false

backchannel_logout_url

backchannel.logout.url

base_url

baseUrl

bearer_only

Valid values: true, false

bearerOnly

Default value: false

browser_flow

authenticationFlowBindingOverrides.browser (Use flow alias, not ID)

Default value: absent

client_authenticator_type

clientAuthenticatorType

Default value: client-secret

default_client_scopes

defaultClientScopes

Default value: []

direct_access_grants_enabled

Valid values: true, false

directAccessGrantsEnabled

Default value: true

direct_grant_flow

authenticationFlowBindingOverrides.direct_grant (Use flow alias, not ID)

Default value: absent

enabled

Valid values: true, false

enabled

Default value: true

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

full_scope_allowed

Valid values: true, false

fullScopeAllowed

Default value: true

implicit_flow_enabled

Valid values: true, false

implicitFlowEnabled

Default value: false

login_theme

login_theme

Default value: absent

optional_client_scopes

optionalClientScopes

Default value: []

protocol

Valid values: openid-connect, saml

protocol

Default value: openid-connect

public_client

Valid values: true, false

publicClient

Default value: false

redirect_uris

redirectUris

Default value: []

roles

roles

Default value: []

root_url

rootUrl

saml_artifact_binding_url

saml_artifact_binding_url

saml_assertion_consumer_url_post

saml_assertion_consumer_url_post

saml_assertion_signature

saml.assertion.signature

saml_encrypt

saml.encrypt

saml_encryption_certificate

saml.encryption.certificate

saml_name_id_format

saml_name_id_format

saml_signing_certificate

saml.signing.certificate

saml_signing_private_key

saml.signing.private.key

saml_single_logout_service_url_redirect

saml_single_logout_service_url_redirect

secret

secret

service_accounts_enabled

Valid values: true, false

serviceAccountsEnabled

Default value: false

standard_flow_enabled

Valid values: true, false

standardFlowEnabled

Default value: true

web_origins

webOrigins

Default value: []

Parameters

The following parameters are available in the keycloak_client type.

client_id

clientId. Defaults to name.

id

Id. Defaults to client_id

name

namevar

The client name

provider

The specific backend to use for this keycloak_client resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm

realm

keycloak_client_protocol_mapper

Manage Keycloak protocol mappers

Examples

Add email protocol mapper to test.example.com client in realm test
keycloak_client_protocol_mapper { "email for test.example.com on test":
  claim_name     => 'email',
  user_attribute => 'email',
}

Properties

The following properties are available in the keycloak_client_protocol_mapper type.

access_token_claim

Valid values: true, false

access.token.claim. Default to true for protocol openid-connect.

attribute_name

attribute.name. Default to resource_name for type saml-user-property-mapper.

attribute_nameformat

attribute.nameformat

claim_name

claim.name

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

friendly_name

friendly.name. Default to resource_name for type saml-user-property-mapper.

full_path

Valid values: true, false

full.path. Default to false for type oidc-group-membership-mapper.

id_token_claim

Valid values: true, false

id.token.claim. Default to true for protocol openid-connect.

included_client_audience

included.client.audience. Required for type of oidc-audience-mapper.

json_type_label

json.type.label. Default to String for type oidc-usermodel-property-mapper and oidc-group-membership-mapper.

protocol

Valid values: openid-connect, saml

protocol

Default value: openid-connect

script

Script, only valid for type of saml-javascript-mapper.

Array values will be joined with newlines. Strings will be kept unchanged.

single

Valid values: true, false

single. Default to false for type saml-role-list-mapper.

user_attribute

user.attribute. Default to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper

userinfo_token_claim

Valid values: true, false

userinfo.token.claim. Default to true for protocol openid-connect except type of oidc-audience-mapper.

Parameters

The following parameters are available in the keycloak_client_protocol_mapper type.

client

client

id

Id.

name

namevar

The protocol mapper name

provider

The specific backend to use for this keycloak_client_protocol_mapper resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm

realm

resource_name

The protocol mapper name. Defaults to name.

type

Valid values: oidc-usermodel-client-role-mapper, oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper

protocolMapper.

Default is oidc-usermodel-property-mapper for protocol openid-connect and saml-user-property-mapper for protocol saml.

keycloak_client_scope

Manage Keycloak client scopes

Examples

Define a OpenID Connect client scope in the test realm
keycloak_client_scope { 'email on test':
  protocol => 'openid-connect',
}

Properties

The following properties are available in the keycloak_client_scope type.

consent_screen_text

consent.screen.text

display_on_consent_screen

Valid values: true, false

display.on.consent.screen

Default value: true

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

protocol

Valid values: openid-connect, saml

protocol

Default value: openid-connect

Parameters

The following parameters are available in the keycloak_client_scope type.

id

Id. Defaults to resource_name.

name

namevar

The client scope name

provider

The specific backend to use for this keycloak_client_scope resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm

realm

resource_name

The client scope name. Defaults to name.

keycloak_conn_validator

Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring.

Properties

The following properties are available in the keycloak_conn_validator type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the keycloak_conn_validator type.

keycloak_port

The port that the keycloak server should be listening on.

Default value: 8080

keycloak_server

The DNS name or IP address of the server where keycloak should be running.

Default value: localhost

name

namevar

An arbitrary name used as the identity of the resource.

provider

The specific backend to use for this keycloak_conn_validator resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

test_url

URL to use for testing if the Keycloak database is up

Default value: /auth/admin/serverinfo

timeout

The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.

Default value: 30

use_ssl

Whether the connection will be attempted using https

Default value: false

keycloak_flow

Manage a Keycloak flow. Autorequires:

  • keycloak_realm defined for realm parameter
  • keycloak_flow of flow_alias if top_level=false
  • keycloak_flow of flow_alias if other index is lower and if top_level=false
  • keycloak_flow_execution if flow_alias is the same and other index is lower and if top_level=false

Examples

Add custom flow
keycloak_flow { 'browser-with-duo':
  ensure => 'present',
  realm  => 'test',
}
Add a flow execution to existing browser-with-duo flow
keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
  ensure      => 'present',
  index       => 2,
  requirement => 'ALTERNATIVE',
  top_level   => false,
}

Properties

The following properties are available in the keycloak_flow type.

description

description

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

index

execution index, only applied to top_level=false, required for top_level=false

requirement

Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional

requirement, only applied to top_level=false and defaults to DISABLED

Parameters

The following parameters are available in the keycloak_flow type.

alias

Alias. Default to name.

flow_alias

flowAlias, required for top_level=false

id

Id. Default to $alias-$realm when top_level is true. Only applies to top_level=true

name

namevar

The flow name

provider

The specific backend to use for this keycloak_flow resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

provider_id

Valid values: basic-flow, form-flow

providerId

Default value: basic-flow

realm

realm

top_level

Valid values: true, false

topLevel

Default value: true

type

sub-flow execution provider, default to registration-page-form for top_level=false and does not apply to top_level=true

keycloak_flow_execution

Manage a Keycloak flow execution. Autorequires:

  • keycloak_realm defined for realm parameter
  • keycloak_flow of value defined for flow_alias
  • keycloak_flow if they share same flow_alias value and the other resource index is lower
  • keycloak_flow_execution if flow_alias is the same and other index is lower

Examples

Add an execution to a flow
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
  ensure       => 'present',
  configurable => false,
  display_name => 'Cookie',
  index        => 0,
  requirement  => 'ALTERNATIVE',
}
Add an execution to a execution flow that is one level deeper than top level
keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
  ensure       => 'present',
  configurable => false,
  display_name => 'Username Password Form',
  index        => 0,
  requirement  => 'REQUIRED',
}
Add an execution with a configuration
keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test':
  ensure       => 'present',
  configurable => true,
  display_name => 'Duo MFA',
  alias        => 'Duo',
  config       => {
    "duomfa.akey"    => "foo-akey",
    "duomfa.apihost" => "api-foo.duosecurity.com",
    "duomfa.skey"    => "secret",
    "duomfa.ikey"    => "foo-ikey",
    "duomfa.groups"  => "duo"
  },
  requirement  => 'REQUIRED',
  index        => 1,
}

Properties

The following properties are available in the keycloak_flow_execution type.

config

execution config

configurable

Valid values: true, false

configurable

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

index

execution index

requirement

Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional

requirement

Default value: DISABLED

Parameters

The following parameters are available in the keycloak_flow_execution type.

alias

alias

config_id

read-only config ID

display_name

displayName

flow_alias

flowAlias

id

read-only Id

name

namevar

The flow execution name

provider

The specific backend to use for this keycloak_flow_execution resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

provider_id

provider

realm

realm

keycloak_identity_provider

Manage Keycloak identity providers

Examples

Add CILogon identity provider to test realm
keycloak_identity_provider { 'cilogon on test':
  ensure                         => 'present',
  display_name                   => 'CILogon',
  provider_id                    => 'oidc',
  first_broker_login_flow_alias  => 'browser',
  client_id                      => 'cilogon:/client_id/foobar',
  client_secret                  => 'supersecret',
  user_info_url                  => 'https://cilogon.org/oauth2/userinfo',
  token_url                      => 'https://cilogon.org/oauth2/token',
  authorization_url              => 'https://cilogon.org/authorize',
}

Properties

The following properties are available in the keycloak_identity_provider type.

add_read_token_role_on_create

Valid values: true, false

addReadTokenRoleOnCreate

Default value: false

allowed_clock_skew

allowedClockSkew

authenticate_by_default

Valid values: true, false

authenticateByDefault

Default value: false

authorization_url

authorizationUrl

backchannel_supported

Valid values: true, false

backchannelSupported

Default value: false

client_auth_method

Valid values: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt

clientAuthMethod

Default value: client_secret_post

client_id

clientId

client_secret

clientSecret

default_scope

default_scope

disable_user_info

Valid values: true, false

disableUserInfo

Default value: false

display_name

displayName

enabled

Valid values: true, false

enabled

Default value: true

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

first_broker_login_flow_alias

firstBrokerLoginFlowAlias

Default value: first broker login

forward_parameters

forwardParameters

gui_order

guiOrder

hide_on_login_page

Valid values: true, false

hideOnLoginPage

Default value: false

issuer

issuer

jwks_url

jwksUrl

link_only

Valid values: true, false

linkOnly

Default value: false

login_hint

Valid values: true, false

loginHint

Default value: false

logout_url

logoutUrl

post_broker_login_flow_alias

postBrokerLoginFlowAlias

prompt

Valid values: none, consent, login, select_account

prompt

store_token

Valid values: true, false

storeToken

Default value: false

sync_mode

Valid values: IMPORT, LEGACY, FORCE

syncMode

Default value: IMPORT

token_url

tokenUrl

trust_email

Valid values: true, false

trustEmail

Default value: false

ui_locales

Valid values: true, false

uiLocales

Default value: false

update_profile_first_login_mode

Valid values: on, off

updateProfileFirstLoginMode

Default value: on

use_jwks_url

Valid values: true, false

useJwksUrl

Default value: true

user_info_url

userInfoUrl

validate_signature

Valid values: true, false

validateSignature

Default value: false

Parameters

The following parameters are available in the keycloak_identity_provider type.

alias

The identity provider name. Defaults to name.

internal_id

internalId. Defaults to "alias-realm"

name

namevar

The identity provider name

provider

The specific backend to use for this keycloak_identity_provider resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

provider_id

Valid values: oidc, keycloak-oidc

providerId

Default value: oidc

realm

realm

keycloak_ldap_mapper

Manage Keycloak LDAP attribute mappers

Examples

Add full name attribute mapping
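# Map the LDAP 'gecos' attribute to the Keycloak full name. The title presumably
# composes the mapper name, the parent keycloak_ldap_user_provider ('LDAP-test')
# and the realm ('test') — see the ldap/realm parameters below.
# The title was missing its closing quote, which made the example unparsable.
keycloak_ldap_mapper { 'full name for LDAP-test on test':
  ensure         => 'present',
  type           => 'full-name-ldap-mapper',
  ldap_attribute => 'gecos',
}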

Properties

The following properties are available in the keycloak_ldap_mapper type.

always_read_value_from_ldap

Valid values: true, false

always.read.value.from.ldap. Defaults to true if type is user-attribute-ldap-mapper.

client_id

client.id, only for type of role-ldap-mapper

drop_non_existing_groups_during_sync

Valid values: true, false

drop.non.existing.groups.during.sync, only for type of group-ldap-mapper

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

group_name_ldap_attribute

group.name.ldap.attribute, only for type of group-ldap-mapper

group_object_classes

group.object.classes, only for type of group-ldap-mapper

groups_dn

groups.dn, only for type of group-ldap-mapper

groups_ldap_filter

groups.ldap.filter, only for type of group-ldap-mapper

ignore_missing_groups

Valid values: true, false

ignore.missing.groups, only for type of group-ldap-mapper

is_mandatory_in_ldap

is.mandatory.in.ldap. Defaults to false unless type is full-name-ldap-mapper.

ldap_attribute

ldap.attribute

mapped_group_attributes

mapped.group.attributes, only for type of group-ldap-mapper

memberof_ldap_attribute

memberof.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper

membership_attribute_type

Valid values: DN, UID

membership.attribute.type, only for type of group-ldap-mapper and role-ldap-mapper

membership_ldap_attribute

membership.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper

membership_user_ldap_attribute

membership.user.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper

mode

Valid values: READ_ONLY, LDAP_ONLY

mode, only for type of group-ldap-mapper and role-ldap-mapper

preserve_group_inheritance

Valid values: true, false

preserve.group.inheritance, only for type of group-ldap-mapper

read_only

Valid values: true, false

read.only

role_name_ldap_attribute

role.name.ldap.attribute, only for type of role-ldap-mapper

role_object_classes

role.object.classes, only for type of role-ldap-mapper

roles_dn

roles.dn, only for type of role-ldap-mapper

roles_ldap_filter

roles.ldap.filter, only for type of role-ldap-mapper

use_realm_roles_mapping

Valid values: true, false

use.realm.roles.mapping, only for type of role-ldap-mapper

user_model_attribute

user.model.attribute

user_roles_retrieve_strategy

Valid values: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY, LOAD_ROLES_BY_MEMBER_ATTRIBUTE, GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY

user.roles.retrieve.strategy, only for type of group-ldap-mapper and role-ldap-mapper

write_only

Valid values: true, false

write.only. Defaults to false if type is full-name-ldap-mapper.

Parameters

The following parameters are available in the keycloak_ldap_mapper type.

id

Id.

ldap

Name of parent keycloak_ldap_user_provider resource

name

namevar

The LDAP mapper name

parent_id

parentId

provider

The specific backend to use for this keycloak_ldap_mapper resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm

realm

resource_name

The LDAP mapper name. Defaults to name

type

Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper, group-ldap-mapper, role-ldap-mapper

providerId

Default value: user-attribute-ldap-mapper

keycloak_ldap_user_provider

Manage Keycloak LDAP user providers

Examples

Add LDAP user provider to test realm
# Federate LDAP users into the 'test' realm without importing them locally.
keycloak_ldap_user_provider { 'LDAP on test':
  ensure             => 'present',
  users_dn           => 'ou=People,dc=example,dc=com',
  # Space-separated server list; ldaps:// keeps directory traffic encrypted.
  connection_url     => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
  import_enabled     => false,
  # NOTE(review): 'never' bypasses the Keycloak truststore SPI, so the LDAPS server
  # certificate is presumably validated against the JVM default truststore instead.
  # The type default is 'ldapsOnly' (see the property list); prefer it when the
  # directory's CA is configured in Keycloak's truststore — verify in Keycloak docs.
  use_truststore_spi => 'never',
  # auth_type is left at its default 'none' and no bind_dn/bind_credential is given;
  # when a bind credential is needed, source it from a secret store, not a manifest.
}

Properties

The following properties are available in the keycloak_ldap_user_provider type.

auth_type

Valid values: none, simple

authType

Default value: none

batch_size_for_sync

batchSizeForSync

Default value: 1000

bind_credential

bindCredential

bind_dn

bindDn

changed_sync_period

changedSyncPeriod

Default value: -1

connection_url

connectionUrl

custom_user_search_filter

Valid values: %r{.*}, absent

customUserSearchFilter

Default value: absent

edit_mode

Valid values: READ_ONLY, WRITABLE, UNSYNCED

editMode

Default value: READ_ONLY

enabled

Valid values: true, false

enabled

Default value: true

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

full_sync_period

fullSyncPeriod

Default value: -1

import_enabled

Valid values: true, false

importEnabled

Default value: true

priority

priority

Default value: 0

rdn_ldap_attribute

rdnLdapAttribute

Default value: uid

search_scope

Valid values: one, one_level, subtree, 1, 2

searchScope

sync_registrations

Valid values: true, false

syncRegistrations

Default value: false

trust_email

Valid values: true, false

trustEmail

Default value: false

use_kerberos_for_password_authentication

Valid values: true, false

useKerberosForPasswordAuthentication

use_truststore_spi

Valid values: always, ldapsOnly, never

useTruststoreSpi

Default value: ldapsOnly

user_object_classes

userObjectClasses

Default value: ['inetOrgPerson', 'organizationalPerson']

username_ldap_attribute

usernameLdapAttribute

Default value: uid

users_dn

usersDn

uuid_ldap_attribute

uuidLdapAttribute

Default value: entryUUID

vendor

Valid values: ad, rhds, tivoli, eDirectory, other

vendor

Default value: other

Parameters

The following parameters are available in the keycloak_ldap_user_provider type.

id

Id

name

namevar

The LDAP user provider name

provider

The specific backend to use for this keycloak_ldap_user_provider resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm

parentId

resource_name

The LDAP user provider name. Defaults to name.

keycloak_protocol_mapper

Manage Keycloak client scope protocol mappers

Examples

Add email protocol mapper to the oidc-clients client scope in realm test
# Add an 'email' claim to tokens issued through the 'oidc-clients' client scope
# in realm 'test'; the claim is presumably populated from the user attribute of
# the same name. With no type given, the default is oidc-usermodel-property-mapper
# for protocol openid-connect (see the type parameter below).
keycloak_protocol_mapper { "email for oidc-clients on test":
  claim_name     => 'email',
  user_attribute => 'email',
}

Properties

The following properties are available in the keycloak_protocol_mapper type.

access_token_claim

Valid values: true, false

access.token.claim. Default to true for protocol openid-connect.

attribute_name

attribute.name. Defaults to resource_name for type saml-user-property-mapper.

attribute_nameformat

attribute.nameformat

claim_name

claim.name

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

friendly_name

friendly.name. Default to resource_name for type saml-user-property-mapper.

full_path

Valid values: true, false

full.path. Default to false for type oidc-group-membership-mapper.

id_token_claim

Valid values: true, false

id.token.claim. Default to true for protocol openid-connect.

included_client_audience

included.client.audience. Required for type of oidc-audience-mapper.

json_type_label

json.type.label. Default to String for type oidc-usermodel-property-mapper and oidc-group-membership-mapper.

protocol

Valid values: openid-connect, saml

protocol

Default value: openid-connect

script

Script, only valid for type of saml-javascript-mapper.

Array values will be joined with newlines. Strings will be kept unchanged.

single

Valid values: true, false

single. Default to false for type saml-role-list-mapper or saml-javascript-mapper.

user_attribute

user.attribute. Defaults to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper.

userinfo_token_claim

Valid values: true, false

userinfo.token.claim. Default to true for protocol openid-connect except type of oidc-audience-mapper.

Parameters

The following parameters are available in the keycloak_protocol_mapper type.

client_scope

client scope

id

Id.

name

namevar

The protocol mapper name

provider

The specific backend to use for this keycloak_protocol_mapper resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm

realm

resource_name

The protocol mapper name. Defaults to name.

type

Valid values: oidc-usermodel-property-mapper, oidc-usermodel-attribute-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-group-membership-mapper, saml-user-property-mapper, saml-user-attribute-mapper, saml-role-list-mapper

protocolMapper.

Default is oidc-usermodel-property-mapper for protocol openid-connect and saml-user-property-mapper for protocol saml.

keycloak_realm

Manage Keycloak realms

Examples

Add a realm with a custom theme
# Create the 'test' realm with a custom login theme; login by e-mail is disabled,
# "remember me" is offered on the login page.
# Everything else keeps the type defaults listed below — notably ssl_required
# 'external', events_enabled/admin_events_enabled false (no audit events) and
# brute_force_protected unset; review those for a production realm.
keycloak_realm { 'test':
  ensure                   => 'present',
  remember_me              => true,
  login_with_email_allowed => false,
  login_theme              => 'my_theme',
}

Properties

The following properties are available in the keycloak_realm type.

access_code_lifespan

accessCodeLifespan

access_code_lifespan_login

accessCodeLifespanLogin

access_code_lifespan_user_action

accessCodeLifespanUserAction

access_token_lifespan

accessTokenLifespan

access_token_lifespan_for_implicit_flow

accessTokenLifespanForImplicitFlow

account_theme

accountTheme

Default value: keycloak

action_token_generated_by_admin_lifespan

actionTokenGeneratedByAdminLifespan

action_token_generated_by_user_lifespan

actionTokenGeneratedByUserLifespan

admin_events_details_enabled

Valid values: true, false

adminEventsDetailsEnabled

Default value: false

admin_events_enabled

Valid values: true, false

adminEventsEnabled

Default value: false

admin_theme

adminTheme

Default value: keycloak

browser_flow

browserFlow

Default value: browser

brute_force_protected

Valid values: true, false

bruteForceProtected

client_authentication_flow

clientAuthenticationFlow

Default value: clients

content_security_policy

contentSecurityPolicy

Default value: frame-src 'self'; frame-ancestors 'self'; object-src 'none';

custom_properties

custom properties to pass as realm configurations

default_client_scopes

Default Client Scopes

direct_grant_flow

directGrantFlow

Default value: direct grant

display_name

displayName

display_name_html

displayNameHtml

docker_authentication_flow

dockerAuthenticationFlow

Default value: docker auth

edit_username_allowed

Valid values: true, false

editUsernameAllowed

Default value: false

email_theme

emailTheme

Default value: keycloak

enabled

Valid values: true, false

enabled

Default value: true

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

events_enabled

Valid values: true, false

eventsEnabled

Default value: false

events_expiration

eventsExpiration

events_listeners

eventsListeners

Default value: ['jboss-logging']

internationalization_enabled

Valid values: true, false

internationalizationEnabled

Default value: false

login_theme

loginTheme

Default value: keycloak

login_with_email_allowed

Valid values: true, false

loginWithEmailAllowed

Default value: true

offline_session_idle_timeout

offlineSessionIdleTimeout

offline_session_max_lifespan

offlineSessionMaxLifespan

offline_session_max_lifespan_enabled

Valid values: true, false

offlineSessionMaxLifespanEnabled

Default value: false

optional_client_scopes

Optional Client Scopes

registration_allowed

Valid values: true, false

registrationAllowed

Default value: false

registration_flow

registrationFlow

Default value: registration

remember_me

Valid values: true, false

rememberMe

Default value: false

reset_credentials_flow

resetCredentialsFlow

Default value: reset credentials

reset_password_allowed

Valid values: true, false

resetPasswordAllowed

Default value: false

roles

roles

Default value: ['offline_access', 'uma_authorization']

smtp_server_auth

Valid values: true, false

smtpServer auth

smtp_server_envelope_from

smtpServer envelope_from

smtp_server_from

smtpServer from

smtp_server_from_display_name

smtpServer fromDisplayName

smtp_server_host

smtpServer host

smtp_server_password

smtpServer password

smtp_server_port

smtpServer port

smtp_server_reply_to

smtpServer replyto

smtp_server_reply_to_display_name

smtpServer replyToDisplayName

smtp_server_ssl

Valid values: true, false

smtpServer ssl

smtp_server_starttls

Valid values: true, false

smtpServer starttls

smtp_server_user

smtpServer user

ssl_required

Valid values: none, all, external

sslRequired

Default value: external

sso_session_idle_timeout

ssoSessionIdleTimeout

sso_session_idle_timeout_remember_me

ssoSessionIdleTimeoutRememberMe

sso_session_max_lifespan

ssoSessionMaxLifespan

sso_session_max_lifespan_remember_me

ssoSessionMaxLifespanRememberMe

supported_locales

Supported Locales

user_managed_access_allowed

Valid values: true, false

userManagedAccessAllowed

Default value: false

verify_email

Valid values: true, false

verifyEmail

Default value: false

Parameters

The following parameters are available in the keycloak_realm type.

id

Id. Default to name.

manage_roles

Valid values: true, false

Manage realm roles

Default value: true

name

namevar

The realm name

provider

The specific backend to use for this keycloak_realm resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

keycloak_required_action

Manage Keycloak required actions

Examples

Enable Webauthn Register and make it default
# Register the WebAuthn required action in realm 'master', enable it and mark it
# as a default action. `default` and `enabled` are separate properties (see below):
# an action can be enabled without being default, as the next example shows.
keycloak_required_action { 'webauthn-register on master':
  ensure => present,
  provider_id => 'webauthn-register',
  display_name => 'Webauthn Register',
  default => true,
  enabled => true,
  priority => 1,
  # config is an arbitrary key/value map passed through to the required action.
  config => {
    'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values
    'smth else' => '1',
  },
  # alias defaults to provider_id when omitted (see the alias property).
  alias => 'webauthn',
}

Minimal example to enable email verification without making it default
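# Enable the built-in VERIFY_EMAIL required action in realm 'master' without
# making it a default action (default keeps its type default of false).
# provider_id previously repeated 'webauthn-register' from the example above,
# which contradicted the title and would have enabled the wrong action.
keycloak_required_action { 'VERIFY_EMAIL on master':
  ensure      => present,
  provider_id => 'VERIFY_EMAIL',
}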

Properties

The following properties are available in the keycloak_required_action type.

alias

Alias. Default to provider_id.

config

Required action config

default

Valid values: true, false

If the required action is a default one. Default to false

Default value: false

display_name

Displayed name. Default to provider_id

enabled

Valid values: true, false

If the required action is enabled. Default to true.

Default value: true

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

priority

Required action priority

Parameters

The following parameters are available in the keycloak_required_action type.

name

namevar

The required action name

provider

The specific backend to use for this keycloak_required_action resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

provider_id

providerId of the required action

realm

realm

keycloak_resource_validator

Verify that a specific Keycloak resource is available

Properties

The following properties are available in the keycloak_resource_validator type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the keycloak_resource_validator type.

dependent_resources

Resources that should autorequire this validator, e.g. Keycloak_flow_execution[foobar]

name

namevar

An arbitrary name used as the identity of the resource.

provider

The specific backend to use for this keycloak_resource_validator resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm

Realm to query

test_key

Key to lookup

test_url

URL to use for testing if the Keycloak database is up

test_value

Value to lookup

timeout

The maximum number of seconds that the validator should wait before giving up and deciding that Keycloak is not running; defaults to 30 seconds (see the default value below).

Default value: 30

keycloak_role_mapping

Attach realm roles to users and groups

Examples

Ensure that a user has the defined realm roles
# Grant the realm role 'offline_access' to user 'john' in realm 'test'.
# group is left at its default (false), so 'john' is treated as a user; set
# group => true to target a group of that name instead (see the group parameter).
# realm_roles is the managed list; its default is [] (no roles).
keycloak_role_mapping { 'john-offline_access':
  realm       => 'test',
  name        => 'john',
  realm_roles => ['offline_access'],
}

Properties

The following properties are available in the keycloak_role_mapping type.

realm_roles

realm roles

Default value: []

Parameters

The following parameters are available in the keycloak_role_mapping type.

group

Valid values: true, false

is this a group instead of a user

Default value: false

name

namevar

--uusername/--gname

provider

The specific backend to use for this keycloak_role_mapping resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm

realm

keycloak_sssd_user_provider

Manage Keycloak SSSD user providers

Examples

Add SSSD user provider to test realm
# Attach an SSSD user provider to the 'test' realm, leaving every property at its
# type default (cache_policy DEFAULT, enabled true, priority 0 per the list below).
keycloak_sssd_user_provider { 'SSSD on test':
  ensure => 'present',
}

Properties

The following properties are available in the keycloak_sssd_user_provider type.

cache_policy

Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE

cachePolicy

Default value: DEFAULT

enabled

Valid values: true, false

enabled

Default value: true

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

eviction_day

evictionDay

eviction_hour

evictionHour

eviction_minute

evictionMinute

max_lifespan

maxLifespan

priority

priority

Default value: 0

Parameters

The following parameters are available in the keycloak_sssd_user_provider type.

id

Id. Defaults to "resource_name-realm"

name

namevar

The SSSD user provider name

provider

The specific backend to use for this keycloak_sssd_user_provider resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm

parentId

resource_name

The SSSD user provider name. Defaults to name.

Data types

Keycloak::Configs

https://www.keycloak.org/server/all-config

Alias of

Struct[{
    # Keycloak server configuration options; keys follow the names documented at
    # the URL above. All keys are optional.
    Optional['cache'] => Enum['local', 'ispn'],
    Optional['cache-config-file'] => Stdlib::Absolutepath,
    Optional['cache-stack'] => Enum['tcp','udp','kubernetes','ec2','azure','google'],
    Optional['db'] => Enum['dev-file','dev-mem','mariadb','mysql','oracle','postgres'],
    # Secret value: source it from Hiera/eyaml or a secret backend rather than a
    # literal in a manifest; presumably ends up in the rendered server config.
    Optional['db-password'] => String[1],
    Optional['db-pool-initial-size'] => Integer,
    Optional['db-pool-max-size'] => Integer,
    Optional['db-pool-min-size'] => Integer,
    Optional['db-schema'] => String[1],
    Optional['db-url'] => String[1],
    Optional['db-url-database'] => String[1],
    Optional['db-url-host'] => Stdlib::Host,
    Optional['db-url-port'] => Stdlib::Port,
    Optional['db-url-properties'] => String[1],
    Optional['db-username'] => String[1],
    Optional['transaction-xa-enabled'] => Boolean,
    Optional['features'] => Array[String[1]],
    Optional['features-disabled'] => Array[String[1]],
    Optional['hostname'] => Stdlib::Host,
    Optional['hostname-path'] => String[1],
    Optional['hostname-port'] => Stdlib::Port,
    Optional['hostname-strict'] => Boolean,
    Optional['hostname-strict-backchannel'] => Boolean,
    Optional['hostname-strict-https'] => Boolean,
    # NOTE(review): enabling plain HTTP is only appropriate behind a TLS-terminating
    # proxy (see 'proxy' below) — confirm against the Keycloak server docs.
    Optional['http-enabled'] => Boolean,
    Optional['http-host'] => Stdlib::Host,
    Optional['http-port'] => Stdlib::Port,
    Optional['http-relative-path'] => String[1],
    Optional['https-certificate-file'] => Stdlib::Absolutepath,
    Optional['https-certificate-key-file'] => Stdlib::Absolutepath,
    Optional['https-cipher-suites'] => Array[String[1]],
    Optional['https-client-auth'] => Enum['none','request','required'],
    Optional['https-key-store-file'] => Stdlib::Absolutepath,
    # Secret value: same handling as 'db-password'.
    Optional['https-key-store-password'] => String[1],
    Optional['https-key-store-type'] => String[1],
    Optional['https-port'] => Stdlib::Port,
    Optional['https-protocols'] => Array[String[1]],
    Optional['https-trust-store-file'] => Stdlib::Absolutepath,
    # Secret value: same handling as 'db-password'.
    Optional['https-trust-store-password'] => String[1],
    Optional['https-trust-store-type'] => String[1],
    Optional['health-enabled'] => Boolean,
    Optional['metrics-enabled'] => Boolean,
    Optional['proxy'] => Enum['edge','reencrypt','passthrough','none'],
    Optional['vault'] => Enum['vault','vault-dir'],
    Optional['log'] => Array[Enum['console','file']],
    Optional['log-console-color'] => Boolean,
    Optional['log-console-format'] => String[1],
    Optional['log-console-output'] => Enum['default','json'],
    Optional['log-file'] => Stdlib::Absolutepath,
    Optional['log-file-format'] => String[1],
    Optional['log-level'] => String[1],
  }]