Code cleanups (#1050)
- Avoid usage of deprecated Go APIs
- Fix broken links
- Fix linter issues (docker compose, editor config)
- Fix typos

Fixes #1049
thomasdarimont authored Jan 3, 2025
1 parent 2085e23 commit 46f35f6
Showing 45 changed files with 80 additions and 79 deletions.
2 changes: 1 addition & 1 deletion .editorconfig
Expand Up @@ -9,6 +9,6 @@ charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true

[{*.yml, *.tf}]
[{*.yml,*.tf}]
indent_style = space
indent_size = 2
2 changes: 1 addition & 1 deletion .goreleaser.yml
Expand Up @@ -47,7 +47,7 @@ signs:
- artifacts: checksum
args:
# if you are using this is a GitHub action or some other automated pipeline, you
# need to pass the batch flag to indicate its not interactive.
# need to pass the batch flag to indicate it's not interactive.
- "--batch"
- "--local-user"
- "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key
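Review bot: The comment two lines above `- "--batch"` still reads "if you are using this is a GitHub action"; "is" should be "in". The hunk already corrects "its" to "it's" on the next comment line, so fix both in the same pass so the guidance on non-interactive signing reads cleanly.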
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -76,7 +76,7 @@ build you can use the `linux_amd64` build as long as `libc6-compat` is installed
## Development

This project requires Go 1.22 and Terraform 1.4.1.
This project uses [Go Modules](https://github.com/golang/go/wiki/Modules) for dependency management, which allows this project to exist outside of an existing GOPATH.
This project uses [Go Modules](https://github.com/golang/go/wiki/Modules) for dependency management, which allows this project to exist outside an existing GOPATH.

After cloning the repository, you can build the project by running `make build`.

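Review bot: The link on the changed line still targets `https://github.com/golang/go/wiki/Modules`. The commit message lists "Fix broken links", so confirm this one still resolves while the line is being touched, and update it in this commit if it does not.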
2 changes: 1 addition & 1 deletion docker-compose.yml
Expand Up @@ -37,7 +37,7 @@ services:
# Enable for remote java debugging
# - PREPEND_JAVA_OPTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787
ports:
- 8080:8080
- "8080:8080"
# Enable for remote java debugging
# - 8787:8787
volumes:
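Review bot: The commented-out `# - 8787:8787` entry under `ports:` is still unquoted, so the linter finding fixed for `"8080:8080"` comes back as soon as someone uncomments it; quote it as well. Because the JDWP option above listens on `address=*:8787`, consider writing the commented entry as `"127.0.0.1:8787:8787"` so that enabling remote debugging does not publish the debug port on every host interface.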
12 changes: 7 additions & 5 deletions docs/data-sources/client_description_converter.md
Expand Up @@ -62,9 +62,11 @@ resource "keycloak_saml_client" "saml_client" {
## Attributes Reference

The exported attributes for this data source are a combination of the attributes for the [`keycloak_openid_client`][2]
and [`keycloak_saml_client`][3] resources. You can also refer to the [ClientRepresentation][4] Javadocs for more details.
and [`keycloak_saml_client`][3] resources. You can also refer to the [ClientRepresentation Javadocs][4] or [API docs][5] for more details.

[1]: https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/exportimport/ClientDescriptionConverter.html
[2]: https://registry.terraform.io/providers/keycloak/keycloak/latest/docs/resources/openid_client
[3]: https://registry.terraform.io/providers/keycloak/keycloak/latest/docs/resources/saml_client
[4]: https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/representations/idm/ClientRepresentation.html
[5]: https://www.keycloak.org/docs-api/latest/rest-api/index.html#ClientRepresentation

[1]: https://www.keycloak.org/docs-api/6.0/javadocs/org/keycloak/exportimport/ClientDescriptionConverter.html
[2]: providers/keycloak/keycloak/latest/docs/resources/openid_client
[3]: providers/keycloak/keycloak/latest/docs/resources/saml_client
[4]: https://www.keycloak.org/docs-api/6.0/javadocs/org/keycloak/representations/idm/ClientRepresentation.html
2 changes: 1 addition & 1 deletion docs/data-sources/openid_client_service_account_user.md
Expand Up @@ -59,6 +59,6 @@ resource "keycloak_user_roles" "service_account_user_roles" {
`email` - (Computed) The service account user's email.
`first_name` - (Computed) The service account user's first name.
`last_name` - (Computed) The service account user's last name.
`enabled` - (Computed) Whether or not the service account user is enabled.
`enabled` - (Computed) Whether the service account user is enabled.
`attributes` - (Computed) The service account user's attributes.
`federated_identity` - (Computed) This attribute exists in order to adhere to the spec of a Keycloak user, but a service account user will never have a federated identity, so this will always be `null`.
2 changes: 1 addition & 1 deletion docs/data-sources/user.md
Expand Up @@ -41,4 +41,4 @@ output "keycloak_user_id" {
- `federated_identity` - (Computed) The user's federated identities, if applicable. This block has the following schema:
- `identity_provider` - (Computed) The name of the identity provider
- `user_id` - (Computed) The ID of the user defined in the identity provider
- `user_name` - (Computed) The user name of the user defined in the identity provider
- `user_name` - (Computed) The username of the user defined in the identity provider
2 changes: 1 addition & 1 deletion docs/resources/custom_user_federation.md
Expand Up @@ -43,7 +43,7 @@ resource "keycloak_custom_user_federation" "custom_user_federation" {
- `parent_id` - (Optional) Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.
- `full_sync_period` - (Optional) How frequently Keycloak should sync all users, in seconds. Omit this property to disable periodic full sync.
- `changed_sync_period` - (Optional) How frequently Keycloak should sync changed users, in seconds. Omit this property to disable periodic changed users sync.
- `config` - (Optional) The provider configuration handed over to your custom user federation provider. In order to add multivalue settings, use `##` to seperate the values.
- `config` - (Optional) The provider configuration handed over to your custom user federation provider. In order to add multivalued settings, use `##` to separate the values.

## Import

2 changes: 1 addition & 1 deletion docs/resources/group.md
Expand Up @@ -49,7 +49,7 @@ resource "keycloak_group" "child_group_with_optional_attributes" {
- `realm_id` - (Required) The realm this group exists in.
- `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level.
- `name` - (Required) The name of the group.
- `attributes` - (Optional) A map representing attributes for the group. In order to add multivalue attributes, use `##` to seperate the values. Max length for each value is 255 chars
- `attributes` - (Optional) A map representing attributes for the group. In order to add multivalued attributes, use `##` to separate the values. Max length for each value is 255 chars

## Attributes Reference

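Review bot: The changed `attributes` line ends without a full stop and abbreviates "chars", unlike the other arguments in this list. Suggest ending it with "The maximum length of each value is 255 characters."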
2 changes: 1 addition & 1 deletion docs/resources/group_memberships.md
Expand Up @@ -59,4 +59,4 @@ resource "keycloak_group_memberships" "group_members" {
This resource does not support import. Instead of importing, feel free to create this resource
as if it did not already exist on the server.

[1]: providers/keycloak/keycloak/latest/docs/resources/group_memberships
[1]: https://registry.terraform.io/providers/keycloak/keycloak/latest/docs/resources/group_memberships
Expand Up @@ -18,7 +18,7 @@ When enabling Identity Provider Permissions, Keycloak does several things automa
The only thing that is missing is a policy set on the permission.
As the policy lives within the context of the realm-management client, you cannot create a policy resource and link to from with your _.tf_ file. This would also cause an implicit cycle dependency.
Thus, the only way to manage this in terraform is to create and manage the policy internally from within this terraform resource itself.
At the moment only a client policy type is supported. The client policy will automatically be created for the clients parameter.
At the moment only a client policy type is supported. The client policy will automatically be created for the `clients` parameter.

## Example Usage

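Review bot: The unchanged sentence two lines above the edited one still reads "you cannot create a policy resource and link to from with your _.tf_ file", which looks like it should be "link to it from within your _.tf_ file". The following sentence also writes "terraform" in lower case twice; both fit the typo scope of this commit.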
2 changes: 1 addition & 1 deletion docs/resources/ldap_group_mapper.md
Expand Up @@ -65,7 +65,7 @@ resource "keycloak_ldap_group_mapper" "ldap_group_mapper" {
- `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings.
- `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`.
- `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings.
- `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
- `groups_ldap_filter` - (Optional) When specified, adds a custom filter to be used when querying for groups. Must start with `(` and end with `)`.
- `mode` - (Optional) Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`.
- `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
- `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
2 changes: 1 addition & 1 deletion docs/resources/ldap_role_mapper.md
Expand Up @@ -63,7 +63,7 @@ resource "keycloak_ldap_role_mapper" "ldap_role_mapper" {
- `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings.
- `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`.
- `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings.
- `roles_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for roles. Must start with `(` and end with `)`.
- `roles_ldap_filter` - (Optional) When specified, adds a custom filter to be used when querying for roles. Must start with `(` and end with `)`.
- `mode` - (Optional) Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`.
- `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_ROLES_BY_MEMBER_ATTRIBUTE`, `GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_ROLES_BY_MEMBER_ATTRIBUTE`.
- `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the roles the user has. Defaults to `memberOf`. This is only used when
4 changes: 2 additions & 2 deletions docs/resources/oidc_google_identity_provider.md
Expand Up @@ -38,7 +38,7 @@ resource "keycloak_oidc_google_identity_provider" "google" {
- `enabled` - (Optional) When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
- `store_token` - (Optional) When `true`, tokens will be stored after authenticating users. Defaults to `true`.
- `add_read_token_role_on_create` - (Optional) When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
- `link_only` - (Optional) When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
- `link_only` - (Optional) When `true`, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
- `trust_email` - (Optional) When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
- `first_broker_login_flow_alias` - (Optional) The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
- `post_broker_login_flow_alias` - (Optional) The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
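Review bot: On the changed `link_only` line, "sign-in" is used as a verb; the hyphenated form is the noun, and the neighbouring `enabled` and `first_broker_login_flow_alias` lines say "log in". Suggest "users cannot log in using this provider" (or "sign in") so the argument list stays consistent.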
Expand Down Expand Up @@ -68,4 +68,4 @@ Example:

```bash
$ terraform import keycloak_oidc_google_identity_provider.google.google_identity_provider my-realm/my-google-idp
```
```
6 changes: 3 additions & 3 deletions docs/resources/oidc_identity_provider.md
Expand Up @@ -33,7 +33,7 @@ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
## Argument Reference

- `realm` - (Required) The name of the realm. This is unique across Keycloak.
- `alias` - (Required) The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- `alias` - (Required) The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
- `authorization_url` - (Required) The Authorization Url.
- `client_id` - (Required) The client or client identifier registered within the identity provider.
- `client_secret` - (Required) The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
Expand All @@ -42,7 +42,7 @@ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
- `enabled` - (Optional) When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
- `store_token` - (Optional) When `true`, tokens will be stored after authenticating users. Defaults to `true`.
- `add_read_token_role_on_create` - (Optional) When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
- `link_only` - (Optional) When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
- `link_only` - (Optional) When `true`, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
- `trust_email` - (Optional) When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
- `first_broker_login_flow_alias` - (Optional) The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
- `post_broker_login_flow_alias` - (Optional) The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
Expand All @@ -54,7 +54,7 @@ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
- `issuer` - (Optional) The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- `disable_user_info` - (Optional) When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
- `hide_on_login_page` - (Optional) When `true`, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to `false`.
- `logout_url` - (Optional) The Logout URL is the end session endpoint to use to logout user from external identity provider.
- `logout_url` - (Optional) The Logout URL is the end session endpoint to use to sign-out the user from external identity provider.
- `login_hint` - (Optional) Pass login hint to identity provider.
- `ui_locales` - (Optional) Pass current locale to identity provider. Defaults to `false`.
- `accepts_prompt_none_forward_from_client` (Optional) When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
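Review bot: The new `logout_url` text "to sign-out the user from external identity provider" uses the hyphenated noun as a verb and drops an article; "to sign out the user from the external identity provider" reads correctly. In the same hunk, the `accepts_prompt_none_forward_from_client` line is missing the " - " separator before "(Optional)" that every other argument has.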
2 changes: 1 addition & 1 deletion docs/resources/openid_audience_protocol_mapper.md
Expand Up @@ -6,7 +6,7 @@ page_title: "keycloak_openid_audience_protocol_mapper Resource"

Allows for creating and managing audience protocol mappers within Keycloak.

Audience protocol mappers allow you add audiences to the `aud` claim within issued tokens. The audience can be a custom
Audience protocol mappers allow you to add audiences to the `aud` claim within issued tokens. The audience can be a custom
string, or it can be mapped to the ID of a pre-existing client.

## Example Usage (Client)
2 changes: 1 addition & 1 deletion docs/resources/openid_client.md
Expand Up @@ -68,7 +68,7 @@ resource "keycloak_openid_client" "openid_client" {
wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`
is set to `true`.
- `valid_post_logout_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful logout.
- `web_origins` - (Optional) A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`."
- `web_origins` - (Optional) A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`.
- `root_url` - (Optional) When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.
- `admin_url` - (Optional) URL to the admin interface of the client.
- `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client.
2 changes: 1 addition & 1 deletion docs/resources/openid_user_property_protocol_mapper.md
Expand Up @@ -70,7 +70,7 @@ resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper"

- `realm_id` - (Required) The realm this protocol mapper exists within.
- `name` - (Required) The display name of this protocol mapper in the GUI.
- `user_property` - (Required) The built in user property (such as email) to map a claim for.
- `user_property` - (Required) The built-in user property (such as email) to map a claim for.
- `claim_name` - (Required) The name of the claim to insert into a token.
- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.
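Review bot: The last line of this hunk describes `client_scope_id` twice, once as "(Optional)" and once as "(Required if client_id is not specified)". Drop the second description so the argument has a single definition, as `client_id` does on the line above.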
2 changes: 1 addition & 1 deletion docs/resources/openid_user_session_note_protocol_mapper.md
Expand Up @@ -75,7 +75,7 @@ resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_
- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
- `session_note` - (Optional) String value being the name of stored user session note within the UserSessionModel.note map.
- `session_note` - (Optional) String value being the name of stored user session note within the `UserSessionModel.note` map.
- `session_note_label` - (Optional) **Deprecated** Use `session_note` instead.
- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.
- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.