The official Skycloak Terraform provider provisions your entire managed Keycloak from one API key: the cluster, the platform around it (WAF, SIEM, custom domains, branding), and a bootstrapped realm with users, roles, and identity providers. Go from an empty file to a running, secured, branded instance in a single terraform apply.
# Auth reads the SKYCLOAK_API_KEY env var (sk_sc_...)
provider "skycloak" {}
# 1. Provision a managed Keycloak cluster
resource "skycloak_cluster" "prod" {
name = "production"
type = "keycloak"
size = "small"
version = "26.6.3"
location = "us"
}
# 2. Create a realm on it
resource "skycloak_realm" "app" {
cluster_id = skycloak_cluster.prod.id
name = "app"
display_name = "Application Realm"
enabled = true
}
# 3. Add Google sign-in
resource "skycloak_identity_provider" "google" {
cluster_id = skycloak_cluster.prod.id
realm_name = skycloak_realm.app.name
provider_id = "google"
type = "oidc"
client_id = var.google_client_id
client_secret = var.google_client_secret
}
# 4. Brand the login page and switch on the WAF
resource "skycloak_login_branding" "app" {
cluster_id = skycloak_cluster.prod.id
realm_name = skycloak_realm.app.name
primary_color = "#3b82f6"
logo_url = "https://myapp.com/logo.svg"
}
resource "skycloak_cluster_security" "prod" {
cluster_id = skycloak_cluster.prod.id
waf = {
enabled = true
mode = "block"
preset = "owasp_top_10"
}
}
The community provider configures a Keycloak you already run. This one provisions it, secures it, and bootstraps the realm, in a single file.
The infrastructure the admin API cannot touch.
Clusters, custom domains & routes, cluster security (WAF, IP access control, rate limiting, geo & bot rules), maintenance windows, extensions, SIEM destinations, webhooks, exports.
The building blocks inside a realm.
Realms, users, realm roles, groups & memberships, role assignments, applications (clients) & secrets, identity providers, SMTP. Deep realm config (auth flows, protocol mappers, client scopes) pairs with the community provider.
A login page that looks like yours.
Login branding, email branding, custom themes, theme assignments (per realm and per client), CAPTCHA domains.
The community provider is excellent at what it does: configuring a Keycloak you already run. It authenticates against a Keycloak admin API, so it can never provision the instance or the platform around it. This can.
| Community Keycloak provider Config on a Keycloak you run | Skycloak provider Provision + config, one API key | |
|---|---|---|
| Create realms, users, roles, groups | ||
| Basic clients, identity providers, SMTP | ||
| Deep realm config: auth flows, protocol mappers, client scopes, policies | ||
| Provision the Keycloak cluster itself | ||
| Custom domains & routing | ||
| WAF, IP access control, rate limiting | ||
| SIEM streaming & webhooks | ||
| Login & email branding, custom themes | ||
| Extensions & maintenance windows | ||
| Servers you run and patch | All of them | None |
| Authentication | Admin service account | One Skycloak API key |
Create a scoped sk_sc_ API key in the Skycloak dashboard and export it as SKYCLOAK_API_KEY.
Add the sky-cloak/skycloak provider to your config and pin a version.
terraform applyPlan, review, apply. Your cluster, realm, and branding come up together, versioned and reviewable.
terraform {
required_providers {
skycloak = {
source = "sky-cloak/skycloak"
version = "~> 0.3"
}
}
}
keycloak/keycloak provider configures a Keycloak that you host and run: it talks to the admin REST API to manage realms, clients, users, and deep settings like authentication flows and protocol mappers. The Skycloak provider talks to the Skycloak API, so it provisions the managed cluster itself and manages the platform layer the admin API cannot reach (custom domains, WAF, IP rules, SIEM, extensions, maintenance windows, branding), plus the basic realm setup (realms, users, roles, groups, basic clients, identity providers, SMTP), from one API key. For deep realm configuration you pair it with the community provider.keycloak/keycloak provider.keycloak/keycloak provider pointed at your cluster URL, in the same project. See the guide on using both providers together.sk_sc_...) in the dashboard and expose it as the SKYCLOAK_API_KEY environment variable. The provider reads it automatically.required_providers block so a new release never changes resources under you, and review the changelog before you upgrade.Grab the provider from the registry, or start a free trial and mint your first API key. Unlimited users on every plan, real upstream Keycloak, no lock-in.