// the find
adorsys/keycloak-config-cli
Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
keycloak-config-cli lets you manage Keycloak realm configuration as versioned YAML/JSON files and apply them idempotently via the Admin REST API. It's a CI/CD init container or job — run it before your app starts, and Keycloak matches your declared state. Aimed at teams who want GitOps for their IAM layer without clicking through the admin console.
The idempotent apply model with remote state tracking means re-running the same config is safe, and it only touches resources it manages — not the whole realm. Variable substitution covers the common env-per-environment cases without requiring a separate templating layer. The baseline snapshot system per Keycloak version handles the 'what's a default and what did I set' problem, which is genuinely hard with Keycloak exports. TestContainers-based integration tests against a real Keycloak instance rather than mocks, so what passes in CI actually reflects production behavior.
It supports only the latest 4 Keycloak releases, which sounds reasonable until you're on a regulated system where upgrades take quarters — you're either keeping pace with Keycloak's release cadence or you're on your own. The config file format is based on Keycloak's own export format, which is notoriously noisy and unstable across versions; small Keycloak upgrades have historically broken existing config files in non-obvious ways. The JavaScript evaluation feature in variable substitution is an odd choice — running arbitrary JS in a Java process via Nashorn/GraalJS just to compute string values is a complexity hazard that will surprise whoever inherits the config. No drift detection: if someone modifies Keycloak via the admin console out of band, you won't know until the next apply run potentially overwrites it.