A shell script tool to export, import, list, describe, and prune ForgeRock Identity Cloud and ForgeRock Access Management journeys/trees.
A shell script to export authentication journeys/trees from any realm to standard output or a file and import into any realm from standard input or a file. The tool includes scripts referenced by scripted decision nodes and when used with Identity Cloud or ForgeOps, the tool also includes Email Templates referenced by the Email Template or Email Suspend nodes. Requires curl, jq, and uuidgen to be installed and available.
% ./amtree.sh ( -e | -E | -i | -I | -l | -d | -P ) [options]

Export, import, list, describe, and prune authentication journeys/trees in the
ForgeRock Identity Platform. The utility supports Identity Cloud, ForgeOps
(CDM/CDK) deployments, and classic deployments.

Actions/tasks (must specify only one):
    -e          Export an authentication journey/tree.
    -E          Export all the journeys/trees in a realm.
    -S          Export all the journeys/trees in a realm as separate files of the
                format <journey/tree name>.json.
    -s          Import all the journeys/trees in the current directory (*.json).
    -i          Import an authentication journey/tree.
    -I          Import all the journeys/trees in a realm.
    -d          If -h is supplied, describe the journey/tree indicated by -t, or
                all journeys/trees in the realm if no -t is supplied; otherwise
                describe the journey/tree export file indicated by -f.
    -D          If -h is supplied, describe all the journeys/trees in the realm;
                otherwise describe *.json files in the current directory.
    -l          List all the journeys/trees in a realm.
    -P          Prune orphaned configuration artifacts left behind after deleting
                authentication trees. You will be prompted before any irreversible
                operations are performed.
    -z          Login, print versions and tokens, then exit.

Options:
    -h url      Access Management base URL, e.g.: https://cdk.iam.example.com/am
    -u user     Username to login with. Must be an admin user with appropriate
                rights to manage authentication journeys/trees. For Identity Cloud
                use a tenant admin account if possible.
    -p passwd   Password.
    -r realm    Realm. If not specified, the root realm '/' is assumed. Specify
                realm as '/parent/child'. Note the leading '/'!
    -f file     If supplied, export/list to and import from <file> instead of
                stdout and stdin. For -S, use as file prefix.
    -t tree     Specify the name of an authentication journey/tree. Mandatory in
                combination with the following actions: -i, -e, -d.
    -o version  Override version. Notation: "X.Y.Z", e.g. "7.1.0".
                Override the detected version with any version. This is helpful in
                order to check if journeys in one environment would be compatible
                running in another environment (e.g. in preparation of migrating
                from on-prem to ForgeRock Identity Cloud). Only impacts these
                actions: -d, -l.
    -m type     Override the auto-detected deployment type. Valid values for type:
                Classic  - A classic Access Management-only deployment with custom
                           layout and configuration.
                Cloud    - A ForgeRock Identity Cloud environment.
                ForgeOps - A ForgeOps CDK or CDM deployment.
                The detected or provided deployment type controls certain behavior,
                such as whether an Identity Management admin token is obtained,
                whether referenced email templates are exported/imported, and how
                the tenant admin login flow of Identity Cloud is walked through
                while skipping MFA.
    -n          No Re-UUID, i.e., import does not generate new UUIDs for (inner)
                nodes. Used to update existing trees/nodes instead of cloning them.

Run ./amtree.sh without any parameters to display this usage information.
Examples:

Export a journey/tree called "Login" from the root realm to a file:
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -e -t Login -f Login.json

Import a journey/tree into a sub-realm from a file and rename it to "LoginTree":
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -i -t LoginTree -f Login.json -r /parent/child

Export all the journeys/trees from the root realm to a file:
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -E -f trees.json

Export all the journeys/trees from the root realm to separate files in the current directory:
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -S

Import all the journeys/trees from a file into a sub-realm:
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -I -f trees.json -r /parent/child

Import all the trees (*.json) from the current directory into a sub-realm:
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -s -r /parent/child

Clone a journey/tree "Login" to "ClonedLogin":
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -e -t Login | ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -i -t ClonedLogin

Copy a journey/tree "Login" to "ClonedLogin" in another ForgeRock Identity Platform instance:
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -e -t Login | ./amtree.sh -h https://another.domain.org/openam -u amadmin -p 'password' -i -t ClonedLogin

Copy all the journeys/trees from one realm in one ForgeRock Identity Platform instance to another realm in another instance:
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -E -r /internal | ./amtree.sh -h https://another.domain.org/openam -u amadmin -p 'password' -I -r /external

Prune orphaned configuration artifacts in the root realm or in a sub-realm:
% ./amtree.sh -P -h https://cdk.iam.example.com/am -u amadmin -p 'password'
% ./amtree.sh -P -h https://cdk.iam.example.com/am -r /parent/child -u amadmin -p 'password'

List all the journeys/trees from the root realm to a file or to the console:
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -l -f trees.txt
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -l

Describe one specific journey/tree export file (-d -f), or all .json files in the current directory, e.g. as written by -S (-D):
% ./amtree.sh -d -f tree1.json
% ./amtree.sh -D

Describe one specific journey/tree in the realm (-d -t), or all journeys/trees in the realm (-D):
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -d -t tree1
% ./amtree.sh -h https://cdk.iam.example.com/am -u amadmin -p 'password' -D
This tool can't export passwords (including API secrets, etc.), so these need to be added back manually to an imported tree; alternatively, export the source tree to a file and edit the file to add the missing fields before importing. Any dependencies other than scripts and email templates that a journey/tree needs must already exist prior to import, for example inner trees and custom nodes. Currently, scripts are NOT given a new UUID on import; an option to allow re-UUID-ing scripts might be added in the future.
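The "export to a file, add the missing secrets, then import" flow described above, as an added example that is not part of amtree.sh or its README. The script scans a per-journey export file (as written by -S) for secret-looking string fields that came out empty, fills them from values supplied at run time, and refuses to call the import step while any are still empty. The shape of the sample export, the node attribute names (adminPassword, clientSecret) and the key-name pattern are constructed for this example; the real export format is not documented on this page, so the scan keys off field names only. It relies on jq, which amtree.sh already requires.

```shell
#!/bin/sh
# Pre-import secret check for amtree.sh exports (added example, not part of amtree.sh).
# Assumption: an export is a JSON document whose node configurations are nested objects;
# the exact layout written by amtree.sh is not known here, so the scan only looks at
# key names and values, not at structure. Requires jq.

# Key names that usually hold credentials the export cannot carry (case-insensitive).
SECRET_KEY_RE='password|secret|apikey|privatekey|clientsecret'

# Print "dotted.path" for every string field whose key matches SECRET_KEY_RE and
# whose value is empty. Array indexes appear as numbers in the path.
find_empty_secrets() {  # find_empty_secrets <export.json>
    jq -r --arg re "$SECRET_KEY_RE" '
        [ paths(type == "string" and . == "")
          | select(.[-1] | tostring | test($re; "i")) ]
        | .[] | map(tostring) | join(".")' "$1"
}

# Exit status 0 if the file still contains empty secret fields, 1 otherwise.
has_empty_secrets() {  # has_empty_secrets <export.json>
    jq -e --arg re "$SECRET_KEY_RE" '
        [ paths(type == "string" and . == "")
          | select(.[-1] | tostring | test($re; "i")) ] | length > 0' "$1" >/dev/null
}

# Set the field at a dotted path to a value, in place. setpath creates the field if the
# export dropped it entirely. Keys that themselves contain "." are not supported.
fill_secret() {  # fill_secret <export.json> <dotted.path> <value>
    tmp="$1.tmp.$$"
    jq --arg p "$2" --arg v "$3" '
        ($p | split(".") | map(if test("^[0-9]+$") then tonumber else . end)) as $path
        | setpath($path; $v)' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$1"
}

# Constructed sample export, standing in for ./amtree.sh -S output. Field names are
# illustrative only; they are not taken from a real amtree.sh export.
write_sample_export() {  # write_sample_export <file>
    cat > "$1" <<'EOF'
{
  "tree": { "_id": "Login", "entryNodeId": "node-1" },
  "nodes": {
    "node-1": { "_id": "node-1", "_type": { "_id": "ScriptedDecisionNode" },
                "script": "script-1", "outcomes": ["true", "false"] },
    "node-2": { "_id": "node-2", "_type": { "_id": "LdapDecisionNode" },
                "adminDn": "cn=admin,dc=example,dc=com", "adminPassword": "" },
    "node-3": { "_id": "node-3", "_type": { "_id": "SocialProviderHandlerNode" },
                "clientId": "my-client", "clientSecret": "" }
  },
  "scripts": { "script-1": { "name": "checkUser", "script": "Ly8gc2NyaXB0" } }
}
EOF
}

# Demo run on the constructed sample. Secrets come from the environment (placeholders
# here) so they never live in the exported JSON that gets committed or shared.
work=$(mktemp -d)
write_sample_export "$work/Login.json"
echo "Empty secret fields in Login.json:"
find_empty_secrets "$work/Login.json"
fill_secret "$work/Login.json" nodes.node-2.adminPassword "${LDAP_ADMIN_PASSWORD:-placeholder-ldap-password}"
fill_secret "$work/Login.json" nodes.node-3.clientSecret "${IDP_CLIENT_SECRET:-placeholder-client-secret}"
if has_empty_secrets "$work/Login.json"; then
    echo "Secrets still missing; not importing."
else
    echo "Ready for: ./amtree.sh -h <url> -u <user> -p <passwd> -i -t Login -f $work/Login.json"
fi
rm -rf "$work"
```

Because `setpath` creates a field that is absent, `fill_secret` also covers exports that drop the secret attribute entirely, but `find_empty_secrets` cannot see such fields; keep a per-node-type list of the secret paths you expect and apply it explicitly rather than relying on the scan alone. Run the filled file through `./amtree.sh -d -f <file>` before `-i` if you want a last look at what will be imported.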