Comments (2)
So this is a pretty common problem for Terraform providers that wrap APIs that have side effects. Pretty much every Terraform provider I've worked with, official or otherwise, has had to deal with this.
Creating a realm within Keycloak creates a ton of other resources as a side effect (clients, client scopes, roles, flows and executions, etc). Most of these resources don't really need to be modified after they're created. Some, like the `account` client for example, have legitimate use cases for making changes to them after the fact.
The closest thing we have to a solution to this problem is by using data sources, which allows Terraform to reference configuration that it isn't managing so other resources can depend on it. This way, if you don't intend on making changes to the resources Keycloak creates for you, but you'd like to reference some computed attribute like an ID in some way, you can use a data source to fetch that information and use it elsewhere. An example use case of this would be assigning the `offline_access` role to a user - I don't care about making changes to this role, I just need to know its ID in order to use it, so I could use a data source like this to reference it:
```hcl
data "keycloak_role" "offline_access" {
  realm_id = "${keycloak_realm.realm.id}"
  name     = "offline_access"
}

resource "keycloak_group" "group" {
  realm_id = "${keycloak_realm.realm.id}"
  name     = "group"
}

resource "keycloak_group_roles" "group_roles" {
  realm_id = "${keycloak_realm.realm.id}"
  group_id = "${keycloak_group.group.id}"
  roles = [
    "${data.keycloak_role.offline_access.id}"
  ]
}
```
This doesn't solve the problem of wanting to make changes to configuration Keycloak creates for you, however. This isn't really a "solved" problem, unfortunately. The best we can do is import stuff we care about after the fact and make changes that way.
I don't think that the "auto-import" idea you had is a bad one, but something like this would also need to generate HCL for you. Since importing a resource saves its configuration in the state file, a following run of `terraform plan` without the complementary HCL would result in Terraform believing the resource needs to be destroyed. I've talked with a few folks on the Terraform team before and I've been told that they've internally discussed some future functionality where Terraform can generate HCL based on some remote configuration, but I wouldn't expect that to become a reality any time soon.
Hopefully this helps answer some of the questions you had!
from terraform-provider-keycloak.
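The failure mode described in the comment above (an imported resource with no matching HCL appears as a destroy in the next plan) can be caught before apply. The following is an added example, not code from the provider or from the comment's author: it inspects the `resource_changes` list that `terraform show -json` emits for a saved plan, and the sample plan, resource addresses and function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed output of `terraform show -json plan.out` after
# importing the realm's built-in "account" client without writing its HCL.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "keycloak_openid_client.account",
     "type": "keycloak_openid_client",
     "change": {"actions": ["delete"]}},
    {"address": "keycloak_group.group",
     "type": "keycloak_group",
     "change": {"actions": ["no-op"]}},
    {"address": "keycloak_group_roles.group_roles",
     "type": "keycloak_group_roles",
     "change": {"actions": ["delete", "create"]}},
    {"address": "keycloak_realm.realm",
     "type": "keycloak_realm",
     "change": {"actions": ["update"]}}
  ]
}
""")

def planned_destroys(plan, type_prefix="keycloak_"):
    """Return (address, kind) for every resource the plan would remove.

    kind is "destroy" for a plain delete and "replace" when Terraform
    deletes and recreates the object (in either order).
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" not in actions or not rc.get("type", "").startswith(type_prefix):
            continue
        kind = "replace" if "create" in actions else "destroy"
        findings.append((rc["address"], kind))
    return findings

def gate(plan):
    """Exit status for CI: 1 if anything would be destroyed or replaced."""
    return 1 if planned_destroys(plan) else 0

if __name__ == "__main__":
    for address, kind in planned_destroys(SAMPLE_PLAN):
        print(f"{kind:8} {address}")
    raise SystemExit(gate(SAMPLE_PLAN))
```

Run as a pipeline step between `terraform plan -out` and `terraform apply`, a non-zero exit stops the apply so that a default client, role or flow that was imported without its configuration is reviewed rather than deleted.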
That's immensely helpful—I honestly didn't know you could use data sources like that. And it totally makes sense that it's hard to manage side effects like this, I just wasn't sure whether that was the case. I'll probably look into this if I find myself needing to make changes to resources that already exist from creating another resource: https://github.com/jmcgill/formation
Thank you, closing as this isn't really a concern of this provider (or really fixable by this provider).