Open kherock opened 11 months ago
Upon further inspection, this actually appears to be a Keycloak bug which I've attempted to detail here:
https://github.com/keycloak/keycloak/issues/24894
The issue is likely unrelated to the IDP mapper type. The only workaround I can think of for this would be to introduce an artificial delay on IDP mapper resources so that Keycloak's own event handling has a chance to apply before the Terraform provider sends subsequent updates to the IDP mapper.
Currently, the only other resource updates that can trigger IDP mappers are groups and roles: https://github.com/keycloak/keycloak/tree/main/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync
When refactoring an identity provider mapper, I encountered some unexpected behavior when converting it to a different type:
Terraform attempted to update the mapper in-place, but afterward I began to see server errors on Keycloak due to it failing to properly evaluate the mapper's configuration. On the Keycloak side, it showed the original mapper definition unchanged, despite Terraform reporting that the changes were applied successfully.
Keycloak doesn't allow changing the mapper type in the admin UI, so I don't think this operation is actually supported by the API.