keycloak / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
Apache License 2.0

Importing clients / roles does not update realm_id correctly #935

Closed BlackthornYugen closed 8 months ago

BlackthornYugen commented 8 months ago

Expected behaviour:

If I import a client and roles, and immediately do a plan, I should only see the real changes, like composite_roles defined on my realm but not in my plan:

[screenshot]

Actual behaviour:

After import, a new plan will try to replace my client and all of its roles.

[screenshot]

Client and roles were imported with these commands:

tofu import 'module.idps.keycloak_openid_client.realm_management'                                  my_cool_realm/3724ef20-29d2-4cb0-a4d3-38b0020ab198
tofu import 'module.roles.keycloak_role.client_role["realm-management/manage-realm"]'              my_cool_realm/f668ae38-6efc-4391-9e01-79e6f9032738
tofu import 'module.roles.keycloak_role.client_role["realm-management/view-events"]'               my_cool_realm/fff26e0d-af39-4ae7-8042-93a02f9dfca0
tofu import 'module.roles.keycloak_role.client_role["realm-management/create-client"]'             my_cool_realm/c6c9967d-4c8e-4a27-ba7e-6c0ac40cd806
tofu import 'module.roles.keycloak_role.client_role["realm-management/query-users"]'               my_cool_realm/f989275a-3d33-4005-b83f-38698af74160
tofu import 'module.roles.keycloak_role.client_role["realm-management/manage-authorization"]'      my_cool_realm/cdbec79d-3e4d-439d-80b5-1ddc592a8e28
tofu import 'module.roles.keycloak_role.client_role["realm-management/manage-identity-providers"]' my_cool_realm/947c5893-a900-4250-be29-8999f87eedeb
tofu import 'module.roles.keycloak_role.client_role["realm-management/view-identity-providers"]'   my_cool_realm/839726fc-e11d-4ea3-b777-f43f75e7556b
tofu import 'module.roles.keycloak_role.client_role["realm-management/manage-events"]'             my_cool_realm/911ddba6-d596-4b48-81c0-e7c9ed47257b
tofu import 'module.roles.keycloak_role.client_role["realm-management/query-groups"]'              my_cool_realm/cc722453-2e7e-441e-8176-2921b2a5499e
tofu import 'module.roles.keycloak_role.client_role["realm-management/manage-users"]'              my_cool_realm/66c9ae6b-279b-449e-9c73-d7b0df65087a
tofu import 'module.roles.keycloak_role.client_role["realm-management/view-realm"]'                my_cool_realm/77ba4f25-e1e3-4af5-aa06-88b3c178e453
tofu import 'module.roles.keycloak_role.client_role["realm-management/realm-admin"]'               my_cool_realm/8e65f7d9-9ed8-4a7f-9a3f-78dc3fdca9d3
tofu import 'module.roles.keycloak_role.client_role["realm-management/view-authorization"]'        my_cool_realm/e23977a2-5f9e-4084-bf63-842f86b0ecd3
tofu import 'module.roles.keycloak_role.client_role["realm-management/manage-clients"]'            my_cool_realm/1b6c1172-4a35-43c0-b83e-f599ecb05901
tofu import 'module.roles.keycloak_role.client_role["realm-management/query-realms"]'              my_cool_realm/fa067c02-492b-4907-931a-d3ac20f22af5
tofu import 'module.roles.keycloak_role.client_role["realm-management/impersonation"]'             my_cool_realm/2b35f507-3e2c-46d0-9f20-b654cb8fe38d
tofu import 'module.roles.keycloak_role.client_role["realm-management/query-clients"]'             my_cool_realm/08f090a2-e797-4cb4-9819-316c1017a5f7
tofu import 'module.roles.keycloak_role.client_role["realm-management/view-clients"]'              my_cool_realm/bab9758c-35de-4bf8-80b3-f7f63ed838c5
tofu import 'module.roles.keycloak_role.client_role["realm-management/view-users"]'                my_cool_realm/be98a991-b150-4230-98b1-f9ec70320666

Hotfix

It appears to be safe to just ignore the realm id for these resources in my case. The credentials provided to terraform/tofu only have access to that realm anyway, so there's never a possibility that the realm could be wrong.

resource "keycloak_role" "client_role" {
  for_each    = local.client_role_combinations
  realm_id    = var.realm_id
  client_id   = var.clients[split("/", each.key)[0]]
  description = contains(keys(var.roles), each.key) ? var.roles[each.key] : "$${role_${split("/", each.key)[1]}}"
  name        = split("/", each.key)[1]

  lifecycle {
    ignore_changes = [realm_id]
  }
}

BlackthornYugen commented 8 months ago

Never mind, it seems like this stopped being a problem when I import the realm itself:

tofu import module.my_module.keycloak_realm.user_hub my_cool_realm
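The same outcome expressed with declarative import blocks, as an added example that is neither the reporter's module nor provider code. It assumes Terraform 1.5+ or OpenTofu 1.6+, that realm_id on the client and roles is derived from the realm resource (so the realm has to be in state for the plan to show only real drift), and it reuses the realm name and the client and role UUIDs from the tofu import commands above.

```hcl
# Added example. Assumes Terraform >= 1.5 / OpenTofu >= 1.6 (import blocks)
# and that realm_id flows from the realm resource rather than a bare variable.

resource "keycloak_realm" "user_hub" {
  realm = "my_cool_realm"
}

resource "keycloak_openid_client" "realm_management" {
  realm_id    = keycloak_realm.user_hub.id
  client_id   = "realm-management"
  access_type = "BEARER-ONLY"
}

locals {
  # "<client>/<role>" keys, the same shape as the reporter's client_role_combinations
  client_roles = toset(["realm-management/manage-realm", "realm-management/view-realm"])
}

resource "keycloak_role" "client_role" {
  for_each    = local.client_roles
  realm_id    = keycloak_realm.user_hub.id
  client_id   = keycloak_openid_client.realm_management.id
  name        = split("/", each.key)[1]
  description = "$${role_${split("/", each.key)[1]}}"
  # No ignore_changes on realm_id: with the realm in state the plan is clean,
  # and any genuine realm_id drift stays visible instead of being masked.
}

# Import the realm in the same plan as the client and roles; its id is the realm name.
import {
  to = keycloak_realm.user_hub
  id = "my_cool_realm"
}

# Client and role ids are "<realm>/<keycloak uuid>", as in the tofu import commands above.
import {
  to = keycloak_openid_client.realm_management
  id = "my_cool_realm/3724ef20-29d2-4cb0-a4d3-38b0020ab198"
}

import {
  to = keycloak_role.client_role["realm-management/manage-realm"]
  id = "my_cool_realm/f668ae38-6efc-4391-9e01-79e6f9032738"
}

import {
  to = keycloak_role.client_role["realm-management/view-realm"]
  id = "my_cool_realm/77ba4f25-e1e3-4af5-aa06-88b3c178e453"
}
```

Run `tofu plan` once with these blocks in place; after the realm, client and roles are imported in one apply, the import blocks can be deleted.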