We've been using the keycloak provider without issue for a while, but after upgrading our build system to terraform 1.3.0, we've started to run into this error:
```
Error: Cycle: module.backend.keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[0] (destroy), module.backend.keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[1] (destroy), module.e2e_tests[0].keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[1] (destroy), random_password.keycloak_admin, provider["registry.terraform.io/mrparkers/keycloak"], module.e2e_tests[0].keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[0] (destroy)
```
Downgrading to 1.2.9 fixes this reliably, so I fear that this is somehow related to the keycloak provider not handling the upgrade well.
For reference, I've attached our relevant configs.
module.backend keycloak configs:
```hcl
data "keycloak_openid_client" "realm_management" {
  realm_id  = var.keycloak_realm.id
  client_id = "realm-management"
}

# Create client the backend uses to authenticate with keycloak in order to create resources (like users)
resource "keycloak_openid_client" "customer_backend" {
  realm_id                     = var.keycloak_realm.id
  client_id                    = "customer-backend"
  access_type                  = "CONFIDENTIAL"
  direct_access_grants_enabled = true
  service_accounts_enabled     = true
}

# roles the backend client needs to do the actual user management
locals {
  customer_backend_realm_management_roles = ["manage-users", "view-realm"]
}

resource "keycloak_openid_client_service_account_role" "customer_backend_realm_management_roles" {
  count                   = length(local.customer_backend_realm_management_roles)
  role                    = local.customer_backend_realm_management_roles[count.index]
  realm_id                = var.keycloak_realm.id
  service_account_user_id = keycloak_openid_client.customer_backend.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management.id
}

# Put client data into kubernetes secret so backend app can use client
resource "kubernetes_secret_v1" "customer_backend_client_secret" {
  metadata {
    name = "customer-backend-client-credentials"
  }
  data = {
    CLIENT_ID     = keycloak_openid_client.customer_backend.client_id,
    CLIENT_SECRET = keycloak_openid_client.customer_backend.client_secret
    CLIENT_NAME   = var.keycloak_realm.realm
  }
}
```
module.e2e_tests keycloak configs:
```hcl
data "keycloak_openid_client" "realm_management" {
  realm_id  = var.keycloak_realm.id
  client_id = "realm-management"
}

## e2e-tests
resource "keycloak_openid_client" "e2e_tests" {
  realm_id                     = var.keycloak_realm.id
  client_id                    = "e2e-tests"
  access_type                  = "CONFIDENTIAL"
  direct_access_grants_enabled = true
  service_accounts_enabled     = true
}

# roles the backend client needs to do the actual user management
locals {
  e2e_realm_management_roles = ["manage-users", "view-realm"]
}

resource "keycloak_openid_client_service_account_role" "customer_backend_realm_management_roles" {
  count                   = length(local.e2e_realm_management_roles)
  role                    = local.e2e_realm_management_roles[count.index]
  realm_id                = var.keycloak_realm.id
  service_account_user_id = keycloak_openid_client.e2e_tests.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management.id
}
```

Hey @eviscares, I wasn't able to recreate this myself, but could you try upgrading to Terraform v1.3.2? It looks like this release and v1.3.1 contained a few fixes for cycle issues like this.