mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License
600 stars, 292 forks

Cycle error after upgrading to terraform 1.3.0 #739

Open eviscares opened 1 year ago

eviscares commented 1 year ago

Hi,

We've been using the keycloak provider without issue for a while, but after upgrading our build system to terraform 1.3.0, we've started to run into this error:

Error: Cycle: module.backend.keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[0] (destroy), module.backend.keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[1] (destroy), module.e2e_tests[0].keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[1] (destroy), random_password.keycloak_admin, provider["registry.terraform.io/mrparkers/keycloak"], module.e2e_tests[0].keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[0] (destroy)

Downgrading to 1.2.9 fixes this reliably, so I fear that this is somehow related to the keycloak provider not handling the upgrade well.

For reference, I've attached our relevant configs.

module.backend keycloak configs:

data "keycloak_openid_client" "realm_management" {
  realm_id  = var.keycloak_realm.id
  client_id = "realm-management"
}

# Create client the backend uses to authenticate with keycloak in order to create resources (like users)
resource "keycloak_openid_client" "customer_backend" {

  realm_id    = var.keycloak_realm.id
  client_id   = "customer-backend"
  access_type = "CONFIDENTIAL"

  direct_access_grants_enabled = true
  service_accounts_enabled     = true
}

# roles the backend client needs to do the actual user management
locals {
  customer_backend_realm_management_roles = ["manage-users", "view-realm"]
}

resource "keycloak_openid_client_service_account_role" "customer_backend_realm_management_roles" {
  count = length(local.customer_backend_realm_management_roles)
  role  = local.customer_backend_realm_management_roles[count.index]

  realm_id                = var.keycloak_realm.id
  service_account_user_id = keycloak_openid_client.customer_backend.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management.id
}

# Put client data into kubernetes secret so backend app can use client
resource "kubernetes_secret_v1" "customer_backend_client_secret" {
  metadata {
    name = "customer-backend-client-credentials"
  }
  data = {
    CLIENT_ID     = keycloak_openid_client.customer_backend.client_id,
    CLIENT_SECRET = keycloak_openid_client.customer_backend.client_secret
    CLIENT_NAME   = var.keycloak_realm.realm
  }
}

module.e2e_tests keycloak configs:

data "keycloak_openid_client" "realm_management" {
  realm_id  = var.keycloak_realm.id
  client_id = "realm-management"
}

## e2e-tests
resource "keycloak_openid_client" "e2e_tests" {
  realm_id    = var.keycloak_realm.id
  client_id   = "e2e-tests"
  access_type = "CONFIDENTIAL"

  direct_access_grants_enabled = true
  service_accounts_enabled     = true
}

# roles the e2e-tests client needs to do the actual user management
locals {
  e2e_realm_management_roles = ["manage-users", "view-realm"]
}

resource "keycloak_openid_client_service_account_role" "customer_backend_realm_management_roles" {
  count = length(local.e2e_realm_management_roles)
  role  = local.e2e_realm_management_roles[count.index]

  realm_id                = var.keycloak_realm.id
  service_account_user_id = keycloak_openid_client.e2e_tests.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management.id
}

keycloak provider config:

terraform {
  required_providers {
    keycloak = {
      source  = "mrparkers/keycloak"
      version = "3.10.0"
    }
  }
}

provider "keycloak" {
  client_id     = "admin-cli"
  username      = "admin"
  password      = random_password.keycloak_admin.result
  base_path     = ""
  url           = local.keycloak_config.external_url
  initial_login = false
}
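The cycle error above lists the nodes in the loop but not the edges between them. As an added example that is not part of the original issue or the provider project, the script below parses the DOT output of `terraform graph` (edge direction is dependent -> dependency, names carry a `[root] ` prefix and `\"` escapes) and reports the first cycle it finds, tagging each member as a provider configuration, a destroy node or a plain resource. The DOT text embedded here is constructed to mirror the node names in the reported error; the edges are an assumption for illustration, not the reporter's real graph.

```python
import re
import sys
from typing import Dict, List, Optional

# One DOT edge as `terraform graph` prints it:  "[root] dependent" -> "[root] dependency"
# Node labels may contain \" escapes, e.g. provider[\"registry.terraform.io/...\"].
EDGE_RE = re.compile(r'"((?:\\.|[^"\\])*)"\s*->\s*"((?:\\.|[^"\\])*)"')

# Constructed sample (assumption): nodes taken from the issue's error text, edges invented
# so that the keycloak provider config, random_password and a destroy node form a loop.
SAMPLE_DOT = r'''
digraph {
  "[root] module.backend.keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[0] (destroy)" -> "[root] provider[\"registry.terraform.io/mrparkers/keycloak\"]"
  "[root] module.backend.keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[1] (destroy)" -> "[root] provider[\"registry.terraform.io/mrparkers/keycloak\"]"
  "[root] provider[\"registry.terraform.io/mrparkers/keycloak\"]" -> "[root] random_password.keycloak_admin"
  "[root] random_password.keycloak_admin" -> "[root] module.backend.keycloak_openid_client_service_account_role.customer_backend_realm_management_roles[0] (destroy)"
  "[root] random_password.keycloak_admin" -> "[root] provider[\"registry.terraform.io/hashicorp/random\"]"
  "[root] kubernetes_secret_v1.customer_backend_client_secret" -> "[root] keycloak_openid_client.customer_backend"
  "[root] keycloak_openid_client.customer_backend" -> "[root] provider[\"registry.terraform.io/mrparkers/keycloak\"]"
}
'''

# Constructed acyclic sample (assumption): the same shape without the edge back into the loop.
ACYCLIC_DOT = r'''
digraph {
  "[root] keycloak_openid_client.customer_backend" -> "[root] provider[\"registry.terraform.io/mrparkers/keycloak\"]"
  "[root] provider[\"registry.terraform.io/mrparkers/keycloak\"]" -> "[root] random_password.keycloak_admin"
  "[root] random_password.keycloak_admin" -> "[root] provider[\"registry.terraform.io/hashicorp/random\"]"
}
'''


def _node(raw: str) -> str:
    """Undo DOT escaping and drop the [root] prefix so names match the cycle error text."""
    name = raw.replace('\\"', '"')
    return name[len("[root] "):] if name.startswith("[root] ") else name


def parse_edges(dot: str) -> Dict[str, List[str]]:
    """Adjacency list: node -> list of nodes it depends on."""
    graph: Dict[str, List[str]] = {}
    for m in EDGE_RE.finditer(dot):
        src, dst = _node(m.group(1)), _node(m.group(2))
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def find_cycle(graph: Dict[str, List[str]]) -> Optional[List[str]]:
    """Depth-first search with three colours; returns the first cycle as a closed path
    (first and last element equal) or None if the graph is acyclic. Recursive, so it is
    meant for graphs of a few thousand nodes, which covers a typical Terraform plan."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = dict.fromkeys(graph, WHITE)
    path: List[str] = []

    def visit(n: str) -> Optional[List[str]]:
        colour[n] = GREY
        path.append(n)
        for m in graph[n]:
            if colour[m] == GREY:
                # back edge to a node still on the stack: everything from m onwards is the loop
                return path[path.index(m):] + [m]
            if colour[m] == WHITE:
                found = visit(m)
                if found:
                    return found
        path.pop()
        colour[n] = BLACK
        return None

    for n in sorted(graph):          # sorted for deterministic output
        if colour[n] == WHITE:
            found = visit(n)
            if found:
                return found
    return None


def classify(node: str) -> str:
    """Which kind of graph node this is, by the naming Terraform uses in cycle errors."""
    if node.startswith("provider["):
        return "provider config"
    if node.endswith("(destroy)"):
        return "destroy node"
    return "resource"


def describe_cycle(dot: str) -> Optional[List[str]]:
    """Human-readable lines for the first cycle in the DOT text, or None if there is none."""
    cycle = find_cycle(parse_edges(dot))
    if cycle is None:
        return None
    return [f"{classify(n)}: {n}" for n in cycle]


if __name__ == "__main__":
    # Usage: terraform graph -type=plan | python3 find_tf_cycle.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DOT
    lines = describe_cycle(text)
    print("\n".join(lines) if lines else "no cycle found")
```

Which nodes appear depends on the graph type requested (`-type=plan`, `-type=plan-destroy`, `-type=apply`), and the destroy-time edges that produce an error like the one above are not guaranteed to be visible in every variant; the value of the check is that it prints the edges that close the loop, in particular whether the provider configuration's dependency on `random_password.keycloak_admin` is what pulls a resource-level node back into it.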
mrparkers commented 1 year ago

Hey @eviscares, I wasn't able to recreate this myself, but could you try upgrading to Terraform v1.3.2? It looks like this release and v1.3.1 contained a few fixes for cycle issues like this.