Open pescobar opened 1 year ago
I have done some more testing and I noticed that if I create all the resources using terraform (new resources keycloak_realm
and keycloak_realm_keystore_rsa
) then the new RSA key I add with terraform is visible in the keycloak webui even if the parentId
format uses the realm name instead of the realm internal id.
This is the API output for a realm+rsa key created with terraform which is visible from the webui:
$> mastertoken=$(curl -s -k -g -d "client_id=admin-cli" -d "username=admin" -d "password=admin" -d "grant_type=password" -d "client_secret=" "http://localhost:8080/realms/master/protocol/openid-connect/token" | sed 's/.*access_token":"//g' | sed 's/".*//g')
$> curl -s -k -X GET http://localhost:8080/admin/realms/myrealm/components/ -H "Content-Type: application/json" -H "Authorization: bearer $mastertoken" |jq .|grep parent
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
"parentId": "myrealm",
For resources created from scratch using terraform the terraform state uses the same value for id
and internal_id
$> terraform state show keycloak_realm.myrealm|grep myrealm
# keycloak_realm.myrealm:
resource "keycloak_realm" "myrealm" {
id = "myrealm"
internal_id = "myrealm"
realm = "myrealm"
but for realms created using the webui and then imported into terraform the id
and internal_id
don't match:
$> terraform import keycloak_realm.anotherrealm anotherrealm
$> terraform state show keycloak_realm.anotherrealm |egrep "another|internal_id"
# keycloak_realm.anotherrealm:
resource "keycloak_realm" "anotherrealm" {
id = "anotherrealm"
internal_id = "734fb52a-07e7-45a2-b456-21312e57e695"
realm = "anotherrealm"
The problem seems to be that if I add resources using terraform then parentId = $id
for all the components in the realm but if I add resources using the webui parentID = $internal_id
and they differ
Is there any possible workaround for this issue?
I ran into this same issue. I created a new realm manually, and then attempted to add RSA keys using keycloak_realm_keystore_rsa. No errors, Terraform's plan and apply looks good, but nothing gets created under Realm Settings -> Keys.
mrparkers/keycloak version 4.3.1, Keycloak 20.0.5
We are also experiencing this issue with mrparkers/keycloak version 4.4.0 and keycloak 23.0.0
Would it be feasible to simply add the parentId argument to the keycloak_realm_keystore_rsa
resource, so we can manually pass keycloak_realm.some_realm.internal_id
through to the rest request?
Or maybe an imported
boolean, deciding whether to use realm_id
or internal_id
, as to not break realms already managed by the provider?
I have realized that the provider is not defining the right
parentId
for the realm components when creating new realms.I tested it with keycloak 19.0.3 and 20.0.3. You can reproduce the problem like this:
First boot a keycloak test instance listening in http://localhost:8080 with username
admin
and passwordadmin
:Then you can create a new realm using this terraform code:
If you query the components for the new realm
myrealm
created with terraform you get this:But if I create another realm named
anotherrealm
using the keycloak webui the parentIDs for the components are in different format:I noticed this problem because I tried to import an existing realm which was created using the webui into terraform and when I tried to add a new resource of type
keycloak_realm_keystore_rsa
the parentID was wrong. This is the output I get when I query the components for it, the only component with different parentID is the rsa key I created using terraform. The other realm components with parentID in format3c4726c8-3589-41fd-b58e-6a289c062811
were created when I created the realm using the webuiTerraform succeeded and the new rsa key resource is added to the terraform state but it's not visible in the keycloak webui.
I also tried to define
realm_id = 3c4726c8-3589-41fd-b58e-6a289c062811
for resourcekeycloak_realm_keystore_rsa
in my terraform code in case this could workaround the problem but then I get this error:p.s. The token in
$mastertoken
is only valid for 1min so make sure to refresh it when testing using curl