mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License

Changes to `custom_identity_provider_mapper` ignored when updating roles or groups #901

Open kherock opened 10 months ago

kherock commented 10 months ago

When refactoring an identity provider mapper, I encountered some unexpected behavior when converting it to a different type:

  # keycloak_custom_identity_provider_mapper.this will be updated in-place
  ~ resource "keycloak_custom_identity_provider_mapper" "this" {
      ~ extra_config             = {
          - "attributes"  = jsonencode([]) -> null
          - "claim"       = "foobar" -> null
          - "claim.value" = "baz" -> null
          ~ "claims"      = jsonencode(
              ~ [
                  + {
                      + key   = "foobar"
                      + value = "baz"
                    },
                  + {
                      + key   = "abc"
                      + value = "123"
                    },
                ]
            )
            # (2 unchanged elements hidden)
        }
        id                       = "e6b41322-27ba-49d3-8e7d-f7c51186c010"
      ~ identity_provider_mapper = "oidc-group-idp-mapper" -> "oidc-advanced-group-idp-mapper"
        name                     = "oidc group mapper"
        # (2 unchanged attributes hidden)
    }

Terraform attempted to update the mapper in-place, but afterward I began to see server errors on Keycloak due to it failing to properly evaluate the mapper's configuration. On the Keycloak side, it showed the original mapper definition unchanged, despite Terraform reporting that the changes were applied successfully. Keycloak doesn't allow changing the mapper type in the admin UI, so I don't think this operation is actually supported by the API.

kherock commented 10 months ago

Upon further inspection, this actually appears to be a Keycloak bug which I've attempted to detail here:

https://github.com/keycloak/keycloak/issues/24894

The issue is likely unrelated to the IDP mapper type. The only workaround I can think of for this would be to introduce an artificial delay on IDP mapper resources so that Keycloak's own event handling has a chance to apply before the Terraform provider sends subsequent updates to the IDP mapper.

Currently, the only other resource updates that can trigger IDP mappers are groups and roles: https://github.com/keycloak/keycloak/tree/main/server-spi-private/src/main/java/org/keycloak/broker/provider/mappersync
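The delay-based workaround described above, expressed at the configuration level rather than inside the provider, as an added illustration that is not from the issue or the provider's own code. It assumes the `hashicorp/time` provider, a `keycloak_group` named `engineering`, variables `realm_id` and `idp_alias`, and the `group`/`syncMode` keys of Keycloak's advanced group mapper (only `claims` appears on this page).

```hcl
terraform {
  required_providers {
    keycloak = { source = "mrparkers/keycloak" }
    time     = { source = "hashicorp/time" }
  }
}

variable "realm_id" {}   # assumed: realm the group and mapper live in
variable "idp_alias" {}  # assumed: alias of the OIDC identity provider

resource "keycloak_group" "engineering" {
  realm_id = var.realm_id
  name     = "engineering"
}

# Replaced (and therefore slept again) whenever the group name changes,
# so Keycloak's own mappersync event handling can rewrite the mapper
# before Terraform sends its update to the same mapper.
resource "time_sleep" "after_group_update" {
  create_duration = "10s"
  triggers = {
    group_name = keycloak_group.engineering.name
  }
}

resource "keycloak_custom_identity_provider_mapper" "group" {
  realm                    = var.realm_id
  name                     = "oidc group mapper"
  identity_provider_alias  = var.idp_alias
  identity_provider_mapper = "oidc-advanced-group-idp-mapper"

  extra_config = {
    "syncMode" = "FORCE"                                             # assumed key
    "claims"   = jsonencode([{ key = "foobar", value = "baz" }])
    "group"    = "/${keycloak_group.engineering.name}"               # assumed key
  }

  # Ordering only; the group reference above already creates the dependency
  # on the group itself, this adds the delay between the two updates.
  depends_on = [time_sleep.after_group_update]
}
```

This only sequences the two API calls; it does not fix the underlying Keycloak issue, and the 10s value is a guess to be tuned against the observed handler latency.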