mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License

keycloak_realm_user_profile: should support 'unmanagedAttributePolicy' #946

Open scottescue opened 2 months ago

scottescue commented 2 months ago

The unmanagedAttributePolicy attribute has been added to the User Profile Config definition as of Keycloak version 24. This is exposed in the Admin UI as the Unmanaged Attributes realm setting.

Allowed values are:

The provider should allow this new attribute to be set in the keycloak_realm_user_profile resource.

ericwalterb commented 2 months ago

This is something we also hope gets added. Since upgrading to Keycloak 24, we have to manually enable Unmanaged Attributes. However, every time we run the terraform plan, it gets set back to null.

bradhead commented 2 months ago

@ericwalterb Were you able to apply the keycloak_realm_user_profile resource at all? I get a failure that username can't be removed; I am not trying to remove it. It seems the state thinks it is creating the profile for the first time, and it does not support import. Did you sort out how to set unmanaged attributes?

soulchild commented 3 weeks ago

@ericwalterb Interesting! We have the option manually set to "Only administrators can write" and a Terraform run does not seem to touch/change the option. Are you sure you're seeing changes to the option after applying the Terraform plan? I'm really worried that this gets reset without us noticing which would cause a lot of headaches for us.

grolingm-VU commented 3 weeks ago

We also had to manually enable the option. First, we left the option at the default value. We have a number of users that we import through this provider and stored a number of custom user attributes (now called unmanaged user attributes) on these users. With the default, Keycloak completely ignores these user attributes and doesn't even store them.

Currently, we have to enable this option manually after each installation of Keycloak. This is very tedious work, as we switch between both instances of the cluster after each deployment and those instances are set up from scratch. I really appreciate the option to have managed and unmanaged user attributes, as it would give us better handling of user attributes in general. However, having neither the possibility to enable the option nor the possibility to really define all managed attributes via keycloak_realm_user_profile is a challenging problem.

There are two discussions open targeting the problem on a broader level: "Keycloak version >= 24 support?" #944 and "The health of this repo, an open discussion." #964

The only workaround we are discussing is using a RESTful provider such as magodo/restful:

But this solution is far from ideal
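A small drift check for the behaviour ericwalterb and soulchild describe (the setting silently reverting to null after an apply), added here as an example and not code from the provider or from anyone in this thread. It works on the realm user profile JSON; the sample below is constructed, and both its shape and the ADMIN_EDIT value are assumptions about what Keycloak 24's GET /admin/realms/{realm}/users/profile returns for "Only administrators can write".

```python
import json

# Constructed sample (assumed shape) of the user profile JSON as it looks after
# the Unmanaged Attributes setting was enabled by hand in the Admin UI.
PROFILE_AFTER_MANUAL_FIX = json.loads("""
{
  "attributes": [
    {"name": "username", "displayName": "${username}",
     "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
    {"name": "email", "displayName": "${email}",
     "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}}
  ],
  "groups": [],
  "unmanagedAttributePolicy": "ADMIN_EDIT"
}
""")

# Constructed: the same profile as written back by a provider release that does
# not know the field, so the key is simply missing from the PUT body.
PROFILE_AFTER_APPLY = {k: v for k, v in PROFILE_AFTER_MANUAL_FIX.items()
                       if k != "unmanagedAttributePolicy"}


def unmanaged_attribute_policy(profile: dict):
    """Policy value, or None when the key is absent (absent = Disabled in the UI)."""
    return profile.get("unmanagedAttributePolicy")


def check_policy_drift(profile: dict, expected: str):
    """Return (ok, message); run it against the live profile after every apply."""
    actual = unmanaged_attribute_policy(profile)
    if actual == expected:
        return True, f"unmanagedAttributePolicy is {expected}"
    return False, f"unmanagedAttributePolicy drifted: expected {expected}, found {actual!r}"


def profile_diff(before: dict, after: dict) -> dict:
    """Top-level keys whose value changed between two snapshots; absent counts as None."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}


if __name__ == "__main__":
    print(check_policy_drift(PROFILE_AFTER_APPLY, "ADMIN_EDIT")[1])
    print(profile_diff(PROFILE_AFTER_MANUAL_FIX, PROFILE_AFTER_APPLY))
```

Snapshot the live profile before and after `terraform apply` and feed both to `profile_diff` to see exactly which keys the provider rewrote.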