terraform-provider-keycloak

[authz] keep_defaults works partially only at the 1st apply

Open • semangard opened this issue 3 years ago • 1 comment

Hello,

a) If I create a new client with keep_defaults set to false, then only the default resource is not created; the default policy and permission are still created. => Is that expected?

b) On an existing client, when I switch keep_defaults to false:


  # module.MS1_client.keycloak_openid_client.openid_client_confidential will be updated in-place
  ~ resource "keycloak_openid_client" "openid_client_confidential" {
        access_type                              = "CONFIDENTIAL"
        client_id                                = "MS1_back"
        client_secret                            = (sensitive value)
        consent_required                         = false
        direct_access_grants_enabled             = false
        enabled                                  = true
        exclude_session_state_from_auth_response = false
        full_scope_allowed                       = true
        id                                       = "3054968a-2cf4-4310-abef-2901d37d135e"
        implicit_flow_enabled                    = false
        name                                     = "MS1_back"
        realm_id                                 = "demo-uma"
        resource_server_id                       = "3054968a-2cf4-4310-abef-2901d37d135e"
        service_account_user_id                  = "07ce69b6-11a6-411e-bc4e-89ac4eed2fb7"
        service_accounts_enabled                 = true
        standard_flow_enabled                    = false
        valid_redirect_uris                      = []
        web_origins                              = []

      + authorization {
          + allow_remote_resource_management = true
          + keep_defaults                    = false
          + policy_enforcement_mode          = "ENFORCING"
        }
      - authorization {
          - allow_remote_resource_management = true -> null
          - keep_defaults                    = true -> null
          - policy_enforcement_mode          = "ENFORCING" -> null
        }
    }

Then existing defaults are not removed. => Is that expected?

semangard, Oct 29 '20 09:10

> If I create a new client with keep_defaults to false then only the default resource is not created; the default policy and permission are still created. Is that expected?

Probably not. What we're actually doing is deleting the resource after the client is created. So if there are additional default resources that need to be cleaned up, the provider should probably handle that as well.

> On an existing client, when I switch keep_defaults to false, then existing defaults are not removed. Is that expected?

I think so. We probably only want to respect authorization.keep_defaults when clients are created. I think it's dangerous for an update to this attribute to delete other resources. We should improve the documentation for this to make that more clear. We could also mark this attribute as ForceNew which would require the client to be deleted and recreated in order for this attribute to change.

mrparkers, Oct 30 '20 16:10
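
A check that can be run after an apply to see which of the defaults discussed in this thread are still on a client (added example, not code from the provider or from either commenter). It assumes an authorization-settings export in JSON with `resources` and `policies` arrays and Keycloak's default object names `Default Resource`, `Default Policy` and `Default Permission`; `leftoverDefaults` and the sample export are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed export subset; permissions sit under "policies" (type resource/scope).
type authzExport struct {
	Resources []struct{ Name string }
	Policies  []struct {
		Name, Type string
		Config     map[string]string
	}
}

// Constructed sample: new client, keep_defaults = false, as the issue reports it.
const sampleExport = `{"resources": [], "policies": [
  {"name": "Default Policy", "type": "js"},
  {"name": "Default Permission", "type": "resource",
   "config": {"applyPolicies": "[\"Default Policy\"]"}}]}`

// leftoverDefaults (hypothetical helper) lists defaults still present or applied.
func leftoverDefaults(raw []byte) ([]string, error) {
	var e authzExport
	if err := json.Unmarshal(raw, &e); err != nil {
		return nil, fmt.Errorf("parse export: %w", err)
	}
	var found []string
	for _, r := range e.Resources {
		if r.Name == "Default Resource" {
			found = append(found, "resource: "+r.Name)
		}
	}
	for _, p := range e.Policies {
		if p.Name == "Default Policy" || p.Name == "Default Permission" {
			found = append(found, "policy["+p.Type+"]: "+p.Name)
		}
		var applied []string // applyPolicies is a JSON array stored as a string
		_ = json.Unmarshal([]byte(p.Config["applyPolicies"]), &applied)
		for _, a := range applied {
			if a == "Default Policy" {
				found = append(found, p.Name+" applies Default Policy")
			}
		}
	}
	return found, nil
}

func main() { fmt.Println(leftoverDefaults([]byte(sampleExport))) }
```

An empty result means no default resource, policy or permission remains; any entry is something to remove or manage explicitly, since switching `keep_defaults` on an existing client does not delete it.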