
Deletion error for authorization_scope and authorization_resource

Open rdelander opened this issue 3 years ago • 0 comments

  • Keycloak Provider Version: 3.0.1
  • Terraform Version: 0.13.0
  • Keycloak Version: 10.0.1

I am encountering an error when attempting to delete a keycloak_openid_client_authorization_scope resource.

Module:

resource "keycloak_openid_client_authorization_scope" "scope" {
  for_each = var.scopes

  realm_id           = var.realm.id
  resource_server_id = var.resource_server.resource_server_id
  name               = each.value.scope_name
  display_name       = each.value.scope_name
}

resource "keycloak_openid_client_role_policy" "policy" {
  for_each = var.scopes

  realm_id           = var.realm.id
  resource_server_id = var.resource_server.resource_server_id

  name              = "${each.value.scope_name} policy"
  decision_strategy = "UNANIMOUS"
  logic             = "POSITIVE"
  type              = "role"
  dynamic "role" {
    for_each = each.value.roles
    content {
      id       = var.roles[role.value].id
      required = false
    }
  }
}

resource "keycloak_openid_client_authorization_resource" "authorization-resource" {
  realm_id           = var.realm.id
  resource_server_id = var.resource_server.resource_server_id
  name               = var.resource_name
  display_name       = var.resource_name
  scopes             = [for x in keycloak_openid_client_authorization_scope.scope : x.name]
}

resource "keycloak_openid_client_authorization_permission" "permission" {
  for_each = var.scopes

  realm_id           = var.realm.id
  resource_server_id = var.resource_server.resource_server_id
  name               = "${each.value.scope_name} permission"
  type               = "scope"

  policies = [
    keycloak_openid_client_role_policy.policy[each.key].id
  ]
  resources = [
    keycloak_openid_client_authorization_resource.authorization-resource.id
  ]
  scopes = [
    keycloak_openid_client_authorization_scope.scope[each.key].id
  ]
}

Module Variables:

variable "realm" {
  type = object({
    id    = string
    realm = string
  })
  description = "Realm resource that this client belongs to"
}

variable "resource_server" {
  type = object({
    resource_server_id = string
  })
  description = "Server that the authorization resources belongs to"
}

variable "resource_name" {
  type = string
}

variable "roles" {
  type = map(object({ id = string }))
}

variable "scopes" {
  type = map(object({
    scope_name = string
    roles      = list(string)
  }))
  description = "Map of scopes which will add a policy and permission for each"

  default = {}
}

Terraform Plan:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_authorization_permission.permission["route-posting-edit"] will be destroyed
  - resource "keycloak_openid_client_authorization_permission" "permission" {
      - decision_strategy  = "UNANIMOUS" -> null
      - id                 = "5a759539-0b5a-4869-8c6c-c0ef2ee796ff" -> null
      - name               = "routePosting:edit permission" -> null
      - policies           = [
          - "2868193d-a2f5-44e7-b7a4-dd0c5bdc711f",
        ] -> null
      - realm_id           = "mastermind" -> null
      - resource_server_id = "4ccecf97-10c0-433f-aa2d-b9e8bdc415bc" -> null
      - resources          = [
          - "cfe7d70b-0a92-426a-8bf8-0f42cb6fd4b1",
        ] -> null
      - scopes             = [
          - "e67a4cda-0372-4cc7-bc80-4badb9b43d69",
        ] -> null
      - type               = "scope" -> null
    }

  # module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_authorization_resource.authorization-resource will be updated in-place
  ~ resource "keycloak_openid_client_authorization_resource" "authorization-resource" {
        attributes           = {}
        display_name         = "RoutePosting"
        id                   = "cfe7d70b-0a92-426a-8bf8-0f42cb6fd4b1"
        name                 = "RoutePosting"
        owner_managed_access = false
        realm_id             = "mastermind"
        resource_server_id   = "4ccecf97-10c0-433f-aa2d-b9e8bdc415bc"
      ~ scopes               = [
          - "routePosting:edit",
            "routePosting:view",
        ]
        uris                 = []
    }

  # module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_authorization_scope.scope["route-posting-edit"] will be destroyed
  - resource "keycloak_openid_client_authorization_scope" "scope" {
      - display_name       = "routePosting:edit" -> null
      - id                 = "e67a4cda-0372-4cc7-bc80-4badb9b43d69" -> null
      - name               = "routePosting:edit" -> null
      - realm_id           = "mastermind" -> null
      - resource_server_id = "4ccecf97-10c0-433f-aa2d-b9e8bdc415bc" -> null
    }

  # module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_role_policy.policy["route-posting-edit"] will be destroyed
  - resource "keycloak_openid_client_role_policy" "policy" {
      - decision_strategy  = "UNANIMOUS" -> null
      - id                 = "2868193d-a2f5-44e7-b7a4-dd0c5bdc711f" -> null
      - logic              = "POSITIVE" -> null
      - name               = "routePosting:edit policy" -> null
      - realm_id           = "mastermind" -> null
      - resource_server_id = "4ccecf97-10c0-433f-aa2d-b9e8bdc415bc" -> null
      - type               = "role" -> null

      - role {
          - id       = "0c407a0d-a21b-4447-a7ed-95666d3bf410" -> null
          - required = false -> null
        }
      - role {
          - id       = "4e182e08-b85b-45c8-9958-8455df8cf0fe" -> null
          - required = false -> null
        }
      - role {
          - id       = "6b1530cd-e0ac-4080-8517-8024d3ab8089" -> null
          - required = false -> null
        }
      - role {
          - id       = "94a050f7-3386-4cde-82af-6cbd243f263d" -> null
          - required = false -> null
        }
      - role {
          - id       = "ab8e6164-7ed1-408c-91db-c477ed32a1af" -> null
          - required = false -> null
        }
      - role {
          - id       = "b8cbc9b8-64cb-4639-94ae-9885e039c1eb" -> null
          - required = false -> null
        }
    }

Plan: 0 to add, 1 to change, 3 to destroy.

Terraform Apply:

module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_authorization_permission.permission["route-posting-edit"]: Destroying... [id=5a759539-0b5a-4869-8c6c-c0ef2ee796ff]
module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_authorization_permission.permission["route-posting-edit"]: Destruction complete after 0s
module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_authorization_scope.scope["route-posting-edit"]: Destroying... [id=e67a4cda-0372-4cc7-bc80-4badb9b43d69]
module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_role_policy.policy["route-posting-edit"]: Destroying... [id=2868193d-a2f5-44e7-b7a4-dd0c5bdc711f]
module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_role_policy.policy["route-posting-edit"]: Destruction complete after 0s

Error: error sending DELETE request to /auth/admin/realms/mastermind/clients/4ccecf97-10c0-433f-aa2d-b9e8bdc415bc/authz/resource-server/scope/e67a4cda-0372-4cc7-bc80-4badb9b43d69: 400 Bad Request. Response body: {"errorMessage":"Scopes can not be removed while associated with resources."}

Error:

Error: error sending DELETE request to /auth/admin/realms/mastermind/clients/4ccecf97-10c0-433f-aa2d-b9e8bdc415bc/authz/resource-server/scope/e67a4cda-0372-4cc7-bc80-4badb9b43d69: 400 Bad Request. Response body: {"errorMessage":"Scopes can not be removed while associated with resources."}

I believe the error is due to the order of operations when applying changes. The scope should be removed from the keycloak_openid_client_authorization_resource before destroying keycloak_openid_client_authorization_scope.

I have also attempted to explicitly set depends_on and even create_before_destroy = true with no luck. With create_before_destroy = true I get the following error:

Error: Provider produced inconsistent final plan

When expanding the plan for
module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_authorization_resource.authorization-resource
to include new values learned so far during apply, provider
"registry.terraform.io/mrparkers/keycloak" produced an invalid new value for
.scopes: actual set element cty.StringVal("routePosting:edit") does not
correlate with any element in plan.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.


Error: Provider produced inconsistent final plan

When expanding the plan for
module.keycloak_tenant.module.keycloak_realm["mastermind"].module.permissions["route-posting"].keycloak_openid_client_authorization_resource.authorization-resource
to include new values learned so far during apply, provider
"registry.terraform.io/mrparkers/keycloak" produced an invalid new value for
.scopes: length changed from 1 to 2.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

rdelander, May 12 '21 18:05
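The ordering problem described in the report can be reproduced without Keycloak. The Go program below is an added example, not code from terraform-provider-keycloak or from the reporter: it models a single Keycloak authorization resource server in memory, enforcing only the one rule the 400 response states (a scope cannot be deleted while a resource still lists it), and then applies the two call orders: the one the apply log shows (scope DELETE issued before the resource PUT) and the detach-then-delete order the reporter argues for. The scope and resource names are taken from the plan in the issue; the ids (`scope-edit`, `res-1`) and the `Op`/`ResourceServer` types are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Scope and Resource mirror keycloak_openid_client_authorization_scope and
// keycloak_openid_client_authorization_resource; a resource references scopes by name.
type Scope struct{ ID, Name string }

type Resource struct {
	ID, Name string
	Scopes   []string
}

// ResourceServer is a constructed in-memory stand-in for the Keycloak authz admin API.
type ResourceServer struct {
	scopes    map[string]Scope
	resources map[string]Resource
}

// ErrScopeInUse carries the response body quoted in the issue.
var ErrScopeInUse = errors.New(`400 Bad Request: {"errorMessage":"Scopes can not be removed while associated with resources."}`)

func NewResourceServer() *ResourceServer {
	return &ResourceServer{scopes: map[string]Scope{}, resources: map[string]Resource{}}
}

func (rs *ResourceServer) AddScope(s Scope)       { rs.scopes[s.ID] = s }
func (rs *ResourceServer) AddResource(r Resource) { rs.resources[r.ID] = r }

// SetResourceScopes is the PUT the provider issues when the resource's scopes set changes.
func (rs *ResourceServer) SetResourceScopes(resourceID string, scopeNames []string) error {
	r, ok := rs.resources[resourceID]
	if !ok {
		return fmt.Errorf("resource %s not found", resourceID)
	}
	r.Scopes = scopeNames
	rs.resources[resourceID] = r
	return nil
}

// DeleteScope is the DELETE .../authz/resource-server/scope/{id} call; it refuses
// while any resource still lists the scope, exactly as Keycloak did in the report.
func (rs *ResourceServer) DeleteScope(scopeID string) error {
	s, ok := rs.scopes[scopeID]
	if !ok {
		return fmt.Errorf("scope %s not found", scopeID)
	}
	for _, r := range rs.resources {
		for _, name := range r.Scopes {
			if name == s.Name {
				return ErrScopeInUse
			}
		}
	}
	delete(rs.scopes, scopeID)
	return nil
}

// Op is one admin API call in the order Terraform would issue it.
type Op struct {
	Kind       string // "update-resource" or "delete-scope"
	ResourceID string
	ScopeID    string
	Scopes     []string // desired scope names for update-resource
}

// Apply runs ops in order and stops at the first failure, like terraform apply.
func Apply(rs *ResourceServer, ops []Op) error {
	for i, op := range ops {
		var err error
		switch op.Kind {
		case "update-resource":
			err = rs.SetResourceScopes(op.ResourceID, op.Scopes)
		case "delete-scope":
			err = rs.DeleteScope(op.ScopeID)
		default:
			err = fmt.Errorf("unknown op %q", op.Kind)
		}
		if err != nil {
			return fmt.Errorf("step %d (%s): %w", i+1, op.Kind, err)
		}
	}
	return nil
}

// RemoveScope builds the call order Keycloak's constraint requires:
// drop the scope from every resource that lists it, then delete the scope.
func RemoveScope(rs *ResourceServer, scopeID string) []Op {
	s := rs.scopes[scopeID]
	var ops []Op
	for id, r := range rs.resources {
		keep, found := make([]string, 0, len(r.Scopes)), false
		for _, name := range r.Scopes {
			if name == s.Name {
				found = true
				continue
			}
			keep = append(keep, name)
		}
		if found {
			ops = append(ops, Op{Kind: "update-resource", ResourceID: id, Scopes: keep})
		}
	}
	return append(ops, Op{Kind: "delete-scope", ScopeID: scopeID})
}

// Fixture reproduces the shape of the issue: one resource holding the edit and
// view scopes, with the edit scope about to be removed. Ids are constructed.
func Fixture() *ResourceServer {
	rs := NewResourceServer()
	rs.AddScope(Scope{ID: "scope-edit", Name: "routePosting:edit"})
	rs.AddScope(Scope{ID: "scope-view", Name: "routePosting:view"})
	rs.AddResource(Resource{ID: "res-1", Name: "RoutePosting", Scopes: []string{"routePosting:edit", "routePosting:view"}})
	return rs
}

// ObservedOrder is what the apply log shows: the scope DELETE ran before the resource PUT.
func ObservedOrder() []Op {
	return []Op{
		{Kind: "delete-scope", ScopeID: "scope-edit"},
		{Kind: "update-resource", ResourceID: "res-1", Scopes: []string{"routePosting:view"}},
	}
}

func main() {
	if err := Apply(Fixture(), ObservedOrder()); err != nil {
		fmt.Println("observed order:", err)
	}
	rs := Fixture()
	if err := Apply(rs, RemoveScope(rs, "scope-edit")); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("detach-then-delete order ok; scopes left:", len(rs.scopes))
	}
}
```

The first apply fails at step 1 with the same 400 body as the issue; the second succeeds because the resource no longer references the scope by the time the DELETE is issued. That is the dependency the provider (or Terraform's graph, if the resource's `scopes` attribute were derived from the scope resource rather than just its `name`) would have to express for the destroy to succeed.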