terraform-provider-keycloak
keycloak_user_roles resource removes existing role_id while updating the resource
```
  ~ resource "keycloak_user_roles" "user_roles" {
        id       = "developer-platform/da0ede55-f8d6-4352-9172-b2e3f508b5a1"
        realm_id = "developer-platform"
      ~ role_ids = [
          - "489701d7-7123-47a5-8a89-89ef92454b2e",
          + "eeffa302-c5ca-430e-83a6-d22a54e8ec55",
        ]
        user_id  = "da0ede55-f8d6-4352-9172-b2e3f508b5a1"
    }
```
Here the first role id `489701d7-7123-47a5-8a89-89ef92454b2e` was already assigned to this user. But when we tried to add another role_id after refreshing the state, this provider removes the existing role assignment.

Expected Behaviour: Existing role assignment must not be removed while modifying the `keycloak_user_roles` resource until specified.
This behaviour is pretty much consistent.
Can you give me a snippet of what your HCL configuration here looks like? I'm curious to know whether or not that first role with ID `489701d7-7123-47a5-8a89-89ef92454b2e` was assigned to that user outside of Terraform, or if this assignment is present in your Terraform configuration but the provider is removing it anyways.
@mrparkers Hi. I'm experiencing something similar. I'm setting up a new realm, with a client and some users with some roles. The user(s) get some default roles, like `uma_authorization`, `offline_access`, `view-profile` or `manage-account`.
```hcl
resource "keycloak_realm" "my_realm" {
  realm                       = "My-Realm"
  default_signature_algorithm = "RS256"
}

resource "keycloak_openid_client" "my_client_id" {
  client_id                    = "my-client-id"
  access_type                  = "PUBLIC"
  access_token_lifespan        = "3660"
  direct_access_grants_enabled = true
  realm_id                     = keycloak_realm.my_realm.id
  standard_flow_enabled        = true
  use_refresh_tokens           = false
  valid_redirect_uris          = [for uri in var.valid_redirect_uris : "${uri}/*"]
  web_origins                  = var.valid_redirect_uris
}

resource "keycloak_role" "my_role" {
  realm_id  = keycloak_realm.my_realm.id
  client_id = keycloak_openid_client.my_client_id.id
  name      = "my-role"
}

// this role is automatically added
data "keycloak_role" "uma_authorization" {
  realm_id = keycloak_realm.my_realm.id
  name     = "uma_authorization"
}

resource "keycloak_user" "my_user" {
  realm_id       = keycloak_realm.my_realm.id
  username       = "username"
  email          = "[email protected]"
  email_verified = true
  enabled        = true
  first_name     = "Jane"
  last_name      = "Doe"

  initial_password {
    value     = "dummy_password"
    temporary = false
  }
}

resource "keycloak_user_roles" "roles_of_my_user" {
  realm_id = keycloak_realm.my_realm.id
  user_id  = keycloak_user.my_user.id

  role_ids = [
    data.keycloak_role.uma_authorization.id,
    // references the keycloak_role declared above
    keycloak_role.my_role.id,
  ]
}
```
`terraform apply -auto-approve` will run successfully, but a subsequent plan shows that a role was removed outside of terraform. Running `terraform apply -auto-approve` again will add the role back and stay that way.
I can set up an example project if that helps.
OK. I guess I need to read the manual. :) My observation is literally covered in the first sentence.
However, it is still puzzling to me why this behavior occurs. @mrparkers, could you please give some insight into what is going on here?
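The behaviour both commenters hit follows from `keycloak_user_roles` being authoritative over the user's whole role set: any role Keycloak assigns on its own and that is not listed in `role_ids` shows up as drift on the next plan and is stripped on the next apply. The following is an added example, not code from the issue or from the provider's own documentation; it reuses the `my_realm`, `my_user` and `my_role` names from the snippet above and assumes a Keycloak version that assigns the four default roles the commenter names directly to the user (on releases that instead grant them through a `default-roles-<realm>` composite, list that single realm role in place of the four). It replaces the `uma_authorization` data block and the `keycloak_user_roles` resource from that snippet.

```hcl
# Added example (not from the issue or the provider docs). Every role that
# Keycloak grants automatically is resolved with a data source and listed
# explicitly, so the authoritative role set matches what Keycloak assigns
# and a follow-up `terraform plan` reports no changes.

# Realm-level default roles.
data "keycloak_role" "uma_authorization" {
  realm_id = keycloak_realm.my_realm.id
  name     = "uma_authorization"
}

data "keycloak_role" "offline_access" {
  realm_id = keycloak_realm.my_realm.id
  name     = "offline_access"
}

# view-profile and manage-account are client roles of the built-in "account"
# client, so the role data source needs that client's internal id.
data "keycloak_openid_client" "account" {
  realm_id  = keycloak_realm.my_realm.id
  client_id = "account"
}

data "keycloak_role" "view_profile" {
  realm_id  = keycloak_realm.my_realm.id
  client_id = data.keycloak_openid_client.account.id
  name      = "view-profile"
}

data "keycloak_role" "manage_account" {
  realm_id  = keycloak_realm.my_realm.id
  client_id = data.keycloak_openid_client.account.id
  name      = "manage-account"
}

resource "keycloak_user_roles" "roles_of_my_user" {
  realm_id = keycloak_realm.my_realm.id
  user_id  = keycloak_user.my_user.id

  # Complete list: the defaults plus the application role. Anything granted
  # to the user outside this list (for example by hand in the admin console)
  # is reported as drift and reverted on the next apply.
  role_ids = [
    data.keycloak_role.uma_authorization.id,
    data.keycloak_role.offline_access.id,
    data.keycloak_role.view_profile.id,
    data.keycloak_role.manage_account.id,
    keycloak_role.my_role.id,
  ]
}
```

The check is simply `terraform apply` followed by `terraform plan`: with every auto-assigned role enumerated, the second plan should be empty. The authoritative semantics are worth keeping rather than working around, because they turn an out-of-band privilege grant on a managed user into a visible plan diff that the next apply reverts, which is exactly the drift a least-privilege review wants to surface.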