Add support for fetchRoles in keycloak_openid_client_role_policy resource (#1241)

* Add fetchRoles option to keycloak_openid_client_role_policy resource

Signed-off-by: Shirak Elbakyan <[email protected]>

* Add fetch_roles to test

Signed-off-by: Shirak Elbakyan <[email protected]>

* Cosmetic changes

Signed-off-by: Shirak Elbakyan <[email protected]>

* Cosmetics

Signed-off-by: Shirak Elbakyan <[email protected]>

* Add fetchRoles option to keycloak_openid_client_role_policy resource

Signed-off-by: Shirak Elbakyan <[email protected]>

* Cosmetic changes

Signed-off-by: Shirak Elbakyan <[email protected]>

* Cosmetics

Signed-off-by: Shirak Elbakyan <[email protected]>

* Fix TestAccKeycloakOpenidClientAuthorizationRolePolicy_multiple

Signed-off-by: Shirak Elbakyan <[email protected]>

* Fix err interface conversion: interface {} is bool, not string

Signed-off-by: Shirak Elbakyan <[email protected]>

* Update

Signed-off-by: Shirak Elbakyan <[email protected]>

* Update

Signed-off-by: Shirak Elbakyan <[email protected]>

* upd

Signed-off-by: Shirak Elbakyan <[email protected]>

* Update

Signed-off-by: Shirak Elbakyan <[email protected]>

* Update

Signed-off-by: Shirak Elbakyan <[email protected]>

* Try

Signed-off-by: Shirak Elbakyan <[email protected]>

* upd

Signed-off-by: Shirak Elbakyan <[email protected]>

* Fix tests

Signed-off-by: Shirak Elbakyan <[email protected]>

---------

Signed-off-by: Shirak Elbakyan <[email protected]>

Author: elshirak

keycloak/openid_client_authorization_role_policy.go

@@ -16,6 +16,7 @@ type OpenidClientAuthorizationRolePolicy struct {
 	Type             string                          `json:"type"`
 	Roles            []OpenidClientAuthorizationRole `json:"roles,omitempty"`
 	Description      string                          `json:"description"`
+	FetchRoles       bool                            `json:"fetchRoles,omitempty"`
 }
 
 type OpenidClientAuthorizationRole struct {

provider/resource_keycloak_openid_client_authorization_role_policy.go

@@ -2,6 +2,8 @@ package provider
 
 import (
 	"context"
+
+	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -47,6 +49,10 @@ func resourceKeycloakOpenidClientAuthorizationRolePolicy() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"fetch_roles": {
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
 			"role": {
 				Type:     schema.TypeSet,
 				Required: true,
@@ -68,7 +74,7 @@ func resourceKeycloakOpenidClientAuthorizationRolePolicy() *schema.Resource {
 	}
 }
 
-func getOpenidClientAuthorizationRolePolicyResourceFromData(data *schema.ResourceData) *keycloak.OpenidClientAuthorizationRolePolicy {
+func getOpenidClientAuthorizationRolePolicyResourceFromData(data *schema.ResourceData, keycloakVersion *version.Version) *keycloak.OpenidClientAuthorizationRolePolicy {
 	var rolesList []keycloak.OpenidClientAuthorizationRole
 	if v, ok := data.Get("role").(*schema.Set); ok {
 		for _, role := range v.List() {
@@ -93,10 +99,16 @@ func getOpenidClientAuthorizationRolePolicyResourceFromData(data *schema.Resourc
 		Description:      data.Get("description").(string),
 	}
 
+	if keycloakVersion.GreaterThanOrEqual(keycloak.Version_25.AsVersion()) {
+		if v, ok := data.GetOk("fetch_roles"); ok {
+			resource.FetchRoles = v.(bool)
+		}
+	}
+
 	return &resource
 }
 
-func setOpenidClientAuthorizationRolePolicyResourceData(data *schema.ResourceData, policy *keycloak.OpenidClientAuthorizationRolePolicy) {
+func setOpenidClientAuthorizationRolePolicyResourceData(data *schema.ResourceData, policy *keycloak.OpenidClientAuthorizationRolePolicy, keycloakVersion *version.Version) {
 	data.SetId(policy.Id)
 
 	data.Set("resource_server_id", policy.ResourceServerId)
@@ -107,6 +119,10 @@ func setOpenidClientAuthorizationRolePolicyResourceData(data *schema.ResourceDat
 	data.Set("type", policy.Type)
 	data.Set("description", policy.Description)
 
+	if keycloakVersion.GreaterThanOrEqual(keycloak.Version_25.AsVersion()) {
+		data.Set("fetch_roles", policy.FetchRoles)
+	}
+
 	var roles []interface{}
 	for _, r := range policy.Roles {
 		role := map[string]interface{}{
@@ -122,21 +138,29 @@ func setOpenidClientAuthorizationRolePolicyResourceData(data *schema.ResourceDat
 
 func resourceKeycloakOpenidClientAuthorizationRolePolicyCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion, err := keycloakClient.Version(ctx)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 
-	resource := getOpenidClientAuthorizationRolePolicyResourceFromData(data)
+	resource := getOpenidClientAuthorizationRolePolicyResourceFromData(data, keycloakVersion)
 
-	err := keycloakClient.NewOpenidClientAuthorizationRolePolicy(ctx, resource)
+	err = keycloakClient.NewOpenidClientAuthorizationRolePolicy(ctx, resource)
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	setOpenidClientAuthorizationRolePolicyResourceData(data, resource)
+	setOpenidClientAuthorizationRolePolicyResourceData(data, resource, keycloakVersion)
 
 	return resourceKeycloakOpenidClientAuthorizationRolePolicyRead(ctx, data, meta)
 }
 
 func resourceKeycloakOpenidClientAuthorizationRolePolicyRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion, err := keycloakClient.Version(ctx)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 
 	realmId := data.Get("realm_id").(string)
 	resourceServerId := data.Get("resource_server_id").(string)
@@ -147,22 +171,26 @@ func resourceKeycloakOpenidClientAuthorizationRolePolicyRead(ctx context.Context
 		return handleNotFoundError(ctx, err, data)
 	}
 
-	setOpenidClientAuthorizationRolePolicyResourceData(data, resource)
+	setOpenidClientAuthorizationRolePolicyResourceData(data, resource, keycloakVersion)
 
 	return nil
 }
 
 func resourceKeycloakOpenidClientAuthorizationRolePolicyUpdate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion, err := keycloakClient.Version(ctx)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 
-	resource := getOpenidClientAuthorizationRolePolicyResourceFromData(data)
+	resource := getOpenidClientAuthorizationRolePolicyResourceFromData(data, keycloakVersion)
 
-	err := keycloakClient.UpdateOpenidClientAuthorizationRolePolicy(ctx, resource)
+	err = keycloakClient.UpdateOpenidClientAuthorizationRolePolicy(ctx, resource)
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	setOpenidClientAuthorizationRolePolicyResourceData(data, resource)
+	setOpenidClientAuthorizationRolePolicyResourceData(data, resource, keycloakVersion)
 
 	return nil
 }

provider/resource_keycloak_openid_client_authorization_role_policy_test.go

@@ -26,6 +26,10 @@ func TestAccKeycloakOpenidClientAuthorizationRolePolicy_basic(t *testing.T) {
 				Config: testResourceKeycloakOpenidClientAuthorizationRolePolicy_basic(roleName, clientId),
 				Check:  testResourceKeycloakOpenidClientAuthorizationRolePolicyExists("keycloak_openid_client_role_policy.test"),
 			},
+			{
+				Config: testResourceKeycloakOpenidClientAuthorizationRolePolicy_fetchRoles(roleName, clientId),
+				Check:  testResourceKeycloakOpenidClientAuthorizationRolePolicyExists("keycloak_openid_client_role_policy.test"),
+			},
 		},
 	})
 }
@@ -52,6 +56,25 @@ func TestAccKeycloakOpenidClientAuthorizationRolePolicy_multiple(t *testing.T) {
 	})
 }
 
+func TestAccKeycloakOpenidClientAuthorizationRolePolicy_fetchRoles(t *testing.T) {
+	t.Parallel()
+
+	clientId := acctest.RandomWithPrefix("tf-acc")
+	roleName := acctest.RandomWithPrefix("tf-acc")
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: testAccProviderFactories,
+		PreCheck:          func() { testAccPreCheck(t) },
+		CheckDestroy:      testResourceKeycloakOpenidClientAuthorizationRolePolicyDestroy(),
+		Steps: []resource.TestStep{
+			{
+				Config: testResourceKeycloakOpenidClientAuthorizationRolePolicy_fetchRoles(roleName, clientId),
+				Check:  testResourceKeycloakOpenidClientAuthorizationRolePolicyExists("keycloak_openid_client_role_policy.test"),
+			},
+		},
+	})
+}
+
 func getResourceKeycloakOpenidClientAuthorizationRolePolicyFromState(s *terraform.State, resourceName string) (*keycloak.OpenidClientAuthorizationRolePolicy, error) {
 	rs, ok := s.RootModule().Resources[resourceName]
 	if !ok {
@@ -139,6 +162,43 @@ resource keycloak_openid_client_role_policy test {
 	`, testAccRealm.Realm, roleName, clientId)
 }
 
+func testResourceKeycloakOpenidClientAuthorizationRolePolicy_fetchRoles(roleName, clientId string) string {
+	return fmt.Sprintf(`
+data "keycloak_realm" "realm" {
+	realm = "%s"
+}
+
+resource keycloak_openid_client test {
+	client_id                = "%s"
+	realm_id                 = data.keycloak_realm.realm.id
+	access_type              = "CONFIDENTIAL"
+	service_accounts_enabled = true
+	authorization {
+		policy_enforcement_mode = "ENFORCING"
+	}
+}
+
+resource "keycloak_role" "test" {
+	realm_id    = data.keycloak_realm.realm.id
+	name        = "%s"
+}
+
+resource keycloak_openid_client_role_policy test {
+	resource_server_id = keycloak_openid_client.test.resource_server_id
+	realm_id = data.keycloak_realm.realm.id
+	name = "keycloak_openid_client_role_policy"
+	decision_strategy = "AFFIRMATIVE"
+	logic = "POSITIVE"
+	type = "role"
+	fetch_roles = true
+	role  {
+		id = keycloak_role.test.id
+		required = false
+	}
+}
+	`, testAccRealm.Realm, roleName, clientId)
+}
+
 func testResourceKeycloakOpenidClientAuthorizationRolePolicy_multipleRoles(roleNames []string, clientId string) string {
 	var (
 		roles        strings.Builder