Recently, I've been working on CI for Keycloak based on this provider. I wrote a module that covers OpenID clients, dedicated scope mappers, service account roles, and client scopes. I already have some clients created manually in Keycloak, so I decided to import them using terraform import.
During testing, I decided to verify integrity by deleting a client and recreating it with terraform apply. After doing so, I encountered an error like this:
│ Error: validation error: a protocol mapper with name Client Host already exists for this client
│
│ with keycloak_openid_user_session_note_protocol_mapper.keycloak_openid_user_session_note_protocol_mapper["Client Host"],
│ on mappers.tf line 122, in resource "keycloak_openid_user_session_note_protocol_mapper" "keycloak_openid_user_session_note_protocol_mapper":
│ 122: resource "keycloak_openid_user_session_note_protocol_mapper" "keycloak_openid_user_session_note_protocol_mapper" {
│
╵
╷
│ Error: validation error: a protocol mapper with name Client ID already exists for this client
│
│ with keycloak_openid_user_session_note_protocol_mapper.keycloak_openid_user_session_note_protocol_mapper["Client ID"],
│ on mappers.tf line 122, in resource "keycloak_openid_user_session_note_protocol_mapper" "keycloak_openid_user_session_note_protocol_mapper":
│ 122: resource "keycloak_openid_user_session_note_protocol_mapper" "keycloak_openid_user_session_note_protocol_mapper" {
│
╵
╷
│ Error: validation error: a protocol mapper with name Client IP Address already exists for this client
│
│ with keycloak_openid_user_session_note_protocol_mapper.keycloak_openid_user_session_note_protocol_mapper["Client IP Address"],
│ on mappers.tf line 122, in resource "keycloak_openid_user_session_note_protocol_mapper" "keycloak_openid_user_session_note_protocol_mapper":
│ 122: resource "keycloak_openid_user_session_note_protocol_mapper" "keycloak_openid_user_session_note_protocol_mapper" {
│
This error indicates that some of the mappers defined by my Terraform code already exist. After further investigation, I discovered that when you create a client with service account roles enabled, Keycloak automatically creates three session note type mappers (code), which leads to an error when Terraform tries to create them.
I came up with two workarounds:
First, you can simply ignore them by not importing them into the state. However, they are mutable; they can be changed and removed. If you do not include them in the state, it defeats the whole purpose of IaC and makes it impossible to use your infrastructure code as the source of truth for cases like disaster recovery. Personally, I do not like the idea that my code does not fully reflect the state of my infrastructure.
Second, you can try to address this by enhancing your CI pipeline. For example, detect if a new client has service accounts enabled, then use the -target flag to create only the client, import those three mappers, and only then apply all other code. But this approach seems cumbersome and overly complicated to me.
I believe this is an issue and would like to create one after hearing some of your thoughts. It might just be that I am misled and there is an easy solution for this already.
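The second workaround described in the post (apply only the client with -target, import the three mappers Keycloak created, then apply the rest) can be driven from the plan JSON instead of being done by hand. The Python below is an added example, not code from the post or from the provider. It assumes the structure of `terraform show -json tfplan` output (`resource_changes[].type`, `.address`, `.change.actions`, `.change.after`), the Keycloak admin endpoint `GET /admin/realms/{realm}/clients/{id}/protocol-mappers/models` returning objects with `id`, `name` and `protocolMapper`, the provider's documented client-level import ID format `{realm_id}/client/{client_keycloak_id}/{protocol_mapper_id}`, and that the three auto-created mappers carry the Keycloak provider id `oidc-usersessionmodel-note-mapper`. The sample plan and admin response are constructed. Keeping these mappers in state matters beyond tidiness: they decide which session notes (client id, host, IP address) end up as token claims, so a mapper edited outside Terraform changes token contents without the IaC ever noticing.

```python
"""Detect service-account clients in a Terraform plan and build the
`terraform import` commands that adopt Keycloak's auto-created mappers.

Added example; assumptions (plan JSON shape, admin API shape, provider
import ID format, mapper provider id) are labelled in the lead-in.
"""
import shlex

# Names Keycloak gives the three user-session-note mappers it creates when
# service accounts are enabled on a client (the names in the post's errors).
AUTO_MAPPER_NAMES = frozenset({"Client Host", "Client ID", "Client IP Address"})
# Assumed Keycloak provider id of the "User Session Note" mapper type.
SESSION_NOTE_MAPPER_TYPE = "oidc-usersessionmodel-note-mapper"
CLIENT_TYPE = "keycloak_openid_client"
MAPPER_TYPE = "keycloak_openid_user_session_note_protocol_mapper"


def _planned_creates(plan, resource_type):
    """Yield plan entries of the given resource type that will be created."""
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if rc.get("type") == resource_type and "create" in actions:
            yield rc


def service_account_clients(plan):
    """Addresses of clients the plan creates with service_accounts_enabled.
    These are the resources to pass as -target in the first, partial apply."""
    return [
        rc["address"]
        for rc in _planned_creates(plan, CLIENT_TYPE)
        if (rc["change"].get("after") or {}).get("service_accounts_enabled") is True
    ]


def auto_mapper_addresses(plan):
    """Map mapper name -> resource address for planned session-note mappers
    whose name collides with one Keycloak will already have created."""
    found = {}
    for rc in _planned_creates(plan, MAPPER_TYPE):
        name = (rc["change"].get("after") or {}).get("name")
        if name in AUTO_MAPPER_NAMES:
            found[name] = rc["address"]
    return found


def import_commands(realm_id, client_uuid, admin_mappers, addresses):
    """Build shell-safe `terraform import` commands for the auto-created mappers.

    admin_mappers: list from the (assumed) admin endpoint
    GET /admin/realms/{realm}/clients/{client_uuid}/protocol-mappers/models.
    Only mappers of the session-note type are matched, so a differently typed
    mapper that merely shares a name is never imported into the wrong resource.
    """
    commands = []
    for mapper in admin_mappers:
        address = addresses.get(mapper.get("name"))
        if address is None or mapper.get("protocolMapper") != SESSION_NOTE_MAPPER_TYPE:
            continue
        # Assumed provider import ID format for client-level protocol mappers.
        import_id = f"{realm_id}/client/{client_uuid}/{mapper['id']}"
        commands.append(f"terraform import {shlex.quote(address)} {shlex.quote(import_id)}")
    return commands


def _mapper_change(name, session_note):
    # Helper for the constructed sample plan below.
    return {
        "address": f'{MAPPER_TYPE}.m["{name}"]',
        "type": MAPPER_TYPE,
        "index": name,
        "change": {"actions": ["create"], "after": {"name": name, "session_note": session_note}},
    }


# Constructed sample plan (shape of `terraform show -json tfplan`), not real output.
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "keycloak_openid_client.svc",
            "type": CLIENT_TYPE,
            "change": {
                "actions": ["create"],
                "after": {"realm_id": "example", "client_id": "svc-app", "service_accounts_enabled": True},
            },
        },
        _mapper_change("Client Host", "clientHost"),
        _mapper_change("Client ID", "clientId"),
        _mapper_change("Client IP Address", "clientAddress"),
        _mapper_change("Tenant", "tenant"),  # a custom mapper; must not be imported
    ]
}

# Constructed sample of the admin listing taken after the targeted apply.
SAMPLE_ADMIN_MAPPERS = [
    {"id": "1111-host", "name": "Client Host", "protocolMapper": SESSION_NOTE_MAPPER_TYPE},
    {"id": "2222-id", "name": "Client ID", "protocolMapper": SESSION_NOTE_MAPPER_TYPE},
    {"id": "3333-ip", "name": "Client IP Address", "protocolMapper": SESSION_NOTE_MAPPER_TYPE},
    {"id": "4444-aud", "name": "audience resolve", "protocolMapper": "oidc-audience-resolve-mapper"},
]

if __name__ == "__main__":
    for target in service_account_clients(SAMPLE_PLAN):
        print(f"terraform apply -target={shlex.quote(target)}")
    for cmd in import_commands("example", "c0ffee", SAMPLE_ADMIN_MAPPERS, auto_mapper_addresses(SAMPLE_PLAN)):
        print(cmd)
```

In a pipeline the flow is: `terraform plan -out tfplan && terraform show -json tfplan > plan.json`, feed `plan.json` to `service_account_clients` to decide whether the targeted apply is needed, apply the client, look up its UUID and mapper listing through the admin API, run the generated import commands, then run the unrestricted apply. It stays a two-step process because the mapper UUIDs do not exist until the client has been created.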