
Improve support for import of OIDC clients #1267

@Download

Description

Keycloak creates a bunch of default clients in master or new realms:

  • account: Represents the backend for the account API
  • account-console: Provides a frontend for user account management.
  • admin-cli: Used for managing realms via CLI tools like kcadm.sh.
  • broker: Serves as the backend for identity brokering.
  • security-admin-console: Manages the admin UI for a specific realm.
  • realm-management: Backend API for realm-specific management. Does not exist in master.

https://skycloak.io/blog/what-to-do-with-the-default-clients-in-your-newly-created-keycloak-realm-2/

Now it makes a lot of sense that we would want to manage these clients with Terraform. I want to delete some of these clients, but deleting such a resource seems to be nigh impossible via Terraform... The next best option then would be to disable them instead by setting enabled = false... But before we can apply any config, we need Terraform to import the client into state. I see two ways of doing that and both seem to be completely crippled at the moment:

  1. Use a Terraform import block
  2. Use the import = true field on the keycloak_openid_client resource

Option 1 would be my preferred method since it is a Terraform-wide feature that in principle works for any supported resource, not just openid clients. However, this is completely crippled because of this:

Import

Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.

Yeah, so that is completely pointless. We cannot predict what GUID a new client in a new (or default) realm will get, so we can never automate anything this way. Why oh why can we not use the admin-cli, broker etc. client IDs here?

Maybe option 2 can save us? This second option is specific to the keycloak_openid_client resource, and since we only have to specify true we neatly bypass the whole "unpredictable ID" problem. So I tried that, but my plan tells me it will create all these resources anyway, even though I specified import = true. So I did some searching and encountered this open issue:

keycloak_oidc_client import unexpected behaviour #1007

So basically, the whole plan then apply process breaks when we use this option...

So we are left empty-handed. There is this entire project, but I cannot import the clients for master and I cannot import the clients for my new realm, so basically whatever I do with this entire project, I always end up with lots of stuff that I simply cannot configure. At least not in a repeatable way, which sort of is the whole point of Terraform to begin with.

Keycloak devs should make it possible to import clients, and indeed almost all resources, without having to resort to hardcoded GUIDs in the config files. If they don't, this whole provider is crippled.

Discussion

No response

Motivation

No response

Details

No response
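One way to work around the GUID problem described in the issue, as an added example that is not part of the issue or of the provider's own code: resolve each default client's internal UUID from the Keycloak Admin REST API (GET /admin/realms/{realm}/clients, which returns every client with its internal "id" and its human-readable "clientId") and generate a Terraform import block per client using the {{realm_id}}/{{client_keycloak_id}} format quoted from the provider docs above. The resource-address naming convention (keycloak_openid_client.<realm>_<client_id>) is a hypothetical choice of this example, and the sample client listing is constructed, so the script runs offline.

```python
"""Generate Terraform import blocks for Keycloak's default clients.

Added example; not code from the Keycloak Terraform provider or from the
issue author. Assumes the Keycloak Admin REST API endpoint
GET {base_url}/admin/realms/{realm}/clients (every client in the realm,
each with an internal "id" UUID and a human "clientId") and a hypothetical
naming convention for the Terraform resource addresses.
"""
import json
import re
import urllib.parse
import urllib.request

# The default clients listed in the issue. realm-management is absent in master.
DEFAULT_CLIENTS = (
    "account", "account-console", "admin-cli", "broker",
    "security-admin-console", "realm-management",
)

# Constructed sample of what the admin API returns for the master realm
# (UUIDs are made up; real ones differ on every installation).
SAMPLE_MASTER_CLIENTS = [
    {"id": "0c3d5f9a-4a7e-4e9e-9a1d-2b6f3c8e1a01", "clientId": "account"},
    {"id": "1d4e6a0b-5b8f-4fa0-ab2e-3c7a4d9f2b02", "clientId": "account-console"},
    {"id": "2e5f7b1c-6c90-4ab1-bc3f-4d8b5ea03c03", "clientId": "admin-cli"},
    {"id": "3f608c2d-7da1-4bc2-cd40-5e9c6fb14d04", "clientId": "broker"},
    {"id": "4a719d3e-8eb2-4cd3-de51-6fad70c25e05", "clientId": "security-admin-console"},
]


def resource_address(realm, client_id):
    """Hypothetical convention: keycloak_openid_client.<realm>_<client_id>,
    with characters Terraform does not allow in labels replaced by '_'."""
    label = re.sub(r"[^A-Za-z0-9_]", "_", f"{realm}_{client_id}")
    return f"keycloak_openid_client.{label}"


def import_id(realm, clients, client_id):
    """Return the provider's import ID '{realm_id}/{client_keycloak_id}' for
    the client whose clientId is client_id, or None if it is missing or
    ambiguous (e.g. realm-management does not exist in master)."""
    matches = [c for c in clients if c.get("clientId") == client_id]
    if len(matches) != 1:
        return None
    return f"{realm}/{matches[0]['id']}"


def render_import_blocks(realm, clients, client_ids=DEFAULT_CLIENTS):
    """Render one Terraform 'import' block per client that can be resolved."""
    blocks = []
    for cid in client_ids:
        iid = import_id(realm, clients, cid)
        if iid is None:
            continue  # skip clients that do not exist in this realm
        blocks.append(
            "import {\n"
            f"  to = {resource_address(realm, cid)}\n"
            f'  id = "{iid}"\n'
            "}\n"
        )
    return "\n".join(blocks)


def fetch_clients(base_url, realm, token):
    """Live lookup against a Keycloak server (not exercised offline).
    token is a bearer token for a user with realm-admin rights."""
    url = f"{base_url}/admin/realms/{urllib.parse.quote(realm, safe='')}/clients"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo on the constructed sample; against a live server, replace
    # SAMPLE_MASTER_CLIENTS with fetch_clients(base_url, "master", token).
    print(render_import_blocks("master", SAMPLE_MASTER_CLIENTS), end="")
```

Write the output to an imports.tf next to resource "keycloak_openid_client" blocks that use the same addresses (with realm_id, client_id and enabled = false set); terraform plan should then report the five master clients as imported and updated in place rather than created, and the GUIDs never have to be typed into the config by hand. Re-running the script against a freshly created realm regenerates the file for that realm's own UUIDs.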
