Ensure security defenses settings are set on setRealmData realm (#1257) #1279
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…loak#1257) This ensures that the securityDefensesSettings propagated to the terraform state. Avoid repeated call to setRealmData(..) from resourceKeycloakRealmCreate. Mark resource_keycloak_realm `security_defenses` property as computed as it is populated with defaults after realm creation. Fixes keycloak#1257 Signed-off-by: Thomas Darimont <[email protected]>
thomasdarimont
force-pushed
the
issue/gh-1257-missing-state-check-for-security-settings
branch
from
e45bb10 to
91a5cc8
Compare
thomasdarimont
commented
Aug 18, 2025
Contributor
Author
thomasdarimont
left a comment
thomasdarimont
left a comment
There was a problem hiding this comment.
Some explanations.
| DefaultOptionalClientScopes []string `json:"defaultOptionalClientScopes,omitempty"` | ||
|
|
||
| BrowserSecurityHeaders BrowserSecurityHeaders `json:"browserSecurityHeaders"` | ||
| BrowserSecurityHeaders *BrowserSecurityHeaders `json:"browserSecurityHeaders,omitempty"` |
Contributor
Author
There was a problem hiding this comment.
omitempty allows us to leverage the BrowserSecurityHeader defaults from Keycloak.
| if realm.BruteForceProtected { | ||
| securityDefensesSettings["brute_force_detection"] = []interface{}{getBruteForceDetectionSettings(realm)} | ||
| } | ||
| data.Set("security_defenses", []interface{}{securityDefensesSettings}) |
Contributor
Author
There was a problem hiding this comment.
This populates the tfstate with the security defenses defaults configured generated by Keycloak.
| } | ||
|
|
||
| setRealmData(data, realm, keycloakVersion) | ||
| data.SetId(realm.Realm) |
Contributor
Author
There was a problem hiding this comment.
The call to setRealmData(...) was not necessary as it is already done by resourceKeycloakRealmRead(..), however we do need to set the realm ID via SetId before.
thomasdarimont
commented
Aug 18, 2025
Contributor
Author
thomasdarimont
left a comment
thomasdarimont
left a comment
There was a problem hiding this comment.
Some explanations.
…oak default securityDefensesHeaders configuration Signed-off-by: Thomas Darimont <[email protected]>
Contributor
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This ensures that the securityDefensesSettings propagated to the terraform state.
Previously we didn't set the security defenses settings configuration generated by Keycloak. As a consequence
terraform was not aware of the actual security defines configuration and attempted to perform a bigger update than necessary.
Fixes #1257