Inconsistent plan when enabling service account #432

Closed
pths opened this issue Nov 5, 2020 · 0 comments · Fixed by #437

pths commented Nov 5, 2020

Hi,

We ran into the following issue when enabling and assigning roles to the service account of an existing openid client in the same execution:

```
Error: Provider produced inconsistent final plan

When expanding the plan for
keycloak_openid_client_service_account_role.client2_service_account_role to
include new values learned so far during apply, provider
"registry.terraform.io/mrparkers/keycloak" produced an invalid new value for
.service_account_user_id: was cty.StringVal(""), but now
cty.StringVal("f003cf56-6b6f-4b5c-b9c2-68d89e458799").

This is a bug in the provider, which should be reported in the provider's own
issue tracker.
```

To reproduce, first apply the following HCL:

```hcl
data "keycloak_realm" "realm" {
  realm = "master"
}

resource "keycloak_openid_client" "client1" {
  realm_id    = data.keycloak_realm.realm.id
  client_id   = "client1"
  access_type = "BEARER-ONLY"
}

resource "keycloak_role" "client1_role" {
  realm_id  = data.keycloak_realm.realm.id
  client_id = keycloak_openid_client.client1.id
  name      = "client1_role"
}

resource "keycloak_openid_client" "client2" {
  realm_id  = data.keycloak_realm.realm.id
  client_id = "client2"

  access_type              = "CONFIDENTIAL"
  service_accounts_enabled = false
}
```

And then:

```hcl
data "keycloak_realm" "realm" {
  realm = "master"
}

resource "keycloak_openid_client" "client1" {
  realm_id    = data.keycloak_realm.realm.id
  client_id   = "client1"
  access_type = "BEARER-ONLY"
}

resource "keycloak_role" "client1_role" {
  realm_id  = data.keycloak_realm.realm.id
  client_id = keycloak_openid_client.client1.id
  name      = "client1_role"
}

resource "keycloak_openid_client" "client2" {
  realm_id  = data.keycloak_realm.realm.id
  client_id = "client2"

  access_type              = "CONFIDENTIAL"
  service_accounts_enabled = true
}

resource "keycloak_openid_client_service_account_role" "client2_service_account_role" {
  realm_id                = data.keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.client2.service_account_user_id
  client_id               = keycloak_openid_client.client1.id
  role                    = keycloak_role.client1_role.name
}
```

Note: the error doesn't occur if client2 and client2_service_account_role are created simultaneously.
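
Added example, not part of the original issue or the provider's code: a simplified Go model of the Terraform core check that raises this error, showing why a stale known `""` for `service_account_user_id` fails and an unknown value passes. `PlanUserID`, `markUnknownOnChange` and the all-zero ID are hypothetical; the mitigation shown is an assumption, not necessarily the change made in #437.

```go
package main

import "fmt"

// Value is a simplified stand-in for a planned attribute value:
// either a known string or "unknown until apply".
type Value struct {
	Known bool
	Str   string
}

// PlanUserID models how the client resource plans service_account_user_id.
// priorID is the value in state ("" while service accounts are disabled).
// markUnknownOnChange is a hypothetical switch for the mitigated behaviour.
func PlanUserID(priorID string, enabledChanges, markUnknownOnChange bool) Value {
	if enabledChanges && markUnknownOnChange {
		return Value{Known: false} // "(known after apply)"
	}
	return Value{Known: true, Str: priorID} // carries the stale state value forward
}

// CheckFinalPlan applies the core rule: a value that was known in the
// initial plan must be unchanged in the final plan; unknowns may resolve freely.
func CheckFinalPlan(attr string, initial Value, final string) error {
	if initial.Known && initial.Str != final {
		return fmt.Errorf("inconsistent final plan: .%s: was %q, but now %q",
			attr, initial.Str, final)
	}
	return nil
}

// Reproduce walks the issue's second apply: client2 already exists with
// service accounts disabled, and the role resource reads its user ID.
func Reproduce(markUnknownOnChange bool) error {
	const createdID = "00000000-0000-0000-0000-000000000000" // constructed placeholder ID
	planned := PlanUserID("", true, markUnknownOnChange)
	// The role resource's service_account_user_id is planned from client2's
	// planned value, then re-planned once client2 has been applied.
	return CheckFinalPlan("service_account_user_id", planned, createdID)
}

func main() {
	fmt.Println("stale known value:", Reproduce(false))
	fmt.Println("marked unknown:   ", Reproduce(true))
}
```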
