
Ability to update a role's associated roles with a new resource rather than while creating it with the keycloak_role resource #1032

Open
BoyFromDubai opened this issue Dec 16, 2024 · 2 comments

Comments

@BoyFromDubai

Description

Allow updating a role's associated roles with a new resource that only updates the associated roles of an existing role, rather than associating roles only while creating a new role.

Discussion

No response

Motivation

While creating roles using a loop, you cannot update composite_roles here, as you get a Cycle error:

resource "keycloak_role" "this" {
  for_each = { for entry in local.roles : entry.name_link => entry }

  realm_id  = var.realms[each.value.realm_name].id
  name      = each.value.name
  client_id = lookup(each.value, "client_name", null) != null ? var.client_ids["${each.value.realm_name}.${each.value.client_name}"] : null
  # composite_roles takes role IDs; referencing the same resource here is what produces the Cycle error
  composite_roles = [
    keycloak_role.this[each.value.composite_role_name].id
  ]
  description = each.value.description
}

And you also cannot use another keycloak_role resource to update the associated roles, as tf throws an error that this role already exists, because it tries to create a new one with the same name.

Details

It would be great to have a resource like this:

resource "keycloak_composite_role" "this" {
  for_each = { for entry in local.roles : entry.name_link => entry }

  realm_id  = var.realms[each.value.realm_name].id
  role_id = main_role_id
  composite_roles = [
    some_role_id,
    another_role_id
  ]
}

And this resource would only update an already existing role and add associated roles to it.

@denniskniep
Contributor

@BoyFromDubai not 100% sure if I got what you are aiming for, but in the current main branch there is a new property on the role resource named import. If set to true this resource will only update already existing roles (i.e. associated roles property).

Can you build the provider locally from the main branch and check if it does what you expect?

@BoyFromDubai
Author

BoyFromDubai commented Jan 3, 2025

denniskniep not really, because we have built a variable in locals like this:

roles = [
  {
    "associated_roles" = tolist([
      "DevOps-log-viewer",
      "DevOps-smth",
    ])
    "client_name" = "ArgoCD"
    "description" = "Role for ArgoCD admins"
    "name" = "DevOps-admin"
    "realm_name" = "REALM"
    "users" = tolist([
      "smb",
    ])
  },
  {
    "associated_roles" = tolist([])
    "client_name" = "ArgoCD"
    "description" = "Role for ArgoCD admins"
    "name" = "DevOps-log-viewer"
    "realm_name" = "REALM"
    "users" = tolist([])
  },
  {
    "associated_roles" = tolist([])
    "client_name" = "ArgoCD"
    "description" = "Role for ArgoCD admins"
    "name" = "DevOps-smth"
    "realm_name" = "REALM"
    "users" = tolist([])
  },
  {
    "associated_roles" = tolist([
      "DevOps-log-viewer",
    ])
    "client_name" = "ArgoCD"
    "description" = "Role for ArgoCD admins"
    "name" = "business-admin"
    "realm_name" = "REALM"
    "users" = tolist([
      "smb",
    ])
  },
  {
    "associated_roles" = tolist([])
    "description" = "QQ"
    "name" = "qqq"
    "realm_name" = "REALM"
    "users" = tolist([
      "smb1",
    ])
  },
]

And it would be great to iterate over the whole list of objects to create all roles using only one resource, as I showed previously; something like this:

resource "keycloak_role" "this" {
  for_each = { for entry in local.roles : entry.name => entry }

  realm_id  = var.realms[each.value.realm_name].id
  name      = each.value.name
  client_id = lookup(each.value, "client_name", null) != null ? var.client_ids["${each.value.realm_name}.${each.value.client_name}"] : null
  # composite_roles takes role IDs; the self-reference is what produces the Cycle error
  composite_roles = [
    for child in each.value.associated_roles : keycloak_role.this[child].id
  ]
  description = each.value.description
}

But I cannot do this because of the Cycle error, as I'm trying to use keycloak_role.this inside keycloak_role.this.
So using this approach I cannot build a role hierarchy because of Terraform limitations.
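The cycle in both snippets above (the issue description and the comment) comes from a single resource block referencing its own instances, not from a cycle in the role data itself. The following is an added example, not code from the issue or from the provider, showing how the same local.roles list can be applied with only the documented keycloak_role resource by splitting it into two tiers: leaf roles (no associated roles) and composite roles that reference the leaf tier. The resource names keycloak_role.leaf, keycloak_role.composite and the locals leaf_roles/composite_roles are assumed names; var.realms, var.client_ids and the shape of local.roles are taken from the issue. A precondition rejects any composite that points at a non-leaf role, so a deeper hierarchy fails at plan time with a clear message instead of granting a partial set of permissions silently.

```hcl
# Added example (not the provider's or the issue author's code).
# Assumes local.roles, var.realms and var.client_ids exactly as in the issue.

locals {
  # Tier 1: roles that aggregate nothing. Created first, referenced by tier 2.
  leaf_roles = {
    for r in local.roles : r.name => r
    if length(r.associated_roles) == 0
  }

  # Tier 2: roles that aggregate other roles. Created second.
  composite_roles = {
    for r in local.roles : r.name => r
    if length(r.associated_roles) > 0
  }
}

resource "keycloak_role" "leaf" {
  for_each = local.leaf_roles

  realm_id    = var.realms[each.value.realm_name].id
  name        = each.value.name
  client_id   = lookup(each.value, "client_name", null) != null ? var.client_ids["${each.value.realm_name}.${each.value.client_name}"] : null
  description = each.value.description
}

resource "keycloak_role" "composite" {
  for_each = local.composite_roles

  realm_id    = var.realms[each.value.realm_name].id
  name        = each.value.name
  client_id   = lookup(each.value, "client_name", null) != null ? var.client_ids["${each.value.realm_name}.${each.value.client_name}"] : null
  description = each.value.description

  # composite_roles takes role IDs. Referencing keycloak_role.leaf (a different
  # resource block) instead of keycloak_role.composite keeps the graph acyclic.
  composite_roles = [
    for child in each.value.associated_roles : keycloak_role.leaf[child].id
  ]

  lifecycle {
    # A composite may only reference leaf roles in this layout. Anything else
    # would need an extra tier; fail early rather than apply a partial grant.
    precondition {
      condition = alltrue([
        for child in each.value.associated_roles : contains(keys(local.leaf_roles), child)
      ])
      error_message = "Role ${each.key} references a role that is not a leaf role; only one level of composition is supported by this layout."
    }
  }
}
```

With the sample data from the comment, DevOps-log-viewer, DevOps-smth and qqq land in the leaf tier, while DevOps-admin and business-admin become composites of them. Because composite roles grant every permission of their children transitively, keeping the hierarchy explicit in the data (and validated at plan time) is also the easiest way to review what a given role actually confers.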
