Avoiding creating new realm if it already exists #1056

Open
arnabkaycee opened this issue Jan 7, 2025 · 2 comments

@arnabkaycee

Description

When declaring a new realm resource like the following

resource "keycloak_realm" "realm" {}

I want to be able to specify if the realm already exists and the provider should just proceed with modifying the existing realm instead of creating it again.
This is because, when I provision Keycloak, I can create multiple realms, each provisioned with a service account.
The service account can then be used by this provider to connect using client credentials grant to modify the realm further.

Having to import the realm to tell terraform it exists seems a very incoherent experience for me.

Discussion

No response

Motivation

Using the client credentials grant otherwise becomes incompatible with the realm resource creation.

Details

No response

@mwalser

mwalser commented Jan 8, 2025

I'm not part of the project and came across this issue by chance. Just sharing my two cents on the topic:

I would argue the opposite: It’s highly unusual for a Terraform provider to silently import an existing resource and then lie to Terraform and tell it that it just created the resource.

You are probably best served by using an import block. If hashicorp/terraform#33633 is ever implemented, you could even make the import conditional on whether the resource already exists.

@arnabkaycee
Author

arnabkaycee commented Jan 16, 2025

@mwalser I agree with your point.
I have the following scenario.
I want to set up Keycloak with multiple realms and then configure each realm with this terraform provider.
Admin creation can only be done with the master realm with admin credentials. When configuring this terraform provider with the admin credentials of the master realm to create new realms, I use one terraform pass having a terraform state.

Next, I would want to configure each of these realms. Note that realm configuration could be an incremental process. When configuring such realms, I would want to use credentials that are inferior to the admin credentials of the master realm. Separating this concern is important for me because I don't want to always be using master realm credentials for a change in a specific realm. This contains the blast radius should something go wrong.

Now, the realm creation done by the first terraform pass needs to be recognized by the realm creation of the second terraform pass. While all this is feasible with imports, I cannot really bundle my terraform modules with the import statements in them (because import statements would only be supported as top level declarations).

Also, I am not advocating for silent imports. I was suggesting a config flag similar to the import flag that already exists in the provider when declaring open id client resources.
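
The two-pass setup discussed in this thread, sketched as an added example (not code from either commenter or from the provider project): the second pass authenticates with a realm-scoped service account, and a root-level import block targets the realm resource inside a reusable module. The two files are shown in one block; the realm name `customer-a`, the client `terraform`, the URL, the module path, and the provider source address are assumptions, and the service account is assumed to hold the realm-management roles it needs.

```hcl
# ----- modules/realm_config/main.tf (hypothetical reusable module) -----
terraform {
  required_providers {
    keycloak = { source = "keycloak/keycloak" } # assumed source address
  }
}

variable "realm_name" {
  type = string
}

# Manages settings of a realm that the first (master-admin) pass created.
resource "keycloak_realm" "realm" {
  realm   = var.realm_name
  enabled = true
}

# ----- main.tf (root module of the second, realm-scoped pass) -----
terraform {
  required_version = ">= 1.5.0" # import blocks need Terraform 1.5 or later
  required_providers {
    keycloak = { source = "keycloak/keycloak" } # assumed source address
  }
}

variable "realm_client_secret" {
  type      = string
  sensitive = true
}

# Authenticate with the realm's own service account (client credentials
# grant) instead of master-realm admin credentials.
provider "keycloak" {
  url           = "https://keycloak.example.com" # placeholder URL
  realm         = "customer-a"                   # realm the client lives in
  client_id     = "terraform"                    # hypothetical client
  client_secret = var.realm_client_secret
}

module "realm_config" {
  source     = "./modules/realm_config"
  realm_name = "customer-a"
}

# The import block lives in the root module, but `to` may address a
# resource inside a child module. The import ID of keycloak_realm is the
# realm name.
import {
  to = module.realm_config.keycloak_realm.realm
  id = "customer-a"
}
```

Review the first plan: it lists the import together with any differences between the module's arguments and the realm's current settings.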
