Describe the bug
Background/Context
(following is based on my understanding of how Keycloak works):
When a new realm is created, Keycloak will automatically generate a representative client for that realm in the master realm.
So if you create a realm called apps there will be an apps-realm client in master.
This client, apps-realm, defines a series of roles (18 in total, 2 of which are composite) that can be assigned to other clients as well.
We have 2 realms (so far), let's call them "A" and "B", and we want to create a confidential client in the master realm (e.g. app-admin-cli)
that our application can then use with the Keycloak admin client (Node.js) to perform user management and other activities.
For that reason, we just want this client to have manage-users (for now) for realms "A" and "B", so the client app-admin-cli is assigned 2 client roles, namely A-realm.manage-users and B-realm.manage-users.
This works great, and allows for a more secure approach.
The Issue
The only way I was able to make the above scenario work was to put depends_on in the master realm module on realms "A" and "B".
I had to "tell" TF that resources in the master realm needed to be created only after realms "A" and "B" were done creating...
The problem with this is that any modification (adding/changing/removing resources) in either realm "A" or "B" then forces resources in the master realm to be recreated even when the resources in the master realm have not changed (i.e. # forces replacement).
The Demo
Attached is a ZIP file with a sample TF project outlining the problem:
reproduce_issue_depends_on_modules.zip
And some instructions to run the demo:
# change provider settings in root "main.tf" to match your environment,
# then init and verify installed providers
terraform init
terraform providers
# preview and then apply changes
terraform plan
terraform apply
# go to either "A" or "B" realm (or both) and uncomment the "keycloak_realm_events" resource, then:
terraform plan
# notice the output specifying that all resources in the "master" realm "must be replaced" (even though nothing changed in the "master" realm itself)
# if you destroy everything, then comment out "depends_on" in the root "main.tf", and then try to run "plan"/"apply" - it will fail...
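As an added illustration of the setup described above (not the author's attached project, and not the provider's own examples), the root module with the module-level depends_on and the master-realm module that binds only manage-users per realm to the service account; the ./realm and ./master module paths, the realms variable and the provider configuration are assumptions:

```hcl
# main.tf (root) -- added illustration, not the author's attached project.
# Assumes ./realm creates a keycloak_realm named var.name, and ./master
# holds the client below; provider configuration is omitted.
module "realm_a" {
  source = "./realm"
  name   = "A"
}

module "realm_b" {
  source = "./realm"
  name   = "B"
}

# The A-realm / B-realm clients in master are created by Keycloak itself, so
# Terraform only knows they exist after the realm modules have applied.
module "master" {
  source     = "./master"
  realms     = ["A", "B"]
  depends_on = [module.realm_a, module.realm_b]
}

# master/main.tf
variable "realms" { type = list(string) }

# Confidential client whose service account will call the Admin REST API.
resource "keycloak_openid_client" "app_admin_cli" {
  realm_id                 = "master"
  client_id                = "app-admin-cli"
  access_type              = "CONFIDENTIAL"
  service_accounts_enabled = true
  standard_flow_enabled    = false
}

# Look up each realm's representative client in master and its manage-users role.
data "keycloak_openid_client" "realm_mgmt" {
  for_each  = toset(var.realms)
  realm_id  = "master"
  client_id = "${each.key}-realm"
}

data "keycloak_role" "manage_users" {
  for_each  = data.keycloak_openid_client.realm_mgmt
  realm_id  = "master"
  client_id = each.value.id
  name      = "manage-users"
}

# Least privilege: the service account gets only manage-users, per realm.
resource "keycloak_openid_client_service_account_role" "manage_users" {
  for_each                = data.keycloak_role.manage_users
  realm_id                = "master"
  service_account_user_id = keycloak_openid_client.app_admin_cli.service_account_user_id
  client_id               = each.value.client_id
  role                    = each.value.name
}
```

Because depends_on on a module defers every data source inside it to apply time whenever a dependency changes, the ids read by the two data sources become "known after apply" on the next plan, and the role bindings keyed on them are planned as replacements; that is the forced-replacement behaviour the report describes.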
Questions
Maybe this is not a bug, and perhaps I am going about this the wrong way? I could create admin clients in each realm and use the built-in realm-management client roles to restrict access... The problem with that is "the sprawl" of clients as the number of realms grows... We have several applications that each would need to use an admin client, so instead of having each app use 1 we'd end up with num_apps x num_realms clients... Not optimal at all! And it still does not solve the problem of "how can I use realm-generated resources in the master realm"...
Is there a way to enforce depends_on only once?
Or is there perhaps some other way to accomplish the above without depends_on?
Version
26.1.0
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Anything else?
No response