v5.6.0: keycloak_openid_client authorization.allow_remote_resource_management keeps flipping (perpetual diff) #1446

Description

@votanphuc

Describe the bug

Hi, since I do not limit the provider version (>=5.0.0) and it recently got the latest, v5.6.0, the plan below happens without any update from the Terraform config or UI

  # module.xxx will be updated in-place

  ~ resource "keycloak_openid_client" "keycloak_client_oidc_client_credentials_authorization" {
        id                                         = "2d63cf11-b27c-4d90-8210-47db7c4b1c28"
        name                                       = "gcpeu_btxdata_partner"
        # (30 unchanged attributes hidden)

      - authorization {
          - allow_remote_resource_management = true -> null
          - decision_strategy                = "UNANIMOUS" -> null
          - keep_defaults                    = false -> null
          - policy_enforcement_mode          = "ENFORCING" -> null
        }
      + authorization {
          + allow_remote_resource_management = false
          + decision_strategy                = "UNANIMOUS"
          + keep_defaults                    = false
          + policy_enforcement_mode          = "ENFORCING"
        }
    }

Observed behavior:

  • The status monitor in the UI shows no change (it stays true)
  • terraform apply succeeds
  • No manual change in Keycloak Admin UI
  • Next terraform plan shows the same diff again
  • Results in non-idempotent plans

Another use case:

  • There is no config related to the field in Terraform
  • Manually change the UI to false
  • Plan automatically asks to apply the value true
  • Applied => check the UI again => no effect

Version

5.6.0

Expected behavior

No plan changes

Actual behavior

Plan change shows without any update from the UI or Terraform

How to Reproduce?

  • A client created (maybe with an older version) with authorization turned on. (Authorization tab available)
  • Upgrade to version 5.6.0 and check

Anything else?

Please

  • Reproduce and check again
  • Explain if it is a feature, and guide how to handle that
  • Fix it if it is a bug
