Tags: terraform, keycloak, opentofu

Use Terraform to assign realm-management role to service account user in Keycloak


I'm trying to automate the configuration of Keycloak for Netbird through the use of OpenTofu (Terraform) (using this provider) by following Netbird's Keycloak documentation, and converting the steps to Terraform code. I've mostly got there, but step 9 tells you to assign the view-users role to the service account roles as shown below:

[screenshot]

I "translated" this into the following Terraform/Tofu code snippet:

resource "keycloak_openid_client_service_account_realm_role" "service_account_role_assignment" {
    realm_id                = keycloak_realm.realm.id
    service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
    role                    = "view-users"
}

However, this does not work as I get a role not found error:

[screenshot]

I'm almost certain that the issue is that I need to pass a referenced name or Id to the role attribute within my snippet as the following would "work".

resource "keycloak_role" "view_users_role" {
    realm_id = keycloak_realm.realm.id
    name     = "view-users"
}

resource "keycloak_openid_client_service_account_realm_role" "service_account_role_assignment" {
    realm_id                = keycloak_realm.realm.id
    service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
    role                    = keycloak_role.view_users_role.name
}

Unfortunately, that just creates a duplicate role with the same name (1), rather than assigning the existing one (2), which only appears as I manually assigned it using the web UI for this screenshot, as shown below:

[screenshot]

Question

What Terraform/Tofu code do I need to add in order to assign the existing "realm-management" view-users role to the service account roles of my Keycloak client?


Solution

I managed to figure it out after realizing the realm-management pill (seen in the screenshots of the question) represented the name of another "client" that existed in the realm called realm-management that gets automatically created as part of creating the realm.

[screenshot]

So one just needs to assign that client's view-users role to our newly created client's service account user (two different clients). This was as easy as adding the following code snippet:

# Load the existing, auto-created realm-management client so its internal ID
# can be referenced; nothing new is created here.
data "keycloak_openid_client" "realm_management_client" {
  realm_id  = keycloak_realm.realm.id
  client_id = "realm-management"
}

# Assign the realm-management client's view-users role to the netbird backend
# client's service account user. view-users is a *client* role, so the
# service_account_role resource (not service_account_realm_role) is needed.
resource "keycloak_openid_client_service_account_role" "service_account_role_assignment" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
  # Internal ID of the client the role belongs to (realm-management),
  # not the ID of the client the role is being assigned to.
  client_id               = data.keycloak_openid_client.realm_management_client.id
  role                    = "view-users"
}
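For readers wiring this up from scratch, here is the complete configuration around the snippet above as an added example; it is not code from the question, the answer or the NetBird documentation. It assumes the community `keycloak/keycloak` provider with credentials supplied through its environment variables, a constructed realm name and client ID, and uses the provider's `keycloak_role` data source to resolve the client role by name so that a mistyped role name fails at plan time rather than surfacing as a "role not found" error during apply. The service account is granted only `view-users`, the read-only role the NetBird steps call for, and nothing broader.

```terraform
terraform {
  required_providers {
    keycloak = {
      source = "keycloak/keycloak" # assumption: the community Keycloak provider
    }
  }
}

# Assumption: KEYCLOAK_URL / KEYCLOAK_CLIENT_ID / KEYCLOAK_CLIENT_SECRET (or
# user/password) are set in the environment, so no arguments are needed here.
provider "keycloak" {}

resource "keycloak_realm" "realm" {
  realm = "netbird" # constructed realm name
}

# Confidential client used by the NetBird management service. Keycloak creates
# the service account user when service_accounts_enabled is true; browser and
# password flows are disabled because this client only uses client credentials.
resource "keycloak_openid_client" "netbird_backend_client" {
  realm_id                     = keycloak_realm.realm.id
  client_id                    = "netbird-backend" # constructed client ID
  access_type                  = "CONFIDENTIAL"
  service_accounts_enabled     = true
  standard_flow_enabled        = false
  direct_access_grants_enabled = false
}

# The built-in realm-management client owns the view-users role. It already
# exists in every realm, so it is looked up rather than created.
data "keycloak_openid_client" "realm_management" {
  realm_id  = keycloak_realm.realm.id
  client_id = "realm-management"
}

# Resolve the client role by name. If "view-users" does not exist on the
# realm-management client, the plan fails here instead of at apply time.
data "keycloak_role" "view_users" {
  realm_id  = keycloak_realm.realm.id
  client_id = data.keycloak_openid_client.realm_management.id
  name      = "view-users"
}

# Grant the read-only view-users client role to the service account user.
# client_id is the internal ID of the role's owner (realm-management), not of
# the client receiving the role.
resource "keycloak_openid_client_service_account_role" "netbird_view_users" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management.id
  role                    = data.keycloak_role.view_users.name
}

# Useful for cross-checking the assignment in the admin console under
# Clients > netbird-backend > Service account roles.
output "netbird_service_account_user_id" {
  value = keycloak_openid_client.netbird_backend_client.service_account_user_id
}
```

After `tofu apply`, the service account roles tab of the constructed `netbird-backend` client should list `view-users` under the `realm-management` pill, matching the manual assignment shown in the question's screenshots; no duplicate `view-users` realm role is created because nothing here declares a `keycloak_role` resource.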