keycloak_default_roles cannot be used on RedHat SSO 7.5 (Keycloak 15.0.6) #720

Closed
svenreinhard opened this issue Aug 12, 2022 · 13 comments · Fixed by #721

Comments

@svenreinhard

Hello there. We are using RedHat SSO 7.5.2 based on Keycloak 15.0.6. So far I have never had problems and am very happy with Mrparkers.

However, today I tried to use the resource type "keycloak_default_roles" for the first time. When I try to apply the config via Terraform I get the following error:
Error: this resource requires Keycloak v13 or higher

As the base of RH SSO 7.5.2 is Keycloak 15.0.6, I thought it should work. Here is my setup:
RedHat SSO 7.5.2 GA
Terraform 1.2.7
Mrparkers 3.10.0

Is the use of RH SSO supported? Is this a known issue?
If you need any further info, please let me know.

Regards
Sven Reinhard

@mrparkers
Contributor

Hi @svenreinhard, thanks for opening this issue. The provider uses the /auth/admin/serverinfo API to query for the Keycloak version in order to determine what features can or cannot be used. Right now, the provider only understands how to parse Keycloak versions, since I don't have a license for RedHat SSO to test against.

I can fix this issue, but I need your help in order to understand what version string is returned by RedHat SSO. Could you hit the /auth/admin/serverinfo API on your RedHat SSO instance and look at the JSON that's returned, and tell me what the .systemInfo.version property is?

Once I understand how that string is formatted, I think I can use the details here to build a mapping between RedHat SSO versions and Keycloak versions.

Thanks!

@svenreinhard
Author

Hi @mrparkers,
thanks a lot for the quick reply. I checked the API output and it shows:
"systemInfo": { "version": "7.5.2.GA" }
Unfortunately I did not see any field that tells this is RedHat SSO instead of Keycloak. Is the version string alone sufficient?

@mrparkers
Contributor

Hmm... I was hoping there would be a bit more in there that would clearly identify it as being RedHat SSO.

Let's try something else - in the same JSON response, there's a field called .profileInfo.name. My Keycloak instance has this set to community. Is yours something different?

If not, I might just add a top-level provider attribute, something like redhat_sso = true, so if you specify that, the provider will interpret version strings differently. Let me know what you think about that.

Thanks!

@svenreinhard
Author

profileInfo.name says "product"
So that could work. But I would also be fine with a top-level provider attribute.

@mrparkers
Contributor

Yeah I'm not too happy with using the profileInfo field either. I think I'll just add that top-level provider attribute then. I'll try to get to that early this week, probably today or tomorrow. Thanks for your patience.

@mrparkers
Contributor

@svenreinhard sorry for the delay, I've published a pre-release for you to test since I don't have the ability to test this myself. Can you try again with the new version v3.11.0-rc.0 and see if it works?

@svenreinhard
Author

Hi @mrparkers. No problem. I'm glad you can help that fast. Thank you for that.
How did you solve it now? Do I have to set a top-level provider attribute or did you find a solution that detects RH SSO automatically?

@mrparkers
Contributor

Ha, yeah I probably should have told you how to test it, my bad 😅

I added a top level provider attribute that you can set: red_hat_sso = true
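
The version gate discussed in this thread, as an added sketch in Go (not the provider's own code): it shows why a raw `7.5.2.GA` string fails a "Keycloak v13 or higher" check and how a `red_hat_sso`-style flag changes the interpretation. The function names and the mapping table are hypothetical; the table holds only the pairing stated in this thread (RH SSO 7.5.x is based on Keycloak 15.0.6), and an unmapped release is rejected rather than guessed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// rhssoToKeycloak maps a Red Hat SSO "major.minor" to the Keycloak major version
// it is based on. Hypothetical table: only the pairing stated in the thread.
var rhssoToKeycloak = map[string]int{"7.5": 15}

// keycloakMajor returns the effective Keycloak major version for the
// .systemInfo.version string returned by /auth/admin/serverinfo.
func keycloakMajor(version string, redHatSSO bool) (int, error) {
	parts := strings.Split(version, ".")
	if len(parts) < 2 {
		return 0, fmt.Errorf("unparseable version %q", version)
	}
	if redHatSSO {
		major, ok := rhssoToKeycloak[parts[0]+"."+parts[1]]
		if !ok { // fail closed instead of guessing a feature level
			return 0, fmt.Errorf("no Keycloak mapping for Red Hat SSO %q", version)
		}
		return major, nil
	}
	return strconv.Atoi(parts[0])
}

// supportsDefaultRoles applies the "requires Keycloak v13 or higher" gate.
func supportsDefaultRoles(version string, redHatSSO bool) (bool, error) {
	major, err := keycloakMajor(version, redHatSSO)
	if err != nil {
		return false, err
	}
	return major >= 13, nil
}

func main() {
	for _, c := range []struct {
		v  string
		rh bool
	}{{"15.0.6", false}, {"7.5.2.GA", false}, {"7.5.2.GA", true}, {"7.6.0.GA", true}} {
		ok, err := supportsDefaultRoles(c.v, c.rh)
		fmt.Printf("version=%s red_hat_sso=%t supported=%t err=%v\n", c.v, c.rh, ok, err)
	}
}
```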

@svenreinhard
Author

It seems I need a little help here. I don't know how to test the new version. If I try it with "terraform.exe init -upgrade" the new version is not used. When I replace the file manually it complains about the checksum.
How can I use the manually downloaded provider file from Github?

And to be sure about the attribute. Is this correct:
provider "keycloak" {
  client_id = "admin-cli"
  url = var.KEYCLOAK_URL
  username = var.KEYCLOAK_USERNAME
  password = var.KEYCLOAK_PASSWORD
  red_hat_sso = true
}

@mrparkers
Contributor

No problem, I published this as a pre-release, so terraform init -upgrade won't pull it automatically. Instead, you need to manually specify the version you want via the terraform block:

terraform {
  required_providers {
    keycloak = {
      source = "mrparkers/keycloak"
      version = "3.11.0-rc.0"
    }
  }
}

@svenreinhard
Author

Ah, thanks a lot. That did it.

Now the new provider version is used. And now I can change default roles. It works.

@mrparkers
Contributor

Perfect, I'm happy to hear that it's working for you.

I'll publish a real version (v3.11.0) later this week, but you can continue to use this version in the meantime. You'll just have to remember to update your terraform block once the new version is released.

Thanks again for the feedback!

@bolyachevets

Running into the same issue with RedHat "7.6.0.GA" on 4.0.1. I wonder if it is possible to implement a manual override for the Keycloak version.
