Use a block-style declaration for everything related to initial password

docs/resources/keycloak_user.md

@@ -23,6 +23,21 @@ resource "keycloak_user" "user" {
     first_name = "Bob"
     last_name  = "Bobson"
 }
+
+resource "keycloak_user" "user_with_initial_password" {
+    realm_id   = "${keycloak_realm.realm.id}"
+    username   = "alice"
+    enabled    = true
+    
+    email      = "alice@domain.com"
+    first_name = "Alice"
+    last_name  = "Aliceberg"
+
+    initial_password {
+      value     = "some password"
+      temporary = true
+    }
+}
 ```
 
 ### Argument Reference
@@ -31,9 +46,10 @@ The following arguments are supported:
 
 - `realm_id` - (Required) The realm this user belongs to.
 - `username` - (Required) The unique username of this user.
-- `initial_password` (Optional) When given, the user's initial password will be set to this value.
+- `initial_password` (Optional) When given, the user's initial password will be set.
    This attribute is only respected during initial user creation.
-- `initial_password_temporary` (Optional) Forces the initial password to be renewed on first login. Default to `false`.
+  - `value` (Required) The initial password.
+  - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`.
 - `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`.
 - `email` - (Optional) The user's email.
 - `first_name` - (Optional) The user's first name.

example/main.tf

@@ -55,8 +55,10 @@ resource "keycloak_user" "user_with_password" {
 	email                      = "user-with-password@fakedomain.com"
 	first_name                 = "Testy"
 	last_name                  = "Tester"
-	initial_password           = "my password"
-	initial_password_temporary = false
+	initial_password {
+		value = "my password"
+		temporary = false
+  }
 }
 
 

provider/keycloak_user.go

@@ -40,15 +40,24 @@ func resourceKeycloakUser() *schema.Resource {
 				Optional: true,
 			},
 			"initial_password": {
-				Type:             schema.TypeString,
-				Optional:         true,
-				Sensitive:        true,
-				DiffSuppressFunc: onlyDiffOnCreate,
-			},
-			"initial_password_temporary": {
-				Type:             schema.TypeBool,
+				Type:             schema.TypeList,
 				Optional:         true,
 				DiffSuppressFunc: onlyDiffOnCreate,
+				MaxItems:         1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"value": {
+							Type:      schema.TypeString,
+							Required:  true,
+							Sensitive: true,
+						},
+						"temporary": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
+					},
+				},
 			},
 			"enabled": {
 				Type:     schema.TypeBool,
@@ -96,11 +105,12 @@ func resourceKeycloakUserCreate(data *schema.ResourceData, meta interface{}) err
 		return err
 	}
 
-	initialPassword, isPasswordSet := data.GetOk("initial_password")
-	if isPasswordSet {
-		isPasswordTemporary, isTemporaryFlagSet := data.GetOk("initial_password_temporary")
-		isTemporary := isTemporaryFlagSet && isPasswordTemporary.(bool)
-		err := keycloakClient.ResetUserPassword(user.RealmId, user.Id, initialPassword.(string), isTemporary)
+	v, isInitialPasswordSet := data.GetOk("initial_password")
+	if isInitialPasswordSet {
+		passwordBlock := v.([]interface{})[0].(map[string]interface{})
+		passwordValue := passwordBlock["value"].(string)
+		isPasswordTemporary := passwordBlock["temporary"].(bool)
+		err := keycloakClient.ResetUserPassword(user.RealmId, user.Id, passwordValue, isPasswordTemporary)
 		if err != nil {
 			return err
 		}

provider/keycloak_user_test.go

@@ -391,7 +391,10 @@ resource "keycloak_openid_client" "client" {
 resource "keycloak_user" "user" {
 	realm_id         = "${keycloak_realm.realm.id}"
 	username         = "%s"
-  initial_password = "%s"
+	initial_password {
+		value = "%s"
+		temporary = false
+	}
 }
 	`, realm, clientId, username, password)
 }