Execution plan incorrect and failure : try to update a role which was detroyed by the same plan

[semangard]

Hello,

I have the following error into the same TF execution plan:

keycloak_role.vaccination_comment: Destroying... [id=62945a59-2d7b-47af-9554-afa2c32c9390]
....
Error: error sending GET request to /auth/admin/realms/collaborator/roles-by-id/62945a59-2d7b-47af-9554-afa2c32c9390: 404 Not Found. Response body: {"error":"Could not find role with id"}

==> Why a resource is updated whereas it was just destroyed by the same execution plan ?

---

Full execution plan

Initializing provider plugins...
- Finding mrparkers/keycloak versions matching ">= 2.0.0"...
- Finding hashicorp/local versions matching ">= 2.0.0"...
- Installing mrparkers/keycloak v3.0.1...
- Installed mrparkers/keycloak v3.0.1 (self-signed, key ID C50867915E116CD2)
- Installing hashicorp/local v2.1.0...
- Installed hashicorp/local v2.1.0 (self-signed, key ID 34365D9472D7468F)

Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/plugins/signing.html

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Selecting TF workspace [accounts.hcuge.ch-dev-collaborator] ...

Switched to workspace "accounts.hcuge.ch-dev-collaborator".
Executing TF: terraform apply -var-file=envs/dev/dev.tfvars -auto-approve ...

keycloak_role.vaccination_comment: Refreshing state... [id=62945a59-2d7b-47af-9554-afa2c32c9390]
module.greco2_admin_service.keycloak_openid_client.openid_client_public: Refreshing state... [id=ee788799-a71b-488f-b2d1-24eff3230ff0]
module.topgroups_v1.keycloak_group.root_group_v1: Refreshing state... [id=ea3ba4eb-6577-442d-8840-bcb9f134a091]
module.scheduler_service.keycloak_openid_client.openid_client_public: Refreshing state... [id=6ee77559-5c0f-40d9-94c7-9cbfa6a07120]
module.convocation_service.keycloak_openid_client.openid_client_public: Refreshing state... [id=04672723-7b2f-49ec-9faf-e6dbb36d481c]
module.appointment_service.keycloak_openid_client.openid_client_public: Refreshing state... [id=70990192-e12f-4c7d-b471-da42e80caccf]
module.person_service.keycloak_openid_client.openid_client_public: Refreshing state... [id=a23688b7-2f72-4a1d-9a49-f06ce3ae1cfb]
module.dpa_eds_proxy.keycloak_openid_client.openid_client_public: Refreshing state... [id=39a7fc8a-3888-4fa9-ac98-6bebdd434b6a]
module.barcode_service.keycloak_openid_client.openid_client_public: Refreshing state... [id=663eb74b-2034-4039-b199-df3337530972]
module.patient_service.keycloak_openid_client.openid_client_public: Refreshing state... [id=2699f039-9377-4ed7-be63-2c0a4acee2b8]
module.vaccination_service.keycloak_openid_client.openid_client_public: Refreshing state... [id=14901b1f-5172-4a93-ba25-67ac1effcb85]
module.greco2_service.keycloak_openid_client.openid_client_public: Refreshing state... [id=6916522d-0392-4a20-9af3-40a16279a7a6]
module.topgroups_v1.keycloak_group.kc_apps_group_v1: Refreshing state... [id=9a622dca-d2f1-4d36-b2f0-16eb23756075]
module.topgroups_v1.keycloak_group.ad_apps_group_v1: Refreshing state... [id=164904b5-746a-44f5-bc19-c72a56ddd3d5]
keycloak_role.appointment_search: Refreshing state... [id=8134267e-a889-4f91-8a18-fa1800a22733]
keycloak_role.appointment_read: Refreshing state... [id=3928e392-7103-4740-8cee-da5e01ea6798]
keycloak_role.appointment_write: Refreshing state... [id=c5a110b9-dc6d-44c6-81b9-89e6801c99ad]
keycloak_role.appointment_delete: Refreshing state... [id=2518ddde-04cd-4a34-9407-3f08c14db8f0]
keycloak_role.convocation_delete: Refreshing state... [id=e94df5a6-2799-4c61-ac3b-c6f8f4241556]
keycloak_role.convocation_admin: Refreshing state... [id=e08c013b-dbe8-4e9c-a6a3-843702234a87]
keycloak_role.convocation_zap_admin: Refreshing state... [id=f0643e4d-a210-45a6-9596-2b8bf70566df]
keycloak_role.convocation_read: Refreshing state... [id=7f31f50a-4c3c-46d4-92e5-53008eca7354]
keycloak_role.convocation_write: Refreshing state... [id=c0df1d55-a4a7-4661-bdc0-802e372f6ab9]
keycloak_role.greco2_zap_admin: Refreshing state... [id=34509ef2-6c2b-4355-a5e8-84815493ffcd]
keycloak_role.greco2_admin: Refreshing state... [id=31c92a81-03ef-4841-8baf-f8a919273aca]
keycloak_role.careepisode_read: Refreshing state... [id=66a9a3c3-45c8-4bbf-bcd4-1787ad8b432c]
keycloak_role.careepisodes_read: Refreshing state... [id=0dffac51-4c48-4d4c-b121-9d04dc0c9f8f]
keycloak_role.barcode_read: Refreshing state... [id=d8490af9-c5fb-49fb-b99d-c988a70ebf41]
keycloak_role.barcode_write: Refreshing state... [id=802ac288-b673-484b-affd-dccb92e518bc]
keycloak_role.person_read: Refreshing state... [id=baa69a52-74dc-4b6c-a26c-cc8fd2a4950e]
keycloak_role.person_search: Refreshing state... [id=f55692c4-3d54-4260-9cc7-34012879f2cd]
keycloak_role.person_address_read: Refreshing state... [id=0cca02d4-82fe-4239-97d2-2bcf934103c9]
keycloak_role.person_telecom_read: Refreshing state... [id=cb550360-f881-4b6c-b436-32e73bd12eb2]
keycloak_role.patient_read: Refreshing state... [id=0028aebb-da70-49f7-963c-6cd839fb5ba6]
keycloak_role.patient_telecom_read: Refreshing state... [id=a82ac176-abcc-421e-a76a-2761817530b3]
keycloak_role.patient_search: Refreshing state... [id=abd9328d-a1aa-4203-93bf-6ddefc1509ee]
keycloak_role.patient_address_read: Refreshing state... [id=c7af7eb9-4253-4c7b-8de1-fb9b1dabe9d6]
keycloak_role.disease_write: Refreshing state... [id=93afce6a-e0c0-43f8-883b-c58ed7d335b8]
keycloak_role.vaccination_write: Refreshing state... [id=a0694cd9-6518-47df-80fc-02faf4836385]
keycloak_role.vaccination_read: Refreshing state... [id=e141b5e5-2849-4b22-8469-da7b8b75a5e4]
keycloak_role.preventing_read: Refreshing state... [id=f1309da4-abe1-4dde-a877-799947cf9185]
keycloak_role.preventing_write: Refreshing state... [id=3265f62b-f1ca-4c1e-91bb-46d65ace0fe9]
keycloak_role.greco2_delete: Refreshing state... [id=a5b71f37-64a8-4e23-96ef-5865a1deba7e]
keycloak_role.disease_read: Refreshing state... [id=77dc0fa6-fcee-4d26-be51-dd1f8fbffcbd]
keycloak_group.test_kc_group1: Refreshing state... [id=9e5dcc39-04c9-42b7-8d05-39dea1c48f4c]
keycloak_role.scheduler_available_slots_read: Refreshing state... [id=aec107dd-1313-4aec-a518-a49901d27b61]
keycloak_role.scheduler_activity_canvas_read: Refreshing state... [id=4059f441-083e-4010-bf0c-a0af5e3f4290]
keycloak_role.greco2_read: Refreshing state... [id=68230a60-03be-47bf-bfee-755f00bcea51]
keycloak_role.greco2_write: Refreshing state... [id=305f1274-c604-4a5c-b2df-f3dce02960ac]
keycloak_group_roles.DPI_VACCINATION_COMMENT_WRITE_roles: Refreshing state... [id=collaborator/32ea50aa-71e2-4221-bc06-3a9ec56fbf6a]
keycloak_group.test_ad_group1: Refreshing state... [id=06d75634-5504-46f6-a996-47de559b84ec]
keycloak_group_roles.DPI_VACCINATION_READ_roles: Refreshing state... [id=collaborator/a1f61342-fd1e-46f1-8ddd-dd736a940477]
keycloak_group_roles.DPI_VACCINATION_WRITE_roles: Refreshing state... [id=collaborator/d3300331-a361-4eaf-9f0d-009d5cf5fe5f]
keycloak_group_roles.AGDGRECO2_ADMIN_GLOBALE_roles: Refreshing state... [id=collaborator/dda75e26-60ab-4cf4-aafb-2f45287f8d25]
keycloak_group_roles.AGDGRECO2_SYNCHRO_EXCHANGE_AGI_roles: Refreshing state... [id=collaborator/f8792774-bb23-42cf-a372-84638b45bf75]
keycloak_group_roles.AGDGRECO2_PLANIFICATION_RDV_roles: Refreshing state... [id=collaborator/1d022941-4eab-475f-8d35-b4783292aa33]
keycloak_group_roles.AGDGRECO2_CONFIGURATION_SERVICE_roles: Refreshing state... [id=collaborator/243f7f41-3635-4428-9dea-7b34320905b5]
keycloak_role.vaccination_comment: Destroying... [id=62945a59-2d7b-47af-9554-afa2c32c9390]
keycloak_role.vaccination_update: Creating...
keycloak_role.patient_consent_read: Creating...
keycloak_role.patient_identifier_read: Creating...
keycloak_role.vaccination_search: Creating...
keycloak_role.vaccination_comment_search: Creating...
keycloak_role.vaccine_read: Creating...
keycloak_role.vaccination_comment_update: Creating...
keycloak_role.vaccination_comment_read: Creating...
keycloak_role.patient_consent_search: Creating...
keycloak_role.vaccination_update: Creation complete after 1s [id=13ffb276-1430-4714-808c-3ee636dcc800]
keycloak_role.patient_consent_read: Creation complete after 1s [id=c58c17fd-1fb0-4ee6-ba93-ae2e34213f5f]
keycloak_role.patient_identifier_read: Creation complete after 1s [id=490daf78-d6dd-4e6d-99f1-354139423a22]
keycloak_role.vaccine_read: Creation complete after 1s [id=c0e9ddc6-c842-4550-82cd-c6131ac1fa06]
keycloak_role.vaccine_update: Creating...
keycloak_role.vaccination_create: Creating...
keycloak_role.patient_consent_create: Creating...
keycloak_group_roles.AGDGRECO2_SYNCHRO_EXCHANGE_AGI_roles: Modifying... [id=collaborator/f8792774-bb23-42cf-a372-84638b45bf75]
keycloak_role.vaccination_search: Creation complete after 1s [id=fe04a183-eaa6-4c0e-aee2-754da19a5d59]
keycloak_role.vaccine_create: Creating...
keycloak_role.vaccination_comment_update: Creation complete after 1s [id=31c3e0e0-86e9-4f3b-90a4-2f5888f40501]
keycloak_role.patient_identifier_create: Creating...
keycloak_role.patient_consent_search: Creation complete after 1s [id=a2ba8f54-3b8d-4d2f-8208-31ee0703d3e2]
keycloak_role.disease_search: Creating...
keycloak_role.vaccination_comment_read: Creation complete after 1s [id=7e292b07-b5cf-4d67-823b-255c261db7fc]
keycloak_role.vaccine_search: Creating...
keycloak_role.vaccination_comment_search: Creation complete after 1s [id=e64d6d25-ffd3-414d-9541-7140c12e6b82]
keycloak_role.appointment_update: Creating...
keycloak_role.vaccination_comment: Destruction complete after 1s
keycloak_role.patient_identifier_search: Creating...
keycloak_role.vaccination_create: Creation complete after 0s [id=f04d8cd1-70ad-47cf-8eb7-a507a5c84af1]
keycloak_role.patient_consent_delete: Creating...
keycloak_role.patient_identifier_create: Creation complete after 0s [id=a276e4d0-d700-4ad3-b928-5e88b792c195]
keycloak_role.vaccination_comment_create: Creating...
keycloak_role.patient_consent_create: Creation complete after 0s [id=d98fcd7b-5da4-4309-bd77-6560e5e46564]
keycloak_role.vaccination_comment_delete: Creating...
keycloak_role.vaccine_create: Creation complete after 0s [id=b1673071-54d4-47ac-8571-2a8774cced6a]
keycloak_role.vaccine_update: Creation complete after 0s [id=82bd9930-91a9-486f-88e8-07b754eaabe6]
keycloak_role.patient_identifier_delete: Creating...
keycloak_role.preventing_search: Creating...
keycloak_role.disease_search: Creation complete after 0s [id=76e6ed56-48eb-48e7-93af-d47bf605dc0a]
keycloak_role.vaccine_search: Creation complete after 0s [id=fe12baa6-f687-4c11-9fdf-5095f08f9987]
keycloak_role.appointment_update: Creation complete after 0s [id=2a2d6102-5432-41cd-88e9-ed549261c839]
keycloak_group_roles.AGDGRECO2_CONFIGURATION_SERVICE_roles: Modifying... [id=collaborator/243f7f41-3635-4428-9dea-7b34320905b5]
keycloak_group_roles.AGDGRECO2_PLANIFICATION_RDV_roles: Modifying... [id=collaborator/1d022941-4eab-475f-8d35-b4783292aa33]
keycloak_group_roles.AGDGRECO2_ADMIN_GLOBALE_roles: Modifying... [id=collaborator/dda75e26-60ab-4cf4-aafb-2f45287f8d25]
keycloak_group_roles.AGDGRECO2_SYNCHRO_EXCHANGE_AGI_roles: Modifications complete after 0s [id=collaborator/f8792774-bb23-42cf-a372-84638b45bf75]
keycloak_role.vaccination_comment_delete: Creation complete after 0s [id=1071dbed-329b-4ce9-b2ef-b87ae7c77312]
keycloak_role.patient_identifier_delete: Creation complete after 0s [id=f12c658c-f5ef-4f72-8b0c-b5e84973ce78]
keycloak_role.patient_consent_delete: Creation complete after 0s [id=d9b8a303-ed81-4e7b-8a84-0c8a59f779ad]
keycloak_group_roles.DPI_VACCINATION_WRITE_roles: Modifying... [id=collaborator/d3300331-a361-4eaf-9f0d-009d5cf5fe5f]
keycloak_role.vaccination_comment_create: Creation complete after 0s [id=b41ecb54-c2bc-4c21-9fa4-1d04b5b73b4f]
keycloak_role.patient_identifier_search: Creation complete after 0s [id=88c58b9f-7bc0-4401-842e-53f9f1e94c78]
keycloak_group_roles.DPI_VACCINATION_COMMENT_WRITE_roles: Modifying... [id=collaborator/32ea50aa-71e2-4221-bc06-3a9ec56fbf6a]
keycloak_role.preventing_search: Creation complete after 0s [id=18882b8c-f1a2-447a-82b8-67b46960ffe4]
keycloak_group_roles.DPI_VACCINATION_READ_roles: Modifying... [id=collaborator/a1f61342-fd1e-46f1-8ddd-dd736a940477]
keycloak_group_roles.DPI_VACCINATION_WRITE_roles: Modifications complete after 0s [id=collaborator/d3300331-a361-4eaf-9f0d-009d5cf5fe5f]
keycloak_group_roles.AGDGRECO2_CONFIGURATION_SERVICE_roles: Modifications complete after 0s [id=collaborator/243f7f41-3635-4428-9dea-7b34320905b5]
keycloak_group_roles.AGDGRECO2_PLANIFICATION_RDV_roles: Modifications complete after 0s [id=collaborator/1d022941-4eab-475f-8d35-b4783292aa33]
keycloak_group_roles.DPI_VACCINATION_READ_roles: Modifications complete after 0s [id=collaborator/a1f61342-fd1e-46f1-8ddd-dd736a940477]
keycloak_group_roles.AGDGRECO2_ADMIN_GLOBALE_roles: Modifications complete after 0s [id=collaborator/dda75e26-60ab-4cf4-aafb-2f45287f8d25]

Error: error sending GET request to /auth/admin/realms/collaborator/roles-by-id/62945a59-2d7b-47af-9554-afa2c32c9390: 404 Not Found. Response body: {"error":"Could not find role with id"}

[mrparkers]

Hi @semangard 👋

Based on the logs you provided, it looks like the role with ID 62945a59-2d7b-47af-9554-afa2c32c9390 was destroyed, but that ID was still being used within a keycloak_group_roles resource, or within another keycloak_role resource that's using composite roles. It's not super clear what the problem is.

Would you be able to provide a minimal Terraform configuration that reproduces this issue?

[semangard]

Hello @mrparkers,
I do not have the same analysis of the issue.

• The role with ID 62945a59-2d7b-47af-9554-afa2c32c9390 was assigned previously to a group.
• Then I deciced to remove the role and thus also to remove its assignment to the group.
• But it seems that the TF provider :
  -> started deleting the role
  -> and then tryied to remove the assignment which failed because the role was 1st deleted

According to me the order of the steps should be the opposite:

1. Remove the assignment of the role to the group
2. Delete the role

Here is my commit where the role deleted was also unassigned to the group (commented it)

Please not:

• that TF PLAN was correct... I checked it before executing TF APPLY and got the failure.
• I did not removed only things I also added things (roles and assigments to same group), maybe it can influence the way order is defined....

[semangard]

I have been able to reproduce it the failure at 100%:

Here is the plan:

Here is the execution with the failure at the end:

keycloak_role.client1_role11: Refreshing state... [id=d6ace9c8-66ca-41f8-8625-5cb66ddd3817]
module.topgroups_v1.keycloak_group.root_group_v1: Refreshing state... [id=41b811cc-40f7-4e2a-b7bd-c265037f0fa7]
module.topgroups_v1.keycloak_group.kc_apps_group_v1: Refreshing state... [id=50eba6f3-d2c9-4335-90ee-644b4a504bc1]
module.topgroups_v1.keycloak_group.ad_apps_group_v1: Refreshing state... [id=7545e862-65c4-4de9-bcfb-bc6d9d6e239b]
keycloak_role.client2_role21: Refreshing state... [id=cd2b279c-1ab2-4843-84df-0537629131f1]
keycloak_role.client2_role22: Refreshing state... [id=857b3a5c-a7c5-48dd-b66e-c317c0bbb35e]
keycloak_group.test_group2: Refreshing state... [id=0a80dbc1-de4a-431c-93e5-0f8d15ae8a56]
keycloak_role.client3_roles[74]: Refreshing state... [id=d8374042-2305-4a1e-b6d7-6978a9346d42]
keycloak_role.client3_roles[69]: Refreshing state... [id=8fff15f0-b99e-49a0-8bfa-6690f5acf799]
keycloak_role.client3_roles[73]: Refreshing state... [id=3f466135-3ec0-4b1d-82d2-b813dc9511e0]
keycloak_role.client3_roles[32]: Refreshing state... [id=1deb5a05-f14e-4cf7-9535-4736b0dccee2]
keycloak_role.client3_roles[28]: Refreshing state... [id=5612de00-797b-4af4-9596-4959bda059e2]
keycloak_role.client3_roles[46]: Refreshing state... [id=aad2682c-51ab-4f7f-b82f-2e98aafd866a]
keycloak_role.client3_roles[80]: Refreshing state... [id=218f5297-a19d-49f6-aa1b-c4238c188e7c]
keycloak_role.client3_roles[31]: Refreshing state... [id=84c538ab-2981-4e3c-a69e-a1219e6d7415]
keycloak_role.client3_roles[16]: Refreshing state... [id=1071f385-4a8f-4a8d-a93c-5fa8a8f61a7d]
keycloak_role.client3_roles[63]: Refreshing state... [id=901fe845-c40d-412c-976d-70f729e9ef4e]
keycloak_role.client3_roles[5]: Refreshing state... [id=bf330b24-8888-4d13-82dd-1fd48d9fb767]
keycloak_role.client3_roles[14]: Refreshing state... [id=d92a93fc-932d-4bdf-9126-b1d0647358b7]
keycloak_role.client3_roles[45]: Refreshing state... [id=b31f6b5a-938f-4597-b42c-15dc749d955c]
keycloak_role.client3_roles[21]: Refreshing state... [id=f54f7cdc-4407-4ddb-bef2-d866d4ec1795]
keycloak_role.client3_roles[54]: Refreshing state... [id=a622d718-5df2-4f6d-86f7-316b6567a579]
keycloak_role.client3_roles[71]: Refreshing state... [id=e6a7a937-af16-4f73-8fad-77da6ba95eee]
keycloak_role.client3_roles[35]: Refreshing state... [id=b3564cfd-678b-451b-8f7a-db21b5cc964c]
keycloak_role.client3_roles[33]: Refreshing state... [id=fc25c342-41ea-43af-8bed-8ace4666c468]
keycloak_role.client3_roles[96]: Refreshing state... [id=9cb43376-14a6-4a55-a84d-b4f77bc0167d]
keycloak_role.client3_roles[9]: Refreshing state... [id=0009c84a-bb0b-4c5a-9fbf-27eee29200b5]
keycloak_role.client3_roles[17]: Refreshing state... [id=30cd083e-ee53-4035-b324-f46d20f5a039]
keycloak_role.client3_roles[22]: Refreshing state... [id=c86a9eb1-df35-45de-b7d4-579fafe7369a]
keycloak_role.client3_roles[15]: Refreshing state... [id=7662acfd-c16e-4813-8d76-955e9ce134b3]
keycloak_role.client3_roles[1]: Refreshing state... [id=0854c807-e7bc-4097-9633-95799849baf6]
keycloak_role.client3_roles[8]: Refreshing state... [id=12cd0f89-2553-43fe-9aef-62068a96a340]
keycloak_role.client3_roles[72]: Refreshing state... [id=812c57e8-c777-4db5-ad20-60303172be1f]
keycloak_role.client3_roles[84]: Refreshing state... [id=49952d39-30c1-41c4-8177-1fb15c668536]
keycloak_role.client3_roles[49]: Refreshing state... [id=bac94c5e-e337-4bd6-bbb1-43f4ef8b6461]
keycloak_role.client3_roles[56]: Refreshing state... [id=728e12c9-f76d-4c70-9f48-dd92d8537c74]
keycloak_role.client3_roles[90]: Refreshing state... [id=fa6bcaab-9203-4d74-9d9a-d08ef8888ca0]
keycloak_role.client3_roles[41]: Refreshing state... [id=d64cc6d6-31ae-4c1d-858f-b9e55469b307]
keycloak_role.client3_roles[60]: Refreshing state... [id=43bc1466-c5e2-4788-af08-bb8fddffdf6b]
keycloak_role.client3_roles[93]: Refreshing state... [id=43b9de4f-391f-40e3-b46c-36debd82412c]
keycloak_role.client3_roles[36]: Refreshing state... [id=4b5a7237-8a2f-445f-b575-893e424bcec5]
keycloak_role.client3_roles[67]: Refreshing state... [id=b7392aeb-5f77-4335-8758-6d15135b4d13]
keycloak_role.client3_roles[3]: Refreshing state... [id=d7a027e9-511f-4034-ba32-b766c309a83e]
keycloak_role.client3_roles[12]: Refreshing state... [id=99c12003-a5dc-4846-95d8-f869f53b1879]
keycloak_role.client3_roles[4]: Refreshing state... [id=84825cb4-091b-434b-890a-939ac5217e1e]
keycloak_role.client3_roles[39]: Refreshing state... [id=ca08f1d3-ce1f-4a6e-8cd2-1c194185d6f6]
keycloak_role.client3_roles[51]: Refreshing state... [id=68a0ef05-74f2-405d-9021-da6d63179adb]
keycloak_role.client3_roles[89]: Refreshing state... [id=4cdc595a-8879-4ac2-ad61-67ce0a9379b6]
keycloak_role.client3_roles[53]: Refreshing state... [id=5533466f-9c84-41aa-b2f9-ab62c25d74ac]
keycloak_role.client3_roles[94]: Refreshing state... [id=6f438da0-fb79-4c25-b358-f50bb1c2bd1d]
keycloak_role.client3_roles[58]: Refreshing state... [id=b827cfb2-8561-40ab-9b00-9982f7f59fe7]
keycloak_role.client3_roles[97]: Refreshing state... [id=160c1563-600d-42b3-ba97-c5d3dcfa861b]
keycloak_role.client3_roles[27]: Refreshing state... [id=a6ff5fd4-2f50-43cb-a949-06aeda96610d]
keycloak_role.client3_roles[79]: Refreshing state... [id=1f014af6-6a32-4e28-8f9f-13c2ab70f75a]
keycloak_role.client3_roles[68]: Refreshing state... [id=86832459-1a60-4791-a7c5-6873e94b3cdc]
keycloak_role.client3_roles[83]: Refreshing state... [id=693f7c1f-4569-4dd1-b366-ee1891d869ef]
keycloak_role.client3_roles[6]: Refreshing state... [id=75cdf7b1-92d4-4f25-aed8-2873936e542b]
keycloak_role.client3_roles[20]: Refreshing state... [id=e1daaab3-f358-4ea2-8867-19783562052b]
keycloak_role.client3_roles[62]: Refreshing state... [id=f1d1ad74-3d7e-4aa7-85a1-10c07eaff64b]
keycloak_role.client3_roles[91]: Refreshing state... [id=8e580bc8-1988-4df8-97df-d87451ce6f70]
keycloak_role.client3_roles[37]: Refreshing state... [id=4a354658-37c1-43f8-9f8f-81c8ea80a1dd]
keycloak_role.client3_roles[75]: Refreshing state... [id=4e705bdc-168f-4617-8815-2c6b711a746a]
keycloak_role.client3_roles[99]: Refreshing state... [id=c4fa6002-1f84-460a-ae96-0cde4e1fbed0]
keycloak_role.client3_roles[61]: Refreshing state... [id=e3666be7-7248-46c7-bb6a-71dde4b61e25]
keycloak_role.client3_roles[78]: Refreshing state... [id=9ef9d22b-c141-451e-86cc-56b319b6bfe9]
keycloak_role.client3_roles[82]: Refreshing state... [id=60c7a695-40f5-4b6a-891f-e21ad252e14e]
keycloak_role.client3_roles[47]: Refreshing state... [id=92aaf7a8-c4d1-4a90-bb36-f8a3ca62de73]
keycloak_role.client3_roles[98]: Refreshing state... [id=ed48831a-aaa2-466c-aec0-ddbe5a01398b]
keycloak_role.client3_roles[81]: Refreshing state... [id=635fa11e-627a-4bf7-9a5b-3a878612c6c1]
keycloak_role.client3_roles[19]: Refreshing state... [id=c3cb2543-5fa9-4c46-8406-0217b6b7a3a9]
keycloak_role.client3_roles[24]: Refreshing state... [id=a0f6c129-741d-492a-b76e-c4b8bbcb7258]
keycloak_role.client3_roles[55]: Refreshing state... [id=e25c99f9-be31-4049-9501-ee1e66fb9c34]
keycloak_role.client3_roles[52]: Refreshing state... [id=df0cfc06-4bdc-4bde-a48e-eff54f4714ab]
keycloak_role.client3_roles[64]: Refreshing state... [id=a4dd9aca-e30d-42c3-b58a-7d46ba0fa484]
keycloak_role.client3_roles[18]: Refreshing state... [id=f79c9400-5540-4bea-b706-3a5fcd7a2f77]
keycloak_role.client3_roles[66]: Refreshing state... [id=ea587581-3a69-40d5-b175-330c08570cf4]
keycloak_role.client3_roles[77]: Refreshing state... [id=313ed25c-20fd-4b8c-963c-993fc9c9717a]
keycloak_role.client3_roles[88]: Refreshing state... [id=a274c0d8-d471-4bad-a52e-14a9c8bbf0a8]
keycloak_role.client3_roles[25]: Refreshing state... [id=7ee1c449-b68e-49b8-a9a7-9c0a06470ad9]
keycloak_role.client3_roles[0]: Refreshing state... [id=f771ffe6-23a2-42c2-ac3e-b41dfaa98f9e]
keycloak_role.client3_roles[7]: Refreshing state... [id=c76b074d-4b10-455d-a894-4bfae158e8a3]
keycloak_role.client3_roles[23]: Refreshing state... [id=ecb30397-a8a2-4c07-94e2-1527d66b52f5]
keycloak_role.client3_roles[43]: Refreshing state... [id=6d670c09-e3dc-4469-9009-ed562dfa6cf5]
keycloak_role.client3_roles[30]: Refreshing state... [id=0af8be92-45f3-464e-b417-fefc86b6eb44]
keycloak_role.client3_roles[50]: Refreshing state... [id=eacc8142-8f35-4664-9b22-d31bd53bbdea]
keycloak_role.client3_roles[65]: Refreshing state... [id=f566a5cf-0a19-4daa-9818-5a63c8fff335]
keycloak_role.client3_roles[86]: Refreshing state... [id=192cc2e9-c54d-46cd-a1c0-d36abfe43990]
keycloak_role.client3_roles[34]: Refreshing state... [id=ba96658d-26bd-490f-a7c2-aecf45425cfd]
keycloak_role.client3_roles[42]: Refreshing state... [id=5a8ca6a8-aed1-4181-abd8-279c90903e33]
keycloak_role.client3_roles[38]: Refreshing state... [id=cdf040ae-ca8d-43e4-80bb-d682aab73ab5]
keycloak_role.client3_roles[70]: Refreshing state... [id=ef5faa10-f1a9-4935-90f5-5067ca026349]
keycloak_role.client3_roles[44]: Refreshing state... [id=cbf17f1c-aeba-4760-b856-402621f37483]
keycloak_role.client3_roles[59]: Refreshing state... [id=98c4f35c-0ce5-452b-a292-c1f00c2855a5]
keycloak_role.client3_roles[2]: Refreshing state... [id=cb473519-502a-4e56-8572-175e7b58977c]
keycloak_role.client3_roles[13]: Refreshing state... [id=af277081-a800-40b4-8f6e-dacca6d6efa9]
keycloak_role.client3_roles[85]: Refreshing state... [id=d063e9c8-c53e-4319-a1da-65c594eaa542]
keycloak_role.client3_roles[10]: Refreshing state... [id=0786975e-6c9d-414f-b3c0-051445a10613]
keycloak_role.client3_roles[40]: Refreshing state... [id=0504b694-2488-4fff-9af8-c40cf4a7ac73]
keycloak_role.client3_roles[48]: Refreshing state... [id=106b17e7-4092-482e-b3e5-6edec35f5d21]
keycloak_role.client3_roles[95]: Refreshing state... [id=f9f2c4a0-1b77-436e-94a5-befb0ac5c72c]
keycloak_role.client3_roles[92]: Refreshing state... [id=3f2ebef7-51ab-4163-82d2-e47cb7cf4367]
keycloak_role.client3_roles[26]: Refreshing state... [id=fed76365-1420-4de7-b940-14dedf647fb1]
keycloak_role.client3_roles[11]: Refreshing state... [id=9a839173-dff9-44d9-8f0b-b3dac5f4980c]
keycloak_role.client3_roles[29]: Refreshing state... [id=df0912b4-a126-439c-927f-7d879d9a745d]
keycloak_role.client3_roles[87]: Refreshing state... [id=e035aff4-b115-42b2-9a97-912ef2c79bab]
keycloak_role.client3_roles[76]: Refreshing state... [id=3b3aa791-2aae-46d4-b600-e62d3d1f4e93]
keycloak_role.client3_roles[57]: Refreshing state... [id=53864175-fea4-4214-9ada-4f5561969f59]
keycloak_group.test_group1: Refreshing state... [id=035d6236-0ea6-410e-9bc1-18242108c64f]
keycloak_group_roles.group0_roles: Refreshing state... [id=test-terraform1/9ea6ee41-1542-4e82-81cb-dd86ad821f01]
keycloak_group_roles.groupUP1_roles: Refreshing state... [id=test-terraform1/0a80dbc1-de4a-431c-93e5-0f8d15ae8a56]
keycloak_group_roles.group1_roles: Refreshing state... [id=test-terraform1/035d6236-0ea6-410e-9bc1-18242108c64f]
keycloak_role.client1_role11: Destroying... [id=d6ace9c8-66ca-41f8-8625-5cb66ddd3817]
keycloak_role.client1_role12: Creating...
keycloak_role.client1_role11: Destruction complete after 0s
keycloak_role.client1_role12: Creation complete after 0s [id=64c95d1e-a7b8-47c7-87fe-15a2b6c8a491]
keycloak_group_roles.group0_roles: Modifying... [id=test-terraform1/9ea6ee41-1542-4e82-81cb-dd86ad821f01]

Error: error sending GET request to /auth/admin/realms/test-terraform1/roles-by-id/d6ace9c8-66ca-41f8-8625-5cb66ddd3817: 404 Not Found. Response body: {"error":"Could not find role with id"}

[semangard]

@mrparkers : do you confirm my analysis (cf. reproduce case) and thus that there is a bug ?

[mrparkers]

Hey @semangard, I was able to reproduce this locally. Thanks for the detailed bug report. I opened #538 to fix this.

[semangard]

Hi @mrparkers
👍

BTW I am wondering if we could face the same issue with other realtionships (associations between objects) like for example:

• users <-> groups
• composite roles <-> roles
• ...

Maybe it should be checked also.

[mrparkers]

Good point - although I did check for this before I submitted the PR. The keycloak_group_roles resource is a bit different due to the need to differentiate between client roles and realm roles, so we have to query for each role before computing the changes to make. That's where the 404 error was coming from in your logs.

[semangard]

Hello @mrparkers
I still have the issue this morning

Despite I am using latest version :

Have you released the fix ?
Or could you please re-open the issue ?

[semangard]

Hi @mrparkers
Could you please check ?

[mrparkers]

Hey @semangard, this seems like a different issue. I can try to reproduce this if you can give me a sample HCL snippet to work with.

[semangard]

Roles are associated to groups :

When i did these changes all at a time then I got the error
Please notice that I executed the same code on 3 differents envs : I always got at least one error but it seems the execution is not exactly always the same (for sure due to parallelism) and thus I could have more or less errors
After a 2nd execution on the same env then it is OK : no more error

According to me it is still more or less the same kind of issue : order on how things are applied : if a role is deleted or recreated (here because roles are moved from a managed resource to a read-only resource => new ID) then this role sould be:
-1- removed to associated groups.
-2- deleted / recreated
-3- associated to groups again (name of the role is still the same but its ID is different)

[mrparkers]

Hey @semangard, I tried to follow your instructions, but I wasn't able to reproduce this.

I tried writing some HCL similar to what I saw in your screenshots - an openid client, a few client roles, a few groups, and some group role assignments. Then, I added a data source for the openid client and referenced that with the roles, and got no changes from Terraform (as expected). I also tried adding a new client and moving the roles to that client, and everything was recreated auccessfully.

It would help me if you could give me some exact HCL to copy/paste, and instructions on how to modify the HCL to reproduce this. Thanks!

[semangard]

Hi @mrparkers
I tried to build a smaller example in order to share it with you
but I was unable to reproduce it
the only change is that I am using now the version v3.2.0 of your provider
if it happens again I will then tell you

[mrparkers]

Closing for now, feel free to open if this issue comes back.