keycloak_openid_client_permissions and keycloak_users_permissions require to explicitly define all scopes #586

Closed
acolombier opened this issue Sep 6, 2021 · 4 comments · Fixed by #591


acolombier commented Sep 6, 2021

Issue

A keycloak_openid_client_permissions without all the scopes defined leads to a crash at refresh

resource "keycloak_openid_client_permissions" "example" {
  realm_id  = "MyRealm"
  client_id = "MyClientId"

  token_exchange_scope {
    policies = [
      "MyPolicyId",
    ]
    description       = "A description"
    decision_strategy = "UNANIMOUS"
  }
}

Similarly, a keycloak_users_permissions without all the scopes defined leads to a crash at refresh

resource "keycloak_users_permissions" "example" {
  realm_id  = "MyRealm"

  manage_scope {
    policies = [
      "MyPolicyId",
    ]
    description       = "A description"
    decision_strategy = "UNANIMOUS"
  }
}

Traceback

(keycloak_openid_client_permissions)

Stack trace from the terraform-provider-keycloak_v3.3.0 plugin:

panic: interface conversion: interface {} is nil, not string

goroutine 232 [running]:
github.com/mrparkers/terraform-provider-keycloak/provider.resourceKeycloakUsersPermissionsRead(0xc00081cf80, 0x102e2e0, 0xc0007b8ae0, 0x178fa10, 0xc000808400)
        github.com/mrparkers/terraform-provider-keycloak/provider/resource_keycloak_users_permissions.go:127 +0xcff
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc00065b5e0, 0x11d42e8, 0xc0006a7440, 0xc00081cf80, 0x102e2e0, 0xc0007b8ae0, 0x0, 0x0, 0x0)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/resource.go:335 +0x1ee
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc00065b5e0, 0x11d42e8, 0xc0006a7440, 0xc00072d420, 0x102e2e0, 0xc0007b8ae0, 0xc00037c710, 0x0, 0x0, 0x0)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/resource.go:624 +0x1cb
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc00000cde0, 0x11d42e8, 0xc0006a7440, 0xc0006a7480, 0xc0006a7440, 0x40b965, 0xfa9040)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/grpc_provider.go:575 +0x43b
github.com/hashicorp/terraform-plugin-go/tfprotov5/server.(*server).ReadResource(0xc0005e8860, 0x11d4390, 0xc0006a7440, 0xc000677f20, 0xc0005e8860, 0xc000797620, 0xc00016dba0)
        github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/server/server.go:298 +0x105
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler(0xfe6d40, 0xc0005e8860, 0x11d4390, 0xc000797620, 0xc000677ec0, 0x0, 0x11d4390, 0xc000797620, 0xc00071a180, 0x171)
        github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:344 +0x214
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0004e41c0, 0x11dcb58, 0xc000102900, 0xc000394c00, 0xc000796930, 0x174fed0, 0x0, 0x0, 0x0)
        google.golang.org/grpc@v1.32.0/server.go:1194 +0x52b
google.golang.org/grpc.(*Server).handleStream(0xc0004e41c0, 0x11dcb58, 0xc000102900, 0xc000394c00, 0x0)
        google.golang.org/grpc@v1.32.0/server.go:1517 +0xd0c
google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc0004c0190, 0xc0004e41c0, 0x11dcb58, 0xc000102900, 0xc000394c00)
        google.golang.org/grpc@v1.32.0/server.go:859 +0xab
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.32.0/server.go:857 +0x1fd

Error: The terraform-provider-keycloak_v3.3.0 plugin crashed!

(keycloak_users_permissions)

Stack trace from the terraform-provider-keycloak_v3.3.0 plugin:

panic: interface conversion: interface {} is nil, not string

goroutine 157 [running]:
github.com/mrparkers/terraform-provider-keycloak/provider.resourceKeycloakUsersPermissionsRead(0xc0000f6b80, 0x102e2e0, 0xc0003864e0, 0x178fa10, 0xc000680000)
        github.com/mrparkers/terraform-provider-keycloak/provider/resource_keycloak_users_permissions.go:127 +0xcff
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc0002175e0, 0x11d42e8, 0xc000317680, 0xc0000f6b80, 0x102e2e0, 0xc0003864e0, 0x0, 0x0, 0x0)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/resource.go:335 +0x1ee
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc0002175e0, 0x11d42e8, 0xc000317680, 0xc0001481c0, 0x102e2e0, 0xc0003864e0, 0xc00011c3c0, 0x0, 0x0, 0x0)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/resource.go:624 +0x1cb
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc000304618, 0x11d42e8, 0xc000317680, 0xc0003176c0, 0xc000317680, 0x40b965, 0xfa9040)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/grpc_provider.go:575 +0x43b
github.com/hashicorp/terraform-plugin-go/tfprotov5/server.(*server).ReadResource(0xc00038a420, 0x11d4390, 0xc000317680, 0xc00068ca80, 0xc00038a420, 0xc0004fb290, 0xc00047bba0)
        github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/server/server.go:298 +0x105
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler(0xfe6d40, 0xc00038a420, 0x11d4390, 0xc0004fb290, 0xc00068ca20, 0x0, 0x11d4390, 0xc0004fb290, 0xc00058c780, 0x171)
        github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:344 +0x214
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0003356c0, 0x11dcb58, 0xc000643e00, 0xc00037e600, 0xc0001d1530, 0x174fed0, 0x0, 0x0, 0x0)
        google.golang.org/grpc@v1.32.0/server.go:1194 +0x52b
google.golang.org/grpc.(*Server).handleStream(0xc0003356c0, 0x11dcb58, 0xc000643e00, 0xc00037e600, 0x0)
        google.golang.org/grpc@v1.32.0/server.go:1517 +0xd0c
google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc0001221b0, 0xc0003356c0, 0x11dcb58, 0xc000643e00, 0xc00037e600)
        google.golang.org/grpc@v1.32.0/server.go:859 +0xab
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.32.0/server.go:857 +0x1fd

Error: The terraform-provider-keycloak_v3.3.0 plugin crashed!

How to reproduce

  • Paste the example provided above, and replace it with correct values
  • Apply the change
  • Plan

Expected

A plan should be provided with no detected changes to keycloak_openid_client_permissions.example or keycloak_users_permissions

Context

Terraform version: 1.0.4
Provider version: 3.3.0

Actual

The provider crashes with the traceback provided above

Workaround

Defining all the scopes (before any apply, state corrupted otherwise) solves the issue

resource "keycloak_openid_client_permissions" "example" {
  realm_id  = "MyRealm"
  client_id = "MyClientId"

  view_scope {
    policies          = []
    description       = "Unused"
    decision_strategy = "UNANIMOUS"
  }

  manage_scope {
    policies          = []
    description       = "Unused"
    decision_strategy = "UNANIMOUS"
  }

  map_roles_scope {
    policies          = []
    description       = "Unused"
    decision_strategy = "UNANIMOUS"
  }

  token_exchange_scope {
    policies = [
      "MyPolicyId",
    ]
    description       = "A description"
    decision_strategy = "UNANIMOUS"
  }
}

resource "keycloak_users_permissions" "example" {
  realm_id  = "MyRealm"

  view_scope {
    policies          = []
    description       = ""
    decision_strategy = "UNANIMOUS"
  }

  manage_scope {
    policies          = []
    description       = ""
    decision_strategy = "UNANIMOUS"
  }

  map_roles_scope {
    policies          = []
    description       = ""
    decision_strategy = "UNANIMOUS"
  }

  manage_group_membership_scope {
    policies          = []
    description       = ""
    decision_strategy = "UNANIMOUS"
  }

  user_impersonated_scope {
    policies          = []
    description       = ""
    decision_strategy = "UNANIMOUS"
  }

  impersonate_scope {
    policies          = ["MyPolicy"]
    description       = ""
    decision_strategy = "UNANIMOUS"
  }
}

(Hope my issue template is complete enough!)

@acolombier changed the title from "keycloak_openid_client_permissions requires to explicitly define all scopes" to "keycloak_openid_client_permissions and keycloak_users_permissions require to explicitly define all scopes" Sep 6, 2021
@acolombier
Author

Let me know if you would like me to split this into two issues!

@acolombier
Author

It appears that the main reason for this crash is actually related to a drift (in my case keycloak-operator disabling the user permission), and there is no workaround to not have a provider crash.

Perhaps if you give me tips on how I can implement a fix, I can issue a PR for it?

@mrparkers
Contributor

So it looks like the only problem was with the keycloak_users_permissions resource, as verified by the helpful stacktraces you've posted. Unlike the keycloak_openid_client_permissions resource, the keycloak_users_permissions doesn't check if permissions were disabled outside of Terraform, so the crash was related to a nil pointer dereference where the provider was trying to access data that wasn't there. I opened #591 to fix this.

After this change, when drift occurs in your configuration, the resource will remove itself from state, causing a following apply to recreate the keycloak_users_permissions resource.
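The failure mode described in the comment above, as an added Go example (not the provider's code and not the change in #591): an unchecked type assertion on data that drift has removed panics with the message seen in the stack traces, while the comma-ok form lets a read function drop the resource from state instead. The function names, the `description` key and the use of an empty ID to stand for "removed from state" are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// errDrift: the remote object no longer carries the data the state expects.
var errDrift = errors.New("permissions disabled outside Terraform")

// unsafeDescription is the failing pattern (hypothetical helper). A missing key
// yields a nil interface{}, and the unchecked assertion panics on it.
func unsafeDescription(scope map[string]interface{}) string {
	return scope["description"].(string)
}

// safeDescription uses the comma-ok form, so a missing or mistyped value
// becomes an error the caller can act on instead of a plugin crash.
func safeDescription(scope map[string]interface{}) (string, error) {
	v, ok := scope["description"].(string)
	if !ok {
		return "", errDrift
	}
	return v, nil
}

// refresh models a read function: on drift it returns an empty ID, standing in
// for "remove from state so the next apply recreates the resource".
func refresh(id string, scope map[string]interface{}) string {
	if _, err := safeDescription(scope); err != nil {
		return ""
	}
	return id
}

// panicMessage runs f and returns the panic text, or "" if f returned normally.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return ""
}

func main() {
	drifted := map[string]interface{}{} // constructed: scope data missing after drift
	fmt.Println("unchecked:", panicMessage(func() { unsafeDescription(drifted) }))
	fmt.Println("checked, removed from state:", refresh("MyRealm", drifted) == "")
}
```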

@acolombier
Author

Thank you very much for this quick reaction and the explanation. I had guessed on the nil pointer issue, but my lack of knowledge in Go was blocking me from making the fix.

Once there is a new provider version, I can test it if you would like?
