Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

keycloak_realm_user_profile: should support 'unmanagedAttributePolicy' #946

Open
scottescue opened this issue Apr 9, 2024 · 8 comments · May be fixed by #976
Open

keycloak_realm_user_profile: should support 'unmanagedAttributePolicy' #946

scottescue opened this issue Apr 9, 2024 · 8 comments · May be fixed by #976

Comments

@scottescue
Copy link

The unmanagedAttributePolicy attribute has been added to the User Profile Config definition as of Keycloak version 24. This is exposed in the Admin UI as the Unmanaged Attributes realm setting.

Allowed values are:

  • omitted - Disabled
  • ENABLED - Enabled
  • ADMIN_VIEW - Only administrators can view
  • ADMIN_EDIT - Only administrators can write

The provider should allow this new attribute to be set in the keycloak_realm_user_profile resource.

@ericwalterb
Copy link

This is something we also hope gets added. Since upgrading to Keycloak 24, we have to manually enable Unmanaged Attributes. However, every time we run the terraform plan, it gets set back to null.

@bradhead
Copy link

bradhead commented May 1, 2024

@ericwalterb Were you able to apply the keycloak_realm_user_profile resource at all? I get a failure that username can't be removed.. I am not trying to remove it.. seems the state thinks it is creating the profile for the first time and it does not support import. Did you sort out how to set unmanaged attributes?

@soulchild
Copy link

@ericwalterb Interesting! We have the option manually set to "Only administrators can write" and a Terraform run does not seem to touch/change the option. Are you sure you're seeing changes to the option after applying the Terraform plan? I'm really worried that this gets reset without us noticing which would cause a lot of headaches for us.

@grolingm-VU
Copy link

grolingm-VU commented Jun 11, 2024

We also had to manually enable the option. First, we left the option to the default value. We have a number of users that we import through this provider and stored a number of custom user attributes (now called unmanaged user attributes) on these users. Having the default keycloak completely ignores these user attributes and doesn't even store them.

Currently, we have to enable this option manually after each installation of the keycloak. This is very tideous work as we switch between both instances of the cluster after each deployment and those instances are set-up from scratch. I really appreaciate the option to have managed and unmanaged user attributes as it would give us a better handling of user attributes in general. However, having neither the possibility to enable the option nor the possibility to really define all managed attributes via keycloak_realm_user_profile is a challenging problem.

There are two discussions open targeting the problem on a broader level:
Keycloak version >= 24 support? #944
and
The health of this repo, an open discussion. #964

The only work-around, we are discussing, is using a restful provider such as magodo/restful:

  • GET request to {keycloak}/admin/realms/:realm/users/profile
  • change the response JSON and switch the attribute ... "unmanagedAttributePolicy": "DISABLED", ... to "ENABLED", "ADMIN_EDIT" or "ADMIN_VIEW"
  • PUT request the the same interface with the just updated JSON

But this solution is far from ideal

@CMithilReddy
Copy link

Hi, is it possible to add unmanagedAttributePolicy as a custom attribute to Keycloak_realm resource ?? I followed this documentation https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/resources/realm#attributes and did something like:

resource "keycloak_realm" "realm" {
   realm                          = var.realm_name
   enabled                        = var.realm_enabled
   display_name                   = var.display_name
   attributes  = {
    unmanagedAttributePolicy    = "ENABLED"
     }
  }

On applying the terraform state changes to our dev instance, the changes were not applied to the realm. Could some one help me on this issue. Thank you !!

@onlyTars
Copy link

Is there anything new on this subject? We encounter the same problem

@jpetre0
Copy link

jpetre0 commented Sep 27, 2024

Any update on this please? We are also encountering the same issue

@MartinNowak
Copy link

MartinNowak commented Dec 20, 2024

Hi, is it possible to add unmanagedAttributePolicy as a custom attribute to Keycloak_realm resource ?? I followed this documentation https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/resources/realm#attributes and did something like:

No, it's part of the user profile configuration. Would also be nice to set the unmanagedAttributePolicy while keeping the default user profile.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

9 participants