The keycloak_group would break if the group name contains / #330

Closed
chanhht opened this issue Jun 25, 2020 · 3 comments
Labels
bug Something isn't working

Comments

@chanhht
Contributor

chanhht commented Jun 25, 2020

Hello, as per company convention, we will name Keycloak groups following the format parent/sub/group (e.g. cloud/company-x/developers). This works so far with Keycloak; however, when we try to involve data keycloak-group it would fail with msg:
Error: unable to determine parent ID for group with path /cloud/company-x/developers
I dug into the code and saw that the provider is trying to get the parentId by splitting the group path on / and iterating over the parts, which will be incorrect in our case because our group name contains /.

Checking the Keycloak REST spec:
https://www.keycloak.org/docs-api/10.0/rest-api/index.html
I am a bit doubtful about the need for setting parentId when working with the keycloak_group resource/data.

P/S: I tried to include a fix without breaking the interface, but that would require an additional call to get all KC groups.

@mrparkers
Contributor

Yeah, this is a tricky one.

When I first implemented the keycloak_group resource, I didn't think about the group name itself containing a backslash. To my knowledge, there isn't an API method that allows me to get a group's parent, or I would have used that instead.

The reason that computing the parent ID is important is because of Keycloak's ability to have nested groups. This allows you to create a group like cloud, that contains a subgroup company-x, that contains a subgroup developers, like this:

resource "keycloak_group" "cloud" {
  realm_id = keycloak_realm.test.id
  name     = "cloud"
}

resource "keycloak_group" "company_x" {
  realm_id  = keycloak_realm.test.id
  parent_id = keycloak_group.cloud.id
  name      = "company-x"
}

resource "keycloak_group" "developers" {
  realm_id  = keycloak_realm.test.id
  parent_id = keycloak_group.company_x.id
  name      = "developers"
}

It looks like you're trying to do something similar with your naming convention, but you're looking to create a single group instead of multiple, nested groups. If you want to proceed with your approach, then it'll definitely require an update to the provider, although I am not sure if there is an elegant way to do this without searching through all groups from the top down.

@mrparkers mrparkers added the bug Something isn't working label Jun 29, 2020
@tomrutsaert
Contributor

We could make it a setting on the provider itself?

provider "keycloak" {
  username  = var.keycloak_user
  password  = var.keycloak_password
  client_id = var.keycloak_client_id
  url       = var.keycloak_url
  group_hierarchy_divider = "#"
}

The default would be "/"

@chanhht
Contributor Author

chanhht commented Jun 30, 2020

@tomrutsaert the path value is returned from Keycloak and the path divider is hardcoded to /, so I think we cannot make the change on that.

@mrparkers do you think it would help if we add a check on the group path (startWith) to reduce the number of nodes traveled through?

Btw, I think I found another issue with data keycloak_group when querying a nested group:

// First, run a TF apply for groups creation
data "keycloak_realm" "realm" {
    realm   = "master"
}

resource "keycloak_group" "parent_group" {
    realm_id = data.keycloak_realm.realm.id
    name     = "parent-group"
}

resource "keycloak_group" "child_group" {
    realm_id  = data.keycloak_realm.realm.id
    parent_id = keycloak_group.parent_group.id
    name      = "child-group"
}

// Then run another TF plan/apply for query groups by datasource
data "keycloak_group" "parent_group" {
    realm_id = data.keycloak_realm.realm.id
    name     = "parent-group"
}

data "keycloak_group" "child_group" {
    realm_id = data.keycloak_realm.realm.id
    name     = "child-group"
}

Then I received this error:

Error: no group with name child-group found

  on keycloak_test.tf line 30, in data "keycloak_group" "child_group":
  30: data "keycloak_group" "child_group" {

Both groups are present in Keycloak after the first creation run.
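
The top-down lookup discussed in this thread, combined with the path-prefix check suggested above so unrelated branches are skipped, as an added example (not the provider's code). `Group`, `collect`, `ParentID`, `sampleTree` and the group IDs are hypothetical, and the group tree is assumed to be already fetched with each group's path and subgroups populated.

```go
package main

import (
	"fmt"
	"strings"
)

// Group is a hypothetical struct (an assumption of this example) carrying
// the id, name, path and subGroups of a group in the realm's group tree.
type Group struct {
	ID, Name, Path string
	SubGroups      []*Group
}

// collect appends the parent ID ("" for top-level) of every group whose Path
// equals target, entering a subtree only if its path is a prefix of target.
func collect(nodes []*Group, parentID, target string, out *[]string) {
	for _, g := range nodes {
		if g.Path == target {
			*out = append(*out, parentID)
		}
		if strings.HasPrefix(target, g.Path+"/") {
			collect(g.SubGroups, g.ID, target, out)
		}
	}
}

// ParentID resolves the parent of the group at path by comparing whole paths,
// never by splitting on "/", so a name containing "/" still resolves.
func ParentID(roots []*Group, path string) (string, error) {
	var hits []string
	if collect(roots, "", path, &hits); len(hits) == 1 {
		return hits[0], nil
	}
	return "", fmt.Errorf("path %s matched %d groups, want exactly 1", path, len(hits))
}

// sampleTree is constructed data using the two layouts from the thread.
func sampleTree() []*Group {
	child := &Group{ID: "g2", Name: "child-group", Path: "/parent-group/child-group"}
	return []*Group{
		{ID: "g1", Name: "parent-group", Path: "/parent-group", SubGroups: []*Group{child}},
		{ID: "g3", Name: "cloud/company-x/developers", Path: "/cloud/company-x/developers"},
	}
}

func main() {
	id, err := ParentID(sampleTree(), "/cloud/company-x/developers")
	fmt.Printf("parent=%q err=%v\n", id, err)
}
```

A top-level group named parent-group/child-group would have the same path as the nested child-group, so `ParentID` returns an error instead of picking one of them.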
