drift detected immediately after apply #1096

Open
zam6ak opened this issue Jan 28, 2025 · 5 comments
Comments

@zam6ak

zam6ak commented Jan 28, 2025

Describe the bug

Hi
We have a TF project using Keycloak provider v5.1.0 that creates several realms, multiple clients in each, users, etc.
So far this is working, but we have noticed that specific resources, after they are created, are "drifting".

So if we run terraform apply and then immediately follow up with terraform apply -refresh-only, I get a lot of resources noted as

Objects have changed outside of Terraform

I am noticing a pattern where some attributes of certain resources are causing this drift.
Below is a pared-down output of terraform apply -refresh-only that shows examples of attributes in keycloak_realm, keycloak_openid_client and keycloak_user, but there are others as well.

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # module.keycloak.module.realm_apps.keycloak_openid_client.account has changed
  ~ resource "keycloak_openid_client" "account" {
      + extra_config                               = {}
        id                                         = "67c5ffdb-b94c-888c-8ac2-32e76c41819b"
        name                                       = "${client_account}"
        # (39 unchanged attributes hidden)
    }

  # module.keycloak.module.realm_apps.keycloak_openid_client.account-console has changed
  ~ resource "keycloak_openid_client" "account-console" {
      + extra_config                               = {}
        id                                         = "f53919a3-ef8a-999b-9f3c-0fefe4023d19"
        name                                       = "${client_account-console}"
        # (39 unchanged attributes hidden)
    }

  # module.keycloak.module.realm_apps.keycloak_realm.this has changed
  ~ resource "keycloak_realm" "this" {
      + default_default_client_scopes            = []
      + default_optional_client_scopes           = []
        id                                       = "apps"
        # (50 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

  # module.keycloak.module.realm_master.keycloak_user.kcadmin[0] has changed
  ~ resource "keycloak_user" "kcadmin" {
      + attributes       = {}
        id               = "2b8452ce-80dd-4c36-a7cf-a96998ffb6c5"
      + required_actions = []
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


This is a refresh-only plan, so Terraform will not take any actions to undo these. If you were expecting these changes then you can apply this plan to record the updated values in the Terraform state
without changing any remote objects.

Version

26.1.0

Expected behavior

no drift should exist immediately after terraform apply

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

@sschu
Contributor

sschu commented Jan 28, 2025

@zam6ak I tried to reproduce this using just a realm as a simple example and everything worked as expected. Can you try to provide a minimal example I can use to reproduce this?

@zam6ak
Author

zam6ak commented Jan 28, 2025

Can you try to provide a minimal example I can use to reproduce this?

@sschu I can certainly try.
The attached ZIP file has a sample TF project with modules per realm.

# change provider settings in root "main.tf" to match your environment,
# then init and verify the installed providers
terraform init
terraform providers

# preview and then apply changes
terraform plan
terraform apply

# recheck plan - shows no changes
terraform plan

# but drift exists when using -refresh-only
terraform plan -refresh-only

Notice the "Objects have changed outside of Terraform" output...
Here is the output I am getting:

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # module.realm_A.keycloak_realm.A has changed
  ~ resource "keycloak_realm" "A" {
      + attributes                               = {}
      + default_default_client_scopes            = []
      + default_optional_client_scopes           = []
        id                                       = "A"
        # (49 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.realm_B.keycloak_realm.B has changed
  ~ resource "keycloak_realm" "B" {
      + attributes                               = {}
      + default_default_client_scopes            = []
      + default_optional_client_scopes           = []
        id                                       = "B"
        # (49 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.realm_master.keycloak_user.admin has changed
  ~ resource "keycloak_user" "admin" {
      + attributes       = {}
        id               = "b903fa04-82d2-4e01-b3e3-e25863149ea3"
      + required_actions = []
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


This is a refresh-only plan, so Terraform will not take any actions to undo these. If you were expecting these changes then you can apply this plan to record the updated values in the Terraform state
without changing any remote objects.

reproduce_issue_drift_modules.zip

@sschu
Contributor

sschu commented Jan 30, 2025

@zam6ak I can reproduce it. It doesn't seem to be a regression; the behavior is the same with older versions of the provider as well. I am wondering how important this is. What is your use case for using --refresh-only?

@zam6ak
Author

zam6ak commented Jan 31, 2025

@sschu

What is your use case for using --refresh-only?

Each customer of our application gets its own "instance". We need a standardized "template" deployment that is then customized further for each customer's needs. Because we cannot TF each of these customizations, we start with a common setup, manually customize environments and then "synchronize the drift" to each customer's state backend.

This then also allows us to check whether any further manual changes were made before we upgrade a customer.
Being able to detect "drift" outside of TF (and then choose to merge it into state or not) is very important.

@sschu
Contributor

sschu commented Jan 31, 2025

I see. And this used to work for you before?
