[BUG] - 409 error for keycloak on deployment (we are managing keycloak outside of tf?) #3188

@asmacdo

Description

Describe the bug

I think this is caused by importing from backup/syncing users with Keycloak directly. IMO it is better to do that directly with Keycloak, but I'd like to not have to delete those groups and then restore Keycloak from backup on each deploy.

Output:
[tofu]: data.keycloak_role.view-users: Reading...
[tofu]: data.keycloak_role.query-users: Reading...
[tofu]: data.keycloak_role.manage-users: Reading...
[tofu]: data.keycloak_role.query-groups: Reading...
[tofu]: data.keycloak_role.realm-admin: Reading...
[tofu]: data.keycloak_role.query-users: Read complete after 0s [id=24de488a-8128-4fd0-965d-39318a2863c0]
[tofu]: data.keycloak_role.view-users: Read complete after 0s [id=92ca1e83-c7a5-4684-b94d-7772eae16903]
[tofu]: keycloak_user_roles.user_roles: Refreshing state... [id=master/0b1d3e95-425e-4a76-b7d4-d0f71e6f27dc]
[tofu]: data.keycloak_role.manage-users: Read complete after 0s [id=8b226316-921e-4e9c-83e1-d95341c8de90]
[tofu]: data.keycloak_role.realm-admin: Read complete after 0s [id=67e31a4f-64df-48df-ba27-e244772bc666]
[tofu]: keycloak_group_roles.superadmin_roles: Refreshing state... [id=nebari/b1e7907e-b16f-46ff-b85e-fc7a7d2905e5]
[tofu]: data.keycloak_role.query-groups: Read complete after 0s [id=d1917caa-cfbd-448f-8dd3-0aa75b279628]
[tofu]: keycloak_group_roles.admin_roles: Refreshing state... [id=nebari/1cd3d1b8-f248-4bf0-a35a-c5727fb70183]
[tofu]: 
[tofu]: Note: Objects have changed outside of OpenTofu
[tofu]: 
[tofu]: OpenTofu detected the following changes made outside of OpenTofu since the
[tofu]: last "tofu apply" which may have affected this plan:
[tofu]: 
[tofu]:   # keycloak_group.groups["superadmin"] has been deleted
[tofu]:   - resource "keycloak_group" "groups" {
[tofu]:       - id       = "b1e7907e-b16f-46ff-b85e-fc7a7d2905e5" -> null
[tofu]:         name     = "superadmin"
[tofu]:         # (2 unchanged attributes hidden)
[tofu]:     }
[tofu]: 
[tofu]: 
[tofu]: Unless you have made equivalent changes to your configuration, or ignored the
[tofu]: relevant attributes using ignore_changes, the following plan may include
[tofu]: actions to undo or respond to these changes.
[tofu]: 
[tofu]: ─────────────────────────────────────────────────────────────────────────────
[tofu]: 
[tofu]: OpenTofu used the selected providers to generate the following execution
[tofu]: plan. Resource actions are indicated with the following symbols:
[tofu]:   + create
[tofu]:   ~ update in-place
[tofu]: 
[tofu]: OpenTofu will perform the following actions:
[tofu]: 
[tofu]:   # keycloak_default_groups.default will be updated in-place
[tofu]:   ~ resource "keycloak_default_groups" "default" {
[tofu]:       ~ group_ids = [
[tofu]:           - "213bde14-004d-4778-9b5b-0a1e315cad2f",
[tofu]:         ] -> (known after apply)
[tofu]:         id        = "nebari/default-groups"
[tofu]:         # (1 unchanged attribute hidden)
[tofu]:     }
[tofu]: 
[tofu]:   # keycloak_group.groups["analyst"] will be created
[tofu]:   + resource "keycloak_group" "groups" {
[tofu]:       + id       = (known after apply)
[tofu]:       + name     = "analyst"
[tofu]:       + path     = (known after apply)
[tofu]:       + realm_id = "nebari"
[tofu]:     }
[tofu]: 
[tofu]:   # keycloak_group.groups["developer"] will be created
[tofu]:   + resource "keycloak_group" "groups" {
[tofu]:       + id       = (known after apply)
[tofu]:       + name     = "developer"
[tofu]:       + path     = (known after apply)
[tofu]:       + realm_id = "nebari"
[tofu]:     }
[tofu]: 
[tofu]:   # keycloak_group.groups["superadmin"] will be created
[tofu]:   + resource "keycloak_group" "groups" {
[tofu]:       + id       = (known after apply)
[tofu]:       + name     = "superadmin"
[tofu]:       + path     = (known after apply)
[tofu]:       + realm_id = "nebari"
[tofu]:     }
[tofu]: 
[tofu]:   # keycloak_group_roles.superadmin_roles will be created
[tofu]:   + resource "keycloak_group_roles" "superadmin_roles" {
[tofu]:       + exhaustive = false
[tofu]:       + group_id   = (known after apply)
[tofu]:       + id         = (known after apply)
[tofu]:       + realm_id   = "nebari"
[tofu]:       + role_ids   = [
[tofu]:           + "67e31a4f-64df-48df-ba27-e244772bc666",
[tofu]:         ]
[tofu]:     }
[tofu]: 
[tofu]: Plan: 4 to add, 1 to change, 0 to destroy.
[tofu]: keycloak_group.groups["developer"]: Creating...
[tofu]: keycloak_group.groups["superadmin"]: Creating...
[tofu]: keycloak_group.groups["analyst"]: Creating...
[tofu]: ╷
[tofu]: │ Error: error sending POST request to /auth/admin/realms/nebari/groups: 409 Conflict. Response body: {"errorMessage":"Top level group named 'analyst' already exists."}
[tofu]: │ 
[tofu]: │   with keycloak_group.groups["analyst"],
[tofu]: │   on main.tf line 71, in resource "keycloak_group" "groups":
[tofu]: │   71: resource "keycloak_group" "groups" {
[tofu]: │ 
[tofu]: ╵
[tofu]: ╷
[tofu]: │ Error: error sending POST request to /auth/admin/realms/nebari/groups: 409 Conflict. Response body: {"errorMessage":"Top level group named 'developer' already exists."}
[tofu]: │ 
[tofu]: │   with keycloak_group.groups["developer"],
[tofu]: │   on main.tf line 71, in resource "keycloak_group" "groups":
[tofu]: │   71: resource "keycloak_group" "groups" {
[tofu]: │ 
[tofu]: ╵
[tofu]: ╷
[tofu]: │ Error: error sending POST request to /auth/admin/realms/nebari/groups: 409 Conflict. Response body: {"errorMessage":"Top level group named 'superadmin' already exists."}
[tofu]: │ 
[tofu]: │   with keycloak_group.groups["superadmin"],
[tofu]: │   on main.tf line 71, in resource "keycloak_group" "groups":
[tofu]: │   71: resource "keycloak_group" "groups" {
[tofu]: │ 
[tofu]: ╵

Expected behavior

Should be OK if the group already exists.

OS and architecture in which you are running Nebari

Fedora locally, AWS for cloud.

How to Reproduce the problem?

Not entirely sure; it seems to be: restore Keycloak from backup, then attempt to redeploy.

Command output

Versions and dependencies used.

No response

Compute environment

None

Integrations

No response

Anything else?

No response
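The plan above shows the root cause: OpenTofu's state records a UUID for `keycloak_group.groups["superadmin"]` that no longer exists in Keycloak (the restore from backup gave the group a new UUID), and it has no state entry at all for `analyst` and `developer`, so it plans a create for all three and Keycloak rejects the POST with 409 because top-level group names must be unique. The way out is to adopt the live groups into state with `tofu import` (preceded by `tofu state rm` where a stale entry is in the way) instead of re-creating them. The script below, an added example that is not part of the issue or of Nebari's code base, works out which of those commands to run from the group UUIDs in state and from the realm's live top-level group listing. The `admin` and `superadmin` UUIDs in the sample state are the ones visible in the log; the "live" UUIDs, the `viewer` key, and the `<realm>/<group uuid>` import ID format (verify it against your provider version's docs) are assumptions.

```python
"""Reconcile Keycloak top-level groups with OpenTofu state before `tofu apply`.

Added example, not Nebari's own code. It models the failure in the issue: a
group exists in Keycloak (restored from backup, hence with a fresh UUID) while
the OpenTofu state either has no entry for it or still holds the pre-restore
UUID. `tofu apply` then re-creates it with POST /admin/realms/{realm}/groups
and Keycloak answers 409 Conflict. The remedy is to adopt the live object into
state with `tofu import` (after `tofu state rm` of a stale entry) rather than
to re-create it.

Assumptions (not stated on the page):
- `state` maps each for_each key of keycloak_group.groups to the group UUID
  currently recorded in state (e.g. extracted from `tofu show -json`).
- `live_groups` is the list returned by the Keycloak admin REST API
  GET /admin/realms/{realm}/groups, which lists top-level groups only.
- keycloak_group import IDs have the form "<realm>/<group uuid>"; confirm this
  against the docs of the provider version you run.
"""
from dataclasses import dataclass, field


@dataclass
class Reconcile:
    stale: list = field(default_factory=list)    # addresses whose state UUID is no longer live
    imports: list = field(default_factory=list)  # (address, import id) to adopt live groups
    create: list = field(default_factory=list)   # keys absent from Keycloak; apply may create them

    def commands(self):
        """Shell commands to run before `tofu apply`; state rm must precede import."""
        cmds = [f"tofu state rm '{addr}'" for addr in self.stale]
        cmds += [f"tofu import '{addr}' '{iid}'" for addr, iid in self.imports]
        return cmds


def plan_imports(realm, wanted_keys, state, live_groups):
    """Classify each configured group as in-sync, import, or create."""
    live_by_name = {g["name"]: g["id"] for g in live_groups}
    result = Reconcile()
    for key in wanted_keys:
        addr = f'keycloak_group.groups["{key}"]'
        state_id = state.get(key)
        live_id = live_by_name.get(key)
        if live_id is None:
            # Really absent: tofu's refresh notices any deletion and plans a create.
            result.create.append(key)
            continue
        if state_id == live_id:
            continue  # state and Keycloak agree; nothing to do
        if state_id is not None:
            # State still carries the pre-restore UUID; importing over it would fail
            # with "Resource already managed", so drop the entry first.
            result.stale.append(addr)
        result.imports.append((addr, f"{realm}/{live_id}"))
    return result


# Constructed sample data mirroring the issue's plan output. The admin and
# superadmin UUIDs in STATE are the ones visible in the log; the "live" UUIDs
# of the restored groups and the "viewer" key are made up.
STATE = {
    "admin": "1cd3d1b8-f248-4bf0-a35a-c5727fb70183",
    "superadmin": "b1e7907e-b16f-46ff-b85e-fc7a7d2905e5",
}
LIVE_GROUPS = [
    {"id": "1cd3d1b8-f248-4bf0-a35a-c5727fb70183", "name": "admin", "path": "/admin"},
    {"id": "0a000000-0000-4000-8000-00000000000a", "name": "analyst", "path": "/analyst"},
    {"id": "0b000000-0000-4000-8000-00000000000b", "name": "developer", "path": "/developer"},
    {"id": "0c000000-0000-4000-8000-00000000000c", "name": "superadmin", "path": "/superadmin"},
]
WANTED = ["admin", "analyst", "developer", "superadmin", "viewer"]


def example():
    """Run the reconciliation over the sample data."""
    return plan_imports("nebari", WANTED, STATE, LIVE_GROUPS)


if __name__ == "__main__":
    for cmd in example().commands():
        print(cmd)
```

For the sample data this emits one `tofu state rm` for `superadmin` followed by three `tofu import` commands, and leaves `viewer` for `tofu apply` to create; `admin` is untouched because state and Keycloak already agree. Because `keycloak_group_roles` and `keycloak_default_groups` reference the group IDs, expect the plan after the imports to update those in place rather than re-create the groups.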

Metadata

Assignees

No one assigned

    Labels

    needs: triage 🚦 Someone needs to have a look at this issue and triage
    type: bug 🐛 Something isn't working

    Status

    New 🚦

    Milestone

    No milestone