Description
There doesn't seem to be any practical way to use the authorization_resource_server_id exposed by permissions resources such as keycloak_users_permissions, as there is no way to use it to define policies for its scopes without creating dependency cycles. Since the realm-management client's resource server does not exist until fine-grained permissions are enabled on at least one resource within the realm, there's a chicken-and-egg scenario where in order to enable the resource server, you need at least one permission/scope created, but to define a scope, you need a policy, which requires a resource server.
Discussion
No response
Motivation
I want to create Keycloak policies on the realm-management client without manually enabling permissions, or working around the issue by deploying multiple keycloak_users_permissions resources (one with an empty config, and another defining the scopes with policies that depend on the initial one's resource server's resource ID).
Details
It should be possible to define scopes using a separate resource. The examples for this resource should take in the authorization_resource_server_id attribute from the relevant permissions resource, e.g.
resource "keycloak_users_impersonate_scope" "example" {
  resource_server_id = keycloak_users_permissions.example_realm.authorization_resource_server_id
  decision_strategy  = "UNANIMOUS"
  policies           = []
}
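The dependency cycle described in this issue, written out as a minimal configuration. This is an added illustration, not code from the issue author or the provider's documentation; the realm name, policy name and user ID are placeholders.

```hcl
# Constructed example of the cycle: the scope needs the policy's ID,
# and the policy needs the resource server ID that only the permissions
# resource exports.

resource "keycloak_users_permissions" "example_realm" {
  realm_id = "example-realm" # placeholder realm

  impersonate_scope {
    # Edge 1: permissions -> policy
    policies          = [keycloak_openid_client_user_policy.impersonators.id]
    decision_strategy = "UNANIMOUS"
  }
}

resource "keycloak_openid_client_user_policy" "impersonators" {
  realm_id = "example-realm" # placeholder realm

  # Edge 2: policy -> permissions. Together with edge 1 this closes the
  # loop, so Terraform rejects the configuration with a cycle error
  # before anything is sent to Keycloak.
  resource_server_id = keycloak_users_permissions.example_realm.authorization_resource_server_id

  name              = "impersonators"          # placeholder policy name
  users             = ["REPLACE_WITH_USER_ID"] # placeholder user ID
  logic             = "POSITIVE"
  decision_strategy = "UNANIMOUS"
}
```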