From 04dfd7b9f8773d81275d0b1844a922d774266f11 Mon Sep 17 00:00:00 2001
From: Michael Parker
Date: Wed, 26 May 2021 10:51:56 -0500
Subject: [PATCH] fix: handle deleted role when removing role assignment from keycloak_group_roles resource
---
 .../resource_keycloak_group_roles_test.go | 48 +++++++++++++++++++
 provider/role_mapping_helpers.go | 5 ++
 2 files changed, 53 insertions(+)
diff --git a/provider/resource_keycloak_group_roles_test.go b/provider/resource_keycloak_group_roles_test.go
index 2c40ad0bd..a3719e5de 100644
--- a/provider/resource_keycloak_group_roles_test.go
+++ b/provider/resource_keycloak_group_roles_test.go
@@ -290,6 +290,27 @@ func TestAccKeycloakGroupRoles_updateNonExhaustive(t *testing.T) {
 })
 }
 
+func TestAccKeycloakGroupRoles_simultaneousRoleAndAssignmentUpdate(t *testing.T) {
+ t.Parallel()
+
+ groupName := acctest.RandomWithPrefix("tf-acc")
+
+ resource.Test(t, resource.TestCase{
+ ProviderFactories: testAccProviderFactories,
+ PreCheck: func() { testAccPreCheck(t) },
+ Steps: []resource.TestStep{
+ {
+ Config: testKeycloakGroupRoles_simultaneousRoleAndAssignmentUpdate(groupName, 1),
+ Check: testAccCheckKeycloakGroupHasRoles("keycloak_group_roles.group_roles", true),
+ },
+ {
+ Config: testKeycloakGroupRoles_simultaneousRoleAndAssignmentUpdate(groupName, 2),
+ Check: testAccCheckKeycloakGroupHasRoles("keycloak_group_roles.group_roles", true),
+ },
+ },
+ })
+}
+
 func testAccCheckKeycloakGroupHasRoles(resourceName string, exhaustive bool) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 rs, ok := s.RootModule().Resources[resourceName]
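Review bot: `TestAccKeycloakGroupRoles_simultaneousRoleAndAssignmentUpdate` has no comment saying which failure it guards against, and the name alone does not convey that the first role can be gone by the time the assignment is updated. A short comment above the function would keep the regression intent visible, for example `// Regression test: the assigned role is replaced in the same apply as the assignment, so the old role may already be deleted when keycloak_group_roles removes it.` Both steps run the same `testAccCheckKeycloakGroupHasRoles` check, whose body continues outside the hunk, so whether it confirms that only the second role remains assigned after step two is not visible here.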
@@ -702,3 +723,30 @@ resource "keycloak_group_roles" "group_roles2" {
 }
 `, testAccRealm.Realm, openIdClientName, samlClientName, realmRoleOneName, realmRoleTwoName, openIdRoleOneName, openIdRoleTwoName, samlRoleOneName, samlRoleTwoName, groupName, tfRoleIds1, tfRoleIds2)
 }
+
+func testKeycloakGroupRoles_simultaneousRoleAndAssignmentUpdate(groupName string, id int) string {
+ return fmt.Sprintf(`
+data "keycloak_realm" "realm" {
+ realm = "%s"
+}
+
+resource "keycloak_role" "realm_role_%[2]d" {
+ name = "role-%[2]d"
+ realm_id = data.keycloak_realm.realm.id
+}
+
+resource "keycloak_group" "group" {
+ realm_id = data.keycloak_realm.realm.id
+ name = "%s"
+}
+
+resource "keycloak_group_roles" "group_roles" {
+ realm_id = data.keycloak_realm.realm.id
+ group_id = keycloak_group.group.id
+
+ role_ids = [
+ keycloak_role.realm_role_%[2]d.id
+ ]
+}
+`, testAccRealm.Realm, id, groupName)
+}
diff --git a/provider/role_mapping_helpers.go b/provider/role_mapping_helpers.go
index 1429b21ea..6bb53441f 100644
--- a/provider/role_mapping_helpers.go
+++ b/provider/role_mapping_helpers.go
@@ -34,6 +34,11 @@ func getExtendedRoleMapping(keycloakClient *keycloak.KeycloakClient, realmId str
 for _, roleId := range roleIds {
 role, err := keycloakClient.GetRole(realmId, roleId)
 if err != nil {
+ // if the role doesn't exist anymore, skip it
+ if keycloak.ErrorIs404(err) {
+ continue
+ }
+
 return nil, err
 }
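Review bot: The role name in this config is the fixed string `role-%[2]d`, so every run creates `role-1` and `role-2` in the shared `testAccRealm` while the test itself calls `t.Parallel()`. A role left behind by an aborted run, or another test using the same names, would make this one fail for unrelated reasons. Deriving the name from the random group name avoids that, e.g. `name = "%[3]s-role-%[2]d"`. The format string also mixes implicit `%s` with explicit `%[2]d`, which binds correctly only because an implicit verb continues from the last explicit index; writing `%[1]s` and `%[3]s` throughout would make the argument binding obvious.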
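Review bot: The new 404 branch in `getExtendedRoleMapping` drops the role silently for every caller of this helper, not only for the removal case named in the commit subject. The callers are outside the hunk, but if the create or update path also resolves `role_ids` through this function, a mistyped or already-deleted role ID would be skipped and the apply would succeed with fewer roles assigned than the configuration declares. Because this decides access assignments, the skip should at least be visible, e.g. `log.Printf("[WARN] role %s not found in realm %s, skipping", roleId, realmId)` before `continue`, or the tolerance should be limited to the removal path. The function starts and ends outside the hunk.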