ansible-collections · felixfontein · Sep 18, 2025 · Sep 15, 2025 · Sep 15, 2025 · Sep 15, 2025
diff --git a/changelogs/fragments/10829-fix-keycloak-role-changed-status.yml b/changelogs/fragments/10829-fix-keycloak-role-changed-status.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - keycloak_role - fixes an issue where the module incorrectly returns ``changed=true`` when using the alias ``clientId`` in composite roles (https://github.com/ansible-collections/community.general/pull/10829).
diff --git a/plugins/modules/keycloak_role.py b/plugins/modules/keycloak_role.py
@@ -361,7 +361,7 @@ def main():
 
     else:
         if state == 'present':
-            compare_exclude = []
+            compare_exclude = ['clientId']
             if 'composites' in desired_role and isinstance(desired_role['composites'], list) and len(desired_role['composites']) > 0:
                 composites = kc.get_role_composites(rolerep=before_role, clientid=clientid, realm=realm)
                 before_role['composites'] = []

diff --git a/tests/integration/targets/keycloak_role/README.md b/tests/integration/targets/keycloak_role/README.md
@@ -13,7 +13,7 @@ Source Ansible env-setup from ansible github repository
 
 Run integration tests:
 
-    ansible-test integration keycloak_role --python 3.10 --allow-unsupported
+    ansible-test integration -v keycloak_role --allow-unsupported --docker fedora35 --docker-network host
 
 Cleanup:
 

diff --git a/tests/integration/targets/keycloak_role/tasks/main.yml b/tests/integration/targets/keycloak_role/tasks/main.yml
@@ -3,6 +3,15 @@
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+- name: Delete realm if exists
+  community.general.keycloak_realm:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    state: absent
+
 - name: Create realm
   community.general.keycloak_realm:
     auth_keycloak_url: "{{ url }}"
@@ -297,6 +306,29 @@
       - result is not changed
       - result.end_state.composites | length == 3
 
+- name: Change realm role with composites using aliases no change
+  community.general.keycloak_role:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    name: "{{ keycloak_role_name }}"
+    realm: "{{ realm }}"
+    description: "{{ keycloak_role_description }}"
+    composite: "{{ keycloak_role_composite }}"
+    composites: "{{ keycloak_role_composites_with_aliases }}"
+    state: present
+  register: result
+
+- name: Debug
+  debug:
+    var: result
+
+- name: Assert realm role with composites using aliases have not changed
+  assert:
+    that:
+      - result is not changed
+
 - name: Remove composite from realm role with composites
   community.general.keycloak_role:
     auth_keycloak_url: "{{ url }}"

diff --git a/tests/integration/targets/keycloak_role/vars/main.yml b/tests/integration/targets/keycloak_role/vars/main.yml
@@ -25,6 +25,15 @@ keycloak_role_composites:
     state: present
   - name: offline_access
     state: present
+keycloak_role_composites_with_aliases:
+  - name: view-clients
+    clientId: "realm-management"
+    state: present
+  - name: query-clients
+    clientId: "realm-management"
+    state: present
+  - name: offline_access
+    state: present
 keycloak_client_id: test-client
 keycloak_client_name: test-client
 keycloak_client_description: This is a client for testing purpose
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		bugfixes:
		- keycloak_role - fixes an issue where the module incorrectly returns ``changed=true`` when using the alias ``clientId`` in composite roles (https://github.com/ansible-collections/community.general/pull/10829).