// own client
module "keycloak_client_tofu" {
  source = "./keycloak-client"

  realm = keycloak_realm.dev.id
  vault_mount = vault_mount.static_secrets.path

  client_id = "tofu"
  service_accounts_enabled = true
}

data "keycloak_openid_client" "realm_management" {
    realm_id = keycloak_realm.dev.id
    client_id = "realm-management"
}

resource "keycloak_openid_client_service_account_role" "client_service_account_role" {
  realm_id                = keycloak_realm.dev.id
  client_id               = data.keycloak_openid_client.realm_management.id
  service_account_user_id = module.keycloak_client_tofu.service_account_user_id
  role                    = "realm-admin"
}