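---
# Grants the realm-management "realm-admin" client role to the configured
# realm admin user of realm {{ current_realm_name }} via the Keycloak admin
# REST API. Expects the following to be in scope from the including play:
#   keycloak_server_url, access_token (bearer token for the admin API),
#   current_realm_name, current_realm_admin_user.username, debug (bool).
#
# All API calls run from the controller (delegate_to: 127.0.0.1).
#
# NOTE(review): the uri module does not mark request headers as sensitive,
# so under -v and above the Authorization bearer token appears in the task
# output; no_log is therefore enabled unless `debug` is set. no_log hides
# failure details as well — set debug=true when troubleshooting.

- name: "Reading users of realm {{ current_realm_name }}"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
    method: GET
    headers:
      # No trailing whitespace in the header value (was inconsistent across tasks).
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realm_users
  no_log: "{{ not debug }}"
  delegate_to: 127.0.0.1
  become: false

- name: "Saving users of realm {{ current_realm_name }} as variable (fact)"
  set_fact:
    realm_users_json: "{{ realm_users.json }}"
  delegate_to: 127.0.0.1
  become: false

- name: "Reading realm admin user id for <{{ current_realm_admin_user.username }}>"
  set_fact:
    realm_admin_user_id: "{{ realm_users_json | json_query(jmesquery) | first | default('None') }}"
  vars:
    # Single-quoted JMESPath raw-string literal, consistent with the other
    # queries below. The previous backtick form is a JSON literal and only
    # worked for bare usernames through deprecated lenient parsing.
    # NOTE(review): the username is still interpolated verbatim into the
    # query; it is assumed to come from trusted playbook configuration.
    jmesquery: "[?username=='{{ current_realm_admin_user.username }}'].id"
  delegate_to: 127.0.0.1
  become: false

- name: "Printing realm admin user id for <{{ current_realm_admin_user.username }}>"
  debug:
    msg: "{{ realm_admin_user_id }}"
  delegate_to: 127.0.0.1
  become: false
  when:
    - debug

# Fail fast instead of building later URLs with a literal "None" segment.
- name: "Checking that realm admin user <{{ current_realm_admin_user.username }}> exists in realm {{ current_realm_name }}"
  assert:
    that:
      - realm_admin_user_id != 'None'
    fail_msg: "User <{{ current_realm_admin_user.username }}> was not found in realm {{ current_realm_name }}"
  delegate_to: 127.0.0.1
  become: false

- name: "Reading realm clients"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/clients"
    method: GET
    headers:
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realm_clients
  no_log: "{{ not debug }}"
  delegate_to: 127.0.0.1
  become: false

- name: "Saving clients of realm {{ current_realm_name }} as variable (fact)"
  set_fact:
    realm_clients_json: "{{ realm_clients.json }}"
  delegate_to: 127.0.0.1
  become: false

- name: "Reading realm management client id"
  set_fact:
    realm_management_client_id: "{{ realm_clients_json | json_query(jmesquery) | first | default('None') }}"
  vars:
    jmesquery: "[?clientId=='realm-management'].id"
  delegate_to: 127.0.0.1
  become: false

- name: "Printing realm management client id"
  debug:
    msg: "{{ realm_management_client_id }}"
  delegate_to: 127.0.0.1
  become: false
  when:
    - debug

- name: "Checking that the realm-management client exists in realm {{ current_realm_name }}"
  assert:
    that:
      - realm_management_client_id != 'None'
    fail_msg: "Client 'realm-management' was not found in realm {{ current_realm_name }}"
  delegate_to: 127.0.0.1
  become: false

- name: "Reading available role mappings for realm management client"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users/{{ realm_admin_user_id }}/role-mappings/clients/{{ realm_management_client_id }}/available"
    method: GET
    headers:
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realm_admin_user_client_available_roles_response
  no_log: "{{ not debug }}"
  delegate_to: 127.0.0.1
  become: false

- name: "Reading realm admin role id for management client"
  set_fact:
    # 'None' here is not an error: presumably the role is absent from the
    # "available" list when it is already mapped to the user, which is why
    # the POST below is skipped rather than failed in that case.
    realm_admin_role_id: "{{ realm_admin_user_client_available_roles_response.json | json_query(jmesquery) | first | default('None') }}"
  vars:
    jmesquery: "[?name=='realm-admin'].id"
  delegate_to: 127.0.0.1
  become: false

- name: "Printing realm admin role id for management client"
  debug:
    msg: "{{ realm_admin_role_id }}"
  delegate_to: 127.0.0.1
  become: false
  when:
    - debug

- name: "Adding realm admin role to user {{ realm_admin_user_id }}"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users/{{ realm_admin_user_id }}/role-mappings/clients/{{ realm_management_client_id }}"
    method: POST
    body_format: json
    # Template is expected to render the role-representation array Keycloak
    # requires; it is looked up from the role's templates directory.
    body: "{{ lookup('template', 'keycloak-become-realm-admin-user.json.j2') }}"
    headers:
      Content-Type: "application/json"
      Authorization: "Bearer {{ access_token }}"
    status_code: [204]
  changed_when: true
  when: realm_admin_role_id != 'None'
  no_log: "{{ not debug }}"
  delegate_to: 127.0.0.1
  become: false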