middleware_automation.keycloak/roles/keycloak_realm/tasks/manage_user_client_roles.yml

---
- name: "Get Realm for role"
  ansible.builtin.uri:
    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}"
    method: GET
    validate_certs: false
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
  register: client_role_realm

- name: Check if Mapping is available
  ansible.builtin.uri:
    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | \
          default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \
          selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
    method: GET
    validate_certs: false
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
  register: client_role_user_available

- name: "Create Role Mapping"
  ansible.builtin.uri:
    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | \
          default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \
          selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
    method: POST
    body:
      - id: "{{ item.id }}"
        clientRole: "{{ item.clientRole }}"
        containerId: "{{ item.containerId }}"
        name: "{{ item.name }}"
        composite: "{{ item.composite }}"
    validate_certs: false
    body_format: json
    headers:
      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
    status_code: 204
  loop: "{{ client_role_user_available.json | flatten }}"
  when: item.name == client_role.role