Deliver incremental realm updates


I’m trying to find out what the best way is to deliver Keycloak realm changes out to production in a consistent and reliable manner.
Technically, this can be done to some extent by running `create partialImport -f=/path/realm.json ifResourceExists=SKIP`.
As documented, this works great for adding entirely new and independent configurations, such as a new client, a new role and so on.
However, it doesn’t work if you need to create a new role and associate it with an existing client; this last part needs to be done manually, which costs time and effort, and is error prone.

It would be great to be able to update the realm incrementally, and have such updates versioned.
Something like opt/jboss/keycloak/migrations/realm/<realm-name> and within it have all the realm changes. Again, this can be done for new elements, but it’s not possible for deletion or modification, so it’d be great to be able to make this happen somehow, maybe with a file naming convention or a declarative way to describe this, e.g.

{
  "add": {
    "clients": [{ "clientId": "other-client", "values": {...} }],
    "realmRoles": [{ "name": "other-role", "values": {...} }]
  },
  "modify": {
    "clients": [{
      "clientId": "my-client",
      "values": {
        "enabled": false,
        "realmRoles": [...]
      }
    }]
  },
  "delete": {
    "clients": [{ "clientId": "custom-client" }],
    "realmRoles": [{ "name": "custom-role" }]
  }
}

The concept is pretty much the same as schema migrations, except that we are dealing with configurations and as far as I’m aware, keycloak doesn’t provide a way to interpret and execute this kind of realm update. Of course this is a very simple and limited example to illustrate the concept, but it would be great to see this kind of evolution towards an easier way to deliver realm changes out to production in a transparent and reproducible way.

If there are any ideas, suggestions, or solutions to this I’d be very happy to hear them.
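As an added example (not part of the post, and not Keycloak's own tooling), here is a small Python interpreter for the add/modify/delete format sketched above, applied to a realm export of the shape `partialImport` consumes. It assumes the export layout `clients` / `roles.realm` / `roles.client`, adds a hypothetical `clientRoles` section for the "new role on an existing client" case, and refuses to silently skip or overwrite, so a migration that has already been applied, or that targets something missing, fails instead of drifting; the realm and migration below are constructed samples.

```python
from copy import deepcopy
# Constructed sample: a trimmed realm export plus one migration in the post's format.
REALM = {
    "realm": "demo",
    "clients": [{"clientId": "my-client", "enabled": True}],
    "roles": {"realm": [{"name": "custom-role"}], "client": {"my-client": []}},
}
MIGRATION = {
    "add": {
        "realmRoles": [{"name": "other-role", "values": {"description": "added"}}],
        "clientRoles": [{"clientId": "my-client", "name": "reader", "values": {}}],
    },
    "modify": {"clients": [{"clientId": "my-client", "values": {"enabled": False}}]},
    "delete": {"realmRoles": [{"name": "custom-role"}]},
}

def _find(items, key, value):
    # Index of the element whose `key` equals `value`, or -1 if absent.
    return next((i for i, it in enumerate(items) if it.get(key) == value), -1)

def _target(realm, section, entry):
    # Map a migration section to (list to edit, identifying key) in the export.
    roles = realm.setdefault("roles", {})
    if section == "clientRoles":  # hypothetical section: a role on an existing client
        if _find(realm.get("clients", []), "clientId", entry["clientId"]) < 0:
            raise KeyError(f"client {entry['clientId']} does not exist")
        return roles.setdefault("client", {}).setdefault(entry["clientId"], []), "name"
    return {"clients": (realm.setdefault("clients", []), "clientId"),
            "realmRoles": (roles.setdefault("realm", []), "name")}[section]

def apply_migration(realm, migration):
    # Apply add/modify/delete to a copy of the realm; refuse silent conflicts.
    realm = deepcopy(realm)
    for op in ("add", "modify", "delete"):
        for section, entries in migration.get(op, {}).items():
            for entry in entries:
                items, key = _target(realm, section, entry)
                idx = _find(items, key, entry[key])
                if op == "add":
                    if idx >= 0:
                        raise ValueError(f"{section}/{entry[key]} already exists")
                    items.append({key: entry[key], **entry.get("values", {})})
                elif idx < 0:
                    raise KeyError(f"{section}/{entry[key]} not found")
                elif op == "modify":
                    items[idx].update(entry["values"])
                else:
                    del items[idx]
    return realm
```

Run the migration files in version order against the exported realm, then feed the result to `partialImport`; because an already-applied migration raises on its first `add`, re-running the sequence cannot double-apply a change.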