This repository has been archived by the owner on Mar 8, 2022. It is now read-only.

auth0_role recreates roles if user got the role assigned #141

Closed
janfietz opened this issue Nov 27, 2019 · 5 comments · Fixed by #149

@janfietz

Terraform Version

0.12.16

Affected Resource(s)

  • auth0_role

Terraform Configuration Files

resource "auth0_role" "monitor_user_role" {
  name        = "${var.client_name}:user"
  description = "User of ${var.client_name}"

  permissions {
    resource_server_identifier = auth0_resource_server.app_api.identifier
    name                       = "read:units"
  }

  permissions {
    resource_server_identifier = auth0_resource_server.app_api.identifier
    name                       = "read:systems"
  }
}

Expected Behavior

After creating the roles they should stay even if they got assigned to users.

Actual Behavior

Roles are destroyed and created. All users lost their assigned roles.

Steps to Reproduce

  1. terraform apply
  2. Assign roles to users with auth0 web site.
  3. terraform apply

@alexkappa
Owner

Hi @janfietz, could you provide some more elaborate reproduction steps? The example provided doesn't seem to have any relation to users.

Perhaps the Auth0 dashboard does some kind of housekeeping and deletes a role if it's unassociated from all users? Of course this is just a guess; any help to validate this would be helpful.

@janfietz
Author

Hi,

A minimal sample would be:

resource "auth0_client" "app_client" {
  name                = "test_app"
  app_type            = "regular_web"
  callbacks           = ["https://testapp/callback"]
  allowed_logout_urls = ["https://testapp/logout"]
  web_origins         = ["https://testapp"]
  grant_types         = ["implicit", "authorization_code", "refresh_token", "client_credentials"]

  jwt_configuration {
    alg = "RS256"
  }
}

resource "auth0_resource_server" "app_api" {
  name                                            = "test_app"
  identifier                                      = "https://testapp"
  skip_consent_for_verifiable_first_party_clients = true

  enforce_policies = true

  scopes {
    value       = "read:everything"
    description = "Read all everything"
  }
}

resource "auth0_role" "user_role" {
  name        = "testapp:user"
  description = "User of testapp"

  permissions {
    resource_server_identifier = auth0_resource_server.app_api.identifier
    name                       = "read:everything"
  }
}

After applying it I used the auth0 dashboard to assign the role to my user.

I tried to apply it again with the following output:

auth0_resource_server.app_api: Refreshing state... [id=5df2aa6f52b4b507e541767b]
auth0_client.app_client: Refreshing state... [id=tpkuLOl62xB5v084PUxWml2HkQurAO2R]
auth0_role.user_role: Refreshing state... [id=rol_oJSPxNImOLnLezCK]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # auth0_role.user_role must be replaced
-/+ resource "auth0_role" "user_role" {
        description = "User of testapp"
      ~ id          = "rol_oJSPxNImOLnLezCK" -> (known after apply)
        name        = "testapp:user"
      ~ role_id     = "rol_oJSPxNImOLnLezCK" -> (known after apply)
      - user_ids    = [
          - "auth0|5a7c59ec9bf9bc6ee253d87e",
        ] -> null # forces replacement

        permissions {
            name                       = "read:everything"
            resource_server_identifier = "https://testapp"
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Hope that helps.
Thanks

@alexkappa
Owner

Hmm, I think I understand what's going on. The user_ids are now changed since you've assigned a new user to that role.

Perhaps user_ids are defined with forceNew, which will drop and recreate the resource.

I am starting to believe that the best approach here is to split user assignment into its own resource (e.g. auth0_user_role) instead of letting the role own the relationship.

I’ll try and give it a go tomorrow.

Thanks @janfietz !

@alexkappa
Owner

@janfietz auth0_role.user_ids is now removed in favor of auth0_user.roles. This should make the owning entity of the relationship the user instead of the role.

I felt it easier to keep track of changes this way, as the role doesn't change, but who assumes the role does.

resource "auth0_user" "user" {
  ...
  roles = [ "${auth0_role.admin.id}" ]
}

resource "auth0_role" "admin" {
  name        = "admin"
  description = "Administrator"
}

Also fixed some issues where user roles or role permissions wouldn't update correctly.

Feel free to give it a try using v0.4.0.
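The thread diagnoses the replacement as a ForceNew attribute (user_ids) drifting out of band, and fixes it by moving the relationship to auth0_user.roles. The following is an added illustration, not the provider's code: a deliberately simplified model of Terraform's replace-vs-update decision, with constructed state and config values (the schema dicts, the `plan` helper and the sample IDs are assumptions for this example).

```python
"""Added example: why a ForceNew attribute that drifts server-side forces
'-/+ destroy and then create replacement', and why moving the relationship
to auth0_user.roles (v0.4.0) turns it into an in-place update instead.
This is a simplified model of Terraform's planning, not the real engine."""

# Pre-v0.4.0 shape (as diagnosed in the thread): user_ids marked ForceNew.
ROLE_SCHEMA_OLD = {
    "name": {"force_new": False},
    "description": {"force_new": False},
    "user_ids": {"force_new": True},
}
# v0.4.0 shape: the role no longer tracks users; the user owns the list.
ROLE_SCHEMA_NEW = {"name": {"force_new": False}, "description": {"force_new": False}}
USER_SCHEMA_NEW = {"roles": {"force_new": False}}


def plan(schema, refreshed_state, config):
    """Return (action, changed_attrs) where action is 'no-op', 'update' or
    'replace'. refreshed_state is what the API reported during
    'Refreshing state...'; config is what the .tf file declares (an
    attribute absent from config is treated as null, like the issue's
    'user_ids = [...] -> null # forces replacement' line)."""
    changed = [a for a in schema if refreshed_state.get(a) != config.get(a)]
    if not changed:
        return "no-op", []
    if any(schema[a]["force_new"] for a in changed):
        return "replace", changed      # any ForceNew diff => -/+
    return "update", changed           # otherwise ~ in place


# Constructed sample: role created by Terraform, then assigned in the dashboard.
ROLE_CONFIG = {"name": "testapp:user", "description": "User of testapp"}
ROLE_STATE_DRIFTED = dict(ROLE_CONFIG, user_ids=["auth0|example-user-id"])

# Constructed sample for the new model: assignment lives on the user.
USER_CONFIG = {"roles": ["rol_example"]}
USER_STATE_BEFORE = {"roles": []}


def demo():
    """Old model replaces the role (and drops every assignment with it);
    new model leaves the role alone and updates the user in place."""
    return (
        plan(ROLE_SCHEMA_OLD, ROLE_STATE_DRIFTED, ROLE_CONFIG),
        plan(ROLE_SCHEMA_NEW, ROLE_STATE_DRIFTED, ROLE_CONFIG),
        plan(USER_SCHEMA_NEW, USER_STATE_BEFORE, USER_CONFIG),
    )
```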

@janfietz
Author

@alexkappa I tested version v0.4.0 and it worked as expected.

Good job.
Thank you
