Skip to content
This repository has been archived by the owner on Mar 8, 2022. It is now read-only.

Changes to the auth0_client_grant produce inconsistent results after apply #239

Closed
MyMirelHub opened this issue May 27, 2020 · 2 comments · Fixed by #241
Closed

Changes to the auth0_client_grant produce inconsistent results after apply #239

MyMirelHub opened this issue May 27, 2020 · 2 comments · Fixed by #241

Comments

@MyMirelHub
Copy link

Description

When I make changes to the auth0_client and auth0_resource_server (in this example a simple name change) while keeping the same auth0_client_grant binding, I get the following error:

Error: Provider produced inconsistent result after apply

When applying changes to auth0_client_grant.foo_dev, provider "auth0"
produced an unexpected new value for was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

The plan is:

Terraform Version

Terraform v0.12.6
+ provider.auth0 v0.10.2

Affected Resource(s)

  • auth0_client_grant

Terraform Configuration Files

resource "auth0_resource_server" "dev" {
  name        = "foo-dev-old"
  identifier  = "foo-dev-old"
  signing_alg = "redacted"

  allow_offline_access                            = redacted
  token_lifetime                                  = redacted
  skip_consent_for_verifiable_first_party_clients = redacted
}

resource "auth0_client" "foo_dev" {
  name                       = "foo-dev-old"
  description                = "foo dev client"
  app_type                   = "non_interactive"
  is_first_party             = redacted
  oidc_conformant            = redacted
  grant_types                = ["client_credentials"]
  token_endpoint_auth_method = "client_secret_post"
  jwt_configuration {
    lifetime_in_seconds = redacted
    secret_encoded      = redacted
    alg                 = "redacted"
  }
}

resource "auth0_client_grant" "foo_dev" {
  client_id = auth0_client.foo_dev.id
  audience  = auth0_resource_server.dev.identifier
  scope     = []
}

Expected Behavior

I would have expected it to have executed like in the plan, where after the names were changed on the client and resource server, the client_grant would bind them accordingly.

Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # auth0_client.foo_dev will be updated in-place
  ~ resource "auth0_client" "foo_dev" {
        allowed_logout_urls                 = redacted
        allowed_origins                     = redacted
2020/05/27 16:23:59 [DEBUG] command: asking for input: "Do you want to perform these actions?"
        app_type                            = "non_interactive"
        callbacks                           = redacted
        client_id                           = "redacted"
        client_metadata                     = redacted
        client_secret                       = (sensitive value)
        cross_origin_auth                   = redacted
        custom_login_page_on                = redacted
        description                         = "foo dev client"
        encryption_key                      = redacted
        grant_types                         = [
            "client_credentials",
        ]
        id                                  = "redacted"
        is_first_party                      = redacted
        is_token_endpoint_ip_header_trusted = redacted
      ~ name                                = "foo-dev" -> "foo-dev-old"
        oidc_conformant                     = redacted
        sso                                 = redacted
        sso_disabled                        = redacted
        token_endpoint_auth_method          = "client_secret_post"
        web_origins                         = []

        jwt_configuration {
            alg                 = "redacted"
            lifetime_in_seconds = redacted
            scopes              = redacted
            secret_encoded      = redacted
        }
    }

  # auth0_client_grant.foo_dev will be updated in-place
  ~ resource "auth0_client_grant" "foo_dev" {
      ~ audience  = "foo-dev" -> "foo-dev-old"
        client_id = "redacted"
        id        = "redacted"
        scope     = []
    }

  # auth0_resource_server.dev must be replaced
-/+ resource "auth0_resource_server" "dev" {
        allow_offline_access                            = redacted
      - enforce_policies                                = false -> null
      ~ id                                              = "redacted" -> (known after apply)
      ~ identifier                                      = "foo-dev" -> "foo-dev-old" # forces replacement
      ~ name                                            = "foo-dev" -> "foo-dev-old"
      - options                                         = {} -> null
        signing_alg                                     = "redacted"
      + signing_secret                                  = (known after apply)
        skip_consent_for_verifiable_first_party_clients = redacted
        token_lifetime                                  = redacted
      ~ token_lifetime_for_web                          = redacted -> (known after apply)
    }

Actual Behavior

After the client and the resource server is updated, an inconsistent state error occurs when terraform tries to update auth0_client_grant tries to update the resource.

Steps to Reproduce

  1. Create an auth0_resource_server, auth0_client, and bind them using an auth0_client_grant
  2. Change the name on the auth0_resource_server and auth0_client
  3. terraform apply

Debug Output

2020/05/27 16:24:02 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2020/05/27 16:24:02 [TRACE] <root>: eval: *terraform.EvalWriteState
2020/05/27 16:24:02 [TRACE] EvalWriteState: writing current state object for auth0_resource_server.dev
auth0_resource_server.dev: Creation complete after 0s [id=redacted]
auth0_client_grant.foo_dev: Modifying... [id=redacted]
2020/05/27 16:24:02 [DEBUG] auth0_client_grant.foo_dev: applying the planned Update change
2020/05/27 16:24:02 [TRACE] GRPCProvider: ApplyResourceChange
2020/05/27 16:24:02 [DEBUG] auth0_client_grant.foo_dev: apply errored, but we're indicating that via the Error pointer rather than returning it: Provider produced inconsistent result after apply: When applying changes to auth0_client_grant.foo_dev, provider "auth0" produced an unexpected new value for was present, but now absent.

This is a summary, full gist is: https://gist.github.com/MyMirelHub/2d38dbd024b22a1cbb6a705b5f434729#file-issue-txt

References

Possibly related to

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@alexkappa alexkappa mentioned this issue Jun 4, 2020
Merged
@alexkappa
Copy link
Owner

Hi @MyMirelHub, I believe the provider should force a new resource upon changes to the client grants audience or client id. These fields are not allowed to be updated by the api.

Since your resource server is being re-created, the client grant changes and tries to update. But its not allowes to.

@alexkappa
Copy link
Owner

Feel free to give 0.11.0 a go. It should force a new resource if the auth0_client_grant's audience or client_id have changed.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@alexkappa @MyMirelHub