export fails on triggers with error: "cannot list action bindings for an entity-bound trigger"

[bhaugeea]

Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this tool and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

Given "triggers" as an included resource type, Deploy CLI gets all triggers and then for each one gets all bindings. For entity-bound triggers, Auth0 Management API responds with 400 cannot list action bindings for an entity-bound trigger. Deploy CLI then fails with that error. There is no logic that I can see in Deploy CLI to check whether a trigger is entity-bound before trying to list bindings.

Expectation

Deploy CLI should gracefully exclude off-limits entities from both export and import. I'm happy to open a PR to check whether the trigger is entity-bound, but I'm not sure if simply excluding that data from the export would create diffing/import problems. Just let me know.

Reproduction

I am testing in a more or less fresh tenant as a new Auth0 customer, and this is my first time trying to use Deploy CLI. The issue is consistent and can be seen in the code linked in the description and also in the Management API test request described below. I'm not sure what if any customizations could be made in the tenant to avoid the error, and similarly not sure why others aren't encountering/reporting it.

1. Check the response that Auth0 Management API returns for the offending request here with custom-token-exchange, which in my case is said by GET /triggers to be (the only) entity-bound. It is the error thrown by Deploy CLI.
2. Run the Deploy CLI export command with "triggers" included, and with adequate scopes applied to the token.
3. Deploy CLI throws above-mentioned error.

If you have trouble replicating, start by using the /triggers endpoint to see if you have any entity-bound triggers (I say this naively; maybe you are guaranteed to, but I'm not sure). If not, then that is why you aren't encountering the error.

Deploy CLI version

8.2.0

Node version

22.7.0

[lucaslacerdacl-o2ebrands]

Same issue here.

2024-11-26T20:02:41.070Z - error: Problem running command export
2024-11-26T20:02:41.070Z - error: Problem loading tenant data from Auth0 ManagementApiError: cannot list action bindings for an entity-bound trigger

[averyberry]

me too

2024-11-27T03:35:17.866Z - error: Problem running command export
2024-11-27T03:35:17.866Z - error: Problem loading tenant data from Auth0 ManagementApiError: cannot list action bindings for an entity-bound trigger

Of note, This was not happening last night as of 7pm ish PST. I exported my tenant with no errors and there haven't been any changes since to the tenant configuration so this appears to be very fresh.

[nathanKramer]

Same issue here.

[anuradha-dunuhappawa]

Same issue here too!

[patruvlad]

We have the same issue on our side, this also blocks the import into Auth0 for us not only the export

[jvallejodiaz]

Same here!

[Ryan-Tassat]

Looks like Auth0 may have released the custom-token-exchange trigger which was previously custom-token-exchange-beta. The binding policy for the custom-token-exchange-beta trigger was "trigger-bound" and so it worked fine. The custom-token-exchange binding policy is "entity-bound" which breaks things.

I put a workaround in locally to "fix" this for now. I modified my local (js) version of https://github.com/auth0/auth0-deploy-cli/blob/master/src/tools/auth0/handlers/triggers.ts#L88

I just added a warn which allows things to carry on as usual if the response from the call to triggerBindings comes back with "cannot list action bindings for an entity-bound trigger".

if (err.message === "cannot list action bindings for an entity-bound trigger") {
    logger_1.default.warn(`${err.message.charAt(0).toUpperCase()}${err.message.slice(1)} (${triggerId})`);
    return {};
}

Edit:
The PR I opened is a very basic & messy fix and honestly, there are likely better ways to handle things. My TS is rusty so the PR automated testing actually failed as it can't see the definition of "triggerId" - Somebody who's a better dev may want to recommend a fix or push a different PR that won't fail. I feel like this warning is a good enough (for now) method to ensure we can still get triggers exported, minus this new one.

[seanmcnamee45]

Same issue on my end

[seanmcnamee45]

Per kushalshit27's comment on the above-mentioned PR to temporarily suppress the warning, I was able to exclude the "triggers" in my config during export, then continue with my typical import (without excluding the triggers).

That exclusion seems to be a good workaround on export if you don't need to track recent changes to your trigger bindings.

[lucaslacerdacl-o2ebrands]

Is there any update on this? The PR was closed...

[zdicesare]

This is a significant issue as it amounts to a breaking change in Auth0 and affects our ability to take backups of our Auth0 tenants

[kushalshit27]

We are making good progress on the fix. Thank you for your patience as we work to resolve this issue.

[kushalshit27]

The fix for this issue is now available in version 8.3.0. 🚀

[lucaslacerdacl-o2ebrands]

It's working! Thank you guys!