alexkappa / terraform-provider-auth0

ARCHIVED Auth0 Terraform Provider. This project is now being maintained at: https://github.com/auth0/terraform-provider-auth0
https://registry.terraform.io/providers/auth0/auth0/latest/docs
Mozilla Public License 2.0

Changes to the auth0_client_grant produce inconsistent results after apply #239

Closed MyMirelHub closed 4 years ago

MyMirelHub commented 4 years ago

Description

When I make changes to the auth0_client and auth0_resource_server (in this example a simple name change) while keeping the same auth0_client_grant binding, I get the following error:

Error: Provider produced inconsistent result after apply

When applying changes to auth0_client_grant.foo_dev, provider "auth0"
produced an unexpected new value for was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

The plan is:

Terraform Version

Terraform v0.12.6
+ provider.auth0 v0.10.2

Affected Resource(s)

Terraform Configuration Files

resource "auth0_resource_server" "dev" {
  name        = "foo-dev-old"
  identifier  = "foo-dev-old"
  signing_alg = "redacted"

  allow_offline_access                            = redacted
  token_lifetime                                  = redacted
  skip_consent_for_verifiable_first_party_clients = redacted
}

resource "auth0_client" "foo_dev" {
  name                       = "foo-dev-old"
  description                = "foo dev client"
  app_type                   = "non_interactive"
  is_first_party             = redacted
  oidc_conformant            = redacted
  grant_types                = ["client_credentials"]
  token_endpoint_auth_method = "client_secret_post"
  jwt_configuration {
    lifetime_in_seconds = redacted
    secret_encoded      = redacted
    alg                 = "redacted"
  }
}

resource "auth0_client_grant" "foo_dev" {
  client_id = auth0_client.foo_dev.id
  audience  = auth0_resource_server.dev.identifier
  scope     = []
}

Expected Behavior

I would have expected it to have executed like in the plan, where after the names were changed on the client and resource server, the client_grant would bind them accordingly.

Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # auth0_client.foo_dev will be updated in-place
  ~ resource "auth0_client" "foo_dev" {
        allowed_logout_urls                 = redacted
        allowed_origins                     = redacted
2020/05/27 16:23:59 [DEBUG] command: asking for input: "Do you want to perform these actions?"
        app_type                            = "non_interactive"
        callbacks                           = redacted
        client_id                           = "redacted"
        client_metadata                     = redacted
        client_secret                       = (sensitive value)
        cross_origin_auth                   = redacted
        custom_login_page_on                = redacted
        description                         = "foo dev client"
        encryption_key                      = redacted
        grant_types                         = [
            "client_credentials",
        ]
        id                                  = "redacted"
        is_first_party                      = redacted
        is_token_endpoint_ip_header_trusted = redacted
      ~ name                                = "foo-dev" -> "foo-dev-old"
        oidc_conformant                     = redacted
        sso                                 = redacted
        sso_disabled                        = redacted
        token_endpoint_auth_method          = "client_secret_post"
        web_origins                         = []

        jwt_configuration {
            alg                 = "redacted"
            lifetime_in_seconds = redacted
            scopes              = redacted
            secret_encoded      = redacted
        }
    }

  # auth0_client_grant.foo_dev will be updated in-place
  ~ resource "auth0_client_grant" "foo_dev" {
      ~ audience  = "foo-dev" -> "foo-dev-old"
        client_id = "redacted"
        id        = "redacted"
        scope     = []
    }

  # auth0_resource_server.dev must be replaced
-/+ resource "auth0_resource_server" "dev" {
        allow_offline_access                            = redacted
      - enforce_policies                                = false -> null
      ~ id                                              = "redacted" -> (known after apply)
      ~ identifier                                      = "foo-dev" -> "foo-dev-old" # forces replacement
      ~ name                                            = "foo-dev" -> "foo-dev-old"
      - options                                         = {} -> null
        signing_alg                                     = "redacted"
      + signing_secret                                  = (known after apply)
        skip_consent_for_verifiable_first_party_clients = redacted
        token_lifetime                                  = redacted
      ~ token_lifetime_for_web                          = redacted -> (known after apply)
    }

Actual Behavior

After the client and the resource server are updated, an inconsistent state error occurs when Terraform tries to update the auth0_client_grant resource.

Steps to Reproduce

  1. Create an auth0_resource_server, auth0_client, and bind them using an auth0_client_grant
  2. Change the name on the auth0_resource_server and auth0_client
  3. terraform apply

Debug Output

2020/05/27 16:24:02 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2020/05/27 16:24:02 [TRACE] <root>: eval: *terraform.EvalWriteState
2020/05/27 16:24:02 [TRACE] EvalWriteState: writing current state object for auth0_resource_server.dev
auth0_resource_server.dev: Creation complete after 0s [id=redacted]
auth0_client_grant.foo_dev: Modifying... [id=redacted]
2020/05/27 16:24:02 [DEBUG] auth0_client_grant.foo_dev: applying the planned Update change
2020/05/27 16:24:02 [TRACE] GRPCProvider: ApplyResourceChange
2020/05/27 16:24:02 [DEBUG] auth0_client_grant.foo_dev: apply errored, but we're indicating that via the Error pointer rather than returning it: Provider produced inconsistent result after apply: When applying changes to auth0_client_grant.foo_dev, provider "auth0" produced an unexpected new value for was present, but now absent.

This is a summary, full gist is: https://gist.github.com/MyMirelHub/2d38dbd024b22a1cbb6a705b5f434729#file-issue-txt

References

Possibly related to

Community Note

alexkappa commented 4 years ago

Hi @MyMirelHub, I believe the provider should force a new resource upon changes to the client grant's audience or client id. These fields are not allowed to be updated by the API.

Since your resource server is being re-created, the client grant changes and tries to update. But it's not allowed to.

alexkappa commented 4 years ago

Feel free to give 0.11.0 a go. It should force a new resource if the auth0_client_grant's audience or client_id have changed.
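
A pre-apply check for the failure discussed in this thread, as an added example that is not part of the issue or of the provider's code: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and reports every auth0_client_grant planned as an in-place update while audience or client_id changes, the update the maintainer says the API does not allow. The function name, the sample plan and the `c1` client id are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// plan holds the subset of `terraform show -json <planfile>` output used here.
type plan struct {
	ResourceChanges []struct {
		Address, Type string
		Change        struct {
			Actions       []string
			Before, After map[string]interface{}
			AfterUnknown  map[string]interface{} `json:"after_unknown"`
		}
	} `json:"resource_changes"`
}

// samplePlan is constructed for this example; it mirrors the plan in the issue.
const samplePlan = `{"resource_changes":[
 {"address":"auth0_resource_server.dev","type":"auth0_resource_server","change":{"actions":["delete","create"]}},
 {"address":"auth0_client_grant.foo_dev","type":"auth0_client_grant","change":{"actions":["update"],
  "before":{"audience":"foo-dev","client_id":"c1"},"after":{"audience":"foo-dev-old","client_id":"c1"}}}]}`

// UnsafeGrantUpdates (hypothetical helper) flags grants updated in place with a changed audience or client_id.
func UnsafeGrantUpdates(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	var hits []string
	for _, rc := range p.ResourceChanges {
		c := rc.Change
		if rc.Type != "auth0_client_grant" || len(c.Actions) != 1 || c.Actions[0] != "update" {
			continue
		}
		for _, f := range []string{"audience", "client_id"} {
			if u, _ := c.AfterUnknown[f].(bool); u || !reflect.DeepEqual(c.Before[f], c.After[f]) {
				hits = append(hits, rc.Address+"."+f)
			}
		}
	}
	return hits, nil
}

func main() {
	fmt.Println(UnsafeGrantUpdates([]byte(samplePlan)))
}
```

A grant that the plan replaces (actions `delete` and `create`) is not reported, which is the behaviour the maintainer describes for 0.11.0.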