auth0 / terraform-provider-auth0

The Auth0 Terraform Provider is the official plugin for managing Auth0 tenant configuration through the Terraform tool.
https://registry.terraform.io/providers/auth0/auth0/latest/docs
Mozilla Public License 2.0

Circular loop applying plan #289

Closed jsoref closed 1 year ago

jsoref commented 1 year ago

Description

I have a terraform config with a corresponding auth0 instance (and credentials for the instance are available to the terraform config).

I run terraform plan + terraform apply and then terraform plan again, and the result is the same plan as the original plan.

Expectation

There should be nothing to do once the plan is applied the first time.

Reproduction

Steps

Generate first plan

TF_LOGS=debug /atlantis-data/bin/terraform0.12.26 plan -out x.plan > x.out 2> x.err

Note that x.err is empty.

Output of plan

$ tail -160 x.out |head -155
------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # auth0_client.system_api_demo will be updated in-place
  ~ resource "auth0_client" "system_api_demo" {
        allowed_logout_urls                 = [
            "https://demo.system.example.com",
            "https://demo.system.example.com/home",
        ]
        allowed_origins                     = []
        app_type                            = "spa"
        callbacks                           = [
            "https://demo.system.example.com/callback",
            "https://demo.system.example.com/login",
        ]
        client_id                           = "censored"
        client_metadata                     = {}
        client_secret                       = (sensitive value)
        cross_origin_auth                   = false
        custom_login_page_on                = true
        encryption_key                      = {}
        grant_types                         = [
            "implicit",
        ]
        id                                  = "censored"
      - initiate_login_uri                  = "https://demo.system.example.com/login" -> null
        is_first_party                      = true
        is_token_endpoint_ip_header_trusted = false
        name                                = "Demo system"
        oidc_conformant                     = false
        sso                                 = false
        sso_disabled                        = false
        token_endpoint_auth_method          = "none"
        web_origins                         = [
            "https://demo.system.example.com",
        ]

        jwt_configuration {
            lifetime_in_seconds = 36000
            scopes              = {}
            secret_encoded      = false
        }

        refresh_token {
            expiration_type = "non-expiring"
            leeway          = 0
            rotation_type   = "non-rotating"
            token_lifetime  = 2592000
        }
    }

  # auth0_client.system_api_test will be updated in-place
  ~ resource "auth0_client" "system_api_test" {
        allowed_logout_urls                 = [
            "https://test.system.example.com",
            "https://test.system.example.com/home",
        ]
      ~ allowed_origins                     = [
          - "http://10.1.2.3",
          - "http://10.4.5.6",
        ]
        app_type                            = "spa"
        callbacks                           = [
            "https://test.system.example.com/callback",
            "https://test.system.example.com/login",
        ]
        client_id                           = "censored"
        client_metadata                     = {}
        client_secret                       = (sensitive value)
        cross_origin_auth                   = false
        custom_login_page_on                = true
        encryption_key                      = {}
        grant_types                         = [
            "implicit",
        ]
        id                                  = "censored"
        is_first_party                      = true
        is_token_endpoint_ip_header_trusted = false
        name                                = "Test system"
        oidc_conformant                     = false
        sso                                 = false
        sso_disabled                        = false
        token_endpoint_auth_method          = "none"
        web_origins                         = [
            "https://test.system.example.com",
        ]

        jwt_configuration {
            lifetime_in_seconds = 36000
            scopes              = {}
            secret_encoded      = false
        }

        refresh_token {
            expiration_type = "non-expiring"
            leeway          = 0
            rotation_type   = "non-rotating"
            token_lifetime  = 2592000
        }
    }

  # auth0_resource_server.backend will be updated in-place
  ~ resource "auth0_resource_server" "backend" {
        allow_offline_access                            = true
        enforce_policies                                = false
        id                                              = "censored"
        identifier                                      = "backend"
        name                                            = "Backend API"
        options                                         = {}
        signing_alg                                     = "RS256"
        skip_consent_for_verifiable_first_party_clients = true
      - token_dialect                                   = "access_token" -> null
        token_lifetime                                  = 86400
        token_lifetime_for_web                          = 7200

        scopes {
            description = "Read profiles"
            value       = "profile:read"
        }
    }

  # auth0_user.user will be updated in-place
  ~ resource "auth0_user" "user" {
      - app_metadata    = jsonencode(
            {
              - createdIn = [
                  - "test",
                  - "demo",
                ]
            }
        ) -> null
        blocked         = false
        connection_name = "Username-Password-Authentication"
        email           = "user@example.com"
        email_verified  = true
        id              = "censored"
        name            = "user@example.com"
        nickname        = "user"
        password        = (sensitive value)
        phone_verified  = false
        picture         = "censored"
        roles           = []
        user_id         = "censored"
        verify_email    = false
    }

Plan: 0 to add, 4 to change, 0 to destroy.

------------------------------------------------------------------------

$

Apply plan

TF_LOGS=debug /atlantis-data/bin/terraform0.12.26 apply x.plan > y.out 2> y.err

Note that y.err is empty.

Output of apply

y.out:

auth0_resource_server.backend: Modifying... [id=censored]
auth0_user.system_root: Modifying... [id=censored]
auth0_client.system_api_demo: Modifying... [id=censored]
auth0_client.system_api_test: Modifying... [id=censored]
auth0_resource_server.backend: Modifications complete after 0s [id=censored]
auth0_client.system_api_test: Modifications complete after 0s [id=censored]
auth0_client.system_api_demo: Modifications complete after 0s [id=censored]
auth0_user.system_root: Modifications complete after 1s [id=censored]

Apply complete! Resources: 0 added, 4 changed, 0 destroyed.

Plan again

TF_LOGS=debug /atlantis-data/bin/terraform0.12.26 plan -out z.plan > z.out 2> z.err

Results

Note that z.err is empty.

There is absolutely no difference between the contents of x.out and z.out (I had another colleague watch me do this).

Auth0 Terraform Provider version

0.14.0

Terraform version

0.12.26
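
The plan/apply/plan comparison from the reproduction steps, as an added example (not part of the original issue or the provider's code): it parses Terraform 0.12-style plan text and reports the changes that a second plan proposes again after an apply. The names `pending_changes` and `unresolved` and the sample plan text (abridged from the output quoted above) are assumptions made for this illustration.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^\s*# (\S+) (?:will|must) be ")  # "# addr will be updated in-place"
CHANGE = re.compile(r"^\s*([~+-]) (.+)$")              # "~", "+" or "-" marked line

# Constructed sample: abridged from the plan output quoted in this issue.
SAMPLE_PLAN = """\
  # auth0_client.system_api_test will be updated in-place
  ~ resource "auth0_client" "system_api_test" {
      ~ allowed_origins                     = [
          - "http://10.1.2.3",
          - "http://10.4.5.6",
        ]
        app_type                            = "spa"
    }

  # auth0_resource_server.backend will be updated in-place
  ~ resource "auth0_resource_server" "backend" {
      - token_dialect                                   = "access_token" -> null
        token_lifetime                                  = 86400
    }
"""
CLEAN_PLAN = "No changes. Infrastructure is up-to-date.\n"  # constructed

def pending_changes(plan_text):
    """Map each resource address to the set of (marker, line) changes planned."""
    changes, address = defaultdict(set), None
    for line in plan_text.splitlines():
        header = HEADER.match(line)
        if header:
            address = header.group(1)
            continue
        change = CHANGE.match(line)
        if not change or address is None:
            continue  # unchanged attribute, legend line or separator
        marker, rest = change.groups()
        if rest.startswith("resource "):
            continue  # block opener; the address is already known
        changes[address].add((marker, " ".join(rest.split()).rstrip(",")))
    return dict(changes)

def unresolved(before, after):
    """Changes planned before the apply that the following plan proposes again."""
    old, new = pending_changes(before), pending_changes(after)
    return {a: old[a] & new[a] for a in old if old[a] & new.get(a, set())}

if __name__ == "__main__":
    for addr, items in sorted(unresolved(SAMPLE_PLAN, SAMPLE_PLAN).items()):
        print(addr, sorted(items))
```

An empty result after a plan/apply/plan cycle means the configuration converged; anything left is a tenant setting, such as `allowed_origins` or `token_dialect` here, that the provider keeps trying to change.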

sergiught commented 1 year ago

Hey @jsoref thanks for taking the time to put this together!

At first glance I'm noticing that you're not actually using this provider but https://github.com/alexkappa/terraform-provider-auth0 instead if you're using version 0.14.0. Please upgrade to the latest version of our provider (this repo): https://github.com/auth0/terraform-provider-auth0/releases/tag/v0.35.0 as it comes with a large number of features and several bug fixes, especially on the resources you're using.

Please be mindful, however, that a breaking change was introduced in https://github.com/auth0/terraform-provider-auth0/releases/tag/v0.32.0 and you'll need to follow the notes provided in the release to correctly upgrade.

Let us know if the issue still persists after upgrading. If it does, another thing that we're missing from the issue is the actual terraform config and not just the plan output.

sergiught commented 1 year ago

Hey @jsoref unfortunately we'll have to close this down as the version you're using is not coming from this provider but from https://registry.terraform.io/providers/alexkappa/auth0/latest instead, which is roughly 2 years old. Since then, we took over the project and have shipped several fixes, improvements and features.

If after upgrading you're still experiencing this issue we can reopen and continue the conversation here.