auth0 / terraform-provider-auth0

The Auth0 Terraform Provider is the official plugin for managing Auth0 tenant configuration through the Terraform tool.
https://registry.terraform.io/providers/auth0/auth0/latest/docs
Mozilla Public License 2.0

Dependency error between auth0_role_permissions and auth0_resource_server_scopes #938

Open Nargonath opened 3 months ago

Nargonath commented 3 months ago

Description

We manage resource servers and roles through Terraform. We added a new permission to a resource server and granted that permission on an existing role through an auth0_role_permissions resource block. We got an error from Terraform when applying:

Error: 404 Not Found: This permission does not exist:

We ran the apply a second time and it worked. This tells us that there was some dependency problem at play. Terraform probably tried to add the permission to the role before it was created on the resource server.

We don't use the latest version of Auth0 provider but I read the changelog and nothing seems to relate to this problem.

Expectation

The block auth0_role_permissions has a ref to the resource server in the permissions block. I'd expect it to tell Terraform that there is a dependency between the auth0_role_permissions and the auth0_resource_server resources. The changes for the resource server should be applied before the auth0_role_permissions changes.

We plan on fixing the problem with a depends_on property on the auth0_role_permissions but I thought it shouldn't be needed (perhaps I'm wrong).

Reproduction

  1. Create an auth0_resource_server.
  2. Assign a permission to the resource server through an auth0_resource_server_scopes block.
  3. Create an auth0_role.
  4. Assign the permission to the role through a auth0_role_permissions block.

I haven't written a repro, but the steps above might actually recreate the issue if all of them are performed in the same terraform apply. If not, we can then proceed to:

  1. Add a new permission to the resource server.
  2. Assign it to the role.
  3. Apply these changes in the same terraform apply.

Auth0 Terraform Provider version

1.0.0

Terraform version

1.5.2

jvanecek commented 2 months ago

Any update on this bug? We got the same one using Terraform v1.6.4 + Provider version 1.2.0.

developerkunal commented 1 month ago

Hi @jvanecek,

I hope you're having a wonderful day!

Firstly, I want to apologize for the delay in my response. I understand that timely assistance is crucial, especially when you're facing challenges. Rest assured, I'm here now, and I'm committed to providing you with the support you need.


To better assist you, could you please provide an example of the resource configuration that's causing the error? Understanding the specific context will enable me to offer more targeted guidance.

In the meantime, I've prepared an example for utilizing auth0_role_permissions without explicitly relying on depends_on, as per your preference. This example should help illustrate the approach we discussed earlier.

resource "auth0_resource_server" "resource_server" {
  name       = "test"
  identifier = "test.example.com"
}

resource "auth0_resource_server_scopes" "resource_server_scopes" {
  resource_server_identifier = auth0_resource_server.resource_server.identifier

  scopes {
    name = "store:create"
  }
  scopes {
    name = "store:read"
  }
  scopes {
    name = "store:update"
  }
  scopes {
    name = "store:delete"
  }
}

resource "auth0_role" "my_role" {
  name = "My Role"
}

resource "auth0_role_permissions" "my_role_perms" {
  role_id = auth0_role.my_role.id

  dynamic "permissions" {
    for_each = auth0_resource_server_scopes.resource_server_scopes.scopes
    content {
      name                       = permissions.value.name
      resource_server_identifier = auth0_resource_server.resource_server.identifier
    }
  }
}

If you encounter any further questions or issues along the way, please don't hesitate to reach out. I'm here to help in any way I can.

Thank you for your patience and understanding.

Nargonath commented 1 month ago

Thanks @developerkunal for the example with the dynamic block. However, how would you go about it if you didn't need to have the whole set of scopes from the resource server assigned to your role?

developerkunal commented 1 month ago

Hi @Nargonath,

Could you provide an example of that use case so I can better understand and assist you?

Thank you.

developerkunal commented 1 month ago

Hi @Nargonath,

I'm not entirely certain if this aligns with your requirements, but here's another approach for selectively assigning scopes:

resource "auth0_role_permissions" "my_role_perms" {
  role_id = auth0_role.my_role.id

  permissions {
    name                       = tolist(auth0_resource_server_scopes.resource_server_scopes.scopes)[0].name # Assuming you want to assign the first scope
    resource_server_identifier = auth0_resource_server.resource_server.identifier
  }

  permissions {
    name                       = tolist(auth0_resource_server_scopes.resource_server_scopes.scopes)[1].name # Assuming you want to assign the second scope
    resource_server_identifier = auth0_resource_server.resource_server.identifier
  }

  # Add more permissions as needed
}

Feel free to let me know if you have any further questions or if there's anything else I can assist you with.

Thank you!

Nargonath commented 1 month ago

@developerkunal Thanks for the other suggestion.

I didn't write a full repro but I gave instructions in the OP, if that could be helpful.

One thing I don't understand, though: how come we can have Terraform trying to apply permissions that are not yet created when, in the auth0_role_permissions block, under the permissions property, we have a dynamic link to the resource server through the resource_server_identifier property? Wouldn't it be enough for Terraform to determine whether the permission is already available or not?
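The ordering question above comes down to what the permissions block references. `auth0_resource_server.resource_server.identifier` is an attribute of the resource server, so Terraform only orders auth0_role_permissions after the resource server itself; the scopes live in a separate auth0_resource_server_scopes resource that nothing in a hand-written permissions block points at, so Terraform is free to create the role permissions first and the API answers 404. The configuration below is an added example, not from this thread or the provider's docs, that assigns only a subset of scopes while still deriving the permission list from the scopes resource's own attribute, which keeps the implicit dependency edge; the `local.role_scopes` set and the scope names are assumed values.

```hcl
locals {
  # Constructed example: only these scopes are granted to the role.
  role_scopes = toset(["store:read", "store:update"])
}

resource "auth0_resource_server" "resource_server" {
  name       = "test"
  identifier = "test.example.com"
}

resource "auth0_resource_server_scopes" "resource_server_scopes" {
  resource_server_identifier = auth0_resource_server.resource_server.identifier

  scopes { name = "store:create" }
  scopes { name = "store:read" }
  scopes { name = "store:update" }
  scopes { name = "store:delete" }
}

resource "auth0_role" "my_role" {
  name = "My Role"
}

resource "auth0_role_permissions" "my_role_perms" {
  role_id = auth0_role.my_role.id

  dynamic "permissions" {
    # Filtering the scopes resource's own attribute (not a literal list of
    # names) creates a graph edge to auth0_resource_server_scopes, so the
    # scopes are created on the resource server before they are granted.
    for_each = [
      for s in auth0_resource_server_scopes.resource_server_scopes.scopes : s
      if contains(local.role_scopes, s.name)
    ]
    content {
      name                       = permissions.value.name
      resource_server_identifier = auth0_resource_server.resource_server.identifier
    }
  }

  # Equivalent explicit form if the permission names must stay literal:
  # depends_on = [auth0_resource_server_scopes.resource_server_scopes]
}
```

Running `terraform graph` on this configuration shows the edge from auth0_role_permissions.my_role_perms to auth0_resource_server_scopes.resource_server_scopes, which is absent when the permissions block only references the resource server's identifier.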