auth0 / terraform-provider-auth0

The Auth0 Terraform Provider is the official plugin for managing Auth0 tenant configuration through the Terraform tool.
https://registry.terraform.io/providers/auth0/auth0/latest/docs
Mozilla Public License 2.0

auth0_role_permissions not allowing permissions to be appended multiple times #947

Closed sivakolisetti closed 4 months ago

sivakolisetti commented 5 months ago

Description

Initially, we are creating an Auth0 role and adding permissions. After some time we are updating it so that one more permission is added to the role, and it's working. But when we again add one more permission, the old permissions are getting null values and only the latest permission is getting that permission name.

Expectation

It should append permissions: whenever we are adding permissions to a role, only that permission should be appended, and the remaining permissions should not be deleted or updated.

resource "auth0_role" "example_role" {
    name        = var.role_name
    description = var.description_name
}

resource "auth0_role_permissions" "example_permissions" {
    role_id = auth0_role.example_role.id
    count   = length(var.permission_names)

    permissions {
        name                       = var.permission_names[count.index]
        resource_server_identifier = var.resource_server_identifier
    }
}

role_name                  = "role_test_testrestapi_tester2"
domain                     = "dev-test.eu.auth0.com"
description_name           = "Testing auth0 role for api permission"
resource_server_identifier = "http://test.restapi/"
permission_names           = ["access:store_contrib", "access:serve_read", "access:store_read"]

Adding one more permission name.

Third time adding one more permission (the issue we are facing is here).

Reproduction

  1. Create a role and add permissions.
  2. Add one more permission and test.
  3. Add one more permission and test -- it should work by only updating values, without affecting existing permissions.

Auth0 Terraform Provider version

version = "1.1.2"

Terraform version

"terraform_version": "1.3.1"

developerkunal commented 4 months ago

Hey @sivakolisetti,

Thank you for providing such a detailed issue description ⭐, and I apologize for the delayed response. As a new member of the team handling this provider, I'll do my best to clarify the matter for you. Moving forward, we're striving for faster responses as we onboard new team members onto the project.


I've successfully reproduced the issue you mentioned and have understood its root cause. Let me explain:

From the provided HCL configuration snippet, it's clear that you are:

The issue arises from the use of the auth0_role_permissions resource. This resource effectively creates two separate resources due to the use of count at the resource level.

The auth0_role_permissions resource manages all the permissions assigned to a role in bulk. You can only have one instance of this resource within your configuration. Otherwise, if you have multiple instances with different permissions, only the last applied resource will have any effect, as it overwrites changes from previous resources.

If you intend to add permissions in an append-only style, you'll need to switch your configuration to use a one-to-one resource relationship, the auth0_role_permission, instead of the auth0_role_permissions one-to-many resource, and use dynamic permissions blocks.

You're encountering constant changes because the two auth0_role_permissions resources created due to the count block at the resource level overwrite each other. Please also review the warning inside the docs: Auth0 Role Permissions Docs.

To fix your configuration, you have two options:

A) Use for_each or count at the resource level but with the auth0_role_permission resource instead (one-to-one relationship).

B) Use dynamic permissions blocks and for_each or count inside them to manage everything with only one auth0_role_permissions resource.

This is applicable when you want to add multiple permissions or update permissions in a loop.

Here's an example for both approaches. First, the shared auth0_resource_server, auth0_resource_server_scopes and auth0_role definitions:

resource "auth0_resource_server" "my_api" {
    name                                            = "test"
    identifier                                      = "test.example.com"
    signing_alg                                     = "RS256"
    token_lifetime                                  = 86400
    token_lifetime_for_web                          = 7200
    enforce_policies                                = true
    skip_consent_for_verifiable_first_party_clients = true
    allow_offline_access                            = false
    token_dialect                                   = "access_token"
}

resource "auth0_resource_server_scopes" "my_api_scopes" {
    resource_server_identifier = auth0_resource_server.my_api.identifier

    scopes {
        name = "access:store_contrib"
    }

    scopes {
        name = "access:store_read"
    }

    scopes {
        name = "access:serve_read"
    }
}

resource "auth0_role" "my_role" {
    name        = "My Role"
}

To keep using the auth0_role_permissions resource:

<auth0_resource_server, auth0_resource_server_scopes, auth0_role definitions>

resource "auth0_role_permissions" "my_role_perms" {
    role_id = auth0_role.my_role.id

    dynamic "permissions" {
        for_each = auth0_resource_server_scopes.my_api_scopes.scopes
        content {
            name                       = permissions.value["name"]
            resource_server_identifier = auth0_resource_server.my_api.identifier
        }
    }
}

Or to use the auth0_role_permission resource:

<auth0_resource_server, auth0_resource_server_scopes, auth0_role definitions>

locals {
    scopesList = [
        for scope in auth0_resource_server_scopes.my_api_scopes.scopes : scope.name
    ]
}

resource "auth0_role_permission" "my_role_perm" {
    for_each = toset(local.scopesList)

    role_id                    = auth0_role.my_role.id
    resource_server_identifier = auth0_resource_server.my_api.identifier
    permission                 = each.value
}

I hope this helps! Let me know if you need further assistance.
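A pre-apply check for the overwrite pattern explained in the answer above, as an added example that is not code from the provider or from either participant in this thread. It reads the JSON that `terraform show -json <planfile>` emits, flags every role that more than one `auth0_role_permissions` instance would manage after apply (grouping by the planned `role_id`, or by the `role_id` expression in `configuration` when the role is created in the same run and its id is still unknown), and lists any permissions an update would strip from a role. The embedded plan is constructed to mirror the third apply in the report: three `count` instances of `example_permissions` all pointing at one role. The role id `rol_example01`, the second role `auth0_role.new_role`, and the script name `lint_role_permissions.py` are assumed; the resource server identifier is the one from the report.

```python
"""Pre-apply lint for the overwrite pattern in this issue (added example, not provider code).
Reads only the `terraform show -json <planfile>` shape: resource_changes[] and configuration."""
import json
import sys
from collections import defaultdict

API = "http://test.restapi/"  # resource server identifier from the report


def _perm(name: str) -> dict:
    return {"name": name, "resource_server_identifier": API}


# Constructed plan mirroring the third apply in the report: three count instances of
# auth0_role_permissions all target one role (id rol_example01 is an assumed value).
# Refresh read every permission on the role back into each instance, so each instance
# now plans to shrink the role down to its own single permission.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "auth0_role_permissions.example_permissions[0]", "type": "auth0_role_permissions",
         "change": {"actions": ["update"],
                    "before": {"role_id": "rol_example01",
                               "permissions": [_perm("access:store_contrib"), _perm("access:serve_read")]},
                    "after": {"role_id": "rol_example01", "permissions": [_perm("access:store_contrib")]}}},
        {"address": "auth0_role_permissions.example_permissions[1]", "type": "auth0_role_permissions",
         "change": {"actions": ["update"],
                    "before": {"role_id": "rol_example01",
                               "permissions": [_perm("access:store_contrib"), _perm("access:serve_read")]},
                    "after": {"role_id": "rol_example01", "permissions": [_perm("access:serve_read")]}}},
        {"address": "auth0_role_permissions.example_permissions[2]", "type": "auth0_role_permissions",
         "change": {"actions": ["create"], "before": None,
                    "after": {"role_id": "rol_example01", "permissions": [_perm("access:store_read")]}}},
        # A second (hypothetical) role created in the same apply: its id is unknown at
        # plan time, so grouping must fall back to the role_id expression in configuration.
        {"address": "auth0_role_permissions.new_role_perms[0]", "type": "auth0_role_permissions",
         "change": {"actions": ["create"], "before": None,
                    "after": {"permissions": [_perm("access:store_read")]},
                    "after_unknown": {"role_id": True}}},
        {"address": "auth0_role_permissions.new_role_perms[1]", "type": "auth0_role_permissions",
         "change": {"actions": ["create"], "before": None,
                    "after": {"permissions": [_perm("access:serve_read")]},
                    "after_unknown": {"role_id": True}}},
    ],
    "configuration": {"root_module": {"resources": [
        {"address": "auth0_role_permissions.example_permissions",
         "expressions": {"role_id": {"references": ["auth0_role.example_role.id", "auth0_role.example_role"]}}},
        {"address": "auth0_role_permissions.new_role_perms",
         "expressions": {"role_id": {"references": ["auth0_role.new_role.id", "auth0_role.new_role"]}}},
    ]}},
}


def _config_role_refs(plan: dict) -> dict:
    """Un-indexed resource address -> the expression its role_id references."""
    refs = {}
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        r = res.get("expressions", {}).get("role_id", {}).get("references") or []
        if r:
            refs[res["address"]] = "ref:" + r[0]
    return refs


def _role_permission_changes(plan: dict):
    for rc in plan.get("resource_changes", []):
        if rc.get("type") == "auth0_role_permissions":
            yield rc, rc.get("change") or {}


def find_conflicting_role_permissions(plan: dict) -> dict:
    """{role key: [addresses]} for every role that more than one auth0_role_permissions
    instance would manage after apply; the resource is safe only with one instance per role."""
    refs = _config_role_refs(plan)
    by_role = defaultdict(list)
    for rc, change in _role_permission_changes(plan):
        if change.get("actions") == ["delete"]:
            continue  # gone after apply, cannot overwrite anything
        role_id = (change.get("after") or {}).get("role_id")
        key = "id:" + role_id if role_id else refs.get(rc["address"].split("[", 1)[0], "unknown")
        by_role[key].append(rc["address"])
    return {k: v for k, v in by_role.items() if len(v) > 1}


def permissions_dropped(plan: dict) -> dict:
    """{address: sorted names} that an update would strip from the role, i.e. the
    'old permissions disappear' symptom from the report."""
    dropped = {}
    for rc, change in _role_permission_changes(plan):
        before = {p["name"] for p in (change.get("before") or {}).get("permissions") or []}
        after = {p["name"] for p in (change.get("after") or {}).get("permissions") or []}
        if before - after:
            dropped[rc["address"]] = sorted(before - after)
    return dropped


if __name__ == "__main__":
    # usage: terraform show -json plan.bin | python lint_role_permissions.py
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    for role, addrs in find_conflicting_role_permissions(plan).items():
        print(f"CONFLICT {role}: {len(addrs)} instances -> {', '.join(addrs)}")
    for addr, names in permissions_dropped(plan).items():
        print(f"DROPS {addr}: {', '.join(names)}")
```

Run it against a real plan with `terraform plan -out plan.bin && terraform show -json plan.bin | python lint_role_permissions.py`; with no stdin it lints the embedded sample. Any CONFLICT line means the configuration still has several `auth0_role_permissions` instances for one role and should be moved to a single resource with a dynamic block or to per-permission `auth0_role_permission` resources, as described above; a DROPS line shows exactly which permissions the next apply would remove.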

developerkunal commented 4 months ago

Hi @sivakolisetti ,

I hope you're having a pleasant day!

I just wanted to inform you that I'll be closing this issue shortly. However, if you have any more issues or questions, please feel free to open a new one. I'm here to assist you further.

Thank you for your cooperation.

Best regards,