Closed: sivakolisetti closed this issue 4 months ago
Hey @sivakolisetti,
Thank you for providing such a detailed issue description ⭐, and I apologize for the delayed response. As a new member of the team handling this provider, I'll do my best to clarify the matter for you. Moving forward, we're striving for faster responses as we onboard new team members onto the project.
I've successfully reproduced the issue you mentioned and have understood its root cause. Let me explain:
From the provided HCL configuration snippet, it's clear that you are adding the permissions listed in the `var.permission_names` variable, associated with the resource servers identified by `var.resource_server_identifier`. The issue arises from the use of the `auth0_role_permissions` resource. This resource effectively creates two separate resources due to the use of `count` at the resource level.

The `auth0_role_permissions` resource manages all the permissions assigned to a role in bulk. You can only have one instance of this resource within your configuration. Otherwise, if you have multiple instances with different permissions, only the last applied resource will have any effect, as it overwrites changes from previous resources.

If you intend to add permissions in an append-only style, you'll need to switch your configuration to use a one-to-one resource relationship, the `auth0_role_permission`, instead of the `auth0_role_permissions` one-to-many resource, and use dynamic `permissions` blocks.

You're encountering constant changes because the two `auth0_role_permissions` resources created due to the `count` block at the resource level overwrite each other. Please also review the warning inside the docs: Auth0 Role Permissions Docs.
To fix your configuration, you have two options:

A) Use `for_each` or `count` at the resource level but with the `auth0_role_permission` resource instead (one-to-one relationship).

B) Use dynamic `permissions` blocks and `for_each` or `count` inside them to manage everything with only one `auth0_role_permissions` resource.

This is applicable when you want to add multiple permissions or update permissions in a loop.
Here's an example for both approaches:

`auth0_resource_server`, `auth0_resource_server_scopes`, `auth0_role` definitions:

```hcl
resource "auth0_resource_server" "my_api" {
  name                                            = "test"
  identifier                                      = "test.example.com"
  signing_alg                                     = "RS256"
  token_lifetime                                  = 86400
  token_lifetime_for_web                          = 7200
  enforce_policies                                = true
  skip_consent_for_verifiable_first_party_clients = true
  allow_offline_access                            = false
  token_dialect                                   = "access_token"
}

resource "auth0_resource_server_scopes" "my_api_scopes" {
  resource_server_identifier = auth0_resource_server.my_api.identifier

  scopes {
    name = "access:store_contrib"
  }
  scopes {
    name = "access:store_read"
  }
  scopes {
    name = "access:serve_read"
  }
}

resource "auth0_role" "my_role" {
  name = "My Role"
}
```

To keep using the `auth0_role_permissions` resource:

```hcl
# <auth0_resource_server, auth0_resource_server_scopes, auth0_role definitions>

# One bulk resource manages the whole permission list of the role; the
# dynamic block emits one permissions {} entry per scope of the API.
resource "auth0_role_permissions" "my_role_perms" {
  role_id = auth0_role.my_role.id

  dynamic "permissions" {
    for_each = auth0_resource_server_scopes.my_api_scopes.scopes
    content {
      name                       = permissions.value["name"]
      resource_server_identifier = auth0_resource_server.my_api.identifier
    }
  }
}
```

Or to use the `auth0_role_permission` resource:

```hcl
# <auth0_resource_server, auth0_resource_server_scopes, auth0_role definitions>

locals {
  scopesList = [
    for scope in auth0_resource_server_scopes.my_api_scopes.scopes : scope.name
  ]
}

# One resource instance per permission; each instance only adds or removes
# its own permission, so adding a scope appends instead of overwriting.
resource "auth0_role_permission" "my_role_perm" {
  for_each                   = toset(local.scopesList)
  role_id                    = auth0_role.my_role.id
  resource_server_identifier = auth0_resource_server.my_api.identifier
  permission                 = each.value
}
```
I hope this helps! Let me know if you need further assistance.
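To make the overwrite behaviour described above concrete, here is an added Python model of the two write semantics. It is not provider code and does not call the Auth0 API; it assumes exactly what the comment states (a bulk `auth0_role_permissions` apply makes the role's remote list equal to that one instance's list, while an `auth0_role_permission` apply only appends its single permission) and feeds it the permission names and resource server identifier from the issue's own tfvars. The `RoleStore` class, the address strings and the plan/apply loop are constructed for this illustration.

```python
"""Added model of the two write semantics described in the maintainer's comment;
it does not call the Auth0 API or the provider, it only mirrors what was said."""

# Constructed inputs copied from the issue's tfvars.
RESOURCE_SERVER = "http://test.restapi/"
PERMISSION_NAMES = ["access:store_contrib", "access:serve_read", "access:store_read"]


class RoleStore:
    """Stand-in for the permission list Auth0 holds for one role (assumption)."""

    def __init__(self):
        self.permissions = set()

    def replace_all(self, perms):
        # auth0_role_permissions: the whole list is managed in bulk, so an
        # apply makes the remote list equal to this one instance's list.
        self.permissions = set(perms)

    def add_one(self, perm):
        # auth0_role_permission: one permission, so an apply only appends it.
        self.permissions.add(perm)

    def read(self):
        return set(self.permissions)


def bulk_instances(names, rs=RESOURCE_SERVER):
    """count = length(var.permission_names) on auth0_role_permissions gives one
    bulk instance per name, each wanting the role to hold only that name."""
    return {f"auth0_role_permissions.example_permissions[{i}]": {(n, rs)}
            for i, n in enumerate(names)}


def single_instances(names, rs=RESOURCE_SERVER):
    """for_each = toset(var.permission_names) on auth0_role_permission gives one
    instance per name, each wanting only that name to be present."""
    return {f'auth0_role_permission.example_permission["{n}"]': (n, rs)
            for n in names}


def plan_bulk(store, instances):
    """Addresses that show a diff: remote list differs from the instance's list."""
    return [addr for addr, want in instances.items() if store.read() != want]


def plan_single(store, instances):
    """Addresses that show a diff: the instance's permission is missing remotely."""
    return [addr for addr, want in instances.items() if want not in store.read()]


def apply_cycle(store, instances, plan, write):
    """One terraform plan + apply: compute the diff first, then write each
    changed instance in address order. Returns the addresses that changed."""
    changed = plan(store, instances)
    for addr in changed:
        write(instances[addr])
    return changed


def run_cycles(kind, names, cycles=3):
    """Run repeated plan/apply cycles for one of the two layouts and return
    (changed addresses per cycle, final remote permission set)."""
    store = RoleStore()
    if kind == "bulk":
        inst, plan, write = bulk_instances(names), plan_bulk, store.replace_all
    elif kind == "single":
        inst, plan, write = single_instances(names), plan_single, store.add_one
    else:
        raise ValueError(f"unknown layout {kind!r}")
    history = [apply_cycle(store, inst, plan, write) for _ in range(cycles)]
    return history, store.read()


if __name__ == "__main__":
    for kind in ("bulk", "single"):
        history, final = run_cycles(kind, PERMISSION_NAMES)
        print(f"== {kind} ==")
        for i, changed in enumerate(history, 1):
            print(f"cycle {i}: {len(changed)} instance(s) changed: {changed}")
        print("role ends up with:", sorted(n for n, _ in final))
```

Running it shows the symptom from the issue: with the bulk layout every cycle still has instances to update, and the role only ever holds whichever permission was written last, whereas the one-to-one layout converges after the first apply and the role keeps all three permissions. The same model is a useful check before adopting any "one-to-many" resource with `count`: if a plan is never empty after an apply, two instances are managing the same remote list.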
Hi @sivakolisetti ,
I hope you're having a pleasant day!
I just wanted to inform you that I'll be closing this issue shortly. However, if you have any more issues or questions, please feel free to open a new one. I'm here to assist you further.
Thank you for your cooperation.
Best regards,
Description
Initially, we are creating an Auth0 role and adding permissions. After some time we are updating one more permission to be added to the role, and it's working. But when we add one more permission again, the old permissions are getting null values and only the latest permission is getting that permission name.
Expectation
It should append permissions whenever we are adding permissions to the role; only that permission should be appended, and the remaining permissions should not be deleted or updated.

```hcl
resource "auth0_role" "example_role" {
  name        = var.role_name
  description = var.description_name
}

resource "auth0_role_permissions" "example_permissions" {
  role_id = auth0_role.example_role.id
  count   = length(var.permission_names)

  permissions {
    name                       = var.permission_names[count.index]
    resource_server_identifier = var.resource_server_identifier
  }
}
```

```hcl
role_name                  = "role_test_testrestapi_tester2"
domain                     = "dev-test.eu.auth0.com"
description_name           = "Testing auth0 role for api permission"
resource_server_identifier = "http://test.restapi/"
permission_names           = ["access:store_contrib", "access:serve_read", "access:store_read"]
```

Adding one more permission name.

Third time adding one more permission (this is the issue we are facing).
Reproduction
Auth0 Terraform Provider version: `version = "1.1.2"`

Terraform version: `"terraform_version": "1.3.1"`