Closed hectorhuol closed 1 month ago
Hey @hectorhuol 👋🏻
Thanks for taking the time to put such a detailed issue together ⭐ and apologies for the time it took to get back to you. I'm no longer working on the provider but going forward the community should expect much faster replies as we're onboarding new team members to the project.
I was able to reproduce your issue and understand what's causing it. I'll attempt to clarify this for you, but please don't hesitate to follow up with further questions if something's not clear.
From the HCL configuration snippet you provided above I can see that you're:
Now the issue you're encountering is caused by the fact that when you're using the auth0_role_permissions resource, you're actually effectively creating 2 separate resources behind the scenes through the use of the for_each at the resource level.

The auth0_role_permissions resource manages all the permissions assigned to a role in bulk and you can only ever have 1 instance of this resource within your config; otherwise, if you have multiple and they have different permissions, only the last resource that gets applied will have any effect, as that will overwrite the changes from a previous resource. If you want the permissions to get added in an append-only style you'll need to switch your config to use the 1-to-1 resource relationship instead, auth0_role_permission, or use dynamic permissions blocks if you want to use the auth0_role_permissions resource that manages everything in bulk through a 1-to-many relationship. Does this make sense?

So you're effectively seeing a constant change because the 2 auth0_role_permissions resources that get created because of the for_each block on the resource level will overwrite each other. Please also check the warning inside the docs for this: https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/role_permissions
So you have 2 options to fix your configuration:

A) Use for_each at a resource level but with the auth0_role_permission resource instead (1:1 relationship).

B) Use dynamic permissions blocks and use the for_each inside there to manage everything with only 1 auth0_role_permissions resource.

This is only if you truly want to use 1 role for both APIs created. It would be great to understand from your side if that's intended or there's a missed for_each block on the auth0_role resource so you have a dedicated role for each environment.

If you want to use 1 role for both APIs and only use the auth0_role_permissions resource, you'd have to modify your configuration as follows, so that you only have 1 auth0_role_permissions resource created that won't overwrite others:
```hcl
# One bulk resource for the role; the dynamic blocks expand to one
# permissions block per environment instead of one resource per environment.
resource "auth0_role_permissions" "iq_saas_admin_support" {
  role_id = auth0_role.iq_saas_admin_support.id

  dynamic "permissions" {
    for_each = var.configuration.environments
    content {
      name                       = "create:support-zip"
      resource_server_identifier = auth0_resource_server.iq_saas_admin_apis[permissions.key].identifier
    }
  }

  dynamic "permissions" {
    for_each = var.configuration.environments
    content {
      name                       = "read:tenants"
      resource_server_identifier = auth0_resource_server.iq_saas_admin_apis[permissions.key].identifier
    }
  }
}
```
The above will attach 4 permissions to the auth0_role: create:support-zip from the first API, create:support-zip from the second API, read:tenants from the first API and read:tenants from the second API.
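Option A from the reply above, written out as an added example (this is not code from the issue or from the provider's documentation): one auth0_role_permission instance per (environment, permission) pair, so each instance owns exactly one permission and instances append to each other rather than overwriting the role's full list. It assumes var.configuration.environments is a map keyed by environment name and reuses the resource names from the issue's configuration; the locals and the support_permissions list are made up for the illustration.

```hcl
locals {
  # Permissions to grant on every environment's API (constructed sample list,
  # matching the two permissions used in the issue).
  support_permissions = ["create:support-zip", "read:tenants"]

  # Flatten environments x permissions into a map with a readable, stable key,
  # e.g. "dev/read:tenants" => { environment = "dev", permission = "read:tenants" }.
  # Stable keys keep the state addresses fixed when environments or permissions
  # are added later, so existing instances are not recreated.
  support_role_permissions = {
    for pair in setproduct(keys(var.configuration.environments), local.support_permissions) :
    "${pair[0]}/${pair[1]}" => {
      environment = pair[0]
      permission  = pair[1]
    }
  }
}

# 1:1 resource: each instance manages a single permission on the role.
resource "auth0_role_permission" "iq_saas_admin_support" {
  for_each = local.support_role_permissions

  role_id                    = auth0_role.iq_saas_admin_support.id
  permission                 = each.value.permission
  resource_server_identifier = auth0_resource_server.iq_saas_admin_apis[each.value.environment].identifier

  # Scopes must exist on the resource server before they can be assigned
  # to the role (the same ordering problem the issue hit on first apply).
  depends_on = [auth0_resource_server_scopes.iq_saas_admin_api_scopes]
}
```

With two environments this creates four instances, the same four grants the dynamic-block version attaches. Adding a third permission to the list later only creates new instances and leaves the existing ones untouched, so repeated plans converge to "No changes". Do not keep an auth0_role_permissions resource for the same role alongside these: as described above, the bulk resource rewrites the role's whole permission list and would undo what the 1:1 instances add.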
Hi @sergiught

Thanks for the detailed response, now I understand better how the auth0_role_permission works, what you explained there makes a lot of sense. I tested with your suggestion, and the error I saw disappeared, thanks for the help!

Regards
Checklist
Description
I am creating some resources using the Auth0 Terraform provider and I am noticing this strange behavior with the auth0_role_permissions, and I am not sure if it is expected or not.

What is happening to me is that the first time I ran my Terraform, I got an error saying that one permission didn't exist. I added the depends_on and the Terraform worked fine and all my Auth0 resources are being created.

Now what happens is that every time I run a terraform plan (without making any change to the Terraform code) it says that it will update my role permissions, and the update is that it will delete the assigned permissions, like this:

If I apply the terraform plan, then the role permissions are deleted, and if I run the terraform plan again (again without making any change to the Terraform code), what happens is that my role permissions will be updated again, but now all the permissions will be added, something like this:

I can keep doing the same all day, and I always get the same behavior: it first deletes the permissions, then adds them again. So in the end I never get the No Changes message I expect from Terraform.

And if I try to put the next block on the auth0_resource_server resource:

I am getting the next error from Terraform:
Expectation

I expect auth0_role_permissions resources to be saved on Terraform state always, and I can get the No Changes message from Terraform.

Reproduction

Use this Terraform code as a reference:
```hcl
resource "auth0_resource_server_scopes" "iq_saas_admin_api_scopes" {
  for_each = var.configuration.environments

  resource_server_identifier = auth0_resource_server.iq_saas_admin_apis[each.key].identifier

  scopes {
    name        = "create:tenants"
    description = "Permission to create IQ SaaS tenants"
  }
  scopes {
    name        = "update:tenants"
    description = "Permission to update IQ SaaS tenants"
  }
  scopes {
    name        = "read:tenants"
    description = "Permission to read IQ SaaS tenants"
  }
  scopes {
    name        = "delete:tenants"
    description = "Permission to delete IQ SaaS tenants"
  }
  scopes {
    name        = "create:support-zip"
    description = "Permission to generate support zip files"
  }
}

resource "auth0_role" "iq_saas_admin_support" {
  description = "Support access for the IQ SaaS Admin App"
  name        = "IQ SaaS Admin App - Support"
}

# for_each here creates one bulk auth0_role_permissions resource per
# environment for the same role, which is the behavior this issue reports.
resource "auth0_role_permissions" "iq_saas_admin_support" {
  for_each = var.configuration.environments

  role_id = auth0_role.iq_saas_admin_support.id

  permissions {
    name                       = "create:support-zip"
    resource_server_identifier = auth0_resource_server.iq_saas_admin_apis[each.key].identifier
  }
  permissions {
    name                       = "read:tenants"
    resource_server_identifier = auth0_resource_server.iq_saas_admin_apis[each.key].identifier
  }

  depends_on = [auth0_resource_server_scopes.iq_saas_admin_api_scopes]
}
```