zitadel / terraform-provider-zitadel

Official Terraform provider for ZITADEL
https://zitadel.com
Apache License 2.0

zitadel_login_policy resource throws errors #128

Open jobcespedes opened 11 months ago

jobcespedes commented 11 months ago

Version

1.0.2

ZITADEL Version

v2.37.2

Describe the problem caused by this bug

Two problems related to 'zitadel_login_policy' resource:

  1. Error: Error: failed to create login policy: rpc error: code = AlreadyExists desc = Login Policy already exists. I believe this has something to do with manual modifications via the "Login Behavior and Security" cloud web UI. If "Reset to instance default" is clicked in the web UI, the error does not occur.
  2. Error: Error: failed to update login policy: rpc error: code = FailedPrecondition desc = Errors.Org.LoginPolicy.NotChanged in the second terraform apply after a first successful one.

To reproduce

For error 1:

  1. In cloud web UI, modify anything in "Login Behavior and Security".
  2. Create a "zitadel_login_policy" resource and apply it with terraform.
  3. Error 1 happens
  4. Click "Reset to instance default" in web UI
  5. Apply terraform again
  6. There is no error

For error 2:

  1. Create a "zitadel_login_policy" resource and apply it with terraform.
  2. No Error 1
  3. Apply terraform again
  4. Error 2 happens

Screenshots

No response

Expected behavior

No errors in both cases

Relevant Configuration

No response

Additional Context

No response

stebenz commented 10 months ago

@jobcespedes To error 1, this is correct behavior, as a resource managed with terraform was changed in some kind of way as that should not happen normally. To error 2, this is also correct behavior, as terraform should only update resources if there are changes in them, which should never result in the "NotChanged" error. Did you apply the exact same resource again with the terraform state of the first apply?

jobcespedes commented 10 months ago

Hi @stebenz,

  1. To your first point: got it.
  2. To your second point: No, no changes were made between the first and second run of terraform apply. I ended up adding a lifecycle block to the resource.

stebenz commented 4 months ago

Hi @jobcespedes But with the lifecycle block, there should be no changes on the resource attributes that trigger the calling of the ZITADEL API and then result in the error as really nothing changed. How is the change in the second apply displayed?

vs-gtadeu commented 3 months ago

I've just run into this issue:

│ Error: failed to update login policy: rpc error: code = FailedPrecondition desc = Errors.Org.LoginPolicy.NotChanged (Org-5M9vdd)
│ 
│   with zitadel_login_policy.default,
│   on organizations.tf line 58, in resource "zitadel_login_policy" "default":
│   58: resource "zitadel_login_policy" "default" {

For context: We already had successfully terraformed the zitadel_login_policy previously. This error happened after we ran Terraform again with a set of changes unrelated to the zitadel_login_policy resource that caused the error.

Keeping existing resource parameters untouched is something completely normal in the lifecycle of a Terraform project.

vs-gtadeu commented 3 months ago

I'd also like to counter-argue this statement:

To error 1, this is correct behavior, as a resource managed with terraform was changed in some kind of way as that should not happen normally.

I've never seen this behavior with other Terraform providers. Usually, providers just display a warning in the Terraform plan output indicating that something was changed outside of Terraform:

image

More info can be found here.