alexkappa/terraform-provider-auth0

auth0_action: action does not get deployed

RishikeshDarandale opened this issue · 19 comments

Description

I had imported the existing deployed action using terraform import. Later, if I apply the changes via terraform apply with deploy = true, then it gives the following error:

Error: 400 Bad Request: A draft must be in the 'built' state before it can be deployed.

I see that the new code changes have been saved, but not deployed.

Terraform Version

Terraform v1.0.7
on linux_amd64
+ provider registry.terraform.io/alexkappa/auth0 v0.24.0
+ provider registry.terraform.io/hashicorp/local v2.0.0

Your version of Terraform is out of date! The latest version
is 1.0.11. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

  • auth0_action

Terraform Configuration Files

resource "auth0_action" "test-action" {
  name = "test"
  supported_triggers {
    id      = "pre-user-registration"
    version = "v2"
  }

  code    = file("test.js")
  runtime = "node16"

  dependencies {
    name    = "Dep1"
    version = "v1"
  }
  dependencies {
    name    = "Dep2"
    version = "v2"
  }

  secrets {
    name  = "SOME_KEY"
    value = "SOME_VALUE"
  }

  deploy = true
}

Expected Behavior

The action should get deployed as well and should not give the above-mentioned error.

Actual Behavior

error:

Error: 400 Bad Request: A draft must be in the 'built' state before it can be deployed.

Steps to Reproduce

  1. terraform apply

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Hi @RishikeshDarandale, thanks for reporting this. I would need a little more info from your side to help get to the bottom of this.

Could you run terraform apply with the following environment variables set?

TF_LOG=DEBUG AUTH0_DEBUG=1 terraform apply

I would like to see the requests & responses from the Auth0 Management API. Please make sure to hide any sensitive information. A gist would be ideal 🙏

I suspect that the code may not be able to build successfully. When creating an action, its status field will initially be pending and in a few seconds, it should turn to built. What does it show in the case of your action?

@alexkappa , Sorry, I will not be able to share the complete logs here, but definitely I will share the code snippet with replaced text as below:

The patch call happens to /actions as below:

2021-11-22T17:03:38.491+0530 [DEBUG] auth0_action.my-action: applying the planned Update change
2021-11-22T17:03:38.493+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: 2021/11/22 17:03:38 
2021-11-22T17:03:38.493+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: PATCH /api/v2/actions/actions/uuid1 HTTP/1.1
2021-11-22T17:03:38.493+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Host: my-tenant.us.auth0.com
2021-11-22T17:03:38.493+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: User-Agent: Terraform-Provider-Auth0/dev (Go-Auth0-SDK/5.21.1; Terraform-SDK/1.16.1; Terraform/1.0.7)
2021-11-22T17:03:38.493+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Content-Length: 2823
2021-11-22T17:03:38.493+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Content-Type: application/json
2021-11-22T17:03:38.493+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Accept-Encoding: gzip
2021-11-22T17:03:38.493+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: 
2021-11-22T17:03:38.493+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: {"name":"my-action","supported_triggers":[{"id":"pre-user-registration","version":"v2"}],"code":"// https://www.npmjs.com/package/@sideway/address\nconst address = require('@sideway/address');\n// https://www.npmjs.com/package/winston\nconst winston = require('winston');\n","dependencies":[{"name":"@sideway/address","version":"4.1.2"},{"name":"winston","version":"3.3.3"}],"runtime":"node16"}

Code is trimmed out, if you see secrets have not been added. Same mentioned here #472 (FYI: I already had action which was imported using terraform import and applying new changes with terraform apply with deploy=true option)

The response to this PATCH call is like below:

2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: 2021/11/22 17:03:40 
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: HTTP/2.0 200 OK
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Cache-Control: no-cache
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Cf-Cache-Status: DYNAMIC
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Cf-Ray: 6b21d8196d006eb3-BOM
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Content-Type: application/json; charset=utf-8
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Date: Mon, 22 Nov 2021 11:33:40 GMT
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Ot-Baggage-Auth0-Request-Id: 6b21d8196d006eb3
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Ot-Tracer-Sampled: true
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Ot-Tracer-Spanid: 517c36e36e9b0ed5
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Ot-Tracer-Traceid: 745f56c954ef20f2
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Server: cloudflare
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Strict-Transport-Security: max-age=31536000
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: Vary: origin,accept-encoding
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: X-Content-Type-Options: nosniff
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: X-Ratelimit-Limit: 10
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: X-Ratelimit-Remaining: 9
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: X-Ratelimit-Reset: 1637580821
2021-11-22T17:03:40.100+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: 
2021-11-22T17:03:40.101+0530 [DEBUG] provider.terraform-provider-auth0_v0.24.0: {"id":"UUID1","name":"my-action","supported_triggers":[{"id":"pre-user-registration","version":"v2"}],"created_at":"2021-08-27T08:24:38.279322925Z","updated_at":"2021-11-22T11:33:39.902133960Z","code":"// https://www.npmjs.com/package/@sideway/address\nconst address = require('@sideway/address');\n","dependencies":[{"name":"@sideway/address","version":"4.1.2"},{"name":"winston","version":"3.3.3"}],"runtime":"node16","status":"pending","secrets":[{"name":"KEY","updated_at":"2021-08-31T13:02:19.162044825Z"}],"current_version":{"id":"cdd5b8ae-e3cb-4715-a15c-e99b9c537e30","code":"// https://www.npmjs.com/package/@sideway/address\nconst address = require('@sideway/address');\n// https://www.npmjs.com/package/winston\nconst winston = require('winston');\n","runtime":"node16","status":"BUILT","number":18,"build_time":"2021-11-18T10:18:18.307375352Z","created_at":"2021-11-18T10:18:18.188489472Z","updated_at":"2021-11-18T10:18:18.308187840Z"},"deployed_version":{"code":"// https://www.npmjs.com/package/@sideway/address\nconst address = require('@sideway/address');\n// https://www.npmjs.com/package/winston\nconst winston = require('winston');\n","dependencies":[{"name":"@sideway/address","version":"4.1.2"},{"name":"winston","version":"3.3.3"}],"id":"cdd5b8ae-e3cb-4715-a15c-e99b9c537e30","deployed":true,"number":18,"built_at":"2021-11-18T10:18:18.307375352Z","secrets":[{"name":"KEY","updated_at":"2021-08-31T13:02:19.162044825Z"}],"status":"built","created_at":"2021-11-18T10:18:18.188489472Z","updated_at":"2021-11-18T10:18:18.308187840Z","runtime":"node16"},"all_changes_deployed":false}

As you stated the status is PENDING, thus deploy API call might be failing.

Let me know if you need further debugging logs. Thanks!

@alexkappa, did you look at the above logs?

Hi @RishikeshDarandale, thanks for sharing the logs. Indeed it confirms my suspicion regarding the pending state. I would like to look into how secrets play a role in this issue as it might be related.

I don't have a timeline, but I will look into it as soon as I have some time.

Just FYI, after this unsuccessful attempt using terraform, if I go and deploy the action from console, it works and existing secret remains as it is.

@alexkappa I tried with 0.24.1 and still it's failing with same error.

Observations are as below:

  • patch call to actions still do not have secrets
  • patch call is successful with status as pending

Hi @RishikeshDarandale, sorry to hear that. Just to make sure we have all angles covered, did you notice the note in the docs about secrets not being importable?

As with all secrets, the Auth0 Management API doesn't return the values back to consumers. That's due to security reasons, I imagine, as the values get hashed/encrypted server-side. So for this provider to work with secrets they must be defined by the configuration.

Yes @alexkappa , I went through your pull request that documents that secrets can not be imported. Let me try removing the resource from state and re-import. Then I will try to apply a new change with terraform.

Let me know if you have any comments.

@alexkappa , this is what I tried with 0.24.1

  • Removed the auth0_action resource from the state and removed the related HCL code.
  • No infrastructure changes detected by terraform with terraform plan
  • Added back HCL code as mentioned in this issue, but this time without secrets.
  • Import was successful
  • Done a small change in console log in code and added the existing secret to the action resource
  • terraform plan was showing the correct diff to update to action with secrets add and modify the code.
  • When applied the change, same observations found
    • patch call to actions still do not have secrets
    • patch call is successful with status as pending

IMO, update/patch action should add the secrets if plan is showing.

Okay, thanks for letting me know. I will need to reproduce this and see what might be causing the update to not include secrets.

Also, should we find when the update action returns status as pending from auth0? How to poll the status to change it to built?

@alexkappa , I tried with sending the secrets in body for patch api call, the api still returns the status as pending. When I tried to get an action using get api call, then I got the status as built. I think, we need to update the logic as below:

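async function update_action() {
  // update the action with the required fields
  const err = await updateAction();
  if (!err) {
    // poll with a sleep time and a max retry count of 3
    let status = await getActionStatus();
    for (let retry = 0; status !== 'built' && retry < 3; retry++) {
      await sleep(1000); // sleep time between polls (value illustrative)
      status = await getActionStatus();
    }
    if (status === 'built') {
      await deployAction();
    } else {
      console.error('Action is still not built...');
    }
  }
}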

I am not aware of Go syntax, otherwise I could have created a pull request.

I found how auth0-deploy-cli is doing it: they are retrying in deployAction! See here

  async deployAction(action) {
    try {
      await this.client.actions.deploy({ id: action.id });
    } catch (err) {
      // Retry if pending build.
      if (err.message && err.message.includes('must be in the \'built\' state')) {
        if (!action.retry_count) {
          log.info(`[${this.type}]: Waiting for build to complete ${this.objString(action)}`);
          action.retry_count = 1;
        }
        if (action.retry_count > MAX_ACTION_DEPLOY_RETRY) {
          throw err;
        }
        await sleep(1000);
        action.retry_count += 1;
        await this.deployAction(action);
      }
    }
  }
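
A bounded wait-then-deploy loop for the behaviour discussed above (the PATCH response reports status pending, a later GET reports built), written in Go as an added example; it is not the provider's code and not the fix referenced in this thread. StatusFunc, DeployFunc and the replayed statuses are hypothetical, and "failed" is assumed to be a terminal status.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Hypothetical hooks for this example (not the go-auth0 SDK): StatusFunc reads
// the action's "status" field with a GET, DeployFunc issues the deploy call.
type (
	StatusFunc func(ctx context.Context) (string, error)
	DeployFunc func(ctx context.Context) error
)

// DeployWhenBuilt polls until the draft is "built" and then deploys exactly once.
// It stops early on "failed" (assumed terminal; the thread only shows "pending"
// and "built") and gives up when ctx expires, so an apply cannot hang forever.
func DeployWhenBuilt(ctx context.Context, status StatusFunc, deploy DeployFunc, interval time.Duration) error {
	for {
		s, err := status(ctx)
		if err != nil {
			return err
		}
		switch s {
		case "built":
			return deploy(ctx)
		case "failed":
			return fmt.Errorf("build failed, not deploying")
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("draft still %q: %w", s, ctx.Err())
		case <-time.After(interval):
		}
	}
}

func main() {
	replay := []string{"pending", "pending", "built"} // constructed sample responses
	polls := 0
	status := func(context.Context) (string, error) { polls++; return replay[polls-1], nil }
	deploy := func(context.Context) error { fmt.Println("deployed after", polls, "polls"); return nil }
	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()
	fmt.Println("err:", DeployWhenBuilt(ctx, status, deploy, 10*time.Millisecond))
}
```

Unlike retrying the deploy call on the 400 error, this checks the status first, so a draft that never builds surfaces as a timeout rather than a silent no-op.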

We also experience some failures regarding action deployment and secrets update.

Yes @shouze, currently the updated secrets are not passed to the Auth0 Management API from Terraform. @alexkappa is looking into it.
The deploy action is failing because it is not in the built state.

Hi everyone, just merged the fix from #476 which should wait for the action to have status='built' before deploying. Feel free to reopen this if issues persist.

Edit: v0.24.2 is released

Thanks @alexkappa . Now, the action deployment works perfectly. But, in patch request call the new secrets are not being sent/included. Should we reopen #472 ?

Hi @RishikeshDarandale, yes please, or better if we create a new issue. I think we covered some of the scope in this issue and #472 so perhaps better do a new one.

@alexkappa , created #477. Let me know if you need anything more on the issue!