The new feature of importing forms, flows and flow connections is not checking dependencies.

Question

The new feature of importing forms, flows and flow connections is not checking dependencies.

Closed this issue 21 days ago · 9 comments

Checklist

I have looked into the README and have not found a suitable solution or answer.
I have looked into the documentation and have not found a suitable solution or answer.
I have searched the issues and have not found a suitable solution or answer.
I have upgraded to the latest version of this tool and the issue still persists.
I have searched the Auth0 Community forums and have not found a suitable solution or answer.
I agree to the terms within the Auth0 Code of Conduct.

Description

In Version 8.3.0, the imports do not work correctly. The cli tries to import forms, which are dependent on flows and then which are dependent on Flow vault connections. If the dependencies are included correctly, then we shall be able to migrate, forms/flows from one tenant to another quite easily.

Expectation

The forms, flows and flow vault connections should be imported correctly in a blank tenant easily when migrated from another tenant.

Reproduction

Create forms, flows and vault connection in a tenant in the Development environment.
Export the data using CLI.
Update the config to point to the staging/test environment.
Try importing the data. It shall fail.

Deploy CLI version

8.3.0

Node version

20

Answer 1 · 2024-12-09T13:40:25.000Z

Hi, @ayushjain0702
Thank you for reporting this issue!
Our team is currently investigating the issue and will provide a fix as soon as possible.

Answer 2 · 2024-12-09T23:06:14.000Z

I guess we face the same issue. Export works but importing again fails due to "missing" flows for the forms.

Here is the debug output:

2024-12-09T22:59:11.153Z - error: Flow: Update KYB details not found for form:KYB - Onboarding, please verify the flow name.
...
ManagementApiError: Payload validation error: 'None of the valid schemas were met' on property nodes[5] ({description}). Inner errors: [ Payload validation error: 'Object didn't pass validation for format forms-flow-id: Validate address' on property nodes[5].config.flow_id. (also) Payload validation error: 'Invalid value "FLOW"' on property nodes[5].type. (also) Payload validation error: 'Additional properties not allowed: next_node,flow_id' on property nodes[5].config ({description}). (also) Payload validation error: 'Additional properties not allowed: flow_id' on property nodes[5].config ({description}). ].

Answer 3 · 2024-12-11T09:53:15.000Z

When exporting a tenant.yaml file I noticed that the vault connection is there but not the vault setup itself. This is what I received for my vault:

flowVaultConnections:
  - name: Vault Connection Name
    account_name: vault-tenant.eu.auth0.com
    app_id: AUTH0
    ready: true

I checked the "Network" tab when creating a Vault from the Auth0 Dashboard which gave me the idea of setup properties. I tried to use them and it worked successfully:

flowVaultConnections:
  - name: Vault Connection Name
    app_id: AUTH0
    setup:
      domain: vault-tenant.eu.auth0.com
      client_id: XXX
      client_secret: YYY
      type: OAUTH_APP

My request here is to also export the vault setup when running a0deploy export.

Answer 4 · 2024-12-11T10:15:07.000Z

Hi @bennycode ,
As the vault connections setup can contain credentials, So, the setup value is not returned via the API

Thanks!

Answer 5 · 2024-12-11T10:32:12.000Z

@kushalshit27 I understand the security concern, but it is somewhat surprising since other credentials are already exported when running a0deploy export. For example, connections.*.options.client_secret and action.secrets.*.value:

connections:
  - name: azure-connection
    strategy: waad
    display_name: Microsoft
    enabled_clients:
      - My Client App
    is_domain_connection: false
    options:
      domain: bennycode.com
      client_id: 123456
      use_wsfed: false
      ext_groups: false
      ext_profile: true
      identity_api: microsoft-identity-platform-v2.0
      basic_profile: false
      client_secret: VERY-SECRET-INFORMATION-BEING-EXPORTED
      tenant_domain: bennycode.com
      waad_protocol: openid-connect

How is it decided whether secrets are exported or not?

Answer 6 · 2024-12-12T04:04:20.000Z

Hi,
@bennycode,
Thanks for pointing that out; I will check with the team if we can make it uniform across the CLI.
I understand it would be better to manage vault connections setup. I have checked with the team; I hope they can do something about it in the future.
However, it can not be managed using CLI until API supports it. We appreciate your understanding and support.

Answer 7 · 2024-12-16T10:27:15.000Z

Hi,
The fix for this issue is now available in version 8.4.1. 🚀

Answer 8 · 2024-12-16T11:33:22.000Z

Hi @kushalshit27 I can confirm that Forms + Flows migration works with the new version IF the vaults are pre-setup and match the name of the old vault. Thank you!

Haven't tested @bennycode approach with extending the export yaml though.

Answer 9 · 2024-12-17T05:34:28.000Z

Thank you for confirming that the issue has been resolved! We appreciate your patience and cooperation. We are now closing this issue. If you encounter any further problems, please feel free to reopen it or create a new issue.