auth0/terraform-provider-auth0

Dependency error between auth0_role_permissions and auth0_resource_server_scopes

Closed this issue · 10 comments

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of this provider and the issue still persists.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

We manage resource servers and roles through Terraform. We added a new permission to a resource server and granted that permission on an existing role through an auth0_role_permissions resource block. We got an error from Terraform when applying:

Error: 404 Not Found: This permission does not exist:

We ran the apply a second time and it worked. This tells us that there was some dependency problem at play. Terraform probably tried to add the permission to the role before it was created on the resource server.

We don't use the latest version of Auth0 provider but I read the changelog and nothing seems to relate to this problem.

Expectation

The block auth0_role_permissions has a ref to the resource server in the permissions block. I'd expect it to tell Terraform that there is a dependency between the auth0_role_permissions and the auth0_resource_server resources. The changes for the resource server should be applied before the auth0_role_permissions changes.

We plan on fixing the problem with a depends_on property on the auth0_role_permissions but I thought it shouldn't be needed (perhaps I'm wrong).

Reproduction

  1. Create an auth0_resource_server.
  2. Assign a permission to the resource server through an auth0_resource_server_scopes block.
  3. Create an auth0_role.
  4. Assign the permission to the role through an auth0_role_permissions block.

I haven't written a repro, but the above might actually recreate the issue if all of these steps are performed in the same terraform apply. If not, we can then proceed to:

  1. Add a new permission to the resource server.
  2. Assign it to the role.
  3. Apply these changes in the same terraform apply.

Auth0 Terraform Provider version

1.0.0

Terraform version

1.5.2

Any update on this bug? We got the same one using Terraform v1.6.4 + Provider version 1.2.0.

Hi @jvanecek,

I hope you're having a wonderful day!

Firstly, I want to apologize for the delay in my response. I understand that timely assistance is crucial, especially when you're facing challenges. Rest assured, I'm here now, and I'm committed to providing you with the support you need.

To better assist you, could you please provide an example of the resource configuration that's causing the error? Understanding the specific context will enable me to offer more targeted guidance.

In the meantime, I've prepared an example for utilizing auth0_role_permissions without explicitly relying on depends_on, as per your preference. This example should help illustrate the approach we discussed earlier.

resource "auth0_resource_server" "resource_server" {
  name       = "test"
  identifier = "test.example.com"
}

resource "auth0_resource_server_scopes" "resource_server_scopes" {
  resource_server_identifier = auth0_resource_server.resource_server.identifier

  scopes {
    name = "store:create"
  }
  scopes {
    name = "store:read"
  }
  scopes {
    name = "store:update"
  }
  scopes {
    name = "store:delete"
  }
}

resource "auth0_role" "my_role" {
  name = "My Role"
}

resource "auth0_role_permissions" "my_role_perms" {
  role_id = auth0_role.my_role.id

  dynamic "permissions" {
    for_each = auth0_resource_server_scopes.resource_server_scopes.scopes
    content {
      name                       = permissions.value.name
      resource_server_identifier = auth0_resource_server.resource_server.identifier
    }
  }
}

If you encounter any further questions or issues along the way, please don't hesitate to reach out. I'm here to help in any way I can.

Thank you for your patience and understanding.

Thanks @developerkunal for the example with the dynamic block. However, how would you go about it if you didn't need to have the whole set of scopes from the resource server assigned to your role?

Hi @Nargonath,

Could you provide an example of that use case so I can better understand and assist you?

Thank you.

Hi @Nargonath,

I'm not entirely certain if this aligns with your requirements, but here's another approach for selectively assigning scopes:

resource "auth0_role_permissions" "my_role_perms" {
    role_id = auth0_role.my_role.id

    permissions {
        name                       = tolist(auth0_resource_server_scopes.resource_server_scopes.scopes)[0].name  # Assuming you want to assign the first scope
        resource_server_identifier = auth0_resource_server.resource_server.identifier
    }

    permissions {
        name                       = tolist(auth0_resource_server_scopes.resource_server_scopes.scopes)[1].name  # Assuming you want to assign the second scope
        resource_server_identifier = auth0_resource_server.resource_server.identifier
    }

    # Add more permissions as needed
}

Feel free to let me know if you have any further questions or if there's anything else I can assist you with.

Thank you!

@developerkunal Thanks for the other suggestion.

I didn't write a full repro but I gave instructions in the OP, if that could be helpful.

One thing I don't understand though, how come we can have Terraform trying to apply permissions that are not yet created when in the auth0_role_permissions block, under the permissions property we have a dynamic link to the resource server through the resource_server_identifier property? Wouldn't it be enough for Terraform to determine whether the permission is already available or not?

Hey @Nargonath, I just ran into this issue as well.

I think the issue is that while Terraform is aware of the dependency that auth0_role_permissions has on the auth0_resource_server (via resource_server_identifier), the auth0_resource_server is not responsible for deploying the scopes/permissions into Auth0, the auth0_resource_server_scopes is.

There is no implicit dependency that Terraform can derive from the auth0_resource_server_scopes to the auth0_role_permissions resources unless you either use one of the suggestions from @developerkunal which will create an implicit dependency, or if you explicitly define the dependency by using depends_on, for example:

resource "auth0_resource_server" "this" {
  name       = "test"
  identifier = "test.example.com"
}

resource "auth0_resource_server_scopes" "this" {
  resource_server_identifier = auth0_resource_server.this.identifier

  scopes {
    name = "store:create"
  }
}

resource "auth0_role" "this" {
  name = "My Role"
}

resource "auth0_role_permissions" "this" {
  role_id = auth0_role.this.id

  # A plain permissions block: a dynamic block would require a for_each argument
  permissions {
    name                       = "store:create"
    resource_server_identifier = auth0_resource_server.this.identifier
  }

  depends_on = [auth0_resource_server_scopes.this]
}

Adding the depends_on in the auth0_role_permissions resolved the problem for me at least. Hope that helps.
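An added example (not code from the thread or the provider) that combines the two points above: the role receives only the subset of scopes listed in var.role_scopes (an assumed input variable), while the for_each still iterates the scopes attribute of auth0_resource_server_scopes, so Terraform derives the ordering implicitly and no depends_on is needed.

```hcl
# Assumed input: the subset of resource-server scopes this role should get
variable "role_scopes" {
  type    = set(string)
  default = ["store:read", "store:update"]
}

resource "auth0_resource_server" "this" {
  name       = "test"
  identifier = "test.example.com"
}

resource "auth0_resource_server_scopes" "this" {
  resource_server_identifier = auth0_resource_server.this.identifier

  scopes {
    name = "store:create"
  }
  scopes {
    name = "store:read"
  }
  scopes {
    name = "store:update"
  }
  scopes {
    name = "store:delete"
  }
}

resource "auth0_role" "this" {
  name = "My Role"
}

resource "auth0_role_permissions" "this" {
  role_id = auth0_role.this.id

  # Iterating over the scopes attribute of auth0_resource_server_scopes (rather than
  # over var.role_scopes directly) is what creates the implicit dependency: Terraform
  # has to apply the scopes resource before it can evaluate this for_each.
  dynamic "permissions" {
    for_each = {
      for s in auth0_resource_server_scopes.this.scopes : s.name => s
      if contains(var.role_scopes, s.name)
    }
    content {
      name                       = permissions.value.name
      resource_server_identifier = auth0_resource_server.this.identifier
    }
  }
}
```

Note that a name in var.role_scopes that is not declared on the resource server is filtered out silently instead of failing with the 404 from the original report, so check the planned permissions count against the expected subset.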

Hey @Nargonath,

Are you still facing the issue, or has it been resolved? I noticed that @jhulndev provided a suggestion and explained the solution. Can we close this if it's resolved?

Also, thank you @jhulndev! Your help is greatly appreciated.

@Nargonath Gentle bump on this.

@Nargonath, we are closing this issue. For any further queries, please open a new issue or reopen this one.