This repository has been archived by the owner on Mar 8, 2022. It is now read-only.

Rename scope on Resource Server causes 400 error #197

Closed
nitrag opened this issue Apr 7, 2020 · 5 comments

nitrag commented Apr 7, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

12.10

Affected Resource(s)

  • auth0_resource_server

Terraform Configuration Files

# Auth0 resource server (API) definition used to reproduce the issue.
# Scopes are declared one block per permission, each reading its value and
# description from the matching entry of var.default_scopes.
resource "auth0_resource_server" "core_api" {
  name       = "core-api"
  # The identifier is the API audience; it is built from two input variables
  # that are not shown on this page.
  identifier = "https://api.${var.cluster_name}.${var.domain_name}/"

  # Authorization-relevant settings. The plan output on this page shows
  # enforce_policies going false -> true and token_dialect being added, so
  # applying this config changes how access tokens for this API are built,
  # not only the scope descriptions.
  # NOTE(review): per the Auth0 docs, enforce_policies turns on RBAC for the
  # API and "access_token_authz" adds the caller's permissions to the access
  # token. Confirm roles are assigned before enabling this on a live tenant.
  allow_offline_access                            = false
  enforce_policies                                = true
  skip_consent_for_verifiable_first_party_clients = true
  signing_alg                                     = "RS256"
  token_dialect                                   = "access_token_authz"
  # Lifetimes are in seconds: 86400 = 24 h, 7200 = 2 h.
  # NOTE(review): with refresh tokens disabled above, a 24 h access token
  # stays valid for that long after a permission is revoked. Confirm that
  # window is acceptable for the admin:* scopes below.
  token_lifetime                                  = 86400
  token_lifetime_for_web                          = 7200

  # One scopes block per permission. Every key referenced here must exist in
  # var.default_scopes. In the plan output on this page, a description-only
  # change appears as the old block removed and a new block added.
  scopes {
    value       = var.default_scopes.admin_org.value
    description = var.default_scopes.admin_org.description
  }
  scopes {
    value       = var.default_scopes.view_org.value
    description = var.default_scopes.view_org.description
  }
  scopes {
    value       = var.default_scopes.admin_user.value
    description = var.default_scopes.admin_user.description
  }
  scopes {
    value       = var.default_scopes.view_user.value
    description = var.default_scopes.view_user.description
  }
  scopes {
    value       = var.default_scopes.admin_job.value
    description = var.default_scopes.admin_job.description
  }
  scopes {
    value       = var.default_scopes.edit_job.value
    description = var.default_scopes.edit_job.description
  }
  scopes {
    value       = var.default_scopes.view_job.value
    description = var.default_scopes.view_job.description
  }
  scopes {
    value       = var.default_scopes.admin_facility.value
    description = var.default_scopes.admin_facility.description
  }
  scopes {
    value       = var.default_scopes.view_facility.value
    description = var.default_scopes.view_facility.description
  }
  scopes {
    value       = var.default_scopes.admin_customer.value
    description = var.default_scopes.admin_customer.description
  }
  scopes {
    value       = var.default_scopes.view_customer.value
    description = var.default_scopes.view_customer.description
  }
}
# Catalogue of API scopes. Each map key is a short handle referenced by the
# resource block; each entry carries the scope string ("value") and its
# human-readable text ("description").
# NOTE(review): map(any) does not by itself require every entry to have both
# attributes. A map(object({ value = string, description = string })) type
# would reject a malformed override at plan time rather than at the Auth0 API.
variable "default_scopes" {
  description = "Scopes that are exposed through the application"
  type        = map(any)
  default = {
    # Scopes follow an "<action>:<resource>" pattern. The admin:* entries
    # cover create, edit, update and delete, so they are the broad grants.
    "admin_org" = {
      value       = "admin:organizations"
      description = "Administer - Create, edit, update and delete organization"
    },
    "view_org" = {
      value       = "view:organizations"
      description = "View organization"
    },
    "admin_user" = {
      value       = "admin:users"
      description = "Administer - Create, edit, update and delete user account"
    },
    "view_user" = {
      value       = "view:users"
      description = "View user information"
    },
    "admin_job" = {
      value       = "admin:jobs"
      description = "Administer - Create, edit, update and delete jobs"
    },
    "edit_job" = {
      value       = "edit:jobs"
      description = "View and edit jobs"
    },
    "view_job" = {
      value       = "view:jobs"
      description = "View jobs"
    },
    "admin_facility" = {
      value       = "admin:facilities"
      description = "Administer - Create, edit, update and delete facilities"
    },
    "view_facility" = {
      value       = "view:facilities"
      description = "View facilities"
    },
    "admin_customer" = {
      value       = "admin:customers"
      description = "Administer - Create, edit, update and delete customers"
    },
    "view_customer" = {
      value       = "view:customers"
      description = "View customers"
    }
  }
}

Debug Output

# module.auth0.auth0_resource_server.core_api will be updated in-place
  ~ resource "auth0_resource_server" "core_api" {
        allow_offline_access                            = false
      ~ enforce_policies                                = false -> true
        id                                              = "5e39a99e700e7f0742db7a1f"
        identifier                                      = "https://api.*******************/"
        name                                            = "core-api"
        options                                         = {}
        signing_alg                                     = "RS256"
        skip_consent_for_verifiable_first_party_clients = true
      + token_dialect                                   = "access_token_authz"
        token_lifetime                                  = 86400
        token_lifetime_for_web                          = 7200
        scopes {
            description = "Administer - Create, edit, update and delete customers"
            value       = "admin:customers"
        }
        scopes {
2020-04-07T12:52:22.631-0400 [DEBUG] plugin: plugin process exited: path=/usr/bin/terraform pid=26213
2020-04-07T12:52:22.631-0400 [DEBUG] plugin: plugin exited
2020-04-07T12:52:22.631-0400 [DEBUG] plugin: plugin process exited: path=/usr/bin/terraform pid=26159
2020-04-07T12:52:22.631-0400 [DEBUG] plugin: plugin exited
            description = "Administer - Create, edit, update and delete facilities"
            value       = "admin:facilities"
        }
        scopes {
            description = "Administer - Create, edit, update and delete jobs"
            value       = "admin:jobs"
        }
      + scopes {
          + description = "Administer - Create, edit, update and delete organization"
          + value       = "admin:organizations"
        }
      - scopes {
          - description = "Administer - Create, edit, update and delete organizations" -> null
          - value       = "admin:organizations" -> null
        }
      + scopes {
          + description = "Administer - Create, edit, update and delete user account"
          + value       = "admin:users"
        }
      - scopes {
          - description = "Administer - Create, edit, update and delete user accounts" -> null
          - value       = "admin:users" -> null
        }
        scopes {
            description = "View and edit jobs"
            value       = "edit:jobs"
        }
        scopes {
            description = "View customers"
            value       = "view:customers"
        }
        scopes {
            description = "View facilities"
            value       = "view:facilities"
        }
        scopes {
            description = "View jobs"
            value       = "view:jobs"
        }
      + scopes {
          + description = "View organization"
          + value       = "view:organizations"
        }
      - scopes {
          - description = "View organizations" -> null
          - value       = "view:organizations" -> null
        }
      + scopes {
          + description = "View user information"
          + value       = "view:users"
        }
      - scopes {
          - description = "View users" -> null
          - value       = "view:users" -> null
        }
    }
Plan: 0 to add, 1 to change, 0 to destroy.
module.auth0.auth0_resource_server.core_api: Modifying... [id=5e39a99e700e7f0742db7a1f]
2020/04/07 12:52:38 [DEBUG] module.auth0.auth0_resource_server.core_api: applying the planned Update change
2020/04/07 12:52:38 [TRACE] GRPCProvider: ApplyResourceChange
2020/04/07 12:52:38 [DEBUG] module.auth0.auth0_resource_server.core_api: apply errored, but we're indicating that via the Error pointer rather than returning it: 400 Bad Request: Payload validation error: 'Missing required property: value' on property scopes[9].
2020/04/07 12:52:38 [TRACE] module.auth0: eval: *terraform.EvalMaybeTainted
2020/04/07 12:52:38 [TRACE] module.auth0: eval: *terraform.EvalWriteState
2020/04/07 12:52:38 [TRACE] EvalWriteState: writing current state object for module.auth0.auth0_resource_server.core_api
2020/04/07 12:52:38 [ERROR] module.auth0: eval: *terraform.EvalApplyPost, err: 400 Bad Request: Payload validation error: 'Missing required property: value' on property scopes[9].
2020/04/07 12:52:38 [ERROR] module.auth0: eval: *terraform.EvalSequence, err: 400 Bad Request: Payload validation error: 'Missing required property: value' on property scopes[9].

Warning: Resource targeting is in effect

You are creating a plan with the -target option, which means that the result
of this plan may not represent all of the changes requested by the current
configuration.
		
The -target option is not for routine use, and is provided only for
exceptional situations such as recovering from errors or mistakes, or when
Terraform specifically suggests to use it as part of an error message.


Warning: Applied changes may be incomplete

The plan was created with the -target option in effect, so some changes
requested in the configuration may have been ignored and the output values may
not be fully updated. Run the following command to verify that no other
changes are pending:
    terraform plan
	
Note that the -target option is not suitable for routine use, and is provided
only for exceptional situations such as recovering from errors or mistakes, or
when Terraform specifically suggests to use it as part of an error message.


Error: 400 Bad Request: Payload validation error: 'Missing required property: value' on property scopes[9].

  on 04-Auth0/core.tf line 30, in resource "auth0_resource_server" "core_api":
  30: resource "auth0_resource_server" "core_api" {


2020-04-07T12:52:38.543-0400 [DEBUG] plugin: plugin process exited: path=/usr/bin/terraform pid=26584
2020-04-07T12:52:38.543-0400 [DEBUG] plugin: plugin exited
2020-04-07T12:52:38.543-0400 [DEBUG] plugin: plugin process exited: path=/usr/bin/terraform pid=26527
2020-04-07T12:52:38.543-0400 [DEBUG] plugin: plugin exited
2020-04-07T12:52:38.544-0400 [DEBUG] plugin: plugin process exited: path=/usr/bin/terraform pid=26618
2020-04-07T12:52:38.544-0400 [DEBUG] plugin: plugin exited
2020-04-07T12:52:38.544-0400 [DEBUG] plugin: plugin process exited: path=/mnt/jenkins_workspace/workspace/PVTerraformMaster/.terraform/plugins/linux_amd64/terraform-provider-auth0_v0.8.1_x4 pid=26631
2020-04-07T12:52:38.544-0400 [DEBUG] plugin: plugin exited

Expected Behavior

The scope's value/description should be updated in place, not set to null and then re-created?

Actual Behavior

400 error

Steps to Reproduce

  1. Import existing resource server
  2. Modify scopes
  3. terraform apply

Important Factoids

Imported resources.

Author

nitrag commented Apr 7, 2020

Actually it's just a modification of the description. The value remains the same yet the provider wants to delete/create.

@alexkappa
Owner

@nitrag which version of the provider were you using?

Author

nitrag commented Apr 9, 2020

@alexkappa
0.8.2

@alexkappa
Owner

I was able to verify the bug and have worked on a fix, which should be available soon. Keep an eye out for 0.9.0 here: https://releases.hashicorp.com/terraform-provider-auth0/

@alexkappa
Owner

Closing, but feel free to re-open if the problem persists.

Cheers,
Alex
