This repository has been archived by the owner on Mar 8, 2022. It is now read-only.

Inconsistent state changes for auth0 connection #237

Closed
relu opened this issue May 19, 2020 · 6 comments · Fixed by #241
Comments

@relu
Contributor

relu commented May 19, 2020

Description

Here's the use case:
I have an auth0 database connection configured through terraform with:

password_policy = "low"
enabled_database_customization = true
import_mode = true

After applying a change to custom_scripts, for example, the provider will disable the above-mentioned values in Auth0 without showing the changes in the state, even after apply (requires manual testing).

Terraform Version

v0.12.24

Affected Resource(s)

  • auth0_connection (auth0 strategy)

Terraform Configuration Files

resource "auth0_connection" "auth0" {
  name     = "Username-Password-Authentication"
  strategy = "auth0"

  options {
    password_policy                = "low"
    enabled_database_customization = true
    import_mode                    = true

    custom_scripts = {
      login = "someScript"
    }
  }
}

After initially applying, all configuration is correct. After making a change to custom scripts, for instance, it will reset the other options (disable them).

Expected Behavior

The provider should not change attributes in Auth0 not reflected in the state changes.

Actual Behavior

The provider changes attributes in Auth0 not reflected in state changes.

Steps to Reproduce

  1. terraform apply
  2. Check Auth0 Database Connection settings: "Import Users to Auth0", "Password Policy" and "Custom Database"
  3. Change custom_scripts.login to something else
  4. terraform apply
  5. Repeat the check from step 2

References

I looked into it a bit and discovered that if I remove the conditions parameters "IsNewResource(), HasChange()" from the Bool function calls the problem disappears. https://github.com/alexkappa/terraform-provider-auth0/blob/master/auth0/structure_auth0_connection.go#L295-L301

The relevant change that introduced these: 0bbfa19#diff-cc37c481ef51c6d38cccadee845a916aR245

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@chiel

chiel commented Jun 3, 2020

Hello! We're just getting started with using terraform for our auth0 tenant and were also running into some weird behaviour with certain options not being retained. It turns out this behaviour is actually documented in auth0's api documentation:

https://auth0.com/docs/api/management/v2/#!/Connections/patch_connections_by_id

Note: if you use the options parameter, the whole options object will be overridden, so ensure that all parameters are present

Examining the outgoing requests and incoming responses (using TF_LOG=true), it's clear that not the entire options object is being sent (beautified the json objects for readability):

Initial creation of an auth0_connection resource:

POST /api/v2/connections HTTP/1.1
Host: getfeedback-staging.eu.auth0.com
User-Agent: Terraform-Provider-Auth0/0.10.3 (Go-Auth0-SDK/4.3.6; Terraform-SDK/1.12.0; Terraform/0.12.24)
Content-Length: 313
Content-Type: application/json
Accept-Encoding: gzip

{
  "name": "acc-mgmt",
  "strategy": "auth0",
  "options": {
    "passwordPolicy": "none",
    "enabledDatabaseCustomization": true,
    "requires_username": false,
    "customScripts": {
      "login": "function login(email, password, callback) {\n\treturn callback(new Error(\"Whoops!\"));\n}\n"
    }
  },
  "enabled_clients": ["l0nuuAjtPoEPMLRj1RTqwy1gdkt5iiYU"]
}

HTTP/2.0 201 Created
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Wed, 03 Jun 2020 16:23:18 GMT
Ot-Baggage-Auth0-Request-Id: cf74e29a00173b6c6c1ee334
Ot-Tracer-Sampled: true
Ot-Tracer-Spanid: 5d97961b41e40a2a
Ot-Tracer-Traceid: 692cb1671816a2e1
Server: nginx
Strict-Transport-Security: max-age=15768000
Vary: origin,accept-encoding
X-Ratelimit-Limit: 10
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1591201399

{
  "id": "con_0UYvFjKAvfvwJ95b",
  "options": {
    "mfa": {
      "active": true,
      "return_enroll_settings": true
    },
    "passwordPolicy": null,
    "enabledDatabaseCustomization": true,
    "requires_username": false,
    "customScripts": {
      "login": "function login(email, password, callback) {\n\treturn callback(new Error(\"Whoops!\"));\n}\n"
    },
    "strategy_version": 2,
    "brute_force_protection": true
  },
  "strategy": "auth0",
  "name": "acc-mgmt",
  "is_domain_connection": false,
  "enabled_clients": ["l0nuuAjtPoEPMLRj1RTqwy1gdkt5iiYU"],
  "realms": ["acc-mgmt"]
}

All good so far. Now, when changing an unrelated option (options.password_policy = "none" to "good"), terraform presents the following diff:

  ~ resource "auth0_connection" "account_management" {
        enabled_clients      = [
            "l0nuuAjtPoEPMLRj1RTqwy1gdkt5iiYU",
        ]
        id                   = "con_0UYvFjKAvfvwJ95b"
        is_domain_connection = false
        name                 = "acc-mgmt"
        realms               = [
            "acc-mgmt",
        ]
        strategy             = "auth0"

      ~ options {
            allowed_audiences              = []
            api_enable_users               = false
            brute_force_protection         = false
            configuration                  = (sensitive value)
            custom_scripts                 = {
                "login" = <<~EOT
                    function login(email, password, callback) {
                        return callback(new Error("Whoops!"));
                    }
                EOT
            }
            disable_cache                  = false
            disable_signup                 = false
            domain_aliases                 = []
            enabled_database_customization = true
            import_mode                    = false
            ips                            = []
          ~ password_policy                = "none" -> "good"
            requires_username              = false
            scopes                         = []
            strategy_version               = 0
            use_cert_auth                  = false
            use_kerberos                   = false
            use_wsfed                      = false
            validation                     = {}
            waad_common_endpoint           = false
        }
    }

And the following PATCH request is issued:

PATCH /api/v2/connections/con_0UYvFjKAvfvwJ95b HTTP/1.1
Host: getfeedback-staging.eu.auth0.com
User-Agent: Terraform-Provider-Auth0/0.10.3 (Go-Auth0-SDK/4.3.6; Terraform-SDK/1.12.0; Terraform/0.12.24)
Content-Length: 243
Content-Type: application/json
Accept-Encoding: gzip

{
  "is_domain_connection": false,
  "options": {
    "passwordPolicy": "good",
    "customScripts": {
      "login": "function login(email, password, callback) {\n\treturn callback(new Error(\"Whoops!\"));\n}\n"
    }
  },
  "enabled_clients":["l0nuuAjtPoEPMLRj1RTqwy1gdkt5iiYU"]
}

HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Wed, 03 Jun 2020 16:28:45 GMT
Ot-Baggage-Auth0-Request-Id: 4027089812efb3a0ef017090
Ot-Tracer-Sampled: true
Ot-Tracer-Spanid: 03012d7b3bdc82b9
Ot-Tracer-Traceid: 612681b16847edca
Server: nginx
Strict-Transport-Security: max-age=15768000
Vary: origin,accept-encoding
X-Ratelimit-Limit: 10
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1591201727

{
  "id": "con_0UYvFjKAvfvwJ95b",
  "options": {
    "customScripts": {
      "login": "function login(email, password, callback) {\n\treturn callback(new Error(\"Whoops!\"));\n}\n"
    },
    "passwordPolicy": "good",
    "brute_force_protection": true
  },
  "strategy": "auth0",
  "name": "acc-mgmt",
  "is_domain_connection": false,
  "enabled_clients": ["l0nuuAjtPoEPMLRj1RTqwy1gdkt5iiYU"],
  "realms": ["acc-mgmt"]
}

So here we only see the scripts (I guess they are always added?) and the passwordPolicy change - enabledDatabaseCustomization is missing (which in our case is causing the issue).

Which is confirmed by a subsequent GET:

GET /api/v2/connections/con_0UYvFjKAvfvwJ95b HTTP/1.1
Host: getfeedback-staging.eu.auth0.com
User-Agent: Terraform-Provider-Auth0/0.10.3 (Go-Auth0-SDK/4.3.6; Terraform-SDK/1.12.0; Terraform/0.12.24)
Content-Length: 5
Content-Type: application/json
Accept-Encoding: gzip

null

HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Wed, 03 Jun 2020 16:28:45 GMT
Ot-Baggage-Auth0-Request-Id: 1315d5981039e890dd45b878
Ot-Tracer-Sampled: true
Ot-Tracer-Spanid: 095637291462a118
Ot-Tracer-Traceid: 5aeabdba6a498781
Server: nginx
Strict-Transport-Security: max-age=15768000
Vary: origin,accept-encoding
X-Ratelimit-Limit: 10
X-Ratelimit-Remaining: 8
X-Ratelimit-Reset: 1591201727

{
  "id": "con_0UYvFjKAvfvwJ95b",
  "options": {
    "customScripts": {
      "login": "function login(email, password, callback) {\n\treturn callback(new Error(\"Whoops!\"));\n}\n"
    },
    "passwordPolicy": "good",
    "brute_force_protection": true
  },
  "strategy": "auth0",
  "name": "acc-mgmt",
  "is_domain_connection": false,
  "enabled_clients": ["l0nuuAjtPoEPMLRj1RTqwy1gdkt5iiYU"],
  "realms": ["acc-mgmt"]
}

Hope this helps!
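
The comparison made by hand in the comment above can be automated. The following is an added example, not part of the original thread or the provider's code: it lists the option keys a PATCH body leaves out relative to the connection's current options. The function name `MissingFromPatch` and the sample bodies (trimmed from the thread's JSON, with a placeholder script) are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed samples, trimmed from the request/response bodies in the thread.
const currentConn = `{"options":{"passwordPolicy":null,"enabledDatabaseCustomization":true,
  "requires_username":false,"customScripts":{"login":"someScript"},"brute_force_protection":true}}`
const partialPatch = `{"options":{"passwordPolicy":"good","customScripts":{"login":"someScript"}}}`

// options decodes the "options" object of a connection or PATCH body (nil if absent).
func options(body string) (map[string]interface{}, error) {
	var c struct {
		Options map[string]interface{} `json:"options"`
	}
	err := json.Unmarshal([]byte(body), &c)
	return c.Options, err
}

// MissingFromPatch lists option keys set on the connection but absent from the
// PATCH body. The API replaces the whole options object, so these may be reset.
func MissingFromPatch(current, patch string) ([]string, error) {
	cur, err := options(current)
	if err != nil {
		return nil, err
	}
	p, err := options(patch)
	if err != nil || p == nil { // no options in the PATCH: nothing is overridden
		return nil, err
	}
	missing := []string{}
	for k := range cur {
		if _, ok := p[k]; !ok {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	missing, err := MissingFromPatch(currentConn, partialPatch)
	fmt.Println(missing, err)
}
```

A key reported here is not necessarily lost: in the responses above, brute_force_protection came back as true even though the PATCH omitted it, while enabledDatabaseCustomization did not come back at all.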

@alexkappa
Owner

Hi @relu, @chiel, thank you for submitting this issue and the detailed reports.

I will look into it and get back to you soon. Cheers!

@chiel

chiel commented Jun 4, 2020

Thanks! Please let me know if there's anything else I can do to help, happy to reproduce things and whatnot. :)

@alexkappa
Owner

Hi @chiel, could you please try out 0.11.0 and see if this resolves the issue?

@chiel

chiel commented Jun 4, 2020

PATCH /api/v2/connections/con_0UYvFjKAvfvwJ95b HTTP/1.1
Host: getfeedback-staging.eu.auth0.com
User-Agent: Terraform-Provider-Auth0/0.11.0 (Go-Auth0-SDK/4.3.6; Terraform-SDK/1.12.0; Terraform/0.12.24)
Content-Length: 379
Content-Type: application/json
Accept-Encoding: gzip

{
  "is_domain_connection": false,
  "options": {
    "passwordPolicy": "none",
    "enabledDatabaseCustomization": true,
    "brute_force_protection": false,
    "import_mode": false,
    "disable_signup":false,
    "requires_username": false,
    "customScripts": {
      "login": "function login(email, password, callback) {\n\treturn callback(new Error(\"Whoops!\"));\n}\n"
    }
  },
  "enabled_clients": ["l0nuuAjtPoEPMLRj1RTqwy1gdkt5iiYU"]
}

It's now sending all options despite me now only changing the password policy and I can verify in the dashboard that the switch is now toggled on again!

Thanks so much for the super fast turn around on this. :)

@alexkappa
Owner

Excellent! Happy to help @chiel.
