Client grant fails after a manual change in the Auth0 UI #255

Closed
matthias-vanaverbeke opened this issue Jul 20, 2022 · 5 comments

matthias-vanaverbeke commented Jul 20, 2022

Describe the problem

We have defined a terraform client grant for accessing the Management API. This works well, until someone manually toggles the grant off and back on in the management UI (e.g. for debugging). Any subsequent terraform plan tries to recreate the grant, resulting in a 409 error because there can only exist 1 grant between a client and a resource server:
409 Conflict: A client grant already exists between <client id> and <audience>

Toggling the grant in the UI results in a new grant id so our assumption is that the grant id is used in the terraform plan phase.

What was the expected behavior?

The manually created grant should be updated.

Reproduction

  1. Create a grant between an application and an API:

```hcl
resource "auth0_client_grant" "management_api_client_grant" {
  client_id = "<any client id>"
  audience  = "<any existing API audience>"
  scope     = [
    "read:users"
  ]
}
```

  2. terraform plan && terraform apply
  3. Manually toggle the grant off and back on in the management UI
  4. Rerun terraform plan && terraform apply

Environment

  • Version of terraform-provider-auth0 used: 0.31.0
  • Other modules/plugins/libraries that might be involved: none
@sergiught
Contributor

sergiught commented Aug 26, 2022

Hey @matthias-vanaverbeke 👋🏻

Every time the client grant gets toggled on or off inside the Management Dashboard it will delete and recreate a new grant with a brand new ID.

Your assumption is correct, terraform manages its resources based on the ID so unfortunately whenever the grant ID is no longer available, it will try to re-create it. However if the toggle is already on you get the 409 Conflict Error.

This isn't really an issue with the provider but rather a "unique" way of managing grants from the Management API.

As a guideline:

  • If you toggle the grant off inside the dashboard, but want to toggle it back on, you can let terraform do that for you by simply running terraform apply.
  • If you toggle the grant on inside the dashboard and manage it through terraform, you'll have to re-import using the grant_id that got generated. (more info on how to import here: https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/client_grant#import)
  • Ideally you toggle the grant on and off strictly using terraform (you can switch it off by doing a terraform destroy on the grant only, e.g. terraform destroy -target auth0_client_grant.management_api_client_grant).

Unfortunately, every time you make out-of-band changes you have to re-adjust the terraform state.

Let me know if you have any follow up questions. Happy to clarify further.
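
The three cases in the guideline above can be turned into a small state-drift check. This is an added example, not code from the provider or from anyone in this thread; it assumes the Management API's client grant list (GET /api/v2/client-grants) returns objects with `id`, `client_id` and `audience` fields. The function names and all sample values are hypothetical.

```python
import json
import shlex

# Constructed sample of a "list client grants" response; all IDs, client
# names and the audience URL are placeholders, not values from this issue.
SAMPLE_LIVE_GRANTS = json.loads("""
[
  {"id": "cgr_NEW_PLACEHOLDER", "client_id": "client_A",
   "audience": "https://example.test/api/v2/", "scope": ["read:users"]},
  {"id": "cgr_OTHER_PLACEHOLDER", "client_id": "client_B",
   "audience": "https://example.test/api/v2/", "scope": []}
]
""")


def find_live_grant_id(grants, client_id, audience):
    """Return the ID of the grant for (client_id, audience), or None."""
    matches = [g["id"] for g in grants
               if g["client_id"] == client_id and g["audience"] == audience]
    if len(matches) > 1:
        # Only one grant may exist per client/audience pair (hence the 409).
        raise ValueError("more than one grant for the same client and audience")
    return matches[0] if matches else None


def reconcile_commands(address, state_grant_id, live_grant_id):
    """Return the terraform commands that bring state back in line.

    state_grant_id is the ID recorded in terraform state (None if absent);
    live_grant_id is what the Management API currently reports.
    """
    if live_grant_id is None:
        # Toggled off in the dashboard: a plain apply recreates the grant.
        return ["terraform apply"]
    if live_grant_id == state_grant_id:
        return []  # state already points at the live grant
    addr = shlex.quote(address)
    commands = []
    if state_grant_id is not None:
        # Toggled off and on again: drop the stale ID before importing.
        commands.append(f"terraform state rm {addr}")
    commands.append(f"terraform import {addr} {shlex.quote(live_grant_id)}")
    return commands
```

Running a check like this in CI before `terraform plan` surfaces a dashboard change as an explicit re-import step instead of a 409 during apply.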

@matthias-vanaverbeke
Author

Hi @sergiught

Indeed, ideally we strictly use terraform for configuring Auth0. However, in a development workflow, making changes in the management UI is sometimes the quickest way to validate Auth0 behavior.
I think it would make sense to not use the grant id but rather use a composite id (client - API) for a better developer experience. Manually toggling the grant off and on again would not break the apply phase because the functional state is the same.

@Aaronius

We just ran into this as well. From a user perspective, toggling the grant off and on in the UI doesn't suggest I'm removing the resource and adding a new one.

@sergiught
Contributor

Thanks for bumping this again, I'll reopen the issue and reassess if there's anything else we can do to improve the DX.

@sergiught
Contributor

Hey folks 👋🏻

There's an improvement available now in the latest release v0.45.0. Please give it a go and let us know if you have any issues with it. Thanks!

Docs: https://registry.terraform.io/providers/auth0/auth0/0.45.0/docs
