I am creating some resources using the Auth0 Terraform provider and I am noticing this strange behavior with the auth0_role_permissions resource, and I am not sure if it is expected or not.
What is happening to me is that the first time I ran my Terraform, I got an error saying that one permission didn't exist. I added the depends_on and the Terraform worked fine and all my Auth0 resources were created.

Now what happens is that every time I run a terraform plan (without making any change to the Terraform code) it says that it will update my role permissions, and the update is that it will delete the assigned permissions, like this:
```text
  # module.iq_saas_admin[0].auth0_role_permissions.iq_saas_admin_support["staging"] will be updated in-place
  ~ resource "auth0_role_permissions" "iq_saas_admin_support" {
        id = "rol_v0XKG2RYOinLzPtZ"
        # (1 unchanged attribute hidden)

      - permissions {
          - description                = "Permission to generate support zip files" -> null
          - name                       = "create:support-zip" -> null
          - resource_server_identifier = "https://dev.app.dev/" -> null
          - resource_server_name       = "dev-iq-saas-admin-api" -> null
        }
      - permissions {
          - description                = "Permission to read IQ SaaS tenants" -> null
          - name                       = "read:tenants" -> null
          - resource_server_identifier = "https://dev.appdev/" -> null
          - resource_server_name       = "dev-iq-saas-admin-api" -> null
        }
        # (2 unchanged blocks hidden)
    }
```
If I apply the Terraform plan, then the role permissions are deleted, and if I run terraform plan again (again without making any change to the Terraform code), what happens is that my role permissions will be updated again, but now all the permissions will be added, something like this:
```text
  # module.iq_saas_admin[0].auth0_role_permissions.iq_saas_admin_support["dev"] will be updated in-place
  ~ resource "auth0_role_permissions" "iq_saas_admin_support" {
        id = "rol_v0XKG2RYOinLzPtZ"
        # (1 unchanged attribute hidden)

      + permissions {
          + description                = (known after apply)
          + name                       = "create:support-zip"
          + resource_server_identifier = "https://dev.app.dev/"
          + resource_server_name       = (known after apply)
        }
      + permissions {
          + description                = (known after apply)
          + name                       = "read:tenants"
          + resource_server_identifier = "https://dev.appdev/"
          + resource_server_name       = (known after apply)
        }
    }
```
So in the end I never get the "No changes" message I expect from Terraform. Do you know if I am doing something wrong?
Here is my current terraform code for reference:
```hcl
resource "auth0_resource_server" "iq_saas_admin_apis" {
  for_each = var.configuration.environments

  name                                            = each.value.api.name
  identifier                                      = each.value.api.identifier
  signing_alg                                     = "RS256"
  token_lifetime                                  = 86400
  token_lifetime_for_web                          = 7200
  enforce_policies                                = true
  skip_consent_for_verifiable_first_party_clients = true
  allow_offline_access                            = false
  token_dialect                                   = "access_token"
}

resource "auth0_resource_server_scopes" "iq_saas_admin_api_scopes" {
  for_each = var.configuration.environments

  resource_server_identifier = auth0_resource_server.iq_saas_admin_apis[each.key].identifier

  scopes {
    name        = "create:tenants"
    description = "Permission to create IQ SaaS tenants"
  }
  scopes {
    name        = "update:tenants"
    description = "Permission to update IQ SaaS tenants"
  }
  scopes {
    name        = "read:tenants"
    description = "Permission to read IQ SaaS tenants"
  }
  scopes {
    name        = "delete:tenants"
    description = "Permission to delete IQ SaaS tenants"
  }
  scopes {
    name        = "create:support-zip"
    description = "Permission to generate support zip files"
  }
}

resource "auth0_role" "iq_saas_admin_support" {
  description = "Support access for the IQ SaaS Admin App"
  name        = "IQ SaaS Admin App - Support"
}

resource "auth0_role_permissions" "iq_saas_admin_support" {
  for_each = var.configuration.environments

  role_id = auth0_role.iq_saas_admin_support.id

  permissions {
    name                       = "create:support-zip"
    resource_server_identifier = auth0_resource_server.iq_saas_admin_apis[each.key].identifier
  }
  permissions {
    name                       = "read:tenants"
    resource_server_identifier = auth0_resource_server.iq_saas_admin_apis[each.key].identifier
  }

  depends_on = [
    auth0_resource_server_scopes.iq_saas_admin_api_scopes
  ]
}
```
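The following is an added example, not the original poster's code, written against the same variable and resource names used in the question. It assumes (from the two plan excerpts above, where the `["staging"]` and `["dev"]` instances both carry `id = "rol_v0XKG2RYOinLzPtZ"`) that each `for_each` instance of `auth0_role_permissions` is authoritative for the whole permission list of the one shared role, so the instances overwrite each other on every apply. The example collapses them into a single resource per role that builds one `permissions` block per environment-and-scope pair with a `dynamic` block; the `local.support_permissions` name and the `merge([...]...)` flattening are the example's own choices.

```hcl
# Added example (not from the original post). Assumption: every instance of
# auth0_role_permissions owns the complete permission set of its role_id, so
# one role must be managed by exactly one resource instance.

locals {
  # Flatten environments x scope names into one map keyed "<env>/<scope>" so
  # the dynamic block below gets a stable, unique key per permission.
  support_permissions = merge([
    for env_key, env in var.configuration.environments : {
      for scope in ["create:support-zip", "read:tenants"] :
      "${env_key}/${scope}" => {
        name       = scope
        identifier = auth0_resource_server.iq_saas_admin_apis[env_key].identifier
      }
    }
  ]...)
}

# One authoritative resource for the role: no for_each on the role itself,
# so the full list of permissions across all environments lives in one place
# and a plan with no code changes reports nothing to update.
resource "auth0_role_permissions" "iq_saas_admin_support" {
  role_id = auth0_role.iq_saas_admin_support.id

  dynamic "permissions" {
    for_each = local.support_permissions
    content {
      name                       = permissions.value.name
      resource_server_identifier = permissions.value.identifier
    }
  }

  # The scopes must exist on each resource server before they can be
  # assigned to the role, which is what the original depends_on addressed.
  depends_on = [
    auth0_resource_server_scopes.iq_saas_admin_api_scopes
  ]
}
```

With this layout the plan still shows `description` and `resource_server_name` as "(known after apply)" on first creation, since those are computed from the scope definitions, but subsequent plans should not toggle between removing and re-adding the same blocks. If a distinct role is actually wanted per environment, the alternative is to put the `for_each` on `auth0_role` as well so that each `auth0_role_permissions` instance references its own `role_id`.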