Root resource was present, but now absent for auth0_connection_client #416

Closed
6 tasks done
ccrossprovidertrust opened this issue Dec 13, 2022 · 6 comments
Labels
🪲 bug Something isn't working

Comments

@ccrossprovidertrust

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of this provider and the issue still persists.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

Hello!

When adding the auth0_connection_client resource, we're intermittently getting the below error.

Error: Provider produced inconsistent results after apply

When applying changes to auth0_connection_client.my_conn_client_assoc,
provider "provider[\"registry.terraform.io/auth0/auth0\"]" produced an
unexpected new value: Root resource was present, but now absent.

If we wait a little bit and re-apply, the resource is created successfully. We've tried adding some depends_on statements to ensure the client and connection are created before attempting to associate them, but that doesn't seem to help.

Happy to help troubleshoot in any way, just not sure what would be the most helpful.

Expectation

That the auth0_connection_client resource would be created successfully without errors and without having to re-apply.

Reproduction

resource "auth0_resource_server" "auth0_api" {
  name                                            = "auth0_api"
  identifier                                      = "https://api.hostname.com"
  signing_alg                                     = "RS256"
  allow_offline_access                            = true
  enforce_policies                                = false
  token_lifetime                                  = 43200
  token_lifetime_for_web                          = 43200
  skip_consent_for_verifiable_first_party_clients = true

  scopes {
    value       = "ROLE_MACHINE_USER"
    description = "ROLE_MACHINE_USER"
  }
}

resource "auth0_connection" "auth0_database" {
  name                 = "auth0_database"
  is_domain_connection = false
  strategy             = "auth0"

  options {
    password_policy                = "good"
    brute_force_protection         = true
    enabled_database_customization = false
    import_mode                    = false
    requires_username              = false
    disable_signup                 = true

    password_history {
      enable = false
    }

    password_no_personal_info {
      enable = false
    }

    password_dictionary {
      enable = false
    }

    password_complexity_options {
      min_length = 8
    }
  }
}


resource "auth0_client" "my_client" {
  count                               = var.enabled == true ? 1 : 0
  name                                = "my app"
  app_type                            = "non_interactive"
  cross_origin_auth                   = false
  custom_login_page_on                = true
  grant_types                         = ["client_credentials"]
  is_first_party                      = true
  is_token_endpoint_ip_header_trusted = false
  oidc_conformant                     = true
  sso_disabled                        = false

  jwt_configuration {
    alg                 = "RS256"
    lifetime_in_seconds = 36000
    secret_encoded      = false
  }

  refresh_token {
    expiration_type              = "non-expiring"
    idle_token_lifetime          = 2592000
    infinite_idle_token_lifetime = true
    infinite_token_lifetime      = true
    leeway                       = 0
    token_lifetime               = 31557600
    rotation_type                = "non-rotating"
  }

  depends_on = [
    auth0_connection.auth0_database
  ]

}

resource "auth0_client_grant" "my_client_grant" {
  count     = var.enabled == true ? 1 : 0
  client_id = auth0_client.my_client[count.index].id
  audience  = auth0_resource_server.auth0_api.identifier
  scope = [
    "ROLE_MACHINE_USER"
  ]
}

resource "auth0_connection_client" "my_client_assoc_auth0_database" {
  count         = var.enabled == true ? 1 : 0
  connection_id = auth0_connection.auth0_database.id
  client_id     = auth0_client.my_client[count.index].id

  depends_on = [
    auth0_connection.auth0_database,
    auth0_client.my_client
  ]
}

Auth0 Terraform Provider version

0.40.0

Terraform version

1.3.6

@ccrossprovidertrust ccrossprovidertrust added the 🪲 bug Something isn't working label Dec 13, 2022
@landro

landro commented Dec 16, 2022

We're seeing this too!

@sergiught
Contributor

sergiught commented Dec 20, 2022

Hey folks, thanks a lot for reporting! I'm actively taking a look at this today and will raise a fix.

In short the issue is caused by the fact that we're allowing enabled_clients to be managed by both the enabled_clients property on the auth0_connection resource and also the new auth0_connection_client resource. So what happens is that clients will get enabled on the connection through auth0_connection_client after the plan is finalized for the auth0_connection resource resulting in another diff.

We're gonna have to take a hard stance and remove the possibility of managing enabled_clients on the auth0_connection resource and just manage it through the auth0_connection_client resources.

However until we do that and make a new version release, to fix your current config you'll need to make the flow of resource application deterministic by making use of a series of depends_on attributes by ensuring that the auth0_connection_client always gets applied as the last thing.
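
The dual-management condition described in the comment above can be checked before apply. The following is an added example, not part of the original comment or the provider's code: it reads the `configuration` section of `terraform show -json <planfile>` output and flags any auth0_connection that sets enabled_clients while an auth0_connection_client in the same module references it. The sample plan, the `auth0_client.legacy` reference and the function names are constructed for illustration.

```python
# Added example: flag connections whose enabled_clients is managed twice.
# SAMPLE_PLAN is constructed; it mirrors the "configuration" section of
# `terraform show -json <planfile>`, trimmed to the fields read below.
SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    {"address": "auth0_connection.auth0_database", "type": "auth0_connection",
     "expressions": {
         "name": {"constant_value": "auth0_database"},
         "enabled_clients": {"references": ["auth0_client.legacy.id",
                                            "auth0_client.legacy"]}}},
    {"address": "auth0_connection.other", "type": "auth0_connection",
     "expressions": {"name": {"constant_value": "other"}}},
    {"address": "auth0_connection_client.assoc",
     "type": "auth0_connection_client",
     "expressions": {
         "connection_id": {"references": ["auth0_connection.auth0_database.id",
                                          "auth0_connection.auth0_database"]},
         "client_id": {"references": ["auth0_client.my_client"]}}},
]}}}


def walk_modules(module, path=""):
    """Yield (module_path, resources) for a module and every module it calls."""
    yield path, module.get("resources", [])
    for name, call in module.get("module_calls", {}).items():
        yield from walk_modules(call.get("module", {}), f"{path}module.{name}.")


def dual_managed_connections(plan):
    """Return addresses of auth0_connection resources that set enabled_clients
    while an auth0_connection_client in the same module points at them."""
    findings = set()
    for path, resources in walk_modules(plan["configuration"]["root_module"]):
        # Connections that configure enabled_clients inline.
        inline = {r["address"] for r in resources
                  if r["type"] == "auth0_connection"
                  and "enabled_clients" in r.get("expressions", {})}
        for r in resources:
            if r["type"] != "auth0_connection_client":
                continue
            expr = r.get("expressions", {}).get("connection_id", {})
            refs = expr.get("references", [])
            findings.update(path + addr for addr in inline if addr in refs)
    return sorted(findings)


if __name__ == "__main__":
    for address in dual_managed_connections(SAMPLE_PLAN):
        print(f"{address}: enabled_clients set inline and via auth0_connection_client")
```

The check only follows direct references inside one module; a connection_id passed in as a literal string or through a module variable is not resolved.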

@sergiught
Contributor

We've released a fix for this in https://github.com/auth0/terraform-provider-auth0/releases/tag/v0.41.0, but unfortunately there was no way to avoid the breaking changes. From now on the only way to manage enabled_clients will have to be through the dedicated auth0_connection_client resource.

Please try the new version and let us know if you encounter any issues!

@Dan-Bird-ON

Hi all,

I'm experiencing the same issue when trying to add permissions to a role.

resource "auth0_role" "my_role" {
  name        = "Custom Role"
  description = "A custom role"
}

resource "auth0_role_permissions" "custom_permissions" {
  role_id = auth0_role.my_role.id

  permissions {
    resource_server_identifier = auth0_resource_server.my_resource_server.identifier
    name                       = "group:custom_user"
  }
}

Error:

Error: Provider produced inconsistent result after apply

When applying changes to
auth0_role_permissions.custom_permissions, provider
"provider[\"registry.terraform.io/auth0/auth0\"]" produced an unexpected new
value: Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

I'm using the latest version of the provider, 0.49.

The role is created fine, just failing on the permissions part.

@sergiught
Contributor

Hey @Dan-Bird-ON 👋🏻

The issue you're experiencing is most likely happening because the permissions block is deprecated on the auth0_role resource and you've migrated to using the auth0_role_permissions resource without adding the ignore_changes block on the lifecycle meta attribute as specified in the migration guide.

Can you try the following config and let us know 🙏🏻

resource "auth0_role" "my_role" {
  name        = "Custom Role"
  description = "A custom role"

  lifecycle {
    ignore_changes = [ permissions ]
  }
}

resource "auth0_role_permissions" "custom_permissions" {
  role_id = auth0_role.my_role.id

  permissions {
    resource_server_identifier = auth0_resource_server.my_resource_server.identifier
    name                       = "group:custom_user"
  }
}

This change is only necessary until we completely remove the permissions attribute from the auth0_role (upcoming v1).

If this doesn't fix your issue please open a separate GitHub issue and we'll have a deeper and focused dive on the issue 🙏🏻

@Dan-Bird-ON

Hey @sergiught

Thanks for your speedy response! I did originally have that lifecycle block within the auth0_role and was experiencing the same error. I took it out to see if anything changed 😕. I'll open a separate issue as you suggested 👍.
