pulumi-auth0
oidcBackchannelLogoutUrls were reset during deployment
Describe what happened
After deploying a new Auth0 configuration we noticed that oidcBackchannelLogoutUrls were reset to empty values. Before that we had information about the deprecation, but the pulumi preview or pulumi up outputs didn't specify that this would be deleted.
During that deployment some other values were also changed, such as name, etc.
We fixed that by migrating those settings to the oidcLogout struct.
Sample program
import * as pulumi from "@pulumi/pulumi";
import * as auth0 from "@pulumi/auth0";

const myApp = new auth0.Client("sample", {
    name: "My Application",
    appType: "regular_web",
    oidcBackchannelLogoutUrls: ["https://sample.com/logout"],
    callbacks: ["https://sample.com/callback"],
    allowedLogoutUrls: ["https://sample.com"],
});

export const clientId = myApp.clientId;
export const clientSecret = myApp.clientSecret;
Log output
No response
Affected Resource(s)
No response
Output of pulumi about
CLI
Version      3.150.0
Go Version   go1.23.6
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  auth0   3.12.0
resource  aws     6.53.0
language  nodejs  3.150.0

Host
OS       darwin
Version  15.1
Arch     arm64

This project is written in nodejs: executable='/opt/homebrew/bin/node' version='v23.7.0'

Dependencies:
NAME                                   VERSION
@pulumi/auth0                          3.12.0
@pulumi/aws                            6.53.0
@pulumi/pulumi                         3.147.0
git-last-commit                        1.0.1
@babel/helper-function-name            7.24.7
@babel/helper-hoist-variables          7.24.7
@eslint/eslintrc                       3.1.0
@eslint/js                             9.11.1
@ls-lint/ls-lint                       2.2.3
@trivago/prettier-plugin-sort-imports  4.3.0
@types/jest                            29.5.13
@types/node                            20.16.9
@typescript-eslint/eslint-plugin       8.7.0
@typescript-eslint/parser              8.7.0
eslint                                 9.11.1
globals                                15.9.0
jest                                   29.7.0
prettier                               3.3.3
ts-jest                                29.2.5
typescript                             5.7.3
Additional context
No response
Thanks for the sample code @dawidchmist
Am I understanding you correctly that you have had drift where the Pulumi program did not specify oidcBackchannelLogoutUrls but it was actually set in Auth0 itself, and then when running pulumi preview and pulumi up you did not see any diff, but Pulumi "fixed" the drift unexpectedly by resetting the resource to be in sync with the program?
I may be missing something here, so please feel free to provide more details, but on the surface it appears that the problem here is that Pulumi does not "refresh" or consult the actual cloud state by default. The Terraform-like behavior can be enabled by pulumi up --refresh though. I suspect in your case, if you ran with --refresh, then Pulumi would show that it is about to reset oidcBackchannelLogoutUrls to empty values.
https://github.com/pulumi/pulumi/issues/2247 is tracking the idea of enabling this by default.
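A CI guard for the situation discussed in this thread, as an added example that is not part of the issue or of the pulumi-auth0 project: it scans a refreshed preview for logout and callback settings that hold a value before the deployment and would be empty after it. The step fields it reads (op, urn, oldState.outputs, newState.inputs) are an assumption modelled on `pulumi preview --refresh --json` output; the guarded list, the function names and the sample preview are constructed for illustration.

```javascript
// Added example. Step fields (op, urn, oldState.outputs, newState.inputs) are an
// assumption modelled on `pulumi preview --refresh --json` output.
// Each group lists aliases of one setting; a value moved between aliases is kept.
const GUARDED = [
  ["oidcBackchannelLogoutUrls", "oidcLogout.backchannelLogoutUrls"],
  ["callbacks"],
  ["allowedLogoutUrls"],
];

const getPath = (obj, path) =>
  path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);

// undefined, null, "", [] and {} all count as "nothing configured".
function isEmpty(v) {
  if (v == null || v === "") return true;
  if (Array.isArray(v)) return v.length === 0;
  return typeof v === "object" && Object.keys(v).length === 0;
}

const hasValue = (state, aliases) => aliases.some((p) => !isEmpty(getPath(state, p)));

// One finding per guarded setting that is set before and empty after the step.
function findSilentResets(preview, guarded = GUARDED) {
  const findings = [];
  for (const step of preview.steps ?? []) {
    if (step.op === "same" || step.op === "delete") continue;
    const before = step.oldState?.outputs ?? {};
    const after = step.newState?.inputs ?? {};
    for (const aliases of guarded) {
      if (hasValue(before, aliases) && !hasValue(after, aliases)) {
        findings.push({ urn: step.urn, op: step.op, setting: aliases[0] });
      }
    }
  }
  return findings;
}

// Constructed sample: "sample" drops its back-channel logout URL, "migrated"
// moves it into oidcLogout and must not be reported.
const urn = (n) => `urn:pulumi:dev::demo::auth0:index/client:Client::${n}`;
const url = ["https://sample.com/logout"];
const SAMPLE_PREVIEW = { steps: [
  { op: "update", urn: urn("sample"),
    oldState: { outputs: { name: "Old", oidcBackchannelLogoutUrls: url } },
    newState: { inputs: { name: "My Application", oidcBackchannelLogoutUrls: [] } } },
  { op: "update", urn: urn("migrated"),
    oldState: { outputs: { oidcBackchannelLogoutUrls: url } },
    newState: { inputs: { oidcLogout: { backchannelLogoutUrls: url } } } },
] };
console.log(findSilentResets(SAMPLE_PREVIEW));
```

The guard compares recorded state with the program's inputs, so it only sees drift if the preview was taken with a refresh, and it cannot detect a provider that accepts an input and then ignores it.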