terraform-provider-auth0
tf apply: Too few properties defined (0), minimum 1' on property encryption_key (The client's encryption key).
Checklist
- [X] I have looked into the README and have not found a suitable solution or answer.
- [X] I have looked into the documentation and have not found a suitable solution or answer.
- [X] I have searched the issues and have not found a suitable solution or answer.
- [X] I have upgraded to the latest version of this provider and the issue still persists.
- [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [X] I agree to the terms within the Auth0 Code of Conduct.
Description
We used the auth0-cli tool to generate the Terraform representation for a tenant.
Everything except this one provider is imported correctly.
We encountered the following diff, which seems reasonable (identifiers elided for safety), but on apply it fails with the error below:
  # auth0_client.aws_login_cli will be updated in-place
  ~ resource "auth0_client" "<client_name>" {
        id   = "<client_id>"
        name = "<client_name>"
        # (21 unchanged attributes hidden)

      ~ addons {
          + samlp {
              + audience                           = "<aud_url>"
              + create_upn_claim                   = false
              + digest_algorithm                   = "sha1"
              + include_attribute_name_format      = false
              + lifetime_in_seconds                = 0
              + map_identities                     = false
              + map_unknown_claims_as_is           = false
              + mappings                           = {
                  + "email" = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                  + "name"  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                }
              + name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              + name_identifier_probes             = [
                  + "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                ]
              + passthrough_claims_with_no_mapping = false
              + recipient                          = "<recipient_url>"
              + sign_response                      = false
              + signature_algorithm                = "rsa-sha1"
              + typed_attributes                   = false
            }
        }

        # (3 unchanged blocks hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
auth0_client.<client_name>: Modifying... [id=<client_id>]
╷
│ Error: 400 Bad Request: Payload validation error: 'Too few properties defined (0), minimum 1' on property encryption_key (The client's encryption key).
│
│ with auth0_client.<client_name>,
│ on main.tf line 1329, in resource "auth0_client" "<client_name>":
│ 1329: resource "auth0_client" "<client_name>" {
Expectation
The SAML properties of the application client are updated correctly.
Reproduction
I do not know if this is a problem specific to our tenant or the application client.
However, the encryption_key is empty in Terraform.
This is the relevant application client resource - certain bits elided.
# __generated__ by Terraform from "<client_id>"
resource "auth0_client" "<client_name>" {
  allowed_clients                       = []
  allowed_logout_urls                   = []
  allowed_origins                       = []
  app_type                              = "spa"
  callbacks                             = ["<callback_url>"]
  client_aliases                        = []
  client_metadata                       = {}
  cross_origin_auth                     = false
  cross_origin_loc                      = null
  custom_login_page                     = null
  custom_login_page_on                  = true
  description                           = null
  encryption_key                        = {}
  form_template                         = null
  grant_types                           = ["authorization_code", "implicit", "refresh_token"]
  initiate_login_uri                    = null
  is_first_party                        = true
  is_token_endpoint_ip_header_trusted   = false
  logo_uri                              = null
  name                                  = "<client_id>"
  oidc_backchannel_logout_urls          = []
  oidc_conformant                       = true
  organization_require_behavior         = null
  organization_usage                    = null
  require_pushed_authorization_requests = false
  sso                                   = false
  sso_disabled                          = false
  web_origins                           = []
  addons {
    samlp {
      audience                           = "<audience_url>"
      authn_context_class_ref            = null
      binding                            = null
      create_upn_claim                   = false
      destination                        = null
      digest_algorithm                   = null
      include_attribute_name_format      = false
      issuer                             = null
      lifetime_in_seconds                = 0
      map_identities                     = false
      map_unknown_claims_as_is           = false
      mappings = {
        email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        name  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      }
      name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      name_identifier_probes             = ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
      passthrough_claims_with_no_mapping = false
      recipient                          = "<recipient_url>"
      sign_response                      = false
      signature_algorithm                = null
      signing_cert                       = null
      typed_attributes                   = false
    }
  }
  jwt_configuration {
    alg                 = "RS256"
    lifetime_in_seconds = 36000
    scopes              = {}
    secret_encoded      = false
  }
  native_social_login {
    apple {
      enabled = false
    }
    facebook {
      enabled = false
    }
  }
  refresh_token {
    expiration_type              = "expiring"
    idle_token_lifetime          = 1296000
    infinite_idle_token_lifetime = false
    infinite_token_lifetime      = false
    leeway                       = 0
    rotation_type                = "rotating"
    token_lifetime               = 2592000
  }
}
Any ideas?
Auth0 Terraform Provider version
1.1.2
Terraform version
1.5.7
The generated resources may not always be perfect and abide by server-side validations. As the error suggests, the encryption_key object is not allowed to be empty. The resolution here is to delete encryption_key = {} from the generated resource definition.
Hi @willvedd - thanks - it did indeed remove that error. It then went with:
│ Error: 403 Forbidden: Please upgrade your subscription to use oidc_logout.
Fair enough, I removed oidc_logout but now the error is:
│ Error: 403 Forbidden: The account is not allowed to perform this operation, please contact our support team.
Which implies it's trying to change something it's not permitted to do - however those values in the diff look like the defaults.
Switching to a "known good" configuration from another tenant gives:
  # auth0_client.<client_name> will be updated in-place
  ~ resource "auth0_client" "<client_name>" {
        id   = "<client_id>"
        name = "<client_name>"
        # (21 unchanged attributes hidden)

      ~ addons {
          ~ samlp {
              + digest_algorithm              = "sha1"
              ~ include_attribute_name_format = false -> true
              ~ lifetime_in_seconds           = 0 -> 3600
              + signature_algorithm           = "rsa-sha1"
              ~ typed_attributes              = false -> true
                # (10 unchanged attributes hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
auth0_client.aws_login_cli: Modifying... [id=<client_id>]
╷
│ Error: 403 Forbidden: The account is not allowed to perform this operation, please contact our support team.
Any ideas?
Just FYI, I tried to drop the app_client from the state file and re-import it from auth0 - the result is the same - it imports but doesn't include the samlp configuration, even though it's enabled in Auth0.
The same thing happened. First there was an error about encryption_key and when I removed it I got an error:
│ Error: 403 Forbidden: The account is not allowed to perform this operation, please contact our support team.
After verifying the properties one by one, terraform apply succeeded when I removed the "require_pushed_authorization_requests".
I think it's because the import command does not refer to the status of the tenant.
@astronoka : that was it!
Weird because the property is false on other application clients in Terraform and there wasn't a problem.
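The two fixes that got this apply through (dropping the empty `encryption_key = {}` that the Management API rejects with a 400, then dropping `require_pushed_authorization_requests` and the `oidc_logout` block that returned 403 on a tenant whose plan does not include them) can be applied mechanically to auth0-cli output before `terraform apply`. The script below is an added example, not auth0-cli or provider code. The embedded sample resource is a constructed, abbreviated stand-in for the generated client above, and the shape of the `oidc_logout` block is assumed from the 403 message (the thread never shows that block).

```python
import re
import sys

# Added example; not auth0-cli or provider code. These are the attributes and
# blocks this thread reports the Auth0 Management API rejecting on apply:
EMPTY_OBJECT_ATTRS = {"encryption_key"}  # 400 "Too few properties defined (0), minimum 1" when = {}
GATED_ATTRS = {"require_pushed_authorization_requests"}  # 403 "account is not allowed to perform this operation"
GATED_BLOCKS = {"oidc_logout"}  # 403 "Please upgrade your subscription to use oidc_logout"

# One attribute or block opener per line, which is how Terraform's generator
# and `terraform fmt` lay HCL out. Braces inside string literals are ignored.
ATTR_RE = re.compile(r"^\s*(?P<name>[A-Za-z_][\w-]*)\s*=\s*(?P<value>\S.*?)\s*$")
BLOCK_RE = re.compile(r"^\s*(?P<name>[A-Za-z_][\w-]*)\s*\{\s*(?P<closed>\})?\s*$")


def sanitize_hcl(text, empty_object_attrs=EMPTY_OBJECT_ATTRS,
                 gated_attrs=GATED_ATTRS, gated_blocks=GATED_BLOCKS):
    """Drop rejected attributes/blocks from generated HCL.

    Returns (cleaned_text, removed_names). Works line by line rather than
    through an HCL parser so the rest of the file is left byte-for-byte
    intact and the resulting diff stays reviewable.
    """
    out, removed = [], []
    open_braces = 0  # > 0 while inside a gated block that is being skipped

    for line in text.splitlines():
        if open_braces:
            open_braces += line.count("{") - line.count("}")
            continue  # also swallows the skipped block's closing brace

        block = BLOCK_RE.match(line)
        if block and block.group("name") in gated_blocks:
            removed.append(block.group("name"))
            if not block.group("closed"):
                open_braces = 1
            continue

        attr = ATTR_RE.match(line)
        if attr:
            name, value = attr.group("name"), attr.group("value")
            if name in empty_object_attrs and value == "{}":
                removed.append(name)
                continue
            # Only single-line values: dropping a `name = {` opener here
            # would leave its body dangling.
            if name in gated_attrs and not value.endswith(("{", "[", "(")):
                removed.append(name)
                continue

        out.append(line)

    return "\n".join(out) + "\n", removed


# Constructed, abbreviated stand-in for the auth0-cli generated resource in the
# issue; the oidc_logout block shape is assumed, the thread does not show it.
SAMPLE = """\
# __generated__ by Terraform from "<client_id>"
resource "auth0_client" "example" {
  app_type                              = "spa"
  callbacks                             = ["https://app.example/callback"]
  encryption_key                        = {}
  name                                  = "example"
  require_pushed_authorization_requests = false
  addons {
    samlp {
      audience = "https://sp.example"
      mappings = {
        email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      }
    }
  }
  oidc_logout {
    backchannel_logout_urls = ["https://app.example/logout"]
  }
  jwt_configuration {
    alg = "RS256"
  }
}
"""


def main(argv):
    """Rewrite each .tf file given on the command line in place and report what was stripped."""
    for path in argv[1:]:
        with open(path, encoding="utf-8") as fh:
            cleaned, removed = sanitize_hcl(fh.read())
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
        print(f"{path}: removed {removed or 'nothing'}")


if __name__ == "__main__":
    if len(sys.argv) == 1:  # no files given: demo on the embedded sample
        cleaned, removed = sanitize_hcl(SAMPLE)
        print(cleaned, "removed:", removed)
    else:
        main(sys.argv)
```

Run it over the generated file (`python sanitize_hcl.py main.tf`) and re-run `terraform plan` before applying. The lists are deliberately small and tenant-specific: as noted above, `require_pushed_authorization_requests = false` applied fine on other clients, so treat the removed names as a starting point to extend from the next 400/403 the API returns, not as a fixed rule, and review the plan for anything the script stripped that the tenant actually supports.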
Hi @bdellegrazie, Has the issue been resolved? Can we close it now?
Yes, it has, thank you.
On Mon, May 13, 2024, 12:31 KunalOfficial wrote (via GitHub, https://github.com/auth0/terraform-provider-auth0/issues/909):