Churn for auth0_resource_server_scopes

[burck1]

Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this provider and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

When running a terraform plan / terraform apply with the auth0_resource_server_scopes resource, scopes without a description are unexpectedly being destroyed and re-created.

This can cause issues when there exists Auth0 Roles that reference those corresponding permissions as terraform destroys the permission that is referenced by the role.

Expectation

If a scopes value on a auth0_resource_server_scopes resource does not change, then terraform should not attempt to modify it.

Reproduction

1. Given this terraform has already been applied.

resource "auth0_resource_server" "my_api" {
  identifier = "https://myapi.example.com"
  name       = "My API"
}

resource "auth0_resource_server_scopes" "my_api" {
  resource_server_identifier = auth0_resource_server.my_api.identifier

  scopes {
    name = "foobar"
  }
}

2. When adding a new scope

# ...

resource "auth0_resource_server_scopes" "my_api" {
  resource_server_identifier = auth0_resource_server.my_api.identifier

  # existing scope without a description
  scopes {
    name = "foobar"
  }

  # new scope
  scopes {
    description = "Fizz Buzz"
    name        = "fizzbuzz"
  }
}

3. Then the terraform plan shows that the existing foobar scope will be destroyed and re-created.

$ terraform plan
...

Terraform will perform the following actions:

  # auth0_resource_server_scopes.my_api will be updated in-place
  ~ resource "auth0_resource_server_scopes" "my_api" {
        id = "9999999999999999999999"
        # (1 unchanged attribute hidden)

      - scopes {
          - name        = "foobar" -> null
            # (1 unchanged attribute hidden)
        }
      + scopes {
          + description = "Fizz Buzz"
          + name        = "fizzbuzz"
        }
      + scopes {
          + name = "foobar"
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

I would expect terraform to not show any changes for the foobar scope, but rather only show adding the fizzbuzz scope.

---

Workaround

Adding description = "" to the scopes without a description seems to prevent this issue from occuring, which leads me to think there is an issue with a "" != null check when the terraform plan runs.

# ...

resource "auth0_resource_server_scopes" "my_api" {
  resource_server_identifier = auth0_resource_server.my_api.identifier

  # existing scope with an empty string description
  scopes {
    description = ""
    name        = "foobar"
  }

  # new scope
  scopes {
    description = "Fizz Buzz"
    name        = "fizzbuzz"
  }
}

$ terraform plan
...

Terraform will perform the following actions:

  # auth0_resource_server_scopes.my_api will be updated in-place
  ~ resource "auth0_resource_server_scopes" "my_api" {
        id = "9999999999999999999999"
        # (1 unchanged attribute hidden)

      + scopes {
          + description = "Fizz Buzz"
          + name        = "fizzbuzz"
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

I think this workaround is not ideal though. It would be better if either the provider correctly handled diffing the scope values when the state contains an empty string but the code contains a null value for the description, or if the provider made the description property required (not null but still allowing for an empty string) on the scopes parameter.

Auth0 Terraform Provider version

1.11.0

Terraform version

1.10.3

[duedares-rvj]

Thanks for reporting this. We will try to reproduce this and revert back.