zitadel_login_policy resource throws errors #128

Open
2 tasks done
jobcespedes opened this issue Oct 1, 2023 · 9 comments
Labels
bug Something isn't working resources


@jobcespedes

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Version

1.0.2

ZITADEL Version

v2.37.2

Describe the problem caused by this bug

Two problems related to 'zitadel_login_policy' resource:

  1. Error: Error: failed to create login policy: rpc error: code = AlreadyExists desc = Login Policy already exists. I believe this has something to do with manual modifications via the "Login Behavior and Security" cloud web UI. If "Reset to instance default" is clicked in the web UI, the error does not occur.
  2. Error: Error: failed to update login policy: rpc error: code = FailedPrecondition desc = Errors.Org.LoginPolicy.NotChanged in the second terraform apply after a first successful one.

To reproduce

For error 1:

  1. In cloud web UI, modify anything in "Login Behavior and Security".
  2. Create a "zitadel_login_policy" resource and apply it with terraform.
  3. Error 1 happens
  4. Click "Reset to instance default" in web UI
  5. Apply terraform again
  6. There is no error

For error 2:

  1. Create a "zitadel_login_policy" resource and apply it with terraform.
  2. No Error 1
  3. Apply terraform again
  4. Error 2 happens

Screenshots

No response

Expected behavior

No errors in both cases

Relevant Configuration

No response

Additional Context

No response

@jobcespedes jobcespedes added the bug Something isn't working label Oct 1, 2023
@stebenz
Contributor

stebenz commented Oct 10, 2023

@jobcespedes
To error 1, this is correct behavior, as a resource managed with terraform was changed in some kind of way as that should not happen normally.
To error 2, this is also correct behavior, as terraform should only update resources if there are changes in them, which should never result in the "NotChanged" error. Did you apply the exact same resource again with the terraform state of the first apply?

@jobcespedes
Author

Hi @stebenz,

  1. To your first point: got it.
  2. To your second point: No, no changes were made between the first and second run of terraform apply. I ended up adding a lifecycle block to the resource.

@hifabienne hifabienne moved this to 🧐 Investigating in Product Management Oct 11, 2023
@stebenz
Contributor

stebenz commented Apr 23, 2024

Hi @jobcespedes
But with the lifecycle block, there should be no changes on the resource attributes that trigger the calling of the ZITADEL API and then result in the error as really nothing changed.
How is the change in the second apply displayed?

@vs-gtadeu

I've just run into this issue:

│ Error: failed to update login policy: rpc error: code = FailedPrecondition desc = Errors.Org.LoginPolicy.NotChanged (Org-5M9vdd)
│ 
│   with zitadel_login_policy.default,
│   on organizations.tf line 58, in resource "zitadel_login_policy" "default":
│   58: resource "zitadel_login_policy" "default" {

For context: We already had successfully terraformed the zitadel_login_policy previously. This error happened after we ran Terraform again with a set of changes unrelated to the zitadel_login_policy resource that caused the error.

Keeping existing resource parameters untouched is something completely normal in the lifecycle of a Terraform project.

@vs-gtadeu

I'd also like to counter-argue this statement:

> To error 1, this is correct behavior, as a resource managed with terraform was changed in some kind of way as that should not happen normally.

I've never seen this behavior with other Terraform providers. Usually, providers just display a warning in the Terraform plan output indicating that something was changed outside of Terraform:

image

More info can be found here.

@stebenz
Contributor

stebenz commented Sep 30, 2024

> I'd also like to counter-argue this statement:
>
> > To error 1, this is correct behavior, as a resource managed with terraform was changed in some kind of way as that should not happen normally.
>
> I've never seen this behavior with other Terraform providers. Usually, providers just display a warning in the Terraform plan output indicating that something was changed outside of Terraform:
>
> image
>
> More info can be found here.

I tried to find out how to produce this warning. The problem here is not that the content of the resource changed, but that the terraform provider is used to create a resource which already exists, which then results in an error.

As I see it currently, we could technically handle this situation by checking during create whether the resource already exists, but at the same time the error is expected, so as to avoid handling the same resource from 2 different runtimes.

@skillpoint-dev

I am facing error 2 right now:

Zitadel Helm Chart: 8.4.0 (meaning AppVersion: 2.61.0)
Zitadel TF Provider: 2.0.1
Flux TF Controller: 0.16.0-rc.4

I have a "resource zitadel_login_policy" "default" {" where the only thing that changed was "mfa_init_skip_lifetime" from "720h0m0s" to "0".

The update of the login policy works fine and then the tf controller runs at a certain interval. There was no change after the update of the login policy but after running again he tells me...

zitadel_login_policy.default: Modifying... [id=]

Error: failed to update login policy: rpc error: code = FailedPrecondition desc = Errors.Org.LoginPolicy.NotChanged (Org-...)

  with zitadel_login_policy.default,
  on main.tf line 118, in resource "zitadel_login_policy" "default":
 118: resource "zitadel_login_policy" "default" {

This then loops on forever and obviously prevents flux from further reconciliation. Any idea how to prevent this would be appreciated.

@stebenz
Contributor

stebenz commented Dec 18, 2024

> I am facing error 2 right now:
>
> Zitadel Helm Chart: 8.4.0 (meaning AppVersion: 2.61.0)
> Zitadel TF Provider: 2.0.1
> Flux TF Controller: 0.16.0-rc.4
>
> I have a "resource zitadel_login_policy" "default" {" where the only thing that changed was "mfa_init_skip_lifetime" from "720h0m0s" to "0".
>
> The update of the login policy works fine and then the tf controller runs at a certain interval. There was no change after the update of the login policy but after running again he tells me...
>
> zitadel_login_policy.default: Modifying... [id=]
>
> Error: failed to update login policy: rpc error: code = FailedPrecondition desc = Errors.Org.LoginPolicy.NotChanged (Org-...)
>
>   with zitadel_login_policy.default,
>   on main.tf line 118, in resource "zitadel_login_policy" "default":
>  118: resource "zitadel_login_policy" "default" {
>
> This then loops on forever and obviously prevents flux from further reconciliation. Any idea how to prevent this would be appreciated.

As this seems like a similar issue but not the same reason, I would prefer to open up a new issue next time.

Besides that, are you sure that you handle the state correctly? Could it be that the state is not persisted?
As if there is no change in the LoginPolicy terraform should also not try to change it, and the resulting error should not occur.

@skillpoint-dev

> > I am facing error 2 right now:
> >
> > Zitadel Helm Chart: 8.4.0 (meaning AppVersion: 2.61.0)
> > Zitadel TF Provider: 2.0.1
> > Flux TF Controller: 0.16.0-rc.4
> >
> > I have a "resource zitadel_login_policy" "default" {" where the only thing that changed was "mfa_init_skip_lifetime" from "720h0m0s" to "0".
> >
> > The update of the login policy works fine and then the tf controller runs at a certain interval. There was no change after the update of the login policy but after running again he tells me...
> >
> > zitadel_login_policy.default: Modifying... [id=]
> >
> > Error: failed to update login policy: rpc error: code = FailedPrecondition desc = Errors.Org.LoginPolicy.NotChanged (Org-...)
> >
> >   with zitadel_login_policy.default,
> >   on main.tf line 118, in resource "zitadel_login_policy" "default":
> >  118: resource "zitadel_login_policy" "default" {
> >
> > This then loops on forever and obviously prevents flux from further reconciliation. Any idea how to prevent this would be appreciated.
>
> As this seems like a similar issue but not the same reason, I would prefer to open up a new issue next time.
>
> Besides that, are you sure that you handle the state correctly? Could it be that the state is not persisted? As if there is no change in the LoginPolicy terraform should also not try to change it, and the resulting error should not occur.

The changes can be seen in Zitadel after the first run, so the state is persisted fine; he just tries to run again afterwards for whatever reason. How is this different, though, than described by the original report error 2 case?
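
For the question raised earlier in the thread of how the change in the second apply is displayed, one way to inspect it (an added example, not part of the thread or the provider's code): the script reads `terraform show -json` plan output and separates attributes that truly differ from those whose duration strings differ only in spelling. That a spelling difference such as "0" versus "0s" is involved is a hypothesis to check, not something the thread establishes; the sample plan and its values are constructed.

```python
import json
import re

# Constructed sample in the shape of `terraform show -json <planfile>` output;
# the attribute values are made up for illustration, not taken from the thread.
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "zitadel_login_policy.default",
    "type": "zitadel_login_policy",
    "change": {
        "actions": ["update"],
        "before": {"user_login": True, "mfa_init_skip_lifetime": "0s"},
        "after": {"user_login": True, "mfa_init_skip_lifetime": "0"},
    },
}]})

_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 1e-3}
_TERM = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
_DURATION = re.compile(r"(?:\d+(?:\.\d+)?(?:ms|h|m|s))+")

def canonical(value):
    """Map Go-style duration strings (and a bare "0") to seconds; pass others through."""
    if value == "0":
        return ("duration", 0.0)
    if isinstance(value, str) and _DURATION.fullmatch(value):
        total = sum(float(n) * _UNIT_SECONDS[u] for n, u in _TERM.findall(value))
        return ("duration", total)
    return value

def classify_updates(plan_json, resource_type="zitadel_login_policy"):
    """Per planned update: attributes that really differ vs. differ only in spelling."""
    report = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != resource_type or change.get("actions") != ["update"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        real, cosmetic = [], []
        for key in sorted(set(before) | set(after)):
            old, new = before.get(key), after.get(key)
            if old != new:
                (cosmetic if canonical(old) == canonical(new) else real).append(key)
        report[rc["address"]] = {"real": real, "cosmetic": cosmetic}
    return report

if __name__ == "__main__":
    print(classify_updates(SAMPLE_PLAN))
```

Feed it the output of `terraform show -json plan.out` after `terraform plan -out=plan.out`; an update whose "real" list is empty sends the API a request with nothing to change.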
