Skip to content

Updating a tenant removes webhook added by a fusionauth_webhook resource #164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sjauld opened this issue Dec 8, 2022 · 5 comments
Closed

Updating a tenant removes webhook added by a fusionauth_webhook resource #164

sjauld opened this issue Dec 8, 2022 · 5 comments

Comments

@sjauld
Copy link
Contributor

sjauld commented Dec 8, 2022

Related to #113

Because we use a PUT request to update a tenant, we currently remove any existing webhooks.

Webhooks are not part of the Tenant struct, but are attached on the TenantRequest struct (see FusionAuth/fusionauth-issues#1984). Since we are already managing webhooks via the fusionauth_webhook resource, I don't think it's a good idea to add them to the tenant resource - furthermore, webhooks aren't available on the TenantResponse struct anyway.

If we use PatchTenant instead of UpdateTenant, this problem will go away. PR to follow.
@ccp-void
Copy link

ccp-void commented Mar 13, 2025
edited
Loading

Can someone from the FusionAuth team chime in on this? What is the current status of this issue?

We've experienced this behavior on numerous occasions in the past with the gpsinsight provider and only just now found that the fusionauth team has adopted the provider for further maintenance (SEO is not always great...), is it correct to assume that since this issue is not closed, the problem still remains?

Should we be using the fusionauth_webhook resource's tenant_ids field to set the webhook associations, or should we use the webhook_ids field on the fusionauth_tenant resource?

This is a very critical behavior/bug which has bitten us in production as well, now we're on v0.2.0 of the fusionauth/fusionauth provider, and would like to get confidence that this is a thing of the past.

@TomKimber
Copy link
Collaborator

@ccp-void This is still an active issue but will be fixed as part of the next release.

@TomKimber
Copy link
Collaborator

@sjauld @ccp-void Having investigating this further I think the best solution is to maintain the ability to attach webhooks within the tenant resource. However this should only be used if you're passing the ID directly as a string e.g. only use the tenant webhook_ids parameter if you're referencing a webhook that is not being deployed via a "fusionauth_webhook" resource. This maintains the ability to attach webhooks if they're not being deployed via Terraform and will not show a diff for the webhook resource as no such resource is present.

If you are deploying the webhook via the "fusionauth_webhook" resource and wish to associate it with tenants then this should be done via the tenant_ids parameter in the "fusionauth_webhook" resource which will not show a diff in the tenant resource. This will be clarified in the documentation in the next release but functions in the way described in v0.2.0.

@TomKimber TomKimber mentioned this issue Mar 31, 2025
Merged
@mgmarino
Copy link

mgmarino commented Apr 9, 2025
edited
Loading

We ran into this problem as well. The issue:

  1. Create a webhook using fusionauth_webhook. Associated with a tenant ID within that resource .
  2. Sometime later, update the tenant (fusionauth_tenant) => Voila, webhooks are disabled on the tenant.

This bit us on a production instance last week where we lost synchronization of users. This was a pain to fix.

@TomKimber It's not clear how simply adding documentation will fix this issue? Is it also the case that tenant is no longer updated using PUT?

EDIT: Found this commit: 0345e7b that seems to indicate this functionality was removed from the webhook resource (which seems the correct thing to do, since the ids can be referenced in the tenant), so I assume the comment above is simply no longer correct.

Note, as a workaround until the new version lands, we added the webhook ids on the tenant, and then added the following:

  lifecycle {
    ignore_changes = [
      // Will be fixed in version 1.0.0
      // https://github.com/FusionAuth/terraform-provider-fusionauth/pull/322/commits/0345e7b85bae6d9f285f883da52905b041ab8ddf
      tenant_ids,
    ]
  }

on the fusionauth_webhook resources to keep them from being updated.

@TomKimber
Copy link
Collaborator

@ccp-void @mgmarino You're absolutely correct that a documentation update was not enough to resolve this problem. This was down to a misunderstanding of the SDK implementation on my part.

Additionally, you're absolutely correct that removing this parameter from the webhook resource is the solution for now. This is because in the tenant request object in the SDK there's an additional field for webhook_ids, if this is not specified, then the default value of nil is used which was what was removing the webhooks attached to a given tenant previously. The issue with supporting this field in both resources is that the tenant response object in the SDK does not currently return the associated webhook_ids and so cannot easily be written back to the tenant state without additional querying of the webhook API.

This functionality has been fixed as part of the v1.0.0-pre1 release (https://github.com/FusionAuth/terraform-provider-fusionauth/releases/tag/v1.0.0-pre1) and so the tenant_id parameter has been removed from the webhook resource and must be specified exclusively on the tenant resource.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mgmarino @TomKimber @sjauld @ccp-void