ignore_changes for auth0_connection client_id and client_secret not respected

[scorgatelli]

Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this provider and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

We are using terraform to provision Azure AD connections that are intended to be used with the new Self-Service Single Sign-On feature. Our process looks like this:

1. We provision the connection using terraform using a place holder value for options.client_id and options.client_secret.
2. lifecycle.ignore_changes is used to ignore any changes to the client_id and secret since these will be set via the self-service setup.
3. We then use the self-service profile (that is also managed via terraform) to manually create a ticket for the connection created in step 1 and send that to the customer who then updates the client id and secret.

The actual behavior is that any change to the connection properties or configuration drift results in the credentials being reset to the place holder values, breaking the connection.

Additionally, there is no indication in the terraform plan that these values will be modified. We recently deployed a change that, based on the plan, looked like it would have no impact. However, it silently reverted the client id and secret and broke the customer connection requiring us to have them reconfigure the parameters via the self-service SSO setup.

This issue makes using the self-service SSO setup unreliable when the connection is provisioned via terraform.

Expectation

The intended behavior is that future changes via terraform, or other manual drift updates will not update the credentials set by the customer when ignored using lifecycle.ignore_changes.

Reproduction

1. Apply the following resource

resource "auth0_connection" "waad_self_service" {
  name           = "test-aad"
  strategy       = "waad"
  display_name   = "Test Self-Service Connection"
  show_as_button = false

  options {
    identity_api             = "microsoft-identity-platform-v2.0"
    client_id                = "placeholder"
    client_secret            = "placeholder"
    domain                   = "test.com"
    tenant_domain            = "test.com"
    waad_protocol            = "openid-connect"
    waad_common_endpoint     = false
    set_user_root_attributes = "on_each_login"
    scopes                   = ["ext_nested_groups", "ext_groups", "ext_profile"]
  }

  lifecycle {
    ignore_changes = [options[0].client_id, options[0].client_secret]
  }
}

2. Update the client id and secret via the Auth0 admin portal or the SSO self-service page
3. Update the display_name or any other property
4. Reapply
5. Go back to the admin portal to see that the client id and secret have been reverted to the place holder values

Auth0 Terraform Provider version

1.22.0

Terraform version

v1.6.3

[duedares-rvj]

Hello @scorgatelli 👋

I looked into this and based on my investigation this doesn't look like a provider issue, but usual behaviour demonstrated by terraform core.

Please refer to these comments:
hashicorp/terraform#30027 (comment)

Also:
hashicorp/terraform#28803 (comment)
hashicorp/terraform#28803 (comment)

For your use case, here's what I'd recommend:

1. Perform steps 1-3 as mentioned on the description.
2. Since the terraform managed field has been altered outside of terraform, consider running terraform apply -refresh-only to bring back the state into sync.
3. Try terraform plan or terraform apply and you'll not see any further diffs.

Let me know if that helps. :)

Thanks!

[scorgatelli]

Hi @duedares-rvj ,

Thank you for your reply. I tried using -refresh-only as you suggested. This does help prevent unintended change if there is configuration drift. However, it does not help if a managed property is intentionally updated in terraform.

For example, as I mentioned in the repro steps, if I change the display_name and reapply, the client_id and client_secret are still reverted to the placeholder values, even if I run a -refresh-only first. Below is an example of plan snippet when I change the name. Even though only the name is being changed, the client_id and client_secret values are reverted to the place holder values.

  # auth0_connection.waad_self_service will be updated in-place
  ~ resource "auth0_connection" "waad_self_service" {
      ~ display_name         = "Test Self-Service Connection" -> "Test Self-Service Connection 2"
        id                   = "con_aOHwLHQ2Fe39NF5r"
        name                 = "test-aad"
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Additionally, I tested ignoring the options entirely. I still see the same behavior. Even though all options should be ignored, the client_id and client_secret are still reverted to place holder values when I change the display_name.

  lifecycle {
    # ignore_changes = [options[0].client_id, options[0].client_secret]
    ignore_changes = [options]
  }

This seems to me to be a clear indicator that this is a provider issue. We use ignore_changes in many places with other providers where there are properties that are managed outside of terraform and do not see this behavior. This seems similar to the issue #860 and PR #903 which seems to have addressed the issue for action secrets.

Currently, the only way I have found to make this safe for use with self-service SSO is to ignore all resource changes.

[jacobkretz-bf]

This just bit us as well. This should be fixed asap. We are using the same (commented out) configuration as above.

[jacobkretz-bf]

Some addtional information on the connection resource.

1. Metadata key/values are not removed (planned for removal, yes) on apply.
2. There are several items within options that continuously should as add or changed. It looks like if the initial create includes these fields it doesn't show a change, but if not it always shows a diff. The current fields we see are

domain
identity_api
max_group_to_retrieve
scopes (all entries)
set_user_root_attributes
should_trust_email_verification_connection
strategy_version
tenant_domain
user_id_attribute
waad_protocol

I should be able to get someone to look at this next week for a PR.

[ivanenkomaksym]

Same issue at our side. However, I checked and it apparently works for Google Workspace connections:
strategy = "google-apps"

[duedares-rvj]

@scorgatelli @jacobkretz-bf @ivanenkomaksym Hello everyone.

We further looked into this, but I think it presently boils down to this comment:

Unfortunately adding a lifecycle ignore changes block won't work for any of the connection options, as due to API limitations the inner options block behaves like a PUT instead of a PATCH, so all options configs need to be set in order to prevent erasing them.

This is presently by API design but on the provider level, we are exploring ways to address it for the options block. We don't have strict timelines but at some point we plan to migrate to the Plugin Framework and handle this case better.

Meanwhile, I'm going to park this into discussions for any further input from the community.
Thank you!