
Options not persisting in Terraform state for AD connections #870

Closed · 6 tasks done
Mathematicaster opened this issue Oct 30, 2023 · 7 comments

@Mathematicaster

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of this provider and the issue still persists.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

Attempting to set the disable_self_service_change_password option to true for an Active Directory / LDAP connection does not work.

Expectation

When removing the 'Forgot password' link by setting the disable_self_service_change_password option to true in an AD connection (as per the auth0/auth0 documentation), the 'Forgot password' link should no longer appear.

Reproduction

  1. Given the following Terraform file:

```hcl
terraform {
  required_version = "~> 1.6.0"

  required_providers {
    auth0 = {
      source  = "auth0/auth0"
      version = "~> 1.0.0"
    }
  }
}

provider "auth0" {
}

resource "auth0_connection" "test_connection" {
  name     = "test-connection"
  strategy = "ad"

  options {
    # Set to true, as described above (the plan output below also shows true).
    disable_self_service_change_password = true
  }
}
```

and appropriately set environment variables (AUTH0_DOMAIN, AUTH0_API_TOKEN)

  2. When executing terraform apply via the CLI

  3. Then this output is issued:

```text
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform will perform the following actions:

  # auth0_connection.test_connection will be created
  + resource "auth0_connection" "test_connection" {
      + id                   = (known after apply)
      + is_domain_connection = (known after apply)
      + name                 = "test-connection"
      + realms               = (known after apply)
      + strategy             = "ad"

      + options {
          + allowed_audiences                    = (known after apply)
          + authorization_endpoint               = (known after apply)
          + disable_self_service_change_password = true
          + domain_aliases                       = (known after apply)
          + ips                                  = (known after apply)
          + issuer                               = (known after apply)
          + jwks_uri                             = (known after apply)
          + map_user_id_to_id                    = (known after apply)
          + non_persistent_attrs                 = (known after apply)
          + password_policy                      = (known after apply)
          + scopes                               = (known after apply)
          + sign_in_endpoint                     = (known after apply)
          + sign_out_endpoint                    = (known after apply)
          + signing_cert                         = (known after apply)
          + strategy_version                     = (known after apply)
          + token_endpoint                       = (known after apply)
          + userinfo_endpoint                    = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

auth0_connection.test_connection: Creating...
auth0_connection.test_connection: Creation complete after 1s [id=con_XpLlODYWO4FVPT3X]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
```

However, this does not have the intended effect of disabling the 'Forgot password' link and an inspection of the connection via the API reveals that the disable_self_service_change_password option has not been set:

```json
{
  "id": "con_XpLlODYWO4FVPT3X",
  "options": {
    "ips": null,
    "brute_force_protection": true
  },
  "strategy": "ad",
  "name": "test-connection",
  "provisioning_ticket_url": "https://tenant-name.au.auth0.com/p/ad/bnXaeoMsx7upaFWtJhCRK84YqIMHSqj3",
  "is_domain_connection": false,
  "show_as_button": false,
  "enabled_clients": [],
  "realms": [
    "test-connection"
  ]
}
```

  2a. Furthermore, when executing terraform apply via the CLI a second time

  3a. Then this output is issued:

```text
auth0_connection.test_connection: Refreshing state... [id=con_XpLlODYWO4FVPT3X]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # auth0_connection.test_connection will be updated in-place
  ~ resource "auth0_connection" "test_connection" {
        id                   = "con_XpLlODYWO4FVPT3X"
        name                 = "test-connection"
        # (5 unchanged attributes hidden)

      ~ options {
          - brute_force_protection               = true -> null
          ~ disable_self_service_change_password = false -> true
          - set_user_root_attributes             = "on_each_login" -> null
            # (27 unchanged attributes hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

auth0_connection.test_connection: Modifying... [id=con_XpLlODYWO4FVPT3X]
auth0_connection.test_connection: Modifications complete after 1s [id=con_XpLlODYWO4FVPT3X]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
```

and inspection via the API reveals that disable_self_service_change_password is still not set, but this time the brute_force_protection option is no longer explicitly set. Any successive attempts to run terraform apply result in this plan:

```text
Terraform will perform the following actions:

  # auth0_connection.test_connection will be updated in-place
  ~ resource "auth0_connection" "test_connection" {
        id                   = "con_XpLlODYWO4FVPT3X"
        name                 = "test-connection"
        # (5 unchanged attributes hidden)

      ~ options {
          ~ disable_self_service_change_password = false -> true
          - set_user_root_attributes             = "on_each_login" -> null
            # (28 unchanged attributes hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

but no discernible difference in the connection.

Auth0 Terraform Provider version

v1.0.0

Terraform version

v1.6.2

@Mathematicaster Mathematicaster added the 🪲 bug Something isn't working label Oct 30, 2023
@alarobric

I see the same issue, with both disable_self_service_change_password and disable_signup.

@willvedd (Contributor)

So if I understand correctly, any attempt to set the disable_self_service_change_password and disable_signup connection option properties results in failure. Looking at the code, this is expected because these properties are only enabled for select connection strategies; we will need to account for them for others. It looks like this is specific to AD strategies, but are either of you aware of other strategies that need to be altered?

@adamc00 commented Oct 31, 2023

@willvedd, I'm unclear about what you are asking above. What I can add (I work with @Mathematicaster) is that we were informed by Auth0 support that the disable_self_service_change_password option existed for AD/LDAP connections. They mentioned that this also applied to database connections.

Note that we are able to update that value using the Auth0 API directly but it fails using the terraform provider as described in the OP in case that was unclear. We were directed to the following documentation.

https://community.auth0.com/t/how-to-remove-the-forgot-password-link-from-the-new-universal-login-page/92554
This option is also discoverable in the Management API reference for patching connections:
https://auth0.com/docs/api/management/v2/connections/patch-connections-by-id

@sergiught (Contributor)

Hey folks, I'm actively looking into this now. @adamc00, can you confirm that enabling disable_self_service_change_password through that API call directly gives back the intended result of removing the "Forgot Password" link within the Universal Login page?

@Mathematicaster (Author)

@sergiught That's correct. A PATCH request to /api/v2/connections/:id with "disable_self_service_change_password": true in the payload has the desired effect of disabling the "Forgot password" link.
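The thread's working diagnosis is that a successful terraform apply says nothing about what the provider actually sent, and the only reliable check is to read the connection back from the Management API (as the issue author did) and compare it with the declared options. The script below is an added example, not code from the issue or from the auth0 provider: it takes the GET /api/v2/connections/:id response shown earlier in the issue (embedded here as a constructed sample), reports every declared option the API does not carry, and builds a PATCH payload that merges the declared options into the current ones. The merge matters because the second apply in the issue dropped brute_force_protection ("true -> null"), which is what happens when a PATCH sends a partial options object; the fetch_connection helper, the tenant domain and the token are hypothetical and only used if you call it against a real tenant.

```python
"""Post-apply drift check for Auth0 connection options.

Added example; not part of the issue or the auth0/auth0 provider. Compares the
options declared in HCL with what the Management API reports for the
connection and builds a safe reconciliation payload.
"""
import json
import urllib.request

# Constructed sample: the connection as the issue shows it after the first
# terraform apply (GET /api/v2/connections/:id), options trimmed to the
# fields that were present.
SAMPLE_CONNECTION = {
    "id": "con_XpLlODYWO4FVPT3X",
    "options": {"ips": None, "brute_force_protection": True},
    "strategy": "ad",
    "name": "test-connection",
    "is_domain_connection": False,
    "show_as_button": False,
    "enabled_clients": [],
    "realms": ["test-connection"],
}

# What the HCL options block in the issue declares.
DESIRED_OPTIONS = {"disable_self_service_change_password": True}


def find_option_drift(connection, desired):
    """Return {option: (expected, actual)} for each declared option the API
    does not report with the expected value. A key missing from the API
    response comes back with actual=None, which is the failure mode in the
    issue: apply succeeded, but the field was never sent to Auth0."""
    actual_options = connection.get("options") or {}
    drift = {}
    for key, expected in desired.items():
        actual = actual_options.get(key)
        if actual != expected:
            drift[key] = (expected, actual)
    return drift


def reconcile_options(connection, desired):
    """Build the body for PATCH /api/v2/connections/:id.

    The current options are merged with the desired ones so that fields the
    API already holds (brute_force_protection here) are not dropped, which is
    what the second apply in the issue did when it sent a partial options
    object."""
    merged = dict(connection.get("options") or {})
    merged.update(desired)
    return {"options": merged}


def fetch_connection(domain, token, connection_id):
    """Hypothetical helper: GET the live connection from a tenant.

    Needs a real tenant domain and a Management API token holding the
    read:connections scope; never executed by the demo below."""
    req = urllib.request.Request(
        f"https://{domain}/api/v2/connections/{connection_id}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    drift = find_option_drift(SAMPLE_CONNECTION, DESIRED_OPTIONS)
    for key, (expected, actual) in drift.items():
        print(f"DRIFT {key}: declared {expected!r}, API reports {actual!r}")
    print("reconciliation payload:")
    print(json.dumps(reconcile_options(SAMPLE_CONNECTION, DESIRED_OPTIONS), indent=2))
```

Run after every apply that touches an auth0_connection (or from a scheduled job with a read-only token) and fail the pipeline when find_option_drift returns anything; that turns the silent "Apply complete!" in the issue into a visible error until the provider fix in v1.1.0 is in place.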

@sergiught (Contributor) commented Nov 8, 2023

Thanks for confirming @Mathematicaster 👍🏻

I've added support for this field within the underlying Go SDK we leverage for the API calls: auth0/go-auth0#308. Once that gets merged and released we can follow up with support within the provider as well. I'll circle back once I have an update.

Draft PR as well within the provider: #874

@sergiught (Contributor)

Hey folks, this has now been fixed within https://github.com/auth0/terraform-provider-auth0/releases/tag/v1.1.0.
