Description
Checklist
- I have looked into the README and have not found a suitable solution or answer.
- I have looked into the documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have upgraded to the latest version of this provider and the issue still persists.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
When updating a field on an auth0_email_provider resource (e.g., adding or modifying the settings block), the credentials are silently reset to the values in the Terraform configuration, even when those fields are explicitly listed in an ignore_changes lifecycle block and do not appear in the Terraform execution plan. I have observed this specifically with the SES email provider, but I believe it would apply to other email providers as well.
This is problematic for the workflow in which the credentials are intentionally kept out of the Terraform state. For example, the auth0_email_provider may be created with "placeholder" values for the credentials and an ignore_changes directive on the credentials. The actual credential values may then be set via the Auth0 management API or Dashboard. A later Terraform apply can silently reset the credentials to the placeholder value, thereby stopping email delivery.
This issue is related to but distinct from #1107.
Expectation
When ignore_changes = [credentials] is set on an auth0_email_provider resource (or the provider detects no credential change):
- Updates to other fields (e.g., settings) should not modify the credentials stored in Auth0
- The credentials should not be included in the PATCH /v2/emails/provider request to Auth0 when they haven't changed
Reproduction
The issue can be reproduced consistently via the following steps.
1. Create an auth0_email_provider resource with placeholder credentials (to keep the credentials out of state):

       resource "auth0_email_provider" "ses" {
         name                 = "ses"
         enabled              = true
         default_from_address = "[email protected]"

         credentials {
           access_key_id     = "placeholder"
           secret_access_key = "placeholder"
           region            = "us-east-2"
         }

         lifecycle {
           ignore_changes = [
             credentials
           ]
         }
       }

2. Apply the configuration: terraform apply
3. Manually update the credentials in the Auth0 dashboard to real values
4. Validate that email delivery works correctly
5. Add a settings block to the Terraform configuration:

       resource "auth0_email_provider" "ses" {
         name                 = "ses"
         enabled              = true
         default_from_address = "[email protected]"

         credentials {
           access_key_id     = "placeholder"
           secret_access_key = "placeholder"
           region            = "us-east-2"
         }

         settings {
           message {
             configuration_set_name = "my-config-set"
           }
         }

         lifecycle {
           ignore_changes = [
             credentials
           ]
         }
       }

6. Run a terraform plan and observe that only the settings change appears in the execution plan
7. Run terraform apply
8. Validate that email delivery no longer works as credentials have been reset (for AWS SES, an error message like "Error sending email: The security token included in the request is invalid." can be observed)

The TF_LOG=debug AUTH0_DEBUG=true environment variables can be used to observe that the credentials are included in the PATCH /v2/emails/provider request that occurs during the terraform apply in Step 7.
Auth0 Terraform Provider version
1.31.0
Terraform version
1.13.3
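
Added example, not part of the issue and not the provider's own code: a sketch of the behaviour the Expectation section asks for, where the PATCH body is built only from attributes whose planned value differs from prior state. The Block type, buildPatch, and sampleStates are hypothetical names, and the snapshots are constructed from the HCL in the reproduction steps; with ignore_changes, Terraform carries the prior state value into the plan, so credentials compare equal and are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Block is one resource snapshot keyed by Terraform attribute name.
// Hypothetical type for this example, not the provider's or SDK's own.
type Block map[string]any

// buildPatch returns only the attributes whose planned value differs from
// the prior state, so unchanged blocks never reach the PATCH body.
func buildPatch(prior, planned Block) Block {
	patch := Block{}
	for key, want := range planned {
		if have, ok := prior[key]; ok && reflect.DeepEqual(have, want) {
			continue // unchanged: leave the remote value alone
		}
		patch[key] = want
	}
	return patch
}

// sampleStates builds constructed before/after snapshots matching the issue:
// placeholder credentials in both, a settings block only in the plan.
func sampleStates() (Block, Block) {
	creds := Block{
		"access_key_id":     "placeholder",
		"secret_access_key": "placeholder",
		"region":            "us-east-2",
	}
	prior := Block{"name": "ses", "enabled": true, "credentials": creds}
	planned := Block{
		"name": "ses", "enabled": true, "credentials": creds,
		"settings": Block{"message": Block{"configuration_set_name": "my-config-set"}},
	}
	return prior, planned
}

func main() {
	prior, planned := sampleStates()
	body, _ := json.Marshal(buildPatch(prior, planned))
	// Only the settings block is serialized; credentials are absent.
	fmt.Println(string(body))
}
```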