add support for Management API tokens

[kevinschoonover]

Proposed Changes

• add support for Management API tokens for authenticating to auth0

Acceptance Test Output

I ran the acceptance tests using AUTH0_MANAGEMENT_TOKENS tokens so I'm not sure if the test failures are flaky tests, problems with using a management token, or expected behavior.

output

$ make testacc TESTS=TestAccXXX
?   	github.com/alexkappa/terraform-provider-auth0	[no test files]
=== RUN   TestAccAction
--- PASS: TestAccAction (5.20s)
=== RUN   TestAccBranding
--- PASS: TestAccBranding (10.02s)
=== RUN   TestAccClientGrant
--- PASS: TestAccClientGrant (27.15s)
=== RUN   TestAccClient
--- PASS: TestAccClient (1.64s)
=== RUN   TestAccClientZeroValueCheck
--- PASS: TestAccClientZeroValueCheck (10.03s)
=== RUN   TestAccClientRotateSecret
--- PASS: TestAccClientRotateSecret (2.57s)
=== RUN   TestAccClientInitiateLoginUri
--- PASS: TestAccClientInitiateLoginUri (0.08s)
=== RUN   TestAccClientJwtScopes
--- PASS: TestAccClientJwtScopes (8.75s)
=== RUN   TestAccClientMobile
--- PASS: TestAccClientMobile (2.23s)
=== RUN   TestAccClientMobileValidationError
--- PASS: TestAccClientMobileValidationError (0.02s)
=== RUN   TestAccConnection
--- PASS: TestAccConnection (8.70s)
=== RUN   TestAccConnectionAD
--- PASS: TestAccConnectionAD (1.21s)
=== RUN   TestAccConnectionAzureAD
--- PASS: TestAccConnectionAzureAD (2.07s)
=== RUN   TestAccConnectionOIDC
--- PASS: TestAccConnectionOIDC (8.88s)
=== RUN   TestAccConnectionOAuth2
--- PASS: TestAccConnectionOAuth2 (2.87s)
=== RUN   TestAccConnectionWithEnbledClients
--- PASS: TestAccConnectionWithEnbledClients (14.40s)
=== RUN   TestAccConnectionSMS
--- PASS: TestAccConnectionSMS (1.48s)
=== RUN   TestAccConnectionEmail
--- PASS: TestAccConnectionEmail (8.76s)
=== RUN   TestAccConnectionSalesforce
--- PASS: TestAccConnectionSalesforce (1.58s)
=== RUN   TestAccConnectionGoogleOAuth2
--- PASS: TestAccConnectionGoogleOAuth2 (1.47s)
=== RUN   TestAccConnectionFacebook
--- PASS: TestAccConnectionFacebook (5.30s)
=== RUN   TestAccConnectionApple
--- PASS: TestAccConnectionApple (2.76s)
=== RUN   TestAccConnectionLinkedin
    testing.go:705: Step 1 error: errors during apply:

        Error: request failed: Get "https://<domain>.us.auth0.com/api/v2/connections/con_7yBDenELOvPA6LaK": read tcp [2601:282:4700:e370:926c:69dd:5f5e:8392]:44394->[2606:4700::6810:abfd]:443: read: connection reset by peer

          on /run/user/1000/tf-test985585983/main.tf line 3:
          (source code not available)


--- FAIL: TestAccConnectionLinkedin (8.50s)
=== RUN   TestAccConnectionGitHub
--- PASS: TestAccConnectionGitHub (1.28s)
=== RUN   TestAccConnectionWindowslive
--- PASS: TestAccConnectionWindowslive (2.61s)
=== RUN   TestAccConnectionConfiguration
--- PASS: TestAccConnectionConfiguration (9.01s)
=== RUN   TestAccConnectionSAML
--- PASS: TestAccConnectionSAML (2.06s)
=== RUN   TestAccCustomDomain
    testing.go:705: Step 0 error: errors during apply:

        Error: 403 Forbidden: The account is not allowed to perform this operation, please contact our support team

          on /run/user/1000/tf-test015103310/main.tf line 3:
          (source code not available)


--- FAIL: TestAccCustomDomain (0.26s)
=== RUN   TestAccCustomDomainVerification
    testing.go:705: Step 0 error: errors during apply:

        Error: 403 Forbidden: The account is not allowed to perform this operation, please contact our support team

          on /run/user/1000/tf-test956613040/main.tf line 10:
          (source code not available)


--- FAIL: TestAccCustomDomainVerification (0.26s)
=== RUN   TestAccEmailTemplate
--- PASS: TestAccEmailTemplate (8.27s)
=== RUN   TestAccEmail
--- PASS: TestAccEmail (9.81s)
=== RUN   TestAccGlobalClient
--- PASS: TestAccGlobalClient (3.56s)
=== RUN   TestAccGuardian
--- PASS: TestAccGuardian (65.38s)
=== RUN   TestAccHook
--- PASS: TestAccHook (1.40s)
=== RUN   TestAccHookSecrets
--- PASS: TestAccHookSecrets (11.78s)
=== RUN   TestAccLogStreamHTTP
--- PASS: TestAccLogStreamHTTP (9.47s)
=== RUN   TestAccLogStreamEventBridge
--- PASS: TestAccLogStreamEventBridge (11.41s)
=== RUN   TestAccLogStreamEventGrid
    resource_auth0_log_stream_test.go:201: this test requires an active subscription
--- SKIP: TestAccLogStreamEventGrid (0.00s)
=== RUN   TestAccLogStreamDatadog
--- PASS: TestAccLogStreamDatadog (3.12s)
=== RUN   TestAccLogStreamSplunk
--- PASS: TestAccLogStreamSplunk (8.50s)
=== RUN   TestAccLogStreamSumo
--- PASS: TestAccLogStreamSumo (2.04s)
=== RUN   TestAccOrganization
--- PASS: TestAccOrganization (32.57s)
=== RUN   TestAccPrompt
--- PASS: TestAccPrompt (1.67s)
=== RUN   TestAccResourceServer
--- PASS: TestAccResourceServer (8.57s)
=== RUN   TestAccRole
--- PASS: TestAccRole (11.74s)
=== RUN   TestAccRolePermissions
--- PASS: TestAccRolePermissions (11.31s)
=== RUN   TestAccRuleConfig
--- PASS: TestAccRuleConfig (9.53s)
=== RUN   TestAccRule
--- PASS: TestAccRule (1.04s)
=== RUN   TestAccTenant
--- PASS: TestAccTenant (1.86s)
=== RUN   TestAccTriggerBinding
--- PASS: TestAccTriggerBinding (16.88s)
=== RUN   TestAccUserMissingRequiredParams
--- PASS: TestAccUserMissingRequiredParams (0.01s)
=== RUN   TestAccUser
    testing.go:705: Step 0 error: errors during apply:

        Error: 400 Bad Request: Cannot set username for connection without requires_username

          on /run/user/1000/tf-test431826711/main.tf line 3:
          (source code not available)


--- FAIL: TestAccUser (0.31s)
=== RUN   TestAccUserIssue218
    testing.go:705: Step 0 error: errors during apply:

        Error: 400 Bad Request: Cannot set username for connection without requires_username

          on /run/user/1000/tf-test712170849/main.tf line 3:
          (source code not available)


--- FAIL: TestAccUserIssue218 (0.21s)
=== RUN   TestAccUserChangeUsername
    testing.go:705: Step 0 error: errors during apply:

        Error: 400 Bad Request: Cannot set username for connection without requires_username

          on /run/user/1000/tf-test910243899/main.tf line 3:
          (source code not available)


--- FAIL: TestAccUserChangeUsername (0.30s)
FAIL
coverage: 70.2% of statements
FAIL	github.com/alexkappa/terraform-provider-auth0/auth0	381.927s
?   	github.com/alexkappa/terraform-provider-auth0/auth0/internal/debug	[no test files]
?   	github.com/alexkappa/terraform-provider-auth0/auth0/internal/digitalocean	[no test files]
testing: warning: no tests to run
PASS
coverage: 0.0% of statements
ok  	github.com/alexkappa/terraform-provider-auth0/auth0/internal/hash	0.013s	coverage: 0.0% of statements [no tests to run]
testing: warning: no tests to run
PASS
coverage: 0.0% of statements
ok  	github.com/alexkappa/terraform-provider-auth0/auth0/internal/random	0.020s	coverage: 0.0% of statements [no tests to run]
testing: warning: no tests to run
PASS
coverage: 0.0% of statements
ok  	github.com/alexkappa/terraform-provider-auth0/auth0/internal/validation	0.002s	coverage: 0.0% of statements [no tests to run]
?   	github.com/alexkappa/terraform-provider-auth0/version	[no test files]
FAIL
make: *** [GNUmakefile:26: testacc] Error 1

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

[alexkappa]

Hi @kevinschoonover, most of the errors I can account for, except for TestAccConnectionLinkedin which seems out of the ordinary. Does that occur consistently?

TestAccCustomDomain and TestAccCustomDomainVerification are expected if your tenant does not have this feature enabled.
TestAccUser probably has something to do with the default connection Username-Password-Authentication which is expected to have requires_username set to true.

[kevinschoonover]

@alexkappa just ran the tests again fixing the connection and think everything is good.

output

==> Checking that code complies with gofmt requirements...
?   	github.com/alexkappa/terraform-provider-auth0	[no test files]
=== RUN   TestAccAction
--- PASS: TestAccAction (10.22s)
=== RUN   TestAccBranding
--- PASS: TestAccBranding (3.00s)
=== RUN   TestAccClientGrant
--- PASS: TestAccClientGrant (32.78s)
=== RUN   TestAccClient
--- PASS: TestAccClient (1.22s)
=== RUN   TestAccClientZeroValueCheck
--- PASS: TestAccClientZeroValueCheck (9.73s)
=== RUN   TestAccClientRotateSecret
--- PASS: TestAccClientRotateSecret (2.46s)
=== RUN   TestAccClientInitiateLoginUri
--- PASS: TestAccClientInitiateLoginUri (0.02s)
=== RUN   TestAccClientJwtScopes
--- PASS: TestAccClientJwtScopes (7.28s)
=== RUN   TestAccClientMobile
--- PASS: TestAccClientMobile (2.28s)
=== RUN   TestAccClientMobileValidationError
--- PASS: TestAccClientMobileValidationError (0.03s)
=== RUN   TestAccConnection
--- PASS: TestAccConnection (8.25s)
=== RUN   TestAccConnectionAD
--- PASS: TestAccConnectionAD (1.21s)
=== RUN   TestAccConnectionAzureAD
--- PASS: TestAccConnectionAzureAD (1.78s)
=== RUN   TestAccConnectionOIDC
--- PASS: TestAccConnectionOIDC (7.35s)
=== RUN   TestAccConnectionOAuth2
--- PASS: TestAccConnectionOAuth2 (2.25s)
=== RUN   TestAccConnectionWithEnbledClients
--- PASS: TestAccConnectionWithEnbledClients (15.14s)
=== RUN   TestAccConnectionSMS
--- PASS: TestAccConnectionSMS (1.19s)
=== RUN   TestAccConnectionEmail
--- PASS: TestAccConnectionEmail (8.49s)
=== RUN   TestAccConnectionSalesforce
--- PASS: TestAccConnectionSalesforce (1.26s)
=== RUN   TestAccConnectionGoogleOAuth2
--- PASS: TestAccConnectionGoogleOAuth2 (1.25s)
=== RUN   TestAccConnectionFacebook
--- PASS: TestAccConnectionFacebook (8.61s)
=== RUN   TestAccConnectionApple
--- PASS: TestAccConnectionApple (1.99s)
=== RUN   TestAccConnectionLinkedin
--- PASS: TestAccConnectionLinkedin (8.17s)
=== RUN   TestAccConnectionGitHub
--- PASS: TestAccConnectionGitHub (1.11s)
=== RUN   TestAccConnectionWindowslive
--- PASS: TestAccConnectionWindowslive (8.32s)
=== RUN   TestAccConnectionConfiguration
--- PASS: TestAccConnectionConfiguration (2.14s)
=== RUN   TestAccConnectionSAML
--- PASS: TestAccConnectionSAML (8.35s)
=== RUN   TestAccCustomDomain
    testing.go:705: Step 0 error: errors during apply:

        Error: 403 Forbidden: The account is not allowed to perform this operation, please contact our support team

          on /run/user/1000/tf-test228635405/main.tf line 3:
          (source code not available)


--- FAIL: TestAccCustomDomain (0.35s)
=== RUN   TestAccCustomDomainVerification
    testing.go:705: Step 0 error: errors during apply:

        Error: 403 Forbidden: The account is not allowed to perform this operation, please contact our support team

          on /run/user/1000/tf-test656193735/main.tf line 10:
          (source code not available)


--- FAIL: TestAccCustomDomainVerification (0.27s)
=== RUN   TestAccEmailTemplate
--- PASS: TestAccEmailTemplate (8.35s)
=== RUN   TestAccEmail
--- PASS: TestAccEmail (9.03s)
=== RUN   TestAccGlobalClient
--- PASS: TestAccGlobalClient (3.34s)
=== RUN   TestAccGuardian
--- PASS: TestAccGuardian (65.06s)
=== RUN   TestAccHook
--- PASS: TestAccHook (1.44s)
=== RUN   TestAccHookSecrets
--- PASS: TestAccHookSecrets (11.71s)
=== RUN   TestAccLogStreamHTTP
--- PASS: TestAccLogStreamHTTP (8.94s)
=== RUN   TestAccLogStreamEventBridge
--- PASS: TestAccLogStreamEventBridge (10.92s)
=== RUN   TestAccLogStreamEventGrid
    resource_auth0_log_stream_test.go:201: this test requires an active subscription
--- SKIP: TestAccLogStreamEventGrid (0.00s)
=== RUN   TestAccLogStreamDatadog
--- PASS: TestAccLogStreamDatadog (3.24s)
=== RUN   TestAccLogStreamSplunk
--- PASS: TestAccLogStreamSplunk (8.17s)
=== RUN   TestAccLogStreamSumo
--- PASS: TestAccLogStreamSumo (2.21s)
=== RUN   TestAccOrganization
--- PASS: TestAccOrganization (33.55s)
=== RUN   TestAccPrompt
--- PASS: TestAccPrompt (1.75s)
=== RUN   TestAccResourceServer
--- PASS: TestAccResourceServer (8.40s)
=== RUN   TestAccRole
--- PASS: TestAccRole (11.41s)
=== RUN   TestAccRolePermissions
--- PASS: TestAccRolePermissions (10.92s)
=== RUN   TestAccRuleConfig
--- PASS: TestAccRuleConfig (9.36s)
=== RUN   TestAccRule
--- PASS: TestAccRule (1.16s)
=== RUN   TestAccTenant
--- PASS: TestAccTenant (8.17s)
=== RUN   TestAccTriggerBinding
--- PASS: TestAccTriggerBinding (16.20s)
=== RUN   TestAccUserMissingRequiredParams
--- PASS: TestAccUserMissingRequiredParams (0.04s)
=== RUN   TestAccUser
--- PASS: TestAccUser (27.12s)
=== RUN   TestAccUserIssue218
--- PASS: TestAccUserIssue218 (2.98s)
=== RUN   TestAccUserChangeUsername
--- PASS: TestAccUserChangeUsername (10.36s)
FAIL
coverage: 74.9% of statements
FAIL	github.com/alexkappa/terraform-provider-auth0/auth0	430.392s
?   	github.com/alexkappa/terraform-provider-auth0/auth0/internal/debug	[no test files]
?   	github.com/alexkappa/terraform-provider-auth0/auth0/internal/digitalocean	[no test files]
testing: warning: no tests to run
PASS
coverage: 0.0% of statements
ok  	github.com/alexkappa/terraform-provider-auth0/auth0/internal/hash	0.006s	coverage: 0.0% of statements [no tests to run]
testing: warning: no tests to run
PASS
coverage: 0.0% of statements
ok  	github.com/alexkappa/terraform-provider-auth0/auth0/internal/random	0.016s	coverage: 0.0% of statements [no tests to run]
testing: warning: no tests to run
PASS
coverage: 0.0% of statements
ok  	github.com/alexkappa/terraform-provider-auth0/auth0/internal/validation	0.001s	coverage: 0.0% of statements [no tests to run]
?   	github.com/alexkappa/terraform-provider-auth0/version	[no test files]
FAIL
make: *** [GNUmakefile:26: testacc] Error 1

[alexkappa]

Hi @kevinschoonover, thanks for giving this a go! I've made some suggestions for your consideration 🙏

[alexkappa]

Do you think we can work with RequiredWith or ConflictsWith to handle us requiring either a client id/secret or a token?

[kevinschoonover]

Happy to do this if thats what you're looking for. I think the error messages leave a bit to be desired IMO

if none are specified

if only client_id is specified

if all are specified

I don't see any technical reason wrong with them. I think its just nicer to include the environment variables and what not.

[kevinschoonover]

@alexkappa should be all done! let me know what your thoughts are about the error messages

[willvedd]

Hey @kevinschoonover , thanks for submitting this! Despite my volume of feedback, I'm actually very in favor of your proposed changes and would like to work with you to craft this solution a bit further.

Aside from a few minor code comments, I have two concerns:

• Documentation: Because there was only one method of authentication before, it was clear what the required arguments are. With this change, we need to be a bit clearer in the docs about the potential authentication strategies a dev could use.
  -Testing: We can manually verify that the declarative rules in the schema work, but I'd like us to consider applying a basic test to ensure that these rules don't change from under us.

One thing to note is that this project is migrating over to the Auth0 organization soon, and there is no way to migrate PRs. So we will either need to close and re-open this PR or merge before then.

[kevinschoonover]

@willvedd I've been digging into adding tests and running into a lot of trouble. Using the following code

> cat provider_test.go
...
func TestProvider_configValidation(t *testing.T) {
	testCases := []struct {
		name           string
		environment    map[string]string
		expectedErrors []error
	}{
		{
			name:           "empty",
			environment:    map[string]string{"AUTH0_DOMAIN": "TEST", "AUTH0_CLIENT_ID": "test", "AUTH0_CLIENT_SECRET": "test2", "AUTH0_TOKEN": "TEST"},
			expectedErrors: []error{},
		},
	}

	for _, test := range testCases {
		t.Run(test.name, func(t *testing.T) {
			for k, v := range test.environment {
				fmt.Println(k, v)
				os.Unsetenv(k)
				os.Setenv(k, v)
			}

			c := terraform.NewResourceConfigRaw(nil)
			p := Provider()

			r, errs := p.Validate(c)
			assert.Equal(t, test.expectedErrors, errs)
			fmt.Println(r, errs)

			for k := range test.environment {
				os.Unsetenv(k)
			}
		})
	}
}

I keep getting the following error:

> go test -test.run TestProvider_configValidation -test.v
...
provider_test.go:107:
        	Error Trace:	provider_test.go:107
        	Error:      	Not equal:
        	            	expected: []error{}
        	            	actual  : []error{(*errors.errorString)(0xc0005c49e0), (*errors.errorString)(0xc0005c4af0)}
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,2 +1,4 @@
        	            	-([]error) {
        	            	+([]error) (len=2) {
        	            	+ (*errors.errorString)("client_id": all of `client_id,client_secret` must be specified),
        	            	+ (*errors.errorString)("client_secret": all of `client_id,client_secret` must be specified)
        	            	 }
        	Test:       	TestProvider_configValidation/empty
...

Reading into the terraform-plugin-sdk, I think this has something to do with the value 'client_id' and 'client_secret' not being concurrently populated from the environment using the 'DefaultFunc' so it thinks the other one does not exist when it calls the validateRequiredWithAttribute function. I'm not really sure why this works running it via CLI though.

As a temporary workaround, I can use NewResourceConfigRaw to test the schema validation; however, it won't cover the normal case where users will pass these in as environment variables. Let me know your thoughts (and if this explanation makes sense)

[kevinschoonover]

@willvedd updated the tests, let me know your thoughts. Happy to change anything about them!

[willvedd]

@kevinschoonover Thanks for making those changes, it's really coming together. Those tests are what I had in mind, I'll just need to pull down and run them locally. But as far as feedback goes, I don't have anything major.

Because this is a change in the fundamental operation of the provider, I'd like @sergiughf 's approval too.

[sergiught]

Great contribution @kevinschoonover! Only left a few comments I'd be happy for us to discuss.

[sergiught]

Thanks a lot for the super quick follow up on our review! Once we tackle the last comments we're ready to merge.

[kevinschoonover]

@sergiughf Comments should now be addressed! Let me know if there is anything else!

[sergiught]

I ran the full test suite locally and unfortunately having both resourceConfig set up and the env vars messes up with running everything in 1 go as the env vars will be unset for the subsequent acceptance tests. To fix this we could either:

A) keep track of env vars before setting the ones in the tests and replace the original values after they run
B) test only with the resourceConfig values

Apologies for having missed this before @kevinschoonover. Would you be able to remove the env vars from these tests and just keep the resourceConfig as that should already cover our intended behavior change in the auth mechanism?

[kevinschoonover]

I think we need to do A) because I ran the acceptance test again removing this code and its pulling client_id and client_secret from the environment breaking the existing tests.

> AUTH0_DOMAIN="https://<tenant>.auth0.com" AUTH0_CLIENT_ID="<id>" AUTH0_CLIENT_SECRET="<id>" make testacc
=== RUN   TestProvider_configValidation
=== RUN   TestProvider_configValidation/missing_client_id
    provider_test.go:134: actual did not match expected. len(expected) != len(actual). expected: ["client_secret": all of `client_id,client_secret` must be specified], actual: ["client_secret": all of `client_id,client_secret` must be specified "client_id": all of `client_id,client_secret` must be specified]
=== RUN   TestProvider_configValidation/missing_client_secret
    provider_test.go:134: actual did not match expected. len(expected) != len(actual). expected: ["client_id": all of `client_id,client_secret` must be specified], actual: ["client_id": all of `client_id,client_secret` must be specified "client_secret": all of `client_id,client_secret` must be specified]
=== RUN   TestProvider_configValidation/conflicting_auth0_client_and_management_token_without_domain
    provider_test.go:134: actual did not match expected. len(expected) != len(actual). expected: ["domain": required field is not set "client_id": conflicts with api_token "client_secret": conflicts with api_token "api_token": conflicts with client_id], actual: ["api_token": conflicts with client_id "client_id": conflicts with api_token "client_secret": conflicts with api_token]
=== RUN   TestProvider_configValidation/valid_auth0_client
=== RUN   TestProvider_configValidation/valid_auth0_token
    provider_test.go:134: actual did not match expected. len(expected) != len(actual). expected: [], actual: ["client_secret": all of `client_id,client_secret` must be specified "client_id": all of `client_id,client_secret` must be specified]
--- FAIL: TestProvider_configValidation (0.06s)
    --- FAIL: TestProvider_configValidation/missing_client_id (0.01s)
    --- FAIL: TestProvider_configValidation/missing_client_secret (0.01s)
    --- FAIL: TestProvider_configValidation/conflicting_auth0_client_and_management_token_without_domain (0.01s)
    --- PASS: TestProvider_configValidation/valid_auth0_client (0.01s)
    --- FAIL: TestProvider_configValidation/valid_auth0_token (0.01s)

[willvedd]

Am able to confirm that all acceptance tests pass and the TestProvider_configValidation unit test passes reliably. So with that I say, great work! And thank you for your patience.

[sergiught]

Great work @kevinschoonover !