alexkappa · willvedd · Jan 25, 2022 · Jan 24, 2022 · Jan 24, 2022 · Jan 25, 2022
diff --git a/auth0/resource_auth0_guardian.go b/auth0/resource_auth0_guardian.go
@@ -92,6 +92,11 @@ func newGuardian() *schema.Resource {
 					},
 				},
 			},
+			"email": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
 		},
 	}
 }
@@ -103,6 +108,9 @@ func createGuardian(d *schema.ResourceData, m interface{}) error {
 func deleteGuardian(d *schema.ResourceData, m interface{}) error {
 	api := m.(*management.Management)
 	api.Guardian.MultiFactor.Phone.Enable(false)
+	if err := api.Guardian.MultiFactor.Email.Enable(false); err != nil {
+		return err
+	}
 	d.SetId("")
 	return nil
 }
@@ -118,7 +126,16 @@ func updateGuardian(d *schema.ResourceData, m interface{}) (err error) {
 			err = api.Guardian.MultiFactor.UpdatePolicy(&management.MultiFactorPolicies{p})
 		}
 	}
-	//TODO: Extend for other MFA types
+	if err := updatePhoneFactor(d, api); err != nil {
+		return err
+	}
+	if err := updateEmailFactor(d, api); err != nil {
+		return err
+	}
+	return readGuardian(d, m)
+}
+
+func updatePhoneFactor(d *schema.ResourceData, api *management.Management) error {
-func updatePhoneFactor(d *schema.ResourceData, api *management.Management) error {
+func updatePhoneFactor(d *schema.ResourceData, api *management.Management) error {
+    ok, err := factorShouldBeUpdated(d, "phone")
+    if err != nil {
+        return err
+    }
+    if ok {
+        if err := configurePhone(d, api); err != nil {
+            return err
+        }
+    }
+    
+    return api.Guardian.MultiFactor.Phone.Enable(ok)
+}
-func updatePhoneFactor(d *schema.ResourceData, api *management.Management) error {
+func updatePhoneFactor(d *schema.ResourceData, api *management.Management) error {
+    ok, err := factorShouldBeUpdated(d, "phone")
+    if err != nil {
+        return err
+    }
+    if ok {
+        if err := configurePhone(d, api); err != nil {
+            return err
+        }
+    }
+    
+    return api.Guardian.MultiFactor.Phone.Enable(ok)
+}
 	ok, err := factorShouldBeUpdated(d, "phone")
 	if err != nil {
 		return err
@@ -131,11 +148,20 @@ func updateGuardian(d *schema.ResourceData, m interface{}) (err error) {
 	} else {
 		api.Guardian.MultiFactor.Phone.Enable(false)
 	}
-	return readGuardian(d, m)
+	return nil
 }
 
-func configurePhone(d *schema.ResourceData, api *management.Management) (err error) {
+func updateEmailFactor(d *schema.ResourceData, api *management.Management) error {
+	if changed := d.HasChange("email"); changed {
+		enabled := d.Get("email").(bool)
+		if err := api.Guardian.MultiFactor.Email.Enable(enabled); err != nil {
+			return err
+		}
-		if err := api.Guardian.MultiFactor.Email.Enable(enabled); err != nil {
-			return err
-		}
+		return api.Guardian.MultiFactor.Email.Enable(enabled)
-		if err := api.Guardian.MultiFactor.Email.Enable(enabled); err != nil {
-			return err
-		}
+		return api.Guardian.MultiFactor.Email.Enable(enabled)
+	}
+	return nil
+}
 
+func configurePhone(d *schema.ResourceData, api *management.Management) (err error) {
 	md := make(MapData)
 	List(d, "phone").Elem(func(d ResourceData) {
 		md.Set("provider", String(d, "provider", HasChange()))
@@ -241,6 +267,7 @@ func readGuardian(d *schema.ResourceData, m interface{}) error {
 	if err != nil {
 		return err
 	}
+
 	ok, err := factorShouldBeUpdated(d, "phone")
 	if err != nil {
 		return err
@@ -254,6 +281,17 @@ func readGuardian(d *schema.ResourceData, m interface{}) error {
 	if err != nil {
 		return err
 	}
+
+	factors, err := api.Guardian.MultiFactor.List()
+	if err != nil {
+		return err
+	}
+	for _, v := range factors {
+		switch *v.Name {
+		case "email":
+			d.Set("email", v.Enabled)
+		}
+	}
 	return nil
 }
 

diff --git a/auth0/resource_auth0_guardian_test.go b/auth0/resource_auth0_guardian_test.go
@@ -86,6 +86,22 @@ func TestAccGuardian(t *testing.T) {
 					resource.TestCheckNoResourceAttr("auth0_guardian.foo", "phone"),
 				),
 			},
+
+			{
+				Config: testAccConfigureEmail,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("auth0_guardian.foo", "policy", "all-applications"),
+					resource.TestCheckResourceAttr("auth0_guardian.foo", "email", "true"),
+				),
+			},
+
+			{
+				Config: testAccConfigureEmailUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("auth0_guardian.foo", "policy", "all-applications"),
+					resource.TestCheckResourceAttr("auth0_guardian.foo", "email", "false"),
+				),
+			},
 		},
 	})
 }
@@ -161,3 +177,19 @@ resource "auth0_guardian" "foo" {
   policy = "all-applications"
 }
 `
+
+const testAccConfigureEmail = `
+
+resource "auth0_guardian" "foo" {
+  policy = "all-applications"
+  email  = true
+}
+`
+
+const testAccConfigureEmailUpdate = `
+
+resource "auth0_guardian" "foo" {
+  policy = "all-applications"
+  email  = false
+}
+`
diff --git a/docs/resources/guardian.md b/docs/resources/guardian.md
@@ -19,10 +19,11 @@ resource "auth0_guardian" "default" {
     provider      = "auth0"
     message_types = ["sms"]
     options {
-      enrollment_message   = "{{code}}} is your verification code for {{tenant.friendly_name}}. Please enter this code to verify your enrollment"
+      enrollment_message   = "{{code}} is your verification code for {{tenant.friendly_name}}. Please enter this code to verify your enrollment"
       verification_message = "{{code}} is your verification code for {{tenant.friendly_name}}"
     }
   }
+  email = true
 }
 ```
 
@@ -32,6 +33,7 @@ Arguments accepted by this resource include:
 
 * `policy` - (Required) String. Policy to use. Available options are `never`, `all-applications` and `confidence-score`. The option `confidence-score` means the trigger of MFA will be adaptive. See [Auth0 docs](https://auth0.com/docs/mfa/adaptive-mfa)
 * `phone` - (Optional) List(Resource). Configuration settings for the phone MFA. For details, see [Phone](#phone).
+* `email` - (Optional) Boolean. Indicates whether or not email MFA is enabled.
 
 ### Phone