auth0_connection SAML configuration option "sign_saml_request" not updatable

[tb00-cloud]

Checklist

• [X] I have looked into the README and have not found a suitable solution or answer.
• [X] I have looked into the documentation and have not found a suitable solution or answer.
• [X] I have searched the issues and have not found a suitable solution or answer.
• [X] I have upgraded to the latest version of this provider and the issue still persists.
• [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• [X] I agree to the terms within the Auth0 Code of Conduct.

Description

When modifying auth0_connection resources the parameter sign_saml_request is always set to false regardless of the config. On the next run, the drift will be detected but applying will do nothing.

note - I've seen the same behaviour elsewhere in other resources. This one happens to be an example I can always reproduce.

Expectation

Modifying the resource will not reset the parameter sign_saml_request. Also modifying the parameter sign_saml_request will be effective.

Reproduction

1. Deploy the auth0_connection resource with the "samlp" strategy.

   resource "auth0_connection" "this" {
   name     = var.name
   strategy = "samlp"
   
   options {
     debug                    = var.enable_debug_logging
     signing_cert             = var.signing_cert 
     sign_in_endpoint         = var.sign_in_endpoint
     sign_out_endpoint        = var.single_signout_endpoint
     disable_sign_out         = var.single_signout_endpoint == "" ? true : false
     tenant_domain            = var.tenant_domain
     sign_saml_request        = true
     protocol_binding         = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     request_template         = var.custom_request_template
     user_id_attribute        = var.user_id_attribute_nane
     signature_algorithm      = "rsa-sha256"
     digest_algorithm         = "sha256"
     metadata_xml             = var.idp_metadata_xml
     fields_map               = jsonencode(var.mappers)
     set_user_root_attributes = "on_each_login"
   }
   }

2. Make a change such as setting debug to false.

3. Apply the change.

4. Observe the option to sign requests has now been set to false even though you did not specify it.

5. Run a new apply with no changes.

6. Observe terraform detecting the drift.

7. Run another plan/appy.

8. Observe terraform detecting the drift.

9. and so on...

Auth0 Terraform Provider version

0.50.0

Terraform version

1.5.3

[tb00-cloud]

Dropping in the output from Terraform debug when modifying this resource:

2023-07-14T14:53:46.052+0100 [WARN] Provider "provider[\"registry.terraform.io/auth0/auth0\"]" produced an unexpected new value for module.saml.auth0_connection.this, but we are tolerating it because it is using the legacy plugin SDK. The following problems may be the cause of any confusing errors from downstream operations:

• .options[0].sign_saml_request: was cty.True, but now cty.False

[tb00-cloud]

Quick update, I had previously not been passing the block signing_key. So I tried it with these params being passed but the outcome was the same.

[sergiught]

Hey @tb00-cloud 👋🏻

Thanks for taking the time to raise this with us. I tried to reproduce your issue but I am unable to.

Given the following:

resource "auth0_connection" "this" {
  name     = "Test-Connection"
  strategy = "samlp"

  options {
    debug                    = true
    disable_sign_out         = false
    tenant_domain            = "example.com"
    sign_saml_request        = false
    protocol_binding         = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    user_id_attribute        = "https://saml.provider/imi/ns/identity-200810"
    signature_algorithm      = "rsa-sha256"
    digest_algorithm         = "sha256"
    set_user_root_attributes = "on_each_login"

    fields_map = jsonencode({
      "name" : ["name"]
      "email" : ["emailaddress", "nameidentifier"]
      "family_name" : "appelido"
    })

    metadata_url = "https://raw.githubusercontent.com/auth0/terraform-provider-auth0/132b28c30dfafbe018db0efe3ce2c98c452d4f9c/test/data/saml_metadata.xml"
  }
}

When I run terraform apply I get the following:

terraform apply                                                                                                       ✔  14:17:24
auth0_connection.this: Refreshing state... [id=con_XXXX]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # auth0_connection.this will be updated in-place
  ~ resource "auth0_connection" "this" {
        id                   = "con_XXXX"
        name                 = "Test-Connection"
        # (6 unchanged attributes hidden)

      ~ options {
          ~ sign_saml_request                    = true -> false
            # (39 unchanged attributes hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

auth0_connection.this: Modifying... [id=con_XXXX]
auth0_connection.this: Modifications complete after 0s [id=con_XXXX]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

terraform apply                                                                                                       ✔  14:17:33
auth0_connection.this: Refreshing state... [id=con_XXXX]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

I'm suspecting that perhaps a certain combination of properties that you're setting override the sign_saml_request property. But I'm unable to confirm unless you specify exactly what the true/false values of

      debug                    = var.enable_debug_logging
      signing_cert             = var.signing_cert 
      sign_in_endpoint         = var.sign_in_endpoint
      sign_out_endpoint        = var.single_signout_endpoint
      disable_sign_out         = var.single_signout_endpoint == "" ? true : false

are? Also are you ensuring you're not overriding any of those properties through the metadata xml? As that has precedence.

[tb00-cloud]

Hey @sergiught. You were right it was the metadata file taking precedence.

I'd say it's definitely worth a quick note in the docs about the precedence to avoid this one coming back.

Thanks for your help!

[sergiught]

Thanks for the feedback @tb00-cloud, I followed up in https://github.com/auth0/terraform-provider-auth0/pull/740/files to clarify that. Let me know if you think it's enough or not.