Changing user_metadata on auth0_user results in an API error #400

Closed
6 tasks done
risotto-master opened this issue Nov 13, 2022 · 2 comments
Labels
🪲 bug Something isn't working

Comments

@risotto-master

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of this provider and the issue still persists.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

Unable to change user_metadata on users associated with a google-oauth2 connection.
I have a Google OAuth2 connection defined by the following resource:

resource "auth0_connection" "google" {
  enabled_clients = [
    auth0_client.app.id,
  ]

  is_domain_connection = false
  metadata             = {}
  name                 = "my-google-oauth2"

  strategy = "google-oauth2"
}

and a user that has been created outside of Terraform context (since the Management API does not support creating users with this connection). Once the user has been created I import it into Terraform state, and wish to apply a common set of user attributes:

resource "auth0_user" "users" {
  for_each        = { for user in local.admins : user.email => user }
  email           = each.key
  email_verified  = true
  connection_name = auth0_connection.google.name
  family_name     = each.value.last_name
  given_name      = each.value.first_name
  name            = "${each.value.first_name} ${each.value.last_name}"
  nickname        = each.value.nickname
  user_metadata = jsonencode(
    {
      some_key = "value"
    }
  )
}

Terraform plan makes sense:

  # module.auth0.auth0_user.users["[email protected]"] will be updated in-place
  ~ resource "auth0_user" "users" {
        id              = "google-oauth2|..."
        name            = "My Name"
      + user_metadata   = jsonencode(
            {
              + some_key = "value"
            }
        )
        # (12 unchanged attributes hidden)
    }

but apply still fails with:

Error: 400 Bad Request: The following user attributes cannot be updated: family_name, given_name, name, nickname. The connection (prod-google-oauth2) must either be a database connection (using the Auth0 store), a passwordless connection (email or sms) or has disabled 'Sync user profile attributes at each login'. For more information, see https://auth0.com/docs/dashboard/guides/connections/configure-connection-sync

As you can see, plan does not change any of the mentioned attributes. If I add:

  lifecycle {
    ignore_changes = [
      user_metadata
    ]
  }

to auth0_user.users, the plan goes through but this beats the purpose of me using Terraform for Auth0 users in this case.

Expectation

Plan application to succeed and user_metadata to be updated.

Reproduction

Here's a close-to-minimal repro:

terraform {
  required_providers {
    auth0 = {
      source  = "auth0/auth0"
      version = ">= 0.40" # Refer to docs for latest version
    }
  }
}

locals {
  admins = []
}

resource "auth0_connection" "google" {
  enabled_clients = []

  is_domain_connection = false
  metadata             = {}
  name                 = "my-google-oauth2"

  strategy = "google-oauth2"
}

resource "auth0_organization" "acme" {
  display_name = "acme"
  metadata     = {}
  name         = "acme"
}


resource "auth0_organization_connection" "acme_google" {
  organization_id            = auth0_organization.acme.id
  connection_id              = auth0_connection.google.id
  assign_membership_on_login = true
}

resource "auth0_organization_member" "acme_members" {
  for_each        = auth0_user.users
  organization_id = auth0_organization.acme.id
  user_id         = each.value.id
  roles           = []
}

resource "auth0_user" "users" {
  for_each        = { for user in local.admins : user.email => user }
  email           = each.key
  email_verified  = true
  connection_name = auth0_connection.google.name
  family_name     = each.value.last_name
  given_name      = each.value.first_name
  name            = "${each.value.first_name} ${each.value.last_name}"
  nickname        = each.value.nickname
  roles           = []
  user_metadata = jsonencode(
    {
      some_key = "value"
    }
  )

  lifecycle {
    ignore_changes = [
      # plan fails if this is not ignored
      # user_metadata
    ]
  }
}

This should apply cleanly.
User goes to the app, logs in with Google in order to create a User object in Auth0.
Import the user:

tf import auth0_user.users[\"[email protected]\"] "google-oauth2|103273465557629152599"

Then, to add user metadata, change local.admins:

locals {
  admins = [
    {
      email : "[email protected]",
      first_name : "Name",
      last_name : "Last Name",
      nickname : "name",
    },
  ]
}

Plan can be computed, but applying will fail due to the mentioned error.

Auth0 Terraform Provider version

0.34, 0.40

Terraform version

v1.2.4

@sergiught
Contributor

Hey @risotto-master 👋🏻

Thanks for bringing this to our attention.

After a bit of digging it seems the issue is not with the user_metadata property but with the fact that we're trying to always push an update to the API with name, given_name, family_name and nickname within the payload.

These unfortunately cannot be present in the payload if the connection is not a db or passwordless connection or if the Sync user profile attributes at each login is toggled on. For more info you can read https://auth0.com/docs/manage-users/user-accounts/user-profiles/configure-connection-sync-with-auth0.

I have a fix for this in https://github.com/auth0/terraform-provider-auth0/pull/453/files that also updates the docs with the above info. It will be available on the upcoming release, ~ ETA: this week.

As a tip if you want to keep those attributes managed by your identity provider (google in this case) I'd suggest removing them from the terraform configuration block to prevent issues such as the one above.
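
The payload problem described in the comment above, as an added Go sketch (not the provider's code and not the change made in the linked pull request): the request body is built from the difference between state and configuration, so a plan that only touches user_metadata never carries the four root attributes. `Conn`, `rootAttrsWritable` and `BuildPatch` are hypothetical names, and the sample state is constructed from the plan output in the issue.

```go
package main

import (
	"fmt"
	"reflect"
)

// rootAttrs are the fields named in the 400 error quoted in this issue.
var rootAttrs = []string{"family_name", "given_name", "name", "nickname"}

// Conn is a hypothetical, minimal view of a connection (not an SDK type).
type Conn struct {
	Strategy        string // "auth0" = database; "email"/"sms" = passwordless
	SyncAtEachLogin bool   // "Sync user profile attributes at each login"
}

// rootAttrsWritable mirrors the condition stated in the error text.
func rootAttrsWritable(c Conn) bool {
	switch c.Strategy {
	case "auth0", "email", "sms":
		return true
	}
	return !c.SyncAtEachLogin
}

// BuildPatch returns only the attributes that differ from current state and
// rejects a changed root attribute the identity provider owns.
func BuildPatch(c Conn, state, desired map[string]any) (map[string]any, error) {
	patch := map[string]any{}
	for k, want := range desired {
		if !reflect.DeepEqual(state[k], want) {
			patch[k] = want // unchanged attributes stay out of the body
		}
	}
	for _, k := range rootAttrs {
		if _, changed := patch[k]; changed && !rootAttrsWritable(c) {
			return nil, fmt.Errorf("%s is owned by the identity provider", k)
		}
	}
	return patch, nil
}

func main() {
	// Constructed sample mirroring the plan above: only user_metadata differs.
	state := map[string]any{"name": "My Name", "nickname": "name"}
	desired := map[string]any{"name": "My Name", "nickname": "name",
		"user_metadata": map[string]any{"some_key": "value"}}
	fmt.Println(BuildPatch(Conn{"google-oauth2", true}, state, desired))
}
```

Failing locally on a changed root attribute surfaces the conflict before the request is sent, rather than as a 400 from the API.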

@sergiught
Contributor

Hey @risotto-master 👋🏻 this is now fixed within the latest release https://github.com/auth0/terraform-provider-auth0/releases/tag/v0.43.0. Please check it out and let us know if you encounter any issues.
