Overview
This article explains a conflict that occurs when a user created and managed through Infrastructure as Code (IaC) with Auth0 using Terraform is later modified directly in the Auth0 Dashboard. When a subsequent update is attempted using Terraform, it will try to revert any changes made outside of its management, causing a conflict.
For example, a user is created using Terraform, and then the user’s app_metadata is modified in the Auth0 Dashboard. When an update is then performed with Terraform, the conflict appears and the following plan is shown in the Command Line Interface (CLI).
    Terraform will perform the following actions:

      # auth0_user.user will be updated in-place
      ~ resource "auth0_user" "user" {
          - app_metadata = jsonencode(
                {
                  - authorization = {
                      - groups = []
                      - permissions = []
                      - roles = []
                    }
                }
            ) -> null
            id = "auth0|67dab86aaaca804*********"
            name = "Example User"
            # (15 unchanged attributes hidden)
        }

    Plan: 0 to add, 1 to change, 0 to destroy.
Applies To
- Terraform
Cause
This behavior is specific to how Terraform manages the resources. When Terraform sees a change to the user (which was not made through Terraform) and compares it with the resource, it will update the user with the values from the .tfstate file, overwriting the user.
Solution
Since the user is managed by Terraform, all updates should be made by modifying the Terraform resource code to track these changes. If changes are made outside of Terraform, subsequent terraform apply commands will overwrite them.
To reconcile changes made outside of Terraform without losing them, use the refresh-only option.
- Run the terraform apply -refresh-only command. This command fetches the current state of the resources from Auth0 and updates the local .tfstate file to match, without applying any changes from the configuration files.

    terraform apply -refresh-only

- Terraform will detect the changes made outside of its control and display a plan to update the state file.

    auth0_user.user: Refreshing state... [id=auth0|67dab86aaa804c*********]

    Note: Objects have changed outside of Terraform

    Terraform detected the following changes made outside of Terraform since the
    last "terraform apply" which may have affected this plan:

      # auth0_user.user has changed
      ~ resource "auth0_user" "user" {
          + app_metadata = jsonencode(
                {
                  + authorization = {
                      + groups = []
                      + permissions = []
                      + roles = []
                    }
                }
            )
            id = "auth0|67dab86aaa804c*********"
            name = "Example User"
            # (15 unchanged attributes hidden)
        }

    This is a refresh-only plan, so Terraform will not take any actions to undo
    these. If you were expecting these changes then you can apply this plan to
    record the updated values in the Terraform state without changing any remote
    objects.

    Would you like to update the Terraform state to reflect these detected changes?
      Terraform will write these changes to the state without modifying any real infrastructure.
      There is no undo. Only 'yes' will be accepted to confirm.

- Confirm the action by entering yes when prompted.
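
Because app_metadata here carries authorization data (groups, permissions, roles), it is worth reviewing exactly what changed outside Terraform before answering yes. The following is an added example, not part of the original article or the Auth0 provider: it lists drifted attributes from the JSON form of a refresh-only plan. It assumes the plan was saved with terraform plan -refresh-only -out=<planfile> and rendered with terraform show -json <planfile>; the sample document and the function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed shape of `terraform show -json <planfile>` for a
# refresh-only plan. Values are illustrative, not taken from a real tenant.
SAMPLE_PLAN = json.dumps({
    "resource_drift": [{
        "address": "auth0_user.user",
        "type": "auth0_user",
        "change": {
            "actions": ["update"],
            "before": {"name": "Example User", "app_metadata": None},
            "after": {
                "name": "Example User",
                # Assumption: app_metadata is held as a JSON-encoded string.
                "app_metadata": json.dumps({"authorization": {
                    "groups": [], "permissions": [], "roles": []}}),
            },
        },
    }],
})

def _decode(value):
    """Parse JSON-encoded string attributes; return anything else unchanged."""
    try:
        return json.loads(value) if isinstance(value, str) else value
    except ValueError:
        return value

def drifted_attributes(plan_json, resource_type="auth0_user"):
    """Map resource address -> {attribute: (state_value, remote_value)}."""
    report = {}
    for entry in json.loads(plan_json).get("resource_drift", []):
        if entry.get("type") != resource_type:
            continue
        before = entry["change"].get("before") or {}
        after = entry["change"].get("after") or {}
        diffs = {}
        for key in sorted(set(before) | set(after)):
            old, new = _decode(before.get(key)), _decode(after.get(key))
            if old != new:
                diffs[key] = (old, new)
        if diffs:
            report[entry["address"]] = diffs
    return report

if __name__ == "__main__":
    for address, diffs in drifted_attributes(SAMPLE_PLAN).items():
        print(address, diffs)
```

Each reported pair is (value recorded in state, value currently in Auth0), so an unexpected change under authorization stands out before the state is updated.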