I am using the a0deploy CLI tool to copy over my dev tenant setup to my prod tenant using keyword replacement. I created an M2M Application in both my Dev and Prod Tenants, and provided those credentials to the a0deploy CLI tool when doing the export from dev and again on import into prod, which all works great. The problem is that when I do the export, the M2M application from my Dev tenant is copied over to my Prod tenant, so now I have the dev AND prod M2M Applications in my prod tenant.
Given the recent deprecation of resource exclusion by ID, is there another way to exclude this M2M application, or am I mistaken in that I needed to manually create the M2M Application in my Prod tenant to do the import?
From what I gather from the GitHub (this post) and the official documentation, you can use auth0_excluded instead of the legacy exclusion by IDs.
In my case, for testing purposes, I gave the same name to both Apps (you need one on each Tenant since this is how you allow your local CLI to access your Tenants' Management APIs). Therefore I didn’t have this issue, but this is only ok for testing since ideally, the Apps should be configured with minimal access privilege (in your case, your Dev Tenant needs to be Read and the Prod one needs to be written).
Another way, a bit trivial, if you’re not fully automating this process, is to exclude the Deploy CLI app itself from the YAML file by deleting the corresponding node (if you’re exporting in YAML using --format=yaml) or by deleting the JSON that corresponds to the Deploy CLI app in the export directory (under the “clients” subfolder).
Hi @sylvainf, thank you for the response! My understanding was that with AUTH0_EXCLUDED you’re only allowed to exclude resources (so if I put clients then all clients would be excluded). Is that accurate?
If I give the same name to both apps, wouldn’t they still have different IDs and therefore be considered different clients?
You’re absolutely right, these new methods are used to exclude object types rather than specific IDs, so it doesn’t really answer your question.
Actually, Apps created by the CLI tool from an import will always have a different ID, therefore it seems that it actually uses the name to figure out if it should create an App or not. Also, the grants are configured at API level, so my comment about using an app with the same name might actually be a better solution than tweaking the YAML file / folder output. If for any reason this doesn’t work, you could also add a script to your pipeline to automate the removal of this App from your Exports before Importing.
Please let me know if the above doesn’t make sense.
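A pipeline step of the kind suggested above could look like the following. This is an added example, not part of the thread and not Auth0's own code. It assumes a directory-format export where each file under `clients/` carries a `name` field, and (also an assumption) that grants sit under `grants/` and reference the client by name in `client_id`; the client name and sample files are constructed.

```python
import json
import tempfile
from pathlib import Path


def _field(path, key):
    """Return one top-level field of a JSON file, or None if it cannot be parsed."""
    try:
        return json.loads(path.read_text(encoding="utf-8")).get(key)
    except (json.JSONDecodeError, AttributeError):
        return None  # unparsable file (e.g. raw keyword placeholder): never delete it


def prune_client(export_dir, client_name):
    """Delete exported files belonging to `client_name`; return what was removed."""
    root = Path(export_dir)
    removed = []
    # Match on the "name" field inside the file, not on the file name.
    # Assumption: grants reference the client by name in "client_id".
    for folder, key in (("clients", "name"), ("grants", "client_id")):
        if not (root / folder).is_dir():
            continue
        for path in sorted((root / folder).glob("*.json")):
            if _field(path, key) == client_name:
                path.unlink()
                removed.append(f"{folder}/{path.name}")
    return removed


def demo():
    """Build a constructed export tree and prune the dev Deploy CLI app from it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files, not real tenant data.
        files = {
            "clients/Deploy CLI Dev.json": {"name": "Deploy CLI Dev"},
            "clients/Web App.json": {"name": "Web App"},
            "grants/deploy.json": {"client_id": "Deploy CLI Dev", "scope": ["read:clients"]},
            "grants/web.json": {"client_id": "Web App", "scope": ["read:orders"]},
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(exist_ok=True)
            (root / rel).write_text(json.dumps(body), encoding="utf-8")
        removed = prune_client(root, "Deploy CLI Dev")
        left = sorted(p.relative_to(root).as_posix() for p in root.rglob("*.json"))
        return removed, left


if __name__ == "__main__":
    print(demo())
```

Run it between the export and the import, and have the pipeline fail if the returned list is empty, so a renamed Deploy CLI app does not slip into the prod tenant unnoticed.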