Describe the problem you'd like to have solved
Wasn't sure whether to flag this as a feature or bug, since there are aspects of both.
When using an `auth0_connection` that was imported, or some other mechanism used for populating a `client_secret` option, any updates to the `auth0_connection` (e.g., setting a new value on `metadata`) resource will update everything, which wipes out any values that aren't available locally, even if they're in `lifecycle.ignore_changes`, since lifecycle only prevents the changes from triggering an update, not the update behavior when triggered.
Describe the ideal solution
We'd like to be able to keep the `client_secret` out of TF state. Ideally, if secret attributes are unchanged in the TF plan from the TF state, they'd be excluded from the update. That way, we could set them up as `null`/`"changeme"`/etc., and then any updates to the resource would only happen if we'd explicitly changed it in our Terraform.
Alternatives and current workarounds
What we do for now is place the client secret into vaulted secret storage. However, this does mean that it's available to be retrieved (given the right permissions).
Additional context
We discovered this via an incident, because the Terraform plan for the `auth0_connection` update didn't show that it would make a change, but our authentication stopped working since the `client_secret` was wrong. This was on an environment that had been manually provisioned previously, then imported into Terraform.
I did look at the Management API docs and it looks like the problem comes from that API expecting all `options` values to be present. However, this behavior seems possible, given that the web UI can make updates to only some attributes, without unsetting a secret.
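A toy model of the behaviour reported above, added here as an illustration; it is not part of the original issue and is not the provider's or the Management API's code. The function names, the sample values, and the server rule (each top-level field in an update replaces the stored one) are assumptions drawn from the issue's description.

```python
from copy import deepcopy


def api_update(remote, payload):
    """Toy server: every top-level field in the payload replaces the stored
    one, so a supplied `options` object must carry every option value."""
    updated = deepcopy(remote)
    updated.update(deepcopy(payload))
    return updated


def plan_diff(state, config):
    """Top-level fields that differ between state and config (what a plan shows)."""
    return sorted(k for k in config if config[k] != state.get(k))


def full_payload(state, config):
    """Behaviour described in the issue: any diff sends the whole resource."""
    return deepcopy(config) if plan_diff(state, config) else {}


def changed_only_payload(state, config):
    """Requested behaviour: send only the fields the plan reports as changed."""
    return {k: deepcopy(config[k]) for k in plan_diff(state, config)}


# Constructed sample data: the real secret exists only on the remote side;
# state and config both hold a null placeholder for client_secret.
REMOTE = {"options": {"client_id": "abc", "client_secret": "real-secret"},
          "metadata": {"owner": "team-a"}}
STATE = {"options": {"client_id": "abc", "client_secret": None},
         "metadata": {"owner": "team-a"}}
CONFIG = {"options": {"client_id": "abc", "client_secret": None},
          "metadata": {"owner": "team-b"}}


def demo():
    plan = plan_diff(STATE, CONFIG)  # only metadata differs
    after_full = api_update(REMOTE, full_payload(STATE, CONFIG))
    after_changed = api_update(REMOTE, changed_only_payload(STATE, CONFIG))
    return (plan,
            after_full["options"]["client_secret"],
            after_changed["options"]["client_secret"])


if __name__ == "__main__":
    print(demo())
```

The plan lists only `metadata`, yet the full update overwrites the remote secret with the placeholder, while the changed-only update leaves it intact.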