This repository has been archived by the owner on Mar 8, 2022. It is now read-only.

Can't set disable_clickjack_protection_headers = false #160

Closed
garthk opened this issue Jan 14, 2020 · 7 comments

@garthk

garthk commented Jan 14, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.19
terraform-provider-auth0 at f3bab1e

Affected Resource(s)

  • auth0_tenant

Terraform Configuration Files

resource "auth0_tenant" "default" {
  flags {
    disable_clickjack_protection_headers = false
  }
}

Debug Output

Expected Behavior

  • disable_clickjack_protection_headers gets set to false

Actual Behavior

  • Terraform's plan says it'll set disable_clickjack_protection_headers = false every time
  • If I check the clickjacking protection settings, “Disable clickjacking protection for Classic Universal Login” is still enabled
  • Auth0's logs show a sapi with description “Update tenant settings”, in which details.request.body.flags sets enable_custom_domain_in_emails = true and enable_public_signup_user_exists_error = true despite the plan not needing either to change, and doesn't contain disable_clickjack_protection_headers = false
  • terraform state pull shows the flags in the state as:
{
  "change_pwd_flow_v1": false,
  "disable_clickjack_protection_headers": true,
  "enable_apis_section": false,
  "enable_client_connections": false,
  "enable_custom_domain_in_emails": true,
  "enable_dynamic_client_registration": false,
  "enable_legacy_logs_search_v2": false,
  "enable_pipeline2": false,
  "enable_public_signup_user_exists_error": true,
  "universal_login": false
}

I note the enable_custom_domain_in_emails and enable_public_signup_user_exists_error flags you're telling Auth0 to set aren't present in the state.

Steps to Reproduce

  1. terraform apply

Important Factoids

None of which I'm aware.

References

None of which I'm aware.

@alexkappa
Owner

Hi @garthk, thank you for submitting this issue. As we've solved the previous bugs with zero values, unfortunately nested values inside maps still exhibit the bug.

I've added a test case to the tenant, so we can figure out a fix for it soon.

@vbabitskiy

Hello @alexkappa.
I'm having the same issue with:

  • Terraform 0.13.3
  • Provider 0.15.2

Error: 400 Bad Request: You are not allowed to set flag 'disable_clickjack_protection_headers' for this tenant

I'm able to run terraform plan/apply without disable_clickjack_protection_headers flag with no error.

@sseg

sseg commented Oct 13, 2020

I've got this error whether specifying or not specifying the flag in the tenant settings (since it gets passed by default in the PATCH). It seems to occur on my Auth0 enterprise tenants, but not those provisioned in the public cloud instances.

Do all flags need to be sent as defaults during an update-in-place? From my testing with the API this flags object seems to support partial updates without blowing away the original object.

@rene00
Collaborator

rene00 commented Dec 9, 2020

Hi @vbabitskiy 👋 Could you provide the terraform config you're using that generates the 400 request? Thanks,

@arevenes

arevenes commented Jan 7, 2021

Having the same issue trying, not even applying the flag, just trying to set sandbox_version to 12, see TF below:

resource "auth0_tenant" "tenant" { sandbox_version = "12" }

Response: 400 Bad Request: You are not allowed to set flag 'disable_clickjack_protection_headers' for this tenant.

Did check that the application has the update:tenant_settings permission. Not using the latest provider atm, though.

Terraform 0.12.24
Provider: 0.14.0

@emilhdiaz

Upvoted this issue already, but I wanted to add some additional color. We're also an enterprise customer and are seeing this 400 Bad Request: You are not allowed to set flag 'disable_clickjack_protection_headers' for this tenant. error on an application of the terraform plan.

I investigated the behavior of the Auth0 PATCH /api/v2/tenants/settings API directly through the API explorer (and directly with curl) and it seems that several tenant setting flags are not allowed to be updated for enterprise tenants:

  • disable_clickjack_protection_headers
  • trust_azure_adfs_email_verified_connection_property
  • enable_sso

Also verified that the application has the update:tenant_settings permission.

I think this provider should not send default values for these flags unless the provider consumer has explicitly declared them in the auth0_tenant resource.
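
The zero-value problem and the partial-update suggestion raised in this thread, shown as an added Go example that is not the provider's code and not part of any comment. The names `lossyFlags`, `lossyBody` and `minimalPatch` are hypothetical, and the remote flag values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// lossyFlags mirrors the failure mode in the thread: with a plain bool and
// omitempty, "declared false" and "not declared" both vanish from the body.
type lossyFlags struct {
	DisableClickjackProtectionHeaders bool `json:"disable_clickjack_protection_headers,omitempty"`
	EnableSSO                         bool `json:"enable_sso,omitempty"`
}

// lossyBody marshals the struct the way a zero-value-dropping client would.
func lossyBody(f lossyFlags) string {
	b, _ := json.Marshal(map[string]lossyFlags{"flags": f}) // cannot fail for bools
	return string(b)
}

// minimalPatch builds a partial update: only flags the operator declared, and
// only where the declared value differs from the remote one. An explicit
// false is kept; undeclared flags are never sent.
func minimalPatch(declared, remote map[string]bool) (string, bool) {
	flags := map[string]bool{}
	for name, want := range declared {
		if have, ok := remote[name]; !ok || have != want {
			flags[name] = want
		}
	}
	if len(flags) == 0 {
		return "", false // nothing to change: no request, no perpetual diff
	}
	b, _ := json.Marshal(map[string]map[string]bool{"flags": flags})
	return string(b), true
}

func main() {
	// Constructed remote state; flag names are the ones quoted in the thread.
	remote := map[string]bool{"disable_clickjack_protection_headers": true, "enable_sso": false}
	declared := map[string]bool{"disable_clickjack_protection_headers": false}

	fmt.Println(lossyBody(lossyFlags{DisableClickjackProtectionHeaders: false}))
	body, send := minimalPatch(declared, remote)
	fmt.Println(send, body)
}
```

The first body carries no `disable_clickjack_protection_headers` key at all, so the tenant keeps clickjacking protection disabled; the second sends only the declared flag with its explicit `false`.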

@sergiught
Collaborator

Thank you to everyone for the detailed information on this issue. I'll be closing this down in favor of #513 as that will likely fix this too. We'll be working on fixing this very soon.
