alexkappa · alexkappa · Jun 4, 2020 · Jun 3, 2020 · Jun 3, 2020 · Jun 4, 2020
diff --git a/auth0/resource_auth0_client.go b/auth0/resource_auth0_client.go
@@ -560,7 +560,7 @@ func expandClient(d *schema.ResourceData) *management.Client {
 	c := &management.Client{
 		Name:                           String(d, "name"),
 		Description:                    String(d, "description"),
-		AppType:                        String(d, "app_type", IsNewResource(), HasChange()),
+		AppType:                        String(d, "app_type"),
 		LogoURI:                        String(d, "logo_uri"),
 		IsFirstParty:                   Bool(d, "is_first_party"),
 		IsTokenEndpointIPHeaderTrusted: Bool(d, "is_token_endpoint_ip_header_trusted"),
@@ -573,20 +573,20 @@ func expandClient(d *schema.ResourceData) *management.Client {
 		SSO:                            Bool(d, "sso"),
 		SSODisabled:                    Bool(d, "sso_disabled"),
 		CrossOriginAuth:                Bool(d, "cross_origin_auth"),
-		CrossOriginLocation:            String(d, "cross_origin_loc", IsNewResource(), HasChange()),
+		CrossOriginLocation:            String(d, "cross_origin_loc"),
 		CustomLoginPageOn:              Bool(d, "custom_login_page_on"),
 		CustomLoginPage:                String(d, "custom_login_page"),
 		CustomLoginPagePreview:         String(d, "custom_login_page_preview"),
 		FormTemplate:                   String(d, "form_template"),
-		TokenEndpointAuthMethod:        String(d, "token_endpoint_auth_method", IsNewResource(), HasChange()),
+		TokenEndpointAuthMethod:        String(d, "token_endpoint_auth_method"),
 		InitiateLoginURI:               String(d, "initiate_login_uri"),
 	}
 
 	List(d, "jwt_configuration").Elem(func(d ResourceData) {
 		c.JWTConfiguration = &management.ClientJWTConfiguration{
-			LifetimeInSeconds: Int(d, "lifetime_in_seconds", IsNewResource(), HasChange()),
+			LifetimeInSeconds: Int(d, "lifetime_in_seconds"),
 			SecretEncoded:     Bool(d, "secret_encoded", IsNewResource()),
-			Algorithm:         String(d, "alg", IsNewResource(), HasChange()),
+			Algorithm:         String(d, "alg"),
 			Scopes:            Map(d, "scopes"),
 		}
 	})

diff --git a/auth0/resource_auth0_client_grant.go b/auth0/resource_auth0_client_grant.go
@@ -24,10 +24,12 @@ func newClientGrant() *schema.Resource {
 			"client_id": {
 				Type:     schema.TypeString,
 				Required: true,
+				ForceNew: true,
 			},
 			"audience": {
 				Type:     schema.TypeString,
 				Required: true,
+				ForceNew: true,
 			},
 			"scope": {
 				Type:     schema.TypeList,

diff --git a/auth0/resource_auth0_client_grant_test.go b/auth0/resource_auth0_client_grant_test.go
@@ -37,6 +37,12 @@ func TestAccClientGrant(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_client_grant.my_client_grant", "scope.#", "0"),
 				),
 			},
+			{
+				Config: random.Template(testAccClientGrantConfigUpdateChangeClient, rand),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("auth0_client_grant.my_client_grant", "scope.#", "0"),
+				),
+			},
 		},
 	})
 }
@@ -89,3 +95,18 @@ resource "auth0_client_grant" "my_client_grant" {
 	scope = [ ]
 }
 `
+
+const testAccClientGrantConfigUpdateChangeClient = testAccClientGrantAuxConfig + `
+
+resource "auth0_client" "my_client_alt" {
+	name = "Acceptance Test - Client Grant Alt - {{.random}}"
+	custom_login_page_on = true
+	is_first_party = true
+}
+
+resource "auth0_client_grant" "my_client_grant" {
+	client_id = "${auth0_client.my_client_alt.id}"
+	audience = "${auth0_resource_server.my_resource_server.identifier}"
+	scope = [ ]
+}
+`
diff --git a/auth0/resource_auth0_global_client.go b/auth0/resource_auth0_global_client.go
@@ -13,13 +13,34 @@ func newGlobalClient() *schema.Resource {
 	client.Create = createGlobalClient
 	client.Delete = deleteGlobalClient
 
-	name := client.Schema["name"]
-	name.Required = false
-	name.Computed = true
+	exclude := []string{"client_secret_rotation_trigger"}
+
+	// Mark all values computed and optional. This because the global client has
+	// already been created for all tenants.
+	for key := range client.Schema {
+
+		// Exclude certain fields from being marked as computed.
+		if in(key, exclude) {
+			continue
+		}
+
+		client.Schema[key].Required = false
+		client.Schema[key].Optional = true
+		client.Schema[key].Computed = true
+	}
 
 	return client
 }
 
+func in(needle string, haystack []string) bool {
+	for i := 0; i < len(haystack); i++ {
+		if needle == haystack[i] {
+			return true
+		}
+	}
+	return false
+}
+
 func createGlobalClient(d *schema.ResourceData, m interface{}) error {
 	if err := readGlobalClientId(d, m); err != nil {
 		return err

diff --git a/auth0/resource_auth0_global_client_test.go b/auth0/resource_auth0_global_client_test.go
@@ -39,8 +39,7 @@ func TestAccGlobalClient(t *testing.T) {
 				),
 			},
 			{
-				Config:             testAccGlobalClientConfigDefault,
-				ExpectNonEmptyPlan: true,
+				Config: testAccGlobalClientConfigDefault,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_global_client.global", "custom_login_page", "<html>TEST123</html>"),
 					resource.TestCheckResourceAttr("auth0_global_client.global", "custom_login_page_on", "true"),

diff --git a/auth0/resource_auth0_user.go b/auth0/resource_auth0_user.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/structure"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
@@ -195,6 +196,9 @@ func updateUser(d *schema.ResourceData, m interface{}) error {
 	if err != nil {
 		return err
 	}
+	if err = validateUser(u); err != nil {
+		return err
+	}
 	api := m.(*management.Management)
 	if userHasChange(u) {
 		if err := api.User.Update(d.Id(), u); err != nil {
@@ -228,44 +232,81 @@ func buildUser(d *schema.ResourceData) (u *management.User, err error) {
 
 	u = new(management.User)
 	u.ID = String(d, "user_id", IsNewResource())
-	u.Connection = String(d, "connection_name", IsNewResource(), HasChange())
+	u.Connection = String(d, "connection_name")
+
+	u.Name = String(d, "name")
+	u.FamilyName = String(d, "family_name")
+	u.GivenName = String(d, "given_name")
+	u.Nickname = String(d, "nickname")
+
 	u.Username = String(d, "username", IsNewResource(), HasChange())
-	u.Name = String(d, "name", IsNewResource(), HasChange())
-	u.FamilyName = String(d, "family_name", IsNewResource(), HasChange())
-	u.GivenName = String(d, "given_name", IsNewResource(), HasChange())
-	u.Nickname = String(d, "nickname", IsNewResource(), HasChange())
-	u.PhoneNumber = String(d, "phone_number", IsNewResource(), HasChange())
+
+	u.Email = String(d, "email", IsNewResource(), HasChange())
 	u.EmailVerified = Bool(d, "email_verified", IsNewResource(), HasChange())
 	u.VerifyEmail = Bool(d, "verify_email", IsNewResource(), HasChange())
+
+	u.PhoneNumber = String(d, "phone_number", IsNewResource(), HasChange())
 	u.PhoneVerified = Bool(d, "phone_verified", IsNewResource(), HasChange())
-	u.Email = String(d, "email", IsNewResource(), HasChange())
+
 	u.Password = String(d, "password", IsNewResource(), HasChange())
-	u.Blocked = Bool(d, "blocked", IsNewResource(), HasChange())
-	u.Picture = String(d, "picture", IsNewResource(), HasChange())
 
-	u.UserMetadata, err = JSON(d, "user_metadata", IsNewResource(), HasChange())
+	u.Blocked = Bool(d, "blocked")
+	u.Picture = String(d, "picture")
+
+	u.UserMetadata, err = JSON(d, "user_metadata")
 	if err != nil {
 		return nil, err
 	}
 
-	u.AppMetadata, err = JSON(d, "app_metadata", IsNewResource(), HasChange())
+	u.AppMetadata, err = JSON(d, "app_metadata")
 	if err != nil {
 		return nil, err
 	}
 
-	if u.Username != nil || u.Password != nil || u.EmailVerified != nil || u.PhoneVerified != nil {
-		// When updating email_verified, phone_verified, username or password
-		// we need to specify the connection property too.
-		//
-		// https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id
-		//
-		// As the builtin String function internally checks if the key has been
-		// changed, we retrieve the value of "connection_name" regardless of
-		// change.
-		u.Connection = auth0.String(d.Get("connection_name").(string))
+	return u, nil
+}
+
+func validateUser(u *management.User) error {
+	var validation error
+	for _, fn := range []validateUserFunc{
+		validateNoUsernameAndPasswordSimultaneously(),
+		validateNoUsernameAndEmailVerifiedSimultaneously(),
+		validateNoPasswordAndEmailVerifiedSimultaneously(),
+	} {
+		if err := fn(u); err != nil {
+			validation = multierror.Append(validation, err)
+		}
+	}
+	return validation
+}
+
+type validateUserFunc func(*management.User) error
+
+func validateNoUsernameAndPasswordSimultaneously() validateUserFunc {
+	return func(u *management.User) (err error) {
+		if u.Username != nil && u.Password != nil {
+			err = fmt.Errorf("Cannot update username and password simultaneously")
+		}
+		return
 	}
+}
 
-	return u, nil
+func validateNoUsernameAndEmailVerifiedSimultaneously() validateUserFunc {
+	return func(u *management.User) (err error) {
+		if u.Username != nil && u.EmailVerified != nil {
+			err = fmt.Errorf("Cannot update username and email_verified simultaneously")
+		}
+		return
+	}
+}
+
+func validateNoPasswordAndEmailVerifiedSimultaneously() validateUserFunc {
+	return func(u *management.User) (err error) {
+		if u.Password != nil && u.EmailVerified != nil {
+			err = fmt.Errorf("Cannot update password and email_verified simultaneously")
+		}
+		return
+	}
 }
 
 func assignUserRoles(d *schema.ResourceData, m interface{}) error {

diff --git a/auth0/resource_auth0_user_test.go b/auth0/resource_auth0_user_test.go
@@ -237,3 +237,69 @@ resource auth0_user auth0_user_issue_218 {
   password = "MyPass123$"
 }
 `
+
+func TestAccUserChangeUsername(t *testing.T) {
+
+	rand := random.String(4)
+
+	resource.Test(t, resource.TestCase{
+		Providers: map[string]terraform.ResourceProvider{
+			"auth0": Provider(),
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: random.Template(testAccUserChangeUsernameCreate, rand),
+				Check: resource.ComposeTestCheckFunc(
+					random.TestCheckResourceAttr("auth0_user.auth0_user_change_username", "username", "user_{{.random}}", rand),
+					random.TestCheckResourceAttr("auth0_user.auth0_user_change_username", "email", "change.username.{{.random}}@acceptance.test.com", rand),
+					resource.TestCheckResourceAttr("auth0_user.auth0_user_change_username", "password", "MyPass123$"),
+				),
+			},
+			{
+				Config: random.Template(testAccUserChangeUsernameUpdate, rand),
+				Check: resource.ComposeTestCheckFunc(
+					random.TestCheckResourceAttr("auth0_user.auth0_user_change_username", "username", "user_x_{{.random}}", rand),
+					random.TestCheckResourceAttr("auth0_user.auth0_user_change_username", "email", "change.username.{{.random}}@acceptance.test.com", rand),
+					resource.TestCheckResourceAttr("auth0_user.auth0_user_change_username", "password", "MyPass123$"),
+				),
+			},
+			{
+				Config:      random.Template(testAccUserChangeUsernameAndPassword, rand),
+				ExpectError: regexp.MustCompile("Cannot update username and password simultaneously"),
+			},
+		},
+	})
+}
+
+const testAccUserChangeUsernameCreate = `
+
+resource auth0_user auth0_user_change_username {
+  connection_name = "Username-Password-Authentication"
+  username = "user_{{.random}}"
+  email = "change.username.{{.random}}@acceptance.test.com"
+  email_verified = true
+  password = "MyPass123$"
+}
+`
+
+const testAccUserChangeUsernameUpdate = `
+
+resource auth0_user auth0_user_change_username {
+  connection_name = "Username-Password-Authentication"
+  username = "user_x_{{.random}}"
+  email = "change.username.{{.random}}@acceptance.test.com"
+  email_verified = true
+  password = "MyPass123$"
+}
+`
+
+const testAccUserChangeUsernameAndPassword = `
+
+resource auth0_user auth0_user_change_username {
+  connection_name = "Username-Password-Authentication"
+  username = "user_{{.random}}"
+  email = "change.username.{{.random}}@acceptance.test.com"
+  email_verified = true
+  password = "MyPass123456$"
+}
+`