oidcBackchannelLogoutUrls were reset during deployment

[dawidchmist]

Describe what happened

After deployment of new Auth0 configuration we've noticed that oidcBackchannelLogoutUrls were reset to empty values. Before that we had information about deprecation but pulumi preview or pulumi up outputs haven't specify that this will be deleted.
During that deployment also some other values were changed like: name etc.

We fixed that by migrating that settings to oidcLogout struct.

Sample program

import * as pulumi from "@pulumi/pulumi";
import * as auth0 from "@pulumi/auth0";


const myApp = new auth0.Client("sample", {
    name: "My Application",
    appType: "regular_web",
    oidcBackchannelLogoutUrls: ["https://sample.com/logout"],

    callbacks: ["https://sample.com/callback"],
    allowedLogoutUrls: ["https://sample.com"],

});

export const clientId = myApp.clientId;
export const clientSecret = myApp.clientSecret;

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

CLI
Version 3.150.0
Go Version go1.23.6
Go Compiler gc

Plugins
KIND NAME VERSION
resource auth0 3.12.0
resource aws 6.53.0
language nodejs 3.150.0

Host
OS darwin
Version 15.1
Arch arm64

This project is written in nodejs: executable='/opt/homebrew/bin/node' version='v23.7.0'

Dependencies:
NAME VERSION
@pulumi/auth0 3.12.0
@pulumi/aws 6.53.0
@pulumi/pulumi 3.147.0
git-last-commit 1.0.1
@babel/helper-function-name 7.24.7
@babel/helper-hoist-variables 7.24.7
@eslint/eslintrc 3.1.0
@eslint/js 9.11.1
@ls-lint/ls-lint 2.2.3
@trivago/prettier-plugin-sort-imports 4.3.0
@types/jest 29.5.13
@types/node 20.16.9
@typescript-eslint/eslint-plugin 8.7.0
@typescript-eslint/parser 8.7.0
eslint 9.11.1
globals 15.9.0
jest 29.7.0
prettier 3.3.3
ts-jest 29.2.5
typescript 5.7.3

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[t0yv0]

Thanks for the sample code @dawidchmist

Am I understanding you correctly that you have had drift where the Pulumi program did not specify oidcBackchannelLogoutUrls but it was actually set in Auth0 itself, and then running pulumi preview and pulumi up you did not see any diff but Pulumi "fixed" the drift unexpectedly by resetting the resource to be in sync with the program?

[t0yv0]

I may be missing something here, so please feel free to provide more details, but at a surface it appears to be that the problem here is that Pulumi does not "refresh" or consult the actual cloud state by default. The Terraform-like behavior can be enabled by pulumi up --refresh though. I suspect in your case, if you ran with --refresh then Pulumi would show that it is about to reset oidcBackchannelLogoutUrls to empty values.

[t0yv0]

pulumi/pulumi#2247 is tracking the idea of enabling this by default.