Excluding Resources From Management

In some cases, you may find it useful to exclude resources from being managed. This could be because your tenant has a large number of a particular resource and it’s operationally burdensome to manage them, or your development workflow only pertains to a specific subset of resources and you’d like to omit all other resources for performance. Regardless, there are several options available for excluding resources when using the Deploy CLI.

For more complex tenants, you may find yourself wanting to omit entire resource types. For example:

• Enterprise tenant with thousands of organizations, where managing all would be operationally burdensome.

• CI/CD process only focuses on managing roles, and you want to exclude all others.

• Feature development pertains to hook, and you want to temporarily exclude all others to optimize performance.

This type of exclusion is expressed by passing an array of resource names into the AUTH0_EXCLUDED configuration property. This works bi-directionally (both when exporting from and importing to Auth0), regardless if the resource configuration files exist.

 All supported resource values for exclusion: actions, attackProtection, branding, clientGrants, clients, connections, customDomains, databases, emailProvider, emailTemplates, guardianFactorProviders, guardianFactorTemplates, guardianFactors, guardianPhoneFactorMessageTypes, guardianPhoneFactorSelectedProvider, guardianPolicies, hooks, logStreams, migrations, organizations, pages, prompts, resourceServers, roles, rules, rulesConfigs, tenant, triggers.

The following example shows how you could exclude clients, connections, databases, and organizations from being managed by the Deploy CLI.

{
  "AUTH0_DOMAIN": "example-site.us.auth0.com",
  "AUTH0_CLIENT_ID": "<YOUR_AUTH0_CLIENT_ID>",
  "AUTH0_EXCLUDED": ["clients", "connections", "databases", "organizations"]
}

Some resource types support exclusions of the individual resource by ID. This is useful if you work in a multi-environment context and wish to omit a production-specific resource from your lower-level environments.

This method is supported for rules, clients, databases, connections and resource servers with the AUTH0_EXCLUDED_RULES, AUTH0_EXCLUDED_CLIENTS, AUTH0_EXCLUDED_DATABASES, AUTH0_EXCLUDED_CONNECTIONS, AUTH0_EXCLUDED_RESOURCE_SERVERS configuration values respectively.

{
  "AUTH0_DOMAIN": "example-site.us.auth0.com",
  "AUTH0_CLIENT_ID": "<YOUR_AUTH0_CLIENT_ID>",
  "AUTH0_EXCLUDED_CLIENTS": ["PdmQpGy72sHksV6ueVNZVrV4GDlDDm76"],
  "AUTH0_EXCLUDED_CONNECTIONS": ["con_O1H3KyRMFP1IWRq3", "con_9avEYuj19ihqKBOs"]
}

In addition to excluding resources, which forcefully ignore configurations bi-directionally, the Auth0 Deploy  CLI supports two similar concepts: omission and empty states.

Resource configuration that is absent, either intentionally or unintentionally, will be skipped during import. For example, if your resource configuration were deleted, it would be skipped during import and would not alter the state of the remote tenant.

There is no concept of omission for exporting. Unless specifically excluded, all your tenant configurations will be written to resource configuration files.

roles: # roles configuration is not omitted
  - name: Admin
    description: Can read and write things
    permissions: []
  - name: Reader
    description: Can only read things
    permissions: []
# The omission of all other configurations means they'll be skipped over

Resource configuration that is explicitly defined as empty. For set-based configurations like hooks, organizations, and actions, setting these configurations to an empty set expresses an intentional emptying of those resources. This would signal a deletion, so long as the AUTH0_ALLOW_DELETE deletion configuration property is enabled. For non-set-based resource configuration like tenant and branding, the concept of emptiness does not apply, and will not trigger any deletions or removals.

hooks: [] # Empty hooks
connections: [] # Empty connections
tenant: {} # Effectively a no-op, emptiness does not apply to non-set resource config