auth0-deploy-cli 7.12.3 → 7.14.0

package/docs/multi-environment-workflow.md

@@ -0,0 +1,98 @@
+# Incorporating Into Multi-environment Workflows
+
+The Deploy CLI supports working within a multi-tenant, multi-environment context. When integrated into your CI/CD development workflows, can be used to propagate Auth0 changes from feature development all the way through production.
+
+In general, the advised workflow is as follows:
+
+- Create a separate Auth0 tenant for each environment (ex: dev, staging, prod)
+- Create a single repository of resource configuration files for all environments
+- Add a step in your CI/CD pipeline when deploying to environments that applies the Auth0 resource configurations to the appropriate Auth0 tenant
+
+## Tenant to Environment
+
+It is recommended to have a separate Auth0 tenant/account for each environment you have. For example:
+
+| Environment | Tenant        |
+| ----------- | ------------- |
+| Development | travel0-dev   |
+| Testing     | travel0-uat   |
+| Staging     | travel0-stage |
+| Production  | travel0-prod  |
+
+## Resource configuration repository
+
+When exported, your Auth0 tenant state will be represented as a set of resource configuration files, either in a [YAML or JSON format](./available-resource-config-formats.md). In a multi-environment context it is expected to have a single repository of resource configurations that is applied to all environments. In practice, this may exist as a directory in your project’s codebase or in a separate codebase altogether.
+
+You should have at least one branch for each tenant in your repository, which allows you to make changes without deploying them (the changes would only deploy when you merged your branch into the master, or primary, branch). With this setup, you can have a continuous integration task for each environment that automatically deploys changes to the targeted environment whenever the master branch receives updates.
+
+Your workflow could potentially look something like this:
+
+1. Make changes to development.
+2. Merge changes to testing (or `uat`).
+3. Test changes to `uat`. When ready, move and merge the changes to `staging`.
+4. Test `staging`. When ready, move and merge the changes to `production`.
+
+You may want to set your production environment to deploy only when triggered manually.
+
+## Uni-directional Flow
+
+The multi-environment workflow works best when changes are propagated “up” in a single direction. Changes to the resource configuration files should first be applied to the lowest level environment (ex: dev) and then incrementally applied up through all other environments until applied to production. This uni-directional practice ensures sufficient testing and approval for changes to your tenant. Once set, it is recommended to not apply configurations directly to production through other means such as the Auth0 Dashboard or Management API unless those changes are captured by a subsequent Deploy CLI export. Otherwise, those changes are subject to overwrite.
+
+## Environment-specific values
+
+While it is expected that all environments will share the same set of resource configuration files, environment-specific values can be expressed through separate tool configuration files and dynamic [keyword replacement](keyword-replacement.md).
+
+### Separate Config Files
+
+Specifying a separate tool configuration file per environment can be used to keep the resource configuration files agnostic of environment but still cater for the needs of each environment. At a minimum, you will need to provide separate credentials for each environment, but it is also possible to exclude certain resources, enable deletion and perform dynamic keyword replacement on a per-environment basis.
+
+### Example file structure
+
+```
+project-root
+│
+└───auth0
+│   │   config-dev.json   # Dev env config file
+│   │   config-test.json  # Test env config file
+│   │   config-prod.json  # Prod env config file
+│   │   ... all other resource configuration files
+│
+└───src
+    │   ... your project code
+```
+
+### Dynamic Values via Keyword Replacement
+
+Once separate configurations files are adopted for each environment, keyword replacement via the `AUTH0_KEYWORD_REPLACE_MAPPINGS` configuration property can be used to express the dynamic replacement values depending on the environment. For example, you may find it necessary to have a separate set of allowed origins for your clients (see below). To learn more, see [Keyword Replacement](keyword-replacement.md).
+
+#### Example `config-dev.json`
+
+```json
+{
+  "AUTH0_DOMAIN": "travel0-dev.us.auth0.com",
+  "AUTH0_CLIENT_ID": "PdwQpGy62sHcsV6ufZNEVrV4GDlDhm74",
+  "AUTH0_ALLOW_DELETE": true,
+  "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
+    "ENV": "dev",
+    "ALLOWED_ORIGINS": ["http://localhost:3000", "http://dev.travel0.com"]
+  }
+}
+```
+
+#### Example `config-prod.json`
+
+```json
+{
+  "AUTH0_DOMAIN": "travel0.us.auth0.com",
+  "AUTH0_CLIENT_ID": "vZCEFsDYzXc1x9IomB8dF185e4cdVah5",
+  "AUTH0_ALLOW_DELETE": false,
+  "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
+    "ENV": "prod",
+    "ALLOWED_ORIGINS": ["http://travel0.com"]
+  }
+}
+```
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/terraform-provider.md

@@ -0,0 +1,20 @@
+# Auth0 Terraform Provider
+
+The Deploy CLI is not the only tool available for managing your Auth0 tenant configuration, there is also an [officially supported Terraform Provider](https://github.com/auth0/terraform-provider-auth0). [Terraform](https://terraform.io/) is a third-party tool for representing your cloud resources’s configurations as code. It has an established plug-in framework that supports a wide array of cloud providers, including Auth0.
+
+Both the Deploy CLI and Terraform Provider exist to help you manage your Auth0 tenant configurations, but each has their own set of pros and cons.
+
+You may want to consider the Auth0 Terraform Provider if:
+
+- Your development workflows already leverages Terraform
+- Your tenant management needs are granular or only pertain to a few specific resources
+
+You may **not** want to consider the Auth0 Terraform Provider if:
+
+- Your development workflow does not use Terraform, requiring extra setup upfront
+- Your development workflows are primarily concerned with managing your tenants in bulk
+- Your tenant has lots of existing resources, may require significant effort to “import”
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/using-as-cli.md

@@ -0,0 +1,89 @@
+# Using as a CLI
+
+The Deploy CLI can be used as a standalone command line utility. Doing so provides a simple way to manage your Auth0 tenant configuration in CI/CD workflows.
+
+## `export` command
+
+Fetching configurations from Auth0 tenant to the local machine.
+
+### `--output_folder`, `-o`
+
+Path. Specifies the target directory for configuration files to be written to.
+
+### `--config_file`, `-c`
+
+Path. Specifies the user-defined configuration file (`config.json`). Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+### `--format`, `-f`
+
+Options: yaml or directory. Determines the file format of the exported resource configuration files. See: [Available Resource Config Formats](available-resource-config-formats).
+
+### `--export_ids`, `-e`
+
+Boolean. When enabled, will export the identifier fields for each resource. Default: `false`.
+
+### `--env`
+
+Boolean. Indicates if the tool should ingest environment variables or not. Default: `true`.
+
+### `--debug`
+
+Boolean. Enables more verbose error logging; useful during troubleshooting. Default: `false`.
+
+### `--proxy_url`, `-p`
+
+A url for proxying requests. Only set this if you are behind a proxy.
+
+### Examples
+
+```shell
+# Fetching Auth0 tenant configuration in the YAML format
+a0deploy export -c=config.json --format=yaml --output_folder=local
+
+# Fetching Auth0 tenant configuration in directory (JSON) format
+a0deploy export -c=config.json --format=directory --output_folder=local
+
+# Fetching Auth0 tenant configurations with IDs of all assets
+a0deploy export -c=config.json --format=yaml --output_folder=local --export_ids=true
+```
+
+## `import` command
+
+Applying configurations from local machine to Auth0 tenant.
+
+### `--input_file`, `-i`
+
+Path. Specifies the location of the resource configuration files. For YAML formats, this will point to the `tenant.yaml` file, for directory formats, this will point to the resource configuration directory.
+
+### `--config_file`, `-c`
+
+Path. Specifies the user-defined configuration file (config.json). Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+### `--env`
+
+Boolean. Indicates if the tool should ingest environment variables or not. Default: `true`.
+
+### `--proxy_url`, `-p`
+
+A url for proxying requests. Only set this if you are behind a proxy.
+
+### `--debug`
+
+Boolean. Enables more verbose error logging; useful during troubleshooting. Default: `false`.
+
+### Examples
+
+```shell
+# Deploying configuration for YAML formats
+a0deploy import -c=config.json --input_file=local/tenant.yaml
+
+# Deploying configuration for directory format
+a0deploy import -c=config.json --input_file=local
+
+# Deploying configuration with environment variables ignored
+a0deploy import -c=config.json --input_file=local/tenant.yaml --env=false
+```
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/using-as-node-module.md

@@ -0,0 +1,114 @@
+# Using as a Node Module
+
+The Deploy CLI can not only be used as a standalone CLI, but as a node module. Doing so allows you to manage Auth0 resources within expressive node scripts.
+
+## `dump` function
+
+Fetches configurations from Auth0 tenant to the local machine.
+
+### Example
+
+```ts
+import { dump } from 'auth0-deploy-cli';
+
+dump({
+  output_folder: './local',
+  format: 'yaml',
+  config: {
+    AUTH0_DOMAIN: '<YOUR_AUTH0_TENANT_DOMAIN>',
+    AUTH0_CLIENT_ID: '<YOUR_AUTH0_CLIENT_ID>',
+    AUTH0_CLIENT_SECRET: '<YOUR_AUTH0_CLIENT_SECRET>',
+  },
+})
+  .then(() => {
+    console.log('Auth0 configuration export successful');
+  })
+  .catch((err) => {
+    console.log('Error during Auth0 configuration export:', err);
+  });
+```
+
+## Argument parameters
+
+#### `format`
+
+Options: `yaml` or `directory`. Determines the file format of the exported resource configuration files. See: [Available Resource Configuration Formats](available-resource-config-formats).
+
+#### `output_folder`
+
+Path. Specifies the target directory for configuration files to be written to.
+
+#### `config`
+
+Object. Configures behavior of utility. Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+#### `config_file`
+
+Path. Specifies the user-defined configuration file (config.json). Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+#### `export_ids`
+
+Boolean: When enabled, will export the identifier fields for each resource. Default: false.
+
+#### `env`
+
+Boolean. Indicates if the tool should ingest environment variables or not. Default: `false`.
+
+#### `proxy_url`
+
+A url for proxying requests. Only set this if you are behind a proxy.
+
+## `deploy` function
+
+Applies configurations from local machine to Auth0 tenant.
+
+### Argument parameters
+
+#### `input_file`
+
+Path. Specifies the location of the resource configuration files. For YAML formats, this will point to the tenant.yaml file. For directory formats, this will point to the resource configuration directory.
+
+#### `config`
+
+Object. Configures behavior of utility. Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+#### `config_file`
+
+Path. Specifies the user-defined configuration file (config.json). Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+#### `export_ids`
+
+Boolean: When enabled, will export the identifier fields for each resource. Default: `false`.
+
+#### `env`
+
+Boolean. Indicates if the tool should ingest environment variables or not. Default: `false`.
+
+#### `proxy_url`
+
+A url for proxying requests. Only set this if you are behind a proxy.
+
+### Example
+
+```ts
+import { deploy } from 'auth0-deploy-cli';
+
+deploy({
+  input_file: './local/tenant.yaml',
+  config: {
+    AUTH0_DOMAIN: '<YOUR_AUTH0_TENANT_DOMAIN>',
+    AUTH0_CLIENT_ID: '<YOUR_AUTH0_CLIENT_ID>',
+    AUTH0_CLIENT_SECRET: '<YOUR_AUTH0_CLIENT_SECRET>',
+  },
+})
+  .then(() => {
+    console.log('Auth0 configuration applied to tenant successful');
+  })
+  .catch((err) => {
+    console.log('Error when applying configuration to Auth0 tenant:', err);
+  });
+```
+
+---
+
+[[table of contents]](../README.md#documentation)

package/lib/commands/import.d.ts

@@ -1,2 +1,4 @@
 import { ImportParams } from '../args';
+import { Assets } from '../types';
 export default function importCMD(params: ImportParams): Promise<void>;
+export declare const findUnreplacedKeywords: (assets: Assets) => void;

package/lib/commands/import.js

@@ -12,6 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.findUnreplacedKeywords = void 0;
 const nconf_1 = __importDefault(require("nconf"));
 const configFactory_1 = require("../configFactory");
 const tools_1 = require("../tools");
@@ -40,9 +41,43 @@ function importCMD(params) {
         yield context.load();
         const config = (0, configFactory_1.configFactory)();
         config.setProvider((key) => nconf_1.default.get(key));
-        //@ts-ignore because context and assets still need to be typed TODO: type assets and type context
+        (0, exports.findUnreplacedKeywords)(context.assets);
         yield (0, tools_1.deploy)(context.assets, context.mgmtClient, config);
         logger_1.default.info('Import Successful');
     });
 }
 exports.default = importCMD;
+const findUnreplacedKeywords = (assets) => {
+    const recursiveFindUnreplacedKeywords = (target) => {
+        let unreplaced = [];
+        if (target === undefined || target === null)
+            return [];
+        if (Array.isArray(target)) {
+            target.forEach((child) => {
+                unreplaced.push(...recursiveFindUnreplacedKeywords(child));
+            });
+        }
+        else if (typeof target === 'object') {
+            Object.values(target).forEach((child) => {
+                unreplaced.push(...recursiveFindUnreplacedKeywords(child));
+            });
+        }
+        if (typeof target === 'string') {
+            const arrayMatches = target.match(/(?<=@@).*(?=@@)/g);
+            if (arrayMatches !== null) {
+                return arrayMatches;
+            }
+            const keywordMatches = target.match(/(?<=##).*(?=##)/g);
+            if (keywordMatches !== null) {
+                return keywordMatches;
+            }
+        }
+        return unreplaced;
+    };
+    const unreplacedKeywords = recursiveFindUnreplacedKeywords(assets);
+    if (unreplacedKeywords.length > 0) {
+        throw `Unreplaced keywords found: ${unreplacedKeywords.join(', ')}. Either correct these values or add to AUTH0_KEYWORD_REPLACE_MAPPINGS configuration.`;
+    }
+    return;
+};
+exports.findUnreplacedKeywords = findUnreplacedKeywords;

package/lib/context/directory/handlers/index.js

@@ -31,6 +31,7 @@ const branding_1 = __importDefault(require("./branding"));
 const logStreams_1 = __importDefault(require("./logStreams"));
 const prompts_1 = __importDefault(require("./prompts"));
 const customDomains_1 = __importDefault(require("./customDomains"));
+const themes_1 = __importDefault(require("./themes"));
 const directoryHandlers = {
     rules: rules_1.default,
     rulesConfigs: rulesConfigs_1.default,
@@ -60,5 +61,6 @@ const directoryHandlers = {
     logStreams: logStreams_1.default,
     prompts: prompts_1.default,
     customDomains: customDomains_1.default,
+    themes: themes_1.default,
 };
 exports.default = directoryHandlers;

package/lib/context/directory/handlers/themes.d.ts

@@ -0,0 +1,6 @@
+import { DirectoryHandler } from '.';
+import { ParsedAsset } from '../../../types';
+import { Theme } from '../../../tools/auth0/handlers/themes';
+declare type ParsedThemes = ParsedAsset<'themes', Theme[]>;
+declare const themesHandler: DirectoryHandler<ParsedThemes>;
+export default themesHandler;

package/lib/context/directory/handlers/themes.js

@@ -0,0 +1,48 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const path_1 = __importDefault(require("path"));
+const fs_extra_1 = require("fs-extra");
+const utils_1 = require("../../../utils");
+const tools_1 = require("../../../tools");
+function parse(context) {
+    const baseFolder = path_1.default.join(context.filePath, tools_1.constants.THEMES_DIRECTORY);
+    if (!(0, utils_1.existsMustBeDir)(baseFolder)) {
+        return { themes: null };
+    }
+    const themeDefinitionsFiles = (0, utils_1.getFiles)(baseFolder, ['.json']);
+    if (!themeDefinitionsFiles.length) {
+        return { themes: [] };
+    }
+    const themes = themeDefinitionsFiles.map((themeDefinitionsFile) => (0, utils_1.loadJSON)(themeDefinitionsFile, context.mappings));
+    return { themes };
+}
+function dump(context) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { themes } = context.assets;
+        if (!themes) {
+            return;
+        }
+        const baseFolder = path_1.default.join(context.filePath, tools_1.constants.THEMES_DIRECTORY);
+        (0, fs_extra_1.ensureDirSync)(baseFolder);
+        themes.forEach((themeDefinition, i) => {
+            (0, utils_1.dumpJSON)(path_1.default.join(baseFolder, `theme${i ? i : ''}.json`), themeDefinition);
+        });
+    });
+}
+const themesHandler = {
+    parse,
+    dump,
+};
+exports.default = themesHandler;

package/lib/context/yaml/handlers/index.js

@@ -31,6 +31,7 @@ const branding_1 = __importDefault(require("./branding"));
 const logStreams_1 = __importDefault(require("./logStreams"));
 const prompts_1 = __importDefault(require("./prompts"));
 const customDomains_1 = __importDefault(require("./customDomains"));
+const themes_1 = __importDefault(require("./themes"));
 const yamlHandlers = {
     rules: rules_1.default,
     hooks: hooks_1.default,
@@ -60,5 +61,6 @@ const yamlHandlers = {
     logStreams: logStreams_1.default,
     prompts: prompts_1.default,
     customDomains: customDomains_1.default,
+    themes: themes_1.default,
 };
 exports.default = yamlHandlers;

package/lib/context/yaml/handlers/pages.js

@@ -44,7 +44,7 @@ function dump(context) {
             // Dump html to file
             const htmlFile = path_1.default.join(pagesFolder, `${page.name}.html`);
             logger_1.default.info(`Writing ${htmlFile}`);
-            fs_extra_1.default.writeFileSync(htmlFile, page.html);
+            fs_extra_1.default.writeFileSync(htmlFile, page.html || '');
             return Object.assign(Object.assign({}, page), { html: `./pages/${page.name}.html` });
         });
         return { pages };

package/lib/context/yaml/handlers/themes.d.ts

@@ -0,0 +1,6 @@
+import { YAMLHandler } from '.';
+import { ParsedAsset } from '../../../types';
+import { Theme } from '../../../tools/auth0/handlers/themes';
+declare type ParsedThemes = ParsedAsset<'themes', Theme[]>;
+declare const themesHandler: YAMLHandler<ParsedThemes>;
+export default themesHandler;

package/lib/context/yaml/handlers/themes.js

@@ -0,0 +1,26 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+function parseAndDump(context) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { themes } = context.assets;
+        if (!themes)
+            return { themes: null };
+        return {
+            themes,
+        };
+    });
+}
+const themesHandler = {
+    parse: parseAndDump,
+    dump: parseAndDump,
+};
+exports.default = themesHandler;

package/lib/index.d.ts

@@ -79,6 +79,7 @@ declare const _default: {
             LOG_STREAMS_DIRECTORY: string;
             PROMPTS_DIRECTORY: string;
             CUSTOM_DOMAINS_DIRECTORY: string;
+            THEMES_DIRECTORY: string;
         };
         deploy: typeof import("./tools").deploy;
         keywordReplace: typeof import("./tools").keywordReplace;

package/lib/tools/auth0/handlers/index.d.ts

@@ -55,6 +55,11 @@ declare const _default: {
         excludeSchema?: any;
         schema: any;
     };
+    themes: {
+        default: typeof APIHandler;
+        excludeSchema?: any;
+        schema: any;
+    };
     attackProtection: {
         default: typeof APIHandler;
         excludeSchema?: any;

package/lib/tools/auth0/handlers/index.js

@@ -52,6 +52,7 @@ const organizations = __importStar(require("./organizations"));
 const attackProtection = __importStar(require("./attackProtection"));
 const logStreams = __importStar(require("./logStreams"));
 const customDomains = __importStar(require("./customDomains"));
+const themes = __importStar(require("./themes"));
 const auth0ApiHandlers = {
     rules,
     rulesConfigs,
@@ -82,5 +83,6 @@ const auth0ApiHandlers = {
     attackProtection,
     logStreams,
     customDomains,
+    themes,
 };
 exports.default = auth0ApiHandlers; // TODO: apply stronger types to schema properties

package/lib/tools/auth0/handlers/prompts.js

@@ -164,7 +164,8 @@ class PromptsHandler extends default_1.default {
             const supportedLanguages = yield this.client.tenant
                 .getSettings()
                 .then(({ enabled_locales }) => enabled_locales);
-            const data = yield Promise.all(supportedLanguages.flatMap((language) => {
+            const data = yield Promise.all(supportedLanguages
+                .map((language) => {
                 return promptTypes.map((promptType) => {
                     return this.client.prompts
                         .getCustomTextByLanguage({
@@ -180,7 +181,9 @@ class PromptsHandler extends default_1.default {
                         };
                     });
                 });
-            })).then((customTextData) => {
+            })
+                .reduce((acc, val) => acc.concat(val), []) // TODO: replace .map().reduce() with .flatMap() once we officially eliminate Node v10 support
+            ).then((customTextData) => {
                 return customTextData
                     .filter((customTextData) => {
                     return customTextData !== null;

package/lib/tools/auth0/handlers/tenant.d.ts

@@ -1,11 +1,22 @@
 import DefaultHandler from './default';
-import { Asset, Assets } from '../../../types';
+import { Asset, Assets, Language } from '../../../types';
 export declare const schema: {
     type: string;
 };
+export declare type Tenant = Asset & {
+    enabled_locales: Language[];
+    flags: {
+        [key: string]: boolean;
+    };
+};
 export default class TenantHandler extends DefaultHandler {
+    existing: Tenant;
     constructor(options: DefaultHandler);
     getType(): Promise<Asset>;
     validate(assets: Assets): Promise<void>;
     processChanges(assets: Assets): Promise<void>;
 }
+export declare const sanitizeMigrationFlags: ({ existingFlags, proposedFlags, }: {
+    existingFlags: Tenant['flags'];
+    proposedFlags: Tenant['flags'];
+}) => Tenant['flags'];

package/lib/tools/auth0/handlers/tenant.js

@@ -41,7 +41,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.schema = void 0;
+exports.sanitizeMigrationFlags = exports.schema = void 0;
 const validationError_1 = __importDefault(require("../../validationError"));
 const default_1 = __importStar(require("./default"));
 const pages_1 = require("./pages");
@@ -61,6 +61,7 @@ class TenantHandler extends default_1.default {
     getType() {
         return __awaiter(this, void 0, void 0, function* () {
             const tenant = yield this.client.tenant.getSettings();
+            this.existing = tenant;
             blockPageKeys.forEach((key) => {
                 if (tenant[key])
                     delete tenant[key];
@@ -84,10 +85,18 @@ class TenantHandler extends default_1.default {
     processChanges(assets) {
         return __awaiter(this, void 0, void 0, function* () {
             const { tenant } = assets;
-            if (tenant && Object.keys(tenant).length > 0) {
-                yield this.client.tenant.updateSettings(tenant);
+            // Do nothing if not set
+            if (!tenant)
+                return;
+            const existingTenant = this.existing || (yield this.getType());
+            const updatedTenant = Object.assign(Object.assign({}, tenant), { flags: (0, exports.sanitizeMigrationFlags)({
+                    existingFlags: existingTenant.flags,
+                    proposedFlags: tenant.flags,
+                }) });
+            if (updatedTenant && Object.keys(updatedTenant).length > 0) {
+                yield this.client.tenant.updateSettings(updatedTenant);
                 this.updated += 1;
-                this.didUpdate(tenant);
+                this.didUpdate(updatedTenant);
             }
         });
     }
@@ -96,3 +105,29 @@ __decorate([
     (0, default_1.order)('100')
 ], TenantHandler.prototype, "processChanges", null);
 exports.default = TenantHandler;
+const sanitizeMigrationFlags = ({ existingFlags = {}, proposedFlags = {}, }) => {
+    /*
+    Tenants can only update migration flags that are already configured.
+    If moving configuration from one tenant to another, there may be instances
+    where different migration flags exist and cause an error on update. This
+    function removes any migration flags that aren't already present on the target
+    tenant. See: https://github.com/auth0/auth0-deploy-cli/issues/374
+    */
+    const tenantMigrationFlags = [
+        'disable_clickjack_protection_headers',
+        'enable_mgmt_api_v1',
+        'trust_azure_adfs_email_verified_connection_property',
+        'include_email_in_reset_pwd_redirect',
+        'include_email_in_verify_email_redirect',
+    ];
+    return Object.keys(proposedFlags).reduce((acc, proposedKey) => {
+        const isMigrationFlag = tenantMigrationFlags.includes(proposedKey);
+        if (!isMigrationFlag)
+            return Object.assign(Object.assign({}, acc), { [proposedKey]: proposedFlags[proposedKey] });
+        const keyCurrentlyExists = existingFlags[proposedKey] !== undefined;
+        if (keyCurrentlyExists)
+            return Object.assign(Object.assign({}, acc), { [proposedKey]: proposedFlags[proposedKey] });
+        return acc;
+    }, {});
+};
+exports.sanitizeMigrationFlags = sanitizeMigrationFlags;