diff --git a/openfaas/provider.go b/openfaas/provider.go
index 19fcbe5..1b42729 100644
--- a/openfaas/provider.go
+++ b/openfaas/provider.go
@@ -2,13 +2,14 @@ package openfaas
 
 import (
 	"crypto/tls"
-	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
-	"github.com/hashicorp/terraform-plugin-sdk/terraform"
 	"log"
 	"net"
 	"net/http"
 	"time"
 
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+
 	"github.com/openfaas/faas-cli/config"
 	"github.com/openfaas/faas-cli/proxy"
 )
@@ -65,7 +66,9 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	log.Printf("[DEBUG] configuring provider")
 
 	gatewayURI := d.Get("uri").(string)
-	auth := newCLIAuth("", gatewayURI)
+	username := d.Get("user_name").(string)
+	password := d.Get("password").(string)
+	auth := newAuthChain(username, password, "", gatewayURI)
 	insecure := d.Get("tls_insecure").(bool)
 	transport := GetDefaultCLITransport(insecure, &defaultTimeout)
 	client := proxy.NewClient(auth, gatewayURI, transport, &defaultTimeout)
@@ -77,6 +80,21 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	return providerConfig, nil
 }
 
+func newAuthChain(username, password, token, gateway string) proxy.ClientAuth {
+	if username != "" && password != "" {
+		log.Print("[DEBUG] configuring basic-auth authentication from Terraform provider credentials")
+
+		return &BasicAuth{
+			username: username,
+			password: password,
+		}
+	}
+
+	log.Print("[DEBUG] empty Terraform provider credentials - falling back to OpenFaaS configuration file")
+	return newCLIAuth(token, gateway)
+
+}
+
 func newCLIAuth(token string, gateway string) proxy.ClientAuth {
 	authConfig, _ := config.LookupAuthConfig(gateway)
 
@@ -87,6 +105,7 @@ func newCLIAuth(token string, gateway string) proxy.ClientAuth {
 	)
 
 	if authConfig.Auth == config.BasicAuthType {
+		log.Printf("[DEBUG] configuring basic-auth authentication")
 		username, password, _ = config.DecodeAuth(authConfig.Token)
 
 		return &BasicAuth{
@@ -97,6 +116,7 @@ func newCLIAuth(token string, gateway string) proxy.ClientAuth {
 	}
 
 	// User specified token gets priority
+	log.Printf("[DEBUG] configuring token authentication")
 	if len(token) > 0 {
 		bearerToken = token
 	} else {
diff --git a/openfaas/resource_openfaas_function.go b/openfaas/resource_openfaas_function.go
index e57b136..6b0cb50 100644
--- a/openfaas/resource_openfaas_function.go
+++ b/openfaas/resource_openfaas_function.go
@@ -168,9 +168,10 @@ func isFunctionNotFound(err error) bool {
 var whiteListLabels = map[string]string{
 	"labels.com.openfaas.function": "",
 	"labels.function":              "",
+	"labels.uid":                   "",
 }
 
-const extraProviderLabelsCount = 2
+const extraProviderLabelsCount = 3
 
 func labelsDiffFunc(k, old, new string, d *schema.ResourceData) bool {
 	if _, ok := whiteListLabels[k]; ok {
diff --git a/openfaas/structure.go b/openfaas/structure.go
index 88ab8f8..07c148b 100644
--- a/openfaas/structure.go
+++ b/openfaas/structure.go
@@ -11,6 +11,7 @@ func expandDeploymentSpec(d *schema.ResourceData, name string) *proxy.DeployFunc
 	deploySpec := &proxy.DeployFunctionSpec{
 		FunctionName: name,
 		Image:        d.Get("image").(string),
+		Update:       true,
 	}
 
 	if v, ok := d.GetOk("network"); ok {