/terraform-auth0-modules

Terraform modules from DasMeta to manage auth0 setup

Primary LanguageHCL

terraform-auth0-modules

This module allow you to create and manage clients, resource servers(api), client grants, connections, email providers and rules and roles, tenants as part of a Terraform deployment.

Example

[Auth0 multi resources create] (https://github.com/dasmeta/terraform-auth0-modules/tree/main/examples)

Using credentials from clients in actions

If you need the credentials from one of the managed clients for one of your actions you can refer to them like this:

actions = {
      "test" = {
        code   = file("${path.module}/actions-code/test.js")
        name   = "test"
        deploy = false
        client_secrets = [
          {
            name   = "CLIENT_ID"
            client = "Frontend (Test)"
            output = "client_id"
          }
        ]
      }
    }

...

clients = {
  "Frontend (Test)" = {
    name     = "Frontend (Test)"
    app_type = "non_interactive"
  },

...

name is the name of the secret which will be created. client is the name of the client which is already managed by this module. output is the name of the output field of the client. The value of the secret is read from this output.

Requirements

Name Version
terraform ~> 1.5.6
auth0 ~> 1.0.0

Providers

Name Version
auth0 ~> 1.0.0

Modules

Name Source Version
action ./modules/auth0-action n/a
auth0-auth-db ./modules/auth0-auth-db n/a
auth0-email ./modules/auth0-email n/a
auth0-goa ./modules/auth0-auth-google n/a
auth0-guardian ./modules/auth0-guardian n/a
auth0-org ./modules/auth0-org n/a
auth0-tenant ./modules/auth0-tenant n/a
auth0_api ./modules/auth0-api n/a
auth0_client ./modules/auth0-client n/a
auth0_role ./modules/auth0-role n/a
auth0_users ./modules/auth0-user/ n/a

Resources

Name Type
auth0_client_grant.my_client_grant resource
auth0_prompt.my_prompt resource
auth0_trigger_actions.trigger_binding resource

Inputs

Name Description Type Default Required
actions Actions are secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. Actions are used to customize and extend Auth0's capabilities with custom logic. 
list(object({
    name    = string
    code    = string
    runtime = optional(string, "node16")
    supported_triggers = optional(any, {
      id      = "post-change-password"
      version = "v2"
    })
    dependencies = optional(list(any), [])
    deploy       = optional(bool, false)
    client_secrets = optional(list(object({
      name   = string
      client = string
      output = string
    })), [])
    secrets = optional(list(object({
      name  = string
      value = string
    })), [])
  }))
 [] no
apis With this resource, you can set up APIs that can be consumed from your authorized applications. 
list(object({
    name                                            = string
    scopes                                          = list(any)
    identifier                                      = string
    enforce_policies                                = optional(bool, true)
    signing_alg                                     = optional(string, "RS256")
    skip_consent_for_verifiable_first_party_clients = optional(bool, true)
    token_lifetime                                  = optional(number, 86400)
    token_lifetime_for_web                          = optional(number, 7200)
    token_dialect                                   = optional(string, null)
    allow_offline_access                            = optional(bool, false)
  }))
 [] no
client-id Auth0 client id string n/a yes
client-secret Auth0 client secret string n/a yes
client_grants Auth0 uses various grant types, or methods by which you grant limited access to your resources to another entity without exposing credentials. any [] no
clients With this resource, you can set up applications that use Auth0 for authentication and configure allowed callback URLs and secrets for these applications. 
list(object({

    name                          = string
    app_type                      = string
    cross_origin_auth             = optional(bool, false)
    allowed_logout_urls           = optional(list(string), [])
    allowed_origins               = optional(list(string), [])
    callbacks                     = optional(list(string), [])
    web_origins                   = optional(list(string), [])
    organization_usage            = optional(string, null)
    organization_require_behavior = optional(string, null)
    custom_login_page_on          = optional(bool, false)
    custom_login_page             = optional(string, " ")
    token_endpoint_auth_method    = optional(string, "none")
    grant_types                   = optional(list(string), ["client_credentials"])
    token_endpoint_auth_method    = optional(string, "client_secret_post")
    logo_uri                      = optional(string, null)
    sso                           = optional(bool, false)
    jwt_configuration = optional(any, {
      alg                 = "RS256"
      lifetime_in_seconds = "36000"
      secret_encoded      = "false"
    })
    refresh_token = optional(any, {
      expiration_type              = "non-expiring"
      idle_token_lifetime          = "2592000"
      infinite_idle_token_lifetime = "true"
      infinite_token_lifetime      = "true"
      leeway                       = "0"
      rotation_type                = "non-rotating"
      token_lifetime               = "31557600"
    })
  }))
 [] no
db_connections With Auth0, you can define sources of users, otherwise known as connections, which may include identity providers database authentication methods. 
list(object({
    name                           = string
    password_policy                = optional(string, "good")
    password_history               = optional(any, { enable = true, size = 3 })
    password_no_personal_info      = optional(bool, true)
    password_dictionary            = optional(any, { enable = true, dictionary = [] })
    brute_force_protection         = optional(bool, true)
    custom_scripts                 = optional(any, {})
    enabled_database_customization = optional(bool, false)
    custom_scripts_configuration   = optional(any, {})
  }))
 [] no
domain Auth0 domain string n/a yes
emails With Auth0, you can have standard welcome, password reset, and account verification email-based workflows built right into Auth0. 
list(object({
    name                 = string
    default_from_address = string
    access_key_id        = optional(string, null)
    secret_access_key    = optional(string, null)
    region               = optional(string, null)
    api_key              = optional(string, null)
    email_template       = optional(any, {})
  }))
 [] no
google With Auth0, you can define sources of users, otherwise known as connections, which may include identity provider Google authentication methods. any [] no
mfa Multi-Factor Authentication works by requiring additional factors during the login process to prevent unauthorized access. 
list(object({
    policy           = optional(string, "all-applications")
    email            = optional(bool, false)
    otp              = optional(bool, false)
    recovery_code    = optional(bool, false)
    webauthn_roaming = optional(list(any), [])
    phone            = optional(list(any), [])
    push             = optional(list(any), [])
    duo              = optional(list(any), [])
  }))
 [] no
orgs The Organizations feature represents a broad update to the Auth0 platform that allows our business-to-business (B2B) customers to better manage their partners and customer 
list(object({
    name         = string
    display_name = string

    branding    = optional(list(any), [])
    connections = optional(list(any), [])
  }))
 [] no
prompts With this resource, you can manage your Auth0 prompts, including choosing the login experience version. any [] no
roles With this resource, you can create and manage collections of permissions that can be assigned to users, which are otherwise known as roles. list(any) 
[
  {
    "description": "Administrator role",
    "name": "Administrator",
    "permissions": []
  }
]
 no
tenant With this resource, you can manage Auth0 tenants 
list(object({
    friendly_name           = string
    allowed_logout_urls     = optional(list(string), [])
    default_audience        = optional(string, null)
    picture_url             = optional(string, null)
    enabled_locales         = optional(list(string), null)
    change_password         = optional(list(any), [])
    guardian_mfa_page       = optional(list(any), [])
    default_redirection_uri = string
    sandbox_version         = string
    error_page              = optional(list(any), [])
    default_directory       = optional(string, null)
    support_email           = optional(string, null)
    support_url             = optional(string, null)
    session_lifetime        = optional(number, 168)
    idle_session_lifetime   = optional(number, 72)
    session_cookie          = optional(string, "persistent")
    universal_login         = optional(any, [])
    flags = optional(any, {
      allow_legacy_delegation_grant_types    = "false"
      allow_legacy_ro_grant_types            = "false"
      allow_legacy_tokeninfo_endpoint        = "false"
      dashboard_insights_view                = "false"
      dashboard_log_streams_next             = "false"
      disable_clickjack_protection_headers   = "false"
      disable_fields_map_fix                 = "false"
      disable_management_api_sms_obfuscation = "false"
      enable_adfs_waad_email_verification    = "false"
      enable_apis_section                    = "false"
      enable_client_connections              = "false"
      enable_custom_domain_in_emails         = "false"
      enable_dynamic_client_registration     = "false"
      enable_idtoken_api2                    = "false"
      enable_legacy_logs_search_v2           = "false"
      enable_legacy_profile                  = "false"
      enable_pipeline2                       = "false"
      enable_public_signup_user_exists_error = "false"
      no_disclose_enterprise_connections     = "false"
      revoke_refresh_token_grant             = "false"
      universal_login                        = "true"
      use_scope_descriptions_for_consent     = "false"
    })

  }))
 [] no
users n/a 
list(object({
    name     = string
    email    = string
    roles    = list(string)
    password = string
  }))
 [] no

Outputs

Name Description
client_credentials Client credentials for each client created.