/terraform-auth0-modules

Terraform modules from DasMeta to manage auth0 setup

Primary LanguageHCL

terraform-auth0-modules

This module lets you create and manage clients, resource servers (APIs), client grants, database and Google connections, email providers, actions, roles, organizations, MFA (Guardian) settings, prompts, tenants and users as part of a Terraform deployment.

Example

[Auth0 multi resources create](https://github.com/dasmeta/terraform-auth0-modules/tree/main/examples)

Requirements

Name Version
terraform ~> 1.3.0
auth0 ~> 0.40.0

Providers

Name Version
auth0 ~> 0.40.0

Modules

Name Source Version
action ./modules/auth0-action n/a
auth0-auth-db ./modules/auth0-auth-db n/a
auth0-email ./modules/auth0-email n/a
auth0-goa ./modules/auth0-auth-google n/a
auth0-guardian ./modules/auth0-guardian n/a
auth0-org ./modules/auth0-org n/a
auth0-tenant ./modules/auth0-tenant n/a
auth0_api ./modules/auth0-api n/a
auth0_client ./modules/auth0-client n/a
auth0_role ./modules/auth0-role n/a
auth0_users ./modules/auth0-user/ n/a

Resources

Name Type
auth0_client_grant.my_client_grant resource
auth0_prompt.my_prompt resource
auth0_trigger_binding.trigger_binding resource

Inputs

Name Description Type Default Required
actions Actions are secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. Actions are used to customize and extend Auth0's capabilities with custom logic.
list(object({
name = string
code = string
runtime = optional(string, "node16")
supported_triggers = optional(any, {
id = "post-change-password"
version = "v2"
})
dependencies = optional(list(any), [])
deploy = optional(bool, false)
}))
[] no
apis With this input you define APIs (resource servers) that your authorized applications can consume. enforce_policies = true turns on RBAC for the API so that only permissions assigned to the user through roles end up in access tokens; skip_consent_for_verifiable_first_party_clients suppresses the consent prompt for first-party clients only.
list(object({
name = string
scopes = list(any)
identifier = string
enforce_policies = optional(bool, true)
signing_alg = optional(string, "RS256")
skip_consent_for_verifiable_first_party_clients = optional(bool, true)
token_lifetime = optional(number, 86400)
token_lifetime_for_web = optional(number, 7200)
token_dialect = optional(string, null)
}))
[] no
client-id Client ID of the machine-to-machine application used to authenticate to the Auth0 Management API. Sensitive: supply it through a sensitive variable or the environment rather than committing it. string n/a yes
client-secret Client secret of that Management API application. Sensitive: never commit it. string n/a yes
client_grants Client grants: which client may obtain access tokens for which API (audience) and with which scopes, so that another entity gets limited access to your resources without you sharing credentials. any [] no
clients With this input you set up applications that use Auth0 for authentication and configure allowed callback URLs and secrets for these applications. The defaults describe a confidential machine-to-machine client (client_credentials grant authenticated with client_secret_post); set token_endpoint_auth_method to "none" only for public clients such as SPAs and native apps. Note that the default refresh_token settings are non-expiring and non-rotating, which you will normally want to override for public clients.
list(object({
name = string
app_type = string
cross_origin_auth = optional(bool, false)
allowed_logout_urls = optional(list(string), [])
allowed_origins = optional(list(string), [])
callbacks = optional(list(string), [])
web_origins = optional(list(string), [])
organization_usage = optional(string, null)
organization_require_behavior = optional(string, null)
custom_login_page_on = optional(bool, true)
custom_login_page = optional(string, "")
grant_types = optional(list(string), ["client_credentials"])
token_endpoint_auth_method = optional(string, "client_secret_post")
logo_uri = optional(string, null)
sso = optional(bool, false)
jwt_configuration = optional(any, {
alg = "RS256"
lifetime_in_seconds = "36000"
secret_encoded = "false"
})
refresh_token = optional(any, {
expiration_type = "non-expiring"
idle_token_lifetime = "2592000"
infinite_idle_token_lifetime = "true"
infinite_token_lifetime = "true"
leeway = "0"
rotation_type = "non-rotating"
token_lifetime = "31557600"
})
}))
[] no
db_connections Database connections: sources of users whose credentials are stored in Auth0 rather than at an external identity provider. The fields below set the password policy, password history and dictionary checks, the personal-information check and brute-force protection for each connection.
list(object({
name = string
password_policy = optional(string, "good")
password_history = optional(any, { enable = true, size = 3 })
password_no_personal_info = optional(bool, true)
password_dictionary = optional(any, { enable = true, dictionary = [] })
brute_force_protection = optional(bool, true)
}))
[] no
domain Auth0 domain string n/a yes
emails With Auth0, you can have standard welcome, password reset, and account verification email-based workflows built right into Auth0.
list(object({
name = string
default_from_address = string
access_key_id = optional(string, null)
secret_access_key = optional(string, null)
region = optional(string, null)
api_key = optional(string, null)
email_template = optional(any, {})
}))
[] no
google Google social connection: a source of users whose identity provider is Google. any [] no
mfa Multi-Factor Authentication works by requiring additional factors during the login process to prevent unauthorized access.
list(object({
policy = optional(string, "all-applications")
email = optional(bool, false)
otp = optional(bool, false)
recovery_code = optional(bool, false)
webauthn_roaming = optional(list(any), [])
phone = optional(list(any), [])
push = optional(list(any), [])
duo = optional(list(any), [])
}))
[] no
orgs Auth0 Organizations let business-to-business (B2B) tenants model their partners and customers as organizations, each with its own branding and its own set of enabled connections.
list(object({
name = string
display_name = string
branding = optional(list(any), [])
connections = optional(list(any), [])
}))
[] no
prompts With this resource, you can manage your Auth0 prompts, including choosing the login experience version. any [] no
roles With this resource, you can create and manage collections of permissions that can be assigned to users, which are otherwise known as roles. list(any)
[
{
"description": "Administrator role",
"name": "Administrator",
"permissions": []
}
]
no
tenant With this input you manage tenant-wide settings: default redirection and logout URLs, session lifetimes (session_lifetime and idle_session_lifetime are in hours), the session cookie mode and the tenant feature flags.
list(object({
friendly_name = string
allowed_logout_urls = optional(list(string), [])
default_audience = optional(string, null)
picture_url = optional(string, null)
enabled_locales = optional(list(string), null)
change_password = optional(list(any), [])
guardian_mfa_page = optional(list(any), [])
default_redirection_uri = string
sandbox_version = string
error_page = optional(list(any), [])
default_directory = optional(string, null)
support_email = optional(string, null)
support_url = optional(string, null)
session_lifetime = optional(number, 168)
idle_session_lifetime = optional(number, 72)
session_cookie = optional(string, "persistent")
universal_login = optional(list(any), [])
flags = optional(any, {
allow_legacy_delegation_grant_types = "false"
allow_legacy_ro_grant_types = "false"
allow_legacy_tokeninfo_endpoint = "false"
dashboard_insights_view = "false"
dashboard_log_streams_next = "false"
disable_clickjack_protection_headers = "false"
disable_fields_map_fix = "false"
disable_management_api_sms_obfuscation = "false"
enable_adfs_waad_email_verification = "false"
enable_apis_section = "false"
enable_client_connections = "false"
enable_custom_domain_in_emails = "false"
enable_dynamic_client_registration = "false"
enable_idtoken_api2 = "false"
enable_legacy_logs_search_v2 = "false"
enable_legacy_profile = "false"
enable_pipeline2 = "false"
enable_public_signup_user_exists_error = "false"
no_disclose_enterprise_connections = "false"
revoke_refresh_token_grant = "false"
universal_login = "true"
use_scope_descriptions_for_consent = "false"
})

}))
[] no
users Database users to create, each with the roles to assign to it. password is a secret: source it from a sensitive variable rather than a committed file.
list(object({
name = string
email = string
roles = list(string)
password = string
}))
[] no
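A root-module invocation that exercises the inputs above, added here as an example; it is not code from the repository's examples directory or from the module itself. The source string, the auth0 module label, the example.com hostnames, the value/description shape of scopes entries and the name/resource_server_identifier shape of role permissions are assumptions. The Management API credentials arrive through TF_VAR_* environment variables, the SPA client overrides the non-expiring, non-rotating refresh-token defaults with rotating, expiring tokens, and the API turns on RBAC enforcement.

```hcl
# Management API credentials: TF_VAR_auth0_client_id / TF_VAR_auth0_client_secret, never a committed file.
variable "auth0_domain" { type = string }
variable "auth0_client_id" {
  type      = string
  sensitive = true
}
variable "auth0_client_secret" {
  type      = string
  sensitive = true
}

module "auth0" {
  # Source string is an assumption; pin a tag or commit with ?ref= in real use.
  source = "github.com/dasmeta/terraform-auth0-modules"

  domain        = var.auth0_domain
  client-id     = var.auth0_client_id
  client-secret = var.auth0_client_secret

  # API with RBAC enforced: only permissions granted through roles reach the token (scopes shape assumed).
  apis = [{
    name             = "orders-api"
    identifier       = "https://orders.example.com/"
    enforce_policies = true
    token_dialect    = "access_token_authz"
    scopes = [
      { value = "read:orders", description = "Read orders" },
      { value = "write:orders", description = "Create and update orders" },
    ]
  }]

  clients = [
    {
      # Browser app: public client (PKCE, no secret) with rotating, expiring refresh tokens.
      name                       = "orders-spa"
      app_type                   = "spa"
      callbacks                  = ["https://app.example.com/callback"]
      grant_types                = ["authorization_code", "refresh_token"]
      token_endpoint_auth_method = "none"
      refresh_token = {
        rotation_type                = "rotating"
        expiration_type              = "expiring"
        token_lifetime               = "2592000" # 30 days absolute
        idle_token_lifetime          = "1209600" # 14 days idle
        infinite_token_lifetime      = "false"
        infinite_idle_token_lifetime = "false"
      }
    },
    {
      # Backend worker: confidential client, client_credentials only.
      name                       = "orders-worker"
      app_type                   = "non_interactive"
      grant_types                = ["client_credentials"]
      token_endpoint_auth_method = "client_secret_post"
    },
  ]

  db_connections = [{
    name                      = "Username-Password-Authentication"
    password_policy           = "excellent"
    password_history          = { enable = true, size = 5 }
    password_no_personal_info = true
    brute_force_protection    = true
  }]

  mfa = [{
    policy        = "all-applications"
    otp           = true
    recovery_code = true
  }]

  # Permission entries mirror the auth0_role permissions block (assumed shape).
  roles = [{
    name        = "orders-admin"
    description = "Full access to orders"
    permissions = [{ name = "write:orders", resource_server_identifier = "https://orders.example.com/" }]
  }]

  # Post-login Action that copies the user's roles into the access token.
  actions = [{
    name               = "add-roles-claim"
    runtime            = "node16"
    deploy             = true
    supported_triggers = { id = "post-login", version = "v3" }
    code               = <<-EOT
      exports.onExecutePostLogin = async (event, api) => {
        const roles = (event.authorization && event.authorization.roles) || [];
        api.accessToken.setCustomClaim("https://orders.example.com/roles", roles);
      };
    EOT
  }]
}

# The module output carries client secrets: keep it sensitive and protect the state backend.
output "client_credentials" {
  value     = module.auth0.client_credentials
  sensitive = true
}
```

Run terraform plan before applying and check that the orders-spa client shows rotation_type = "rotating" and expiration_type = "expiring" in the planned refresh_token settings; if the plan still shows the non-rotating defaults, the override was not picked up. The state file will contain the generated client secrets regardless of the sensitive flag, so use a backend with encryption at rest and restricted access.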

Outputs

Name Description
client_credentials Client credentials (client ID and secret) for each client created. This output and the state behind it contain secrets: mark it sensitive when you re-export it from a root module and protect the state backend.