terraform-provider-auth0's Introduction

Auth0 Terraform Provider

This provider has recently been accepted in the Terraform Provider Developer Program. This means you can install this provider with the same ease as other officially supported providers!

Issues & Pull Requests

Please submit issues or pull requests to alexkappa/terraform-provider-auth0. This helps maintainers organize work more efficiently.

Requirements

  • Terraform 0.11.x || 0.12.x
  • Go 1.10 (to build the provider plugin)

Using the provider

To install this provider, copy and paste this code into your Terraform configuration. Then, run terraform init.

provider "auth0" {
  version = "> 0.8"
}

To configure the provider, define the domain, client_id and client_secret of a Machine to Machine application that is authorized for the Auth0 Management API. The provider uses these client credentials to obtain a Management API token, so the application needs to be granted the Management API scopes for the resources you intend to manage.

provider "auth0" {
  version = "> 0.8"
  domain = "<domain>"
  client_id = "<client-id>"
  client_secret = "<client-secret>"
}

These values can also be supplied via the AUTH0_DOMAIN, AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET environment variables respectively, which keeps the client secret out of configuration files that are committed to version control.

Examples of resources can be found in the examples directory.

Building The Provider

Clone repository to: $GOPATH/src/github.com/alexkappa/terraform-provider-auth0

$ mkdir -p $GOPATH/src/github.com/alexkappa; cd $GOPATH/src/github.com/alexkappa
$ git clone git@github.com:alexkappa/terraform-provider-auth0

Enter the provider directory and build the provider

$ cd $GOPATH/src/github.com/alexkappa/terraform-provider-auth0
$ make build

Developing the Provider

If you wish to work on the provider, you'll need Go installed on your machine (version 1.10+ is required). You'll also need to correctly set up a GOPATH, as well as add $GOPATH/bin to your $PATH.

On how to develop custom terraform providers, read the official guide.

To compile the provider, run make build. This will build the provider and install the provider binary in the $GOPATH/bin directory.

$ make build
...
$ $GOPATH/bin/terraform-provider-auth0
...

In order to test the provider, you can simply run make test.

$ make test

In order to run the full suite of Acceptance tests, the following environment variables must be set:

AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_CLIENT_ID=xyz
AUTH0_CLIENT_SECRET=xyz

Then, run make testacc.

Note: The acceptance tests make calls to a real Auth0 tenant, and create real resources. Certain tests, for example for custom domains (TestAccCustomDomain), also require a paid Auth0 subscription to be able to run successfully.

At the time of writing, the following configuration steps are also required for the test tenant:

  • The Username-Password-Authentication connection must have Requires Username option enabled for the user tests to successfully run.

Supporting the provider

This project is maintained by myself (@alexkappa) with contributions from great people across the community.

I am not affiliated with Auth0 and all work that goes into this provider is done during my spare time. Please be patient with issues and pull requests.

If you or your company relies on this plugin or the Go SDK and would like to ensure its continuing support please consider donating.

terraform-provider-auth0's Issues

Add support for hook secrets

Description

The Auth0 Management API supports the creation of hook secrets, which are secrets used by a hook at runtime. Add support for managing those secrets via terraform.

New or Affected Resource(s)

  • HookSecret

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Lack of support for some connection providers options

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I noticed the connection options for certain providers are commented out in the (interested in Facebook and LinkedIn). I was wondering why that is the case and if there are plans to implement support for these.
I would be happy to work on this myself but would like to get some context before digging into it.

New or Affected Resource(s)

  • auth0_connection

Unable to change `strategy_version` for windowslive connection

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.20

  • provider.auth0 v0.5.1

Affected Resource(s)

  • auth0_connection

Terraform Configuration Files

resource "auth0_connection" "microsoft" {
  name = "windowslive"
  strategy = "windowslive"
  is_domain_connection = true
  strategy_version = 2

  options {
    client_id = var.microsoft_azure_client_id
    client_secret = var.microsoft_azure_client_secret
    tenant_domain = var.microsoft_azure_tenant_domain
  }
}

Expected Behavior

Windowslive connection uses the new

Actual Behavior

Error: Unsupported argument

on auth0_connections.tf line 23, in resource "auth0_connection" "microsoft":
23: strategy_version = 2

Steps to Reproduce

  1. terraform apply


Support default login URI

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

There are two ways to configure this feature in Auth0 - as a tenant default and per-application.

Auth0 tenants have a 'Tenant Login URI' configuration field.

Auth0 clients have an 'Application Login URI' configuration field.

New or Affected Resource(s)

  • auth0_tenant.tenant_login_uri (or similar)
  • auth0_client.application_login_uri (or similar)

References

auth0_client_grant does not change audience

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

v0.12.23

Affected Resource(s)

  • auth0_client_grant

Terraform Configuration Files

resource "auth0_client_grant" "foo_api_grant" {
  audience  = "https://bar/"
  client_id = "redacted"
  scope = []
}

Debug Output

auth0_client_grant.foo_api_grant: Modifying... [id=redacted]
2020/03/12 11:17:00 [DEBUG] auth0_client_grant.foo_api_grant: applying the planned Update change
2020/03/12 11:17:01 [WARN] Provider "registry.terraform.io/-/auth0" produced an unexpected new value for auth0_client_grant.foo_api_grant, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .audience: was cty.StringVal("http://bar/"), but now cty.StringVal("http://foo/")
auth0_client_grant.foo_api_grant: Modifications complete after 0s [id=redacted]

Expected Behavior

Terraform destroys the grant and creates a new one with the correct audience.

Actual Behavior

Tries to update in place, although the Auth0 API does not support this.

  # auth0_client_grant.foo_api_grant will be updated in-place
  ~ resource "auth0_client_grant" "foo_api_grant" {
      ~ audience  = "https://foo/" -> "https://bar/"
        client_id = "ASDFGHJKLQWERTYUIOP"
        id        = "redacted"
        scope     = []
    }

Steps to Reproduce

  1. change the audience
  2. terraform apply

Important Factoids

The Auth0 Management API does not support editing the audience field, so it's necessary to re-create the resource.

Here is the output from trying to change the audience via the API manually:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Payload validation error: 'Additional properties not allowed: audience'.",
  "errorCode": "invalid_body"
}

Setting the Universal Login login HTML

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The Universal Login feature in Auth0 can be customised with login HTML, change password HTML, and Guardian multi-factor HTML. This Terraform provider seems to be able to set all but the login HTML. It would be great to be able to control that here as well.

New or Affected Resource(s)

  • auth0_tenant - Universal login

References

You can customize the HTML code for Login, Password Reset and MFA pages.

{domain}/oauth/token Forbidden in version 0.12.2

Description

When calling the /oauth/token endpoint for authentication, we realised that the audience parameter is missing, because it gives a 403 Forbidden error.

The audience parameter is missing, or maybe does not end with "/".

Expected Behavior

200

Actual Behavior

403

Steps to Reproduce

Check the audience parameter.

  1. terraform apply


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
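The issue above is about the audience sent with the client_credentials request that the provider makes to {domain}/oauth/token. The identifier of the Auth0 Management API is https://{domain}/api/v2/ and the trailing slash is part of it. The following is an added example, not code from the provider or from the issue author: it normalises a tenant domain into that audience, builds the token request, and exercises it against a local stand-in for the token endpoint. The stand-in's behaviour (answering 403 for any audience other than the exact Management API identifier) is a constructed simulation for the example, and the client ID and secret values are placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// managementAudience returns the Management API identifier for a tenant
// domain: https://{domain}/api/v2/ . The trailing slash is part of the
// identifier; a request carrying the value without it is not accepted.
func managementAudience(domain string) (string, error) {
	d := strings.TrimPrefix(strings.TrimPrefix(domain, "https://"), "http://")
	d = strings.TrimSuffix(d, "/")
	if d == "" || strings.ContainsAny(d, "/?#") {
		return "", fmt.Errorf("invalid tenant domain %q", domain)
	}
	return "https://" + d + "/api/v2/", nil
}

// tokenRequestForm builds the client_credentials body posted to {domain}/oauth/token.
func tokenRequestForm(clientID, clientSecret, audience string) url.Values {
	return url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"audience":      {audience},
	}
}

// requestToken posts the form to tokenURL and returns the access token, or an
// error carrying the status code and body when the endpoint refuses.
func requestToken(client *http.Client, tokenURL string, form url.Values) (string, error) {
	resp, err := client.PostForm(tokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var tr struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", err
	}
	if tr.AccessToken == "" {
		return "", errors.New("no access_token in response")
	}
	return tr.AccessToken, nil
}

// newFakeTokenServer stands in for a tenant's /oauth/token endpoint. This is a
// constructed simulation for the example, not Auth0's real implementation: it
// accepts only the exact Management API audience and answers 403 otherwise.
func newFakeTokenServer(wantAudience string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/oauth/token" || r.ParseForm() != nil {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		if r.PostForm.Get("grant_type") != "client_credentials" || r.PostForm.Get("audience") != wantAudience {
			http.Error(w, `{"error":"access_denied"}`, http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"access_token":"constructed-token","token_type":"Bearer","expires_in":86400}`)
	}))
}

// exchange runs one client_credentials request with the given audience against
// the fake server configured for the tenant your-tenant.auth0.com (placeholder).
func exchange(audience string) (string, error) {
	want, _ := managementAudience("your-tenant.auth0.com")
	srv := newFakeTokenServer(want)
	defer srv.Close()
	return requestToken(srv.Client(), srv.URL+"/oauth/token",
		tokenRequestForm("xyz", "xyz", audience)) // placeholder credentials
}

func main() {
	for _, aud := range []string{"https://your-tenant.auth0.com/api/v2", "https://your-tenant.auth0.com/api/v2/"} {
		tok, err := exchange(aud)
		fmt.Printf("audience=%s token=%q err=%v\n", aud, tok, err)
	}
}
```

Running it shows the request without the trailing slash failing with 403 and the corrected one returning a token; the same check applies to AUTH0_DOMAIN, which should be the bare tenant host without scheme or path.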

Support for hook secrets

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The provider supports rules, rule configs, and hooks, but currently doesn't support hook secrets, which are the analog of configs for hooks.

A current workaround for this is simply to use templatefile with a hook resource. This is fully functional but somewhat less secure and requires the maintainer to store their hooks in files that are not necessarily valid JS, meaning for instance that they'll have issues with code analysis tools.

New or Affected Resource(s)

This would entail introducing a single new resource auth0_hook_secret. Its lifecycle callbacks would be implemented as follows:

  • Create: makes a call to this endpoint, with a single secret in the body, then sets the id of the resource
  • Read: makes a call to this endpoint (which gets all secrets for the hook) and then sets only the value for the desired secret
  • Update: makes a call to this endpoint, again with a single secret
  • Destroy: makes a call to this endpoint, passing an array containing only the name of the secret

Changes to the name field should force a new resource. This is equivalent to but simpler than correctly implementing name changes.

Also, there's a question about how to set the ID of a resource. Using {hook_id}{separator}{secret_name} has the advantage that it will be possible to do imports. However, since hook_id is itself an opaque string, choosing a separator is difficult. Moreover, imports seem unimportant for this resource since destroying and re-creating is generally low cost.

Potential Terraform Configuration

resource "auth0_hook_secret" "internal" {
  hook_id = auth0_hook.my-hook.id
  name = "mySecretName"
  value = "json-value"
}
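The proposal above notes that an ID of the form {hook_id}{separator}{secret_name} is hard to build because hook_id is an opaque string and any separator might appear inside it. The following is an added example, not code from the provider or from the issue author, showing one way around that: each part is base64url-encoded before being joined, so the separator can never occur inside a part and import can recover both values unambiguously. The sample hook ID and secret name are constructed values.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// hookSecretIDSep separates the two encoded parts of the resource ID. The
// base64url alphabet (A-Z, a-z, 0-9, '-', '_') never contains ':', so the
// split is unambiguous whatever characters the raw hook ID or name contain.
const hookSecretIDSep = ":"

// composeHookSecretID builds the Terraform resource ID for one hook secret.
// Both parts are base64url-encoded without padding so an opaque hook ID that
// itself contains ':' (or any other character) cannot break parsing.
func composeHookSecretID(hookID, name string) (string, error) {
	if hookID == "" || name == "" {
		return "", errors.New("hook_id and name must both be non-empty")
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(hookID)) + hookSecretIDSep + enc.EncodeToString([]byte(name)), nil
}

// parseHookSecretID is the inverse of composeHookSecretID; an Importer would
// call it to recover hook_id and name from a user-supplied ID.
func parseHookSecretID(id string) (hookID, name string, err error) {
	parts := strings.Split(id, hookSecretIDSep)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("invalid hook secret ID %q: expected exactly one %q", id, hookSecretIDSep)
	}
	enc := base64.RawURLEncoding
	h, err := enc.DecodeString(parts[0])
	if err != nil {
		return "", "", fmt.Errorf("invalid hook_id part: %w", err)
	}
	n, err := enc.DecodeString(parts[1])
	if err != nil {
		return "", "", fmt.Errorf("invalid name part: %w", err)
	}
	if len(h) == 0 || len(n) == 0 {
		return "", "", errors.New("hook_id and name must both be non-empty")
	}
	return string(h), string(n), nil
}

func main() {
	// Constructed sample values; real hook IDs are opaque strings from the API.
	// This one deliberately contains the separator and other awkward characters.
	id, err := composeHookSecretID("01E7ABCD:with/odd=chars", "mySecretName")
	if err != nil {
		panic(err)
	}
	h, n, err := parseHookSecretID(id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("id=%s\nhook_id=%s\nname=%s\n", id, h, n)
}
```

With this scheme the Read callback still fetches all secrets for the hook and selects the one whose name matches, and a change to name forces a new resource as the proposal suggests; the ID only has to be stable and reversible.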

auth0_connection state fails to refresh (v0.8.1)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.24
+ provider.auth0 v0.8.1

Affected Resource(s)

  • auth0_connection

Terraform Configuration Files

resource "auth0_connection" "google_oauth2" {
  name                 = "google-oauth2"
  strategy             = "google-oauth2"
  is_domain_connection = false
}

Debug Output

If you need this, please let me know and I'll provide a redacted version!

Panic Output

N/A

Expected Behavior

Terraform state should refresh regardless of the current state ♻️

Actual Behavior

Auth0 provider crashed with:

Error: missing expected [

Error: json: cannot unmarshal string into Go struct field ConnectionOptionsGoogleOAuth2.allowed_audiences of type []interface {}

Steps to Reproduce

  1. Import the default Auth0 Google connection resource (might fail here too, but not sure because we're seeing this after upgrading from v0.5.1 and already had it imported).
  2. terraform plan

Important Factoids

This connection is provided/enabled by default by Auth0. We're using this configuration to explicitly disable it.

Response for this connection directly via the Auth0 Management API (sensitive info redacted):

{
  "id": "CONNECTION_ID",
  "options": {
    "email": true,
    "gmail": false,
    "orkut": false,
    "scope": [
      "email",
      "profile"
    ],
    "sites": false,
    "tasks": false,
    "blogger": false,
    "profile": true,
    "youtube": false,
    "calendar": false,
    "contacts": false,
    "analytics": false,
    "client_id": "",
    "moderator": false,
    "coordinate": false,
    "picasa_web": false,
    "google_plus": false,
    "google_books": false,
    "google_drive": false,
    "spreadsheets": false,
    "client_secret": "",
    "document_list": false,
    "latitude_best": false,
    "latitude_city": false,
    "url_shortener": false,
    "webmaster_tools": false,
    "chrome_web_store": false,
    "allowed_audiences": "",
    "adsense_management": false,
    "google_drive_files": false,
    "coordinate_readonly": false,
    "google_cloud_storage": false,
    "content_api_for_shopping": false,
    "google_affiliate_network": false
  },
  "strategy": "google-oauth2",
  "name": "google-oauth2",
  "is_domain_connection": false,
  "enabled_clients": [],
  "realms": [
    "google-oauth2"
  ]
}

References
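The failure reported above is that the API returns "allowed_audiences": "" (a string) for the default google-oauth2 connection while the provider's struct field expects a JSON array, so encoding/json refuses to decode the response. The following is an added example, not code from the provider or from the issue author, of a list type whose UnmarshalJSON accepts an array, a single string, or an empty string/null, so the Read step does not crash on such a response. The connectionOptions struct here is a minimal stand-in with an assumed field set, not the provider's real ConnectionOptionsGoogleOAuth2; the JSON inputs are constructed from the response shown in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// StringList decodes from a JSON array of strings, from a single JSON string
// (one element, or none when it is ""), or from null (none). A plain []string
// field would reject the "" that the API returns for allowed_audiences.
type StringList []string

func (s *StringList) UnmarshalJSON(b []byte) error {
	// Normal case: an actual array (null also lands here and yields nil).
	var arr []string
	if err := json.Unmarshal(b, &arr); err == nil {
		*s = arr
		return nil
	}
	// Tolerated case: a scalar string. "" means empty; anything else is one entry.
	var str string
	if err := json.Unmarshal(b, &str); err == nil {
		if str == "" {
			*s = StringList{}
		} else {
			*s = StringList{str}
		}
		return nil
	}
	// Anything else (numbers, objects, arrays of non-strings) is a real error.
	return fmt.Errorf("expected JSON array of strings or string, got %s", string(b))
}

// connectionOptions is a minimal stand-in for the provider's connection
// options struct (assumed fields; not the real ConnectionOptionsGoogleOAuth2).
type connectionOptions struct {
	ClientID         string     `json:"client_id"`
	Scope            []string   `json:"scope"`
	AllowedAudiences StringList `json:"allowed_audiences"`
}

// parseOptions decodes the "options" object of a connection response.
func parseOptions(raw string) (connectionOptions, error) {
	var o connectionOptions
	err := json.Unmarshal([]byte(raw), &o)
	return o, err
}

func main() {
	// Constructed from the response in the issue: allowed_audiences is "".
	const fromAPI = `{"client_id":"","scope":["email","profile"],"allowed_audiences":""}`
	o, err := parseOptions(fromAPI)
	if err != nil {
		panic(err)
	}
	fmt.Printf("scope=%v allowed_audiences=%v (len %d)\n", o.Scope, o.AllowedAudiences, len(o.AllowedAudiences))
}
```

Being lenient on read is the right place for this: the value the tenant actually holds is "no audiences", and writing back an empty list is what the API expects from the provider on update.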

refresh_token field for client

Description

I noticed the provider does not support (AFAIK) the refresh token rotation for clients.
In https://auth0.com/docs/api/management/v2#!/Clients/get_clients, we see there is an added refresh_token field, with this kind of format:

"refresh_token": {
  "rotation_type": "non-rotating",
  "expiration_type": "non-expiring",
  "leeway": 0,
  "token_lifetime": 2592000
}

Expect a PR, I guess, if I manage to write some Go. Wish me luck ^^

New or Affected Resource(s)

  • auth0_client

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

0.7.0 fails plan with "Error: missing expected ["

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

We tend to run a little behind releases, so we're on 0.12.20.

$ terraform version
Terraform v0.12.20
+ provider.auth0 v0.7.0
+ provider.aws v2.54.0
+ provider.cloudflare v1.18.1
+ provider.external v1.2.0
+ provider.helm v1.0.0
+ provider.kubernetes v1.11.1
+ provider.local v1.4.0
+ provider.mysql v1.9.0
+ provider.null v2.1.2
+ provider.random v2.2.1
+ provider.sops v0.5.0
+ provider.template v2.1.2

Your version of Terraform is out of date! The latest version
is 0.12.24. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

  • auth0_client

Terraform Configuration Files

resource "auth0_client" "client" {
  name        = "app"
  description = "Authentication for app"
  app_type    = "regular_web"
  callbacks = [
    local.cf_access_callback
  ]

  addons {
    samlp {
      mappings = {
        email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        name  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      }

      create_upn_claim                   = false
      passthrough_claims_with_no_mapping = false
      map_unknown_claims_as_is           = false
      map_identities                     = false
      name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

      name_identifier_probes = [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      ]
    }
  }
}

resource "auth0_connection" "connection" {
  name     = "app-google-auth"
  strategy = "google-oauth2"

  options {
    client_id     = var.gsuite_client_id
    client_secret = var.gsuite_client_secret
  }

  enabled_clients = [
    auth0_client.client.id
  ]
}

Debug Output

Cannot share the whole debug output, but here is what I think is the relevant section. It appears that the state produced by previous versions (0.6.0 in our case) can't be used by 0.7.0.

2020-03-23T21:34:09.855-0700 [DEBUG] plugin.terraform-provider-auth0_v0.7.0_x4: 2020/03/23 21:34:09 [WARN] unexpected type cty.List(cty.Object(map[string]cty.Type{"length":cty.Number, "time_step":cty.Number})) for map in json state
2020/03/23 21:34:09 [ERROR] module.top.module.auth0: eval: *terraform.EvalReadState, err: missing expected [
2020/03/23 21:34:09 [ERROR] module.top.module.auth0: eval: *terraform.EvalSequence, err: missing expected [

Panic Output

N/A

Expected Behavior

plan should work

Actual Behavior

See title

Steps to Reproduce

  1. terraform apply an auth0_client with 0.6.0
  2. terraform init -upgrade to get 0.7.0
  3. terraform plan

Important Factoids

We just started using auth0 a few weeks ago so it's possible we are a corner case of some kind that had stuff only from 0.6.0.

References

N/A

Missing import instructions

Missing import instructions in this file.

terraform-provider-auth0/website/docs/r/resource_server.html.md

Add support for LogStream configuration

Description

It would be super nice if we could manage the log streams as well. This would let us configure both the sink and source of the stream of log messages within terraform.

New or Affected Resource(s)

  • auth0_log_stream

References

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

How to import domain ?

Hey,

How are we supposed to import a custom domain?

I tried with the domain name as an ID, but it fails the validation and I can't find any clue about it in the source code:

Error: 400 Bad Request: Path validation error: 'Object didn't pass validation for format custom-domain-id: auth.example.com' on property id (ID of the custom domain to retrieve).

Unable to edit default database

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.20

  • provider.auth0 v0.5.1

Affected Resource(s)

  • auth0_connection

Terraform Configuration Files

resource "auth0_connection" "database" {
  name = "Username-Password-Authentication"
  strategy = "auth0"

  options {
    password_policy = "strong"
  }
}

Expected Behavior

Default database updated with the chosen password_policy

Actual Behavior

Error: 409 Conflict: A connection with the same name already exists

  on auth0_connections.tf line 1, in resource "auth0_connection" "database":
   1: resource "auth0_connection" "database" {

Steps to Reproduce

  1. terraform apply
