Use HashiCorp Terraform to Manage Your Auth0 Configuration

Thanks for sharing all that with the rest of the community, James!

Hi,

I just noticed your reply @jamesmehorter1 about importing existing resources. How about other resources like the email provider or email templates? Any idea how to retrieve these IDs?

I tried importing an email provider by name, which failed, but I’m not able to retrieve the ID via the Auth0 API.

Hello Dan,

Is there any movement on that feature? We’re looking to move to managing auth0 via terraform and being able to export config from auth0 into a terraform configuration would save a huge amount of time.

Stuart,

If you are still using the Auth0 Terraform provider and are still in need of this feature, I would ask that you raise it with your account manager. I would like to see Auth0 provide an official Terraform provider that has full feature parity with the Auth0 UI and is kept in sync as new features are developed. If you are a paying customer, please raise this as a requirement with your account manager so that internal resources can be allocated and a commitment made.

regards

Andrew

This question is based on the Auth0 blog - Use Terraform to Manage Your Auth0 Configuration

I’ve been playing with the sample secure_express app from the Terraform blog post linked above and it’s working great. I have extended it to use my idp for authentication (instead of just the local database) and that works great too.

Now I am trying to get idp-initiated login to work and that is failing. I believe the problem is that Auth0 does a POST to the /callback url after the idp initiates the login.

When the idp flow POSTs to the /callback url, I get this error:

If I place my cursor in the url field of the browser window and just press enter - this does an HTTP GET request to the callback url and the login is successful.

Is there a way I can change the IDP initiated flow (or the auth in general) so that it does a GET to the /callback url instead of a POST?

Hey there @robertino.calcaterra and @dan-auth0 can we get some eyes on this thread? Thanks!


Hi again - I’m wondering if I could get a response on this?

Hello chaps. How are we doing on this?

Hi @camepp. We are working on your question. We’ll be back here as soon as possible.


Thanks for the update @robertino.calcaterra !


Hello, it’s been a week so I’m checking in. Can I assist with any samples or info?

Hi @camepp. Could you please provide your sample code with the customizations? I just need to check with the team for more information about it.

For sure! Here is the Terraform code that has added the samlp provider. It works great, but the IdP-initiated flow fails because Auth0 is doing a POST to http://localhost:8300/callback instead of a GET.

```hcl
variable "auth0_domain" {}
variable "auth0_client_id" {}
variable "auth0_client_secret" {}

# Referenced by the container resource below but not declared in the
# original snippet; without it `terraform validate` fails.
variable "terraform-express-api-identifier" {}

terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "3.0.1"
    }
    auth0 = {
      source  = "auth0/auth0"
      version = "0.44.1"
    }
  }
}

# Management API (machine-to-machine) credentials for the provider.
# Supply them via TF_VAR_* or a tfvars file kept out of version control.
provider "auth0" {
  domain        = var.auth0_domain
  client_id     = var.auth0_client_id
  client_secret = var.auth0_client_secret
}

provider "docker" {
  # Local Docker Desktop socket; adjust for your machine.
  host = "unix:///Users/me/.docker/run/docker.sock"
}

resource "auth0_tenant" "dev_tenant" {
  allowed_logout_urls = []

  enabled_locales = [
    "en",
  ]

  sandbox_version = "16"

  flags {
    allow_legacy_delegation_grant_types    = false
    allow_legacy_ro_grant_types            = false
    allow_legacy_tokeninfo_endpoint        = false
    dashboard_insights_view                = false
    dashboard_log_streams_next             = false
    disable_clickjack_protection_headers   = false
    disable_fields_map_fix                 = false
    disable_management_api_sms_obfuscation = false
    enable_adfs_waad_email_verification    = false
    enable_apis_section                    = false
    enable_client_connections              = false
    enable_custom_domain_in_emails         = false
    enable_dynamic_client_registration     = false
    enable_idtoken_api2                    = false
    enable_legacy_logs_search_v2           = false
    enable_legacy_profile                  = false
    enable_pipeline2                       = false
    enable_public_signup_user_exists_error = false
    no_disclose_enterprise_connections     = false
    revoke_refresh_token_grant             = false
    use_scope_descriptions_for_consent     = false
  }

  session_cookie {}
}

# The dockerised Express app. Plain http://localhost URLs are only
# acceptable because this is a local development setup.
resource "auth0_client" "terraform-secure-express" {
  name           = "Terraform Secure Express"
  description    = "App for running Dockerized Express application via Terraform"
  app_type       = "regular_web"
  is_first_party = true
  callbacks      = ["http://localhost:8300/callback"]
  allowed_logout_urls = [
    "http://localhost:8300/callback",
    "http://localhost:8300/"
  ]
  oidc_conformant = true

  jwt_configuration {
    alg = "RS256"
  }
}

# Local username/password database connection.
resource "auth0_connection" "terraform-express-user-db" {
  name     = "terraform-express-user-db"
  strategy = "auth0"
  options {
    password_policy        = "excellent"
    brute_force_protection = true
    disable_signup         = true
    password_history {
      enable = true
      size   = 3
    }

    password_no_personal_info {
      enable = true
    }
  }
}

# Enable the database connection for the Terraform M2M application
# (needed so the auth0_user resources below can be created).
resource "auth0_connection_client" "associate_terraform_client" {
  connection_id = auth0_connection.terraform-express-user-db.id
  client_id     = var.auth0_client_id
}

# Enable the database connection for the Express app.
resource "auth0_connection_client" "my_conn_client_assoc" {
  connection_id = auth0_connection.terraform-express-user-db.id
  client_id     = auth0_client.terraform-secure-express.id
}

# Enable the SAML connection for the Express app.
resource "auth0_connection_client" "samlp_client" {
  connection_id = auth0_connection.samlp.id
  client_id     = auth0_client.terraform-secure-express.id
}

# SAML connection (Auth0 acting as SAML service provider towards the IdP).
resource "auth0_connection" "samlp" {
  display_name         = "foo-face"
  is_domain_connection = false
  metadata             = {}
  name                 = "foo-face"
  realms = [
    "foo-face",
  ]
  show_as_button = false
  strategy       = "samlp"

  options {
    # debug = true makes Auth0 log the full SAML exchange; turn it off
    # once the connection works.
    debug            = true
    digest_algorithm = "sha256"
    disable_cache    = false
    disable_sign_out = true
    disable_signup   = false
    domain_aliases = [
      "my-domain.com",
    ]
    set_user_root_attributes = "on_first_login"
    sign_in_endpoint         = "https://sso.jumpcloud.com/saml2/auth0_testing"
    sign_saml_request        = true
    signature_algorithm      = "rsa-sha256"
    # The IdP's signing certificate; Auth0 uses it to verify assertions.
    signing_cert = <<EOF
-----BEGIN CERTIFICATE-----
MIIFcDCCA1igAwIBAgIUFu/iJtW01d7pZlSRwueJpaXXo5gwDQYJKoZIhvcNAQEL
<cert stuff here>
adqX5IxGO/2C/AGwVe9qZivj4/xr/KJ+cDJyrwwPm/4LTi+ji8mx3CfxZZ7HPj4/
XGgpBQ==
-----END CERTIFICATE-----
EOF

    # Default application for IdP-initiated logins. client_protocol selects
    # how Auth0 hands the user on to that application (samlp, wsfed or oauth2).
    idp_initiated {
      client_id       = auth0_client.terraform-secure-express.id
      client_protocol = "samlp"
    }
  }
}

# Test users. Note that the passwords end up in plain text in Terraform
# state, so treat the state file as a secret.
resource "auth0_user" "terraform-express-admin-user" {
  connection_name = auth0_connection.terraform-express-user-db.name
  user_id         = "adminface"
  email           = "admin@example.com"
  email_verified  = true
  password        = "passwords"
  roles           = [auth0_role.terraform-express-admin-role.id]
}

resource "auth0_user" "terraform-express-basic-user" {
  connection_name = auth0_connection.terraform-express-user-db.name
  user_id         = "useyface"
  email           = "user@example.com"
  email_verified  = true
  password        = "passwords"
  #   roles           = [auth0_role.terraform-express-basic-user-role.id]
}

resource "docker_image" "terraform-secure-express" {
  name = "terraform-secure-express:1.0"
  build {
    context = "."
  }
}

# The client secret is passed as a container environment variable and is
# therefore visible to anyone who can run `docker inspect`.
resource "docker_container" "terraform-secure-express" {
  image = docker_image.terraform-secure-express.image_id
  name  = "terraform-secure-express"
  ports {
    internal = 8300
    external = 8300
  }
  env = [
    "AUTH0_CLIENT_ID=${auth0_client.terraform-secure-express.client_id}",
    "AUTH0_CLIENT_SECRET=${auth0_client.terraform-secure-express.client_secret}",
    "AUTH0_CLIENT_DOMAIN=${var.auth0_domain}",
    "AUTH0_API_IDENTIFIER=${var.terraform-express-api-identifier}"
  ]
}
```


When I click the button in the IdP to initiate the login, I get this error page on my local app.


If you ever encounter this problem:

```
on main.tf line 46, in resource "docker_container" "terraform-secure-express":
│ 46: image = docker_image.terraform-secure-express.latest

│ This object has no argument, nested block, or exported attribute named "latest".
```

simply replace

```hcl
image = docker_image.terraform-secure-express.latest
```

with

```hcl
image = docker_image.terraform-secure-express.image_id
```

in the container resource.

Hi @robertino.calcaterra - have you had a chance to follow up with the team?

Hi, I can’t seem to find any docs on how to add “Application Metadata” to an Auth0 Application via a Terraform script. Is it possible ?

Hi @david.isackson, how are you?

Have you tried to use the client_metadata property in the client object? You can find more information in the Terraform docs: Terraform Registry

Please let me know if this helps,
Juan


Thank you. That looks like what I need.

Hey there everyone! :wave:t3:

I thought I’d chime in again with something that might be of interest to you! We’re hosting an Ask Me Anything session in our Forum regarding the Auth0 Terraform Provider.

It’s gonna be on Thursday, September 28, 2023. Check out more info about it here!