
What's New in the Auth0 Terraform Provider?

The Auth0 Terraform provider has many new features and updates. Learn all about what's new.

The Auth0 Terraform Provider lets you automate the configuration of Auth0 resources such as applications, connections, actions, and more, and you can also use it to manage users, roles, and organizations. With the provider you can automate almost everything you can do through the management UI.

Check out our blog post to get started with Auth0 and Terraform.

Get Started with the Auth0 Terraform Provider
Learn how to get started with the Auth0 Terraform Provider to automate your identity infrastructure.

What's New in the Auth0 Terraform Provider

The latest versions (1.4 to 1.7) of the Auth0 Terraform provider have many new features and updates. Here are the top six features to look out for.

Auth0 Forms

Auth0 Forms is a visual editor for building custom, dynamic forms that integrate directly with your authentication workflows.

Available from v1.7.3

Forms offer a secure, controlled experience within your tenant's domain, with no redirects to external sites. You can manage Auth0 Forms and Flows via Terraform, automating their creation and maintenance. Note that the Flow Vault connection in the example below holds Management API credentials for the M2M application the flow runs as: pass them in as sensitive variables rather than literals, grant that application only the Management API scopes the flow's actions need, and remember that Terraform state still records them in plaintext, so protect the state backend accordingly.

# Create an Auth0 Form
resource "auth0_form" "sample_form" {
  name = "KYC Form"

  start = jsonencode({
    coordinates = { x = 0, y = 0 }
    next_node = "username_step"
  })

  nodes = jsonencode([{
    id   = "username_step"
    type = "STEP"
    config = {
      components = [{
        category = "FIELD"
        config = {
          max_length = 50
          min_length = 1
          multiline  = false
        }
        id        = "full_name"
        label     = "Your Name"
        required  = true
        sensitive = false
        type      = "TEXT"
        },
        {
          category = "BLOCK"
          config = { text = "Continue" }
          id   = "next_button_3FbA"
          type = "NEXT_BUTTON"
      }]
      next_node = "$ending"
    }
    coordinates = { x = 500, y = 0 }
  }])

  ending = jsonencode({
    after_submit = {
      flow_id = auth0_flow.sample_flow.id
    }
    coordinates = { x = 1250, y = 0 }
    resume_flow = true
  })

  style = jsonencode({ css = "h1 { color: white; text-align: center; }" })
}

# Create an Auth0 Flow to use the Form
resource "auth0_flow" "sample_flow" {
  actions = jsonencode([{
    action = "UPDATE_USER"
    allow_failure = false
    id            = "update_user_metadata"
    mask_output   = false
    params = {
      changes = {
        user_metadata = { full_name = "{{fields.full_name}}" }
      }
      connection_id = auth0_flow_vault_connection.sample_connection.id
      user_id       = "{{context.user.user_id}}"
    }
    type = "AUTH0"
  }])
  name = "Flow KYC update data"
}

# Create a Flow Vault Connection to use in a Flow
resource "auth0_flow_vault_connection" "sample_connection" {
  app_id = "AUTH0"
  name   = "Auth0 M2M Connection"
  setup = {
    client_id     = var.auth0_client_id # The M2M app must be authorized to use the Auth0 Management API
    client_secret = var.auth0_client_secret
    domain        = var.auth0_domain # without https:// in the domain
    type          = "OAUTH_APP"
  }
}
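The block above references `var.auth0_domain`, `var.auth0_client_id` and `var.auth0_client_secret` without declaring them, and the provider itself needs Management API credentials to run at all. The following is an added example, not code from this page or from the provider's documentation, that declares those variables with `sensitive = true` and configures the provider from its own environment variables so that no credential is committed to source. The provider's `AUTH0_DOMAIN`, `AUTH0_CLIENT_ID` and `AUTH0_CLIENT_SECRET` environment variables and the `TF_VAR_` prefix are real; the variable descriptions, the example domain and the decision to use a separate, narrowly scoped M2M application for the Flow Vault connection are assumptions.

```hcl
terraform {
  required_providers {
    auth0 = {
      source  = "auth0/auth0"
      version = "~> 1.7"
    }
  }
}

# With no arguments, the provider reads AUTH0_DOMAIN, AUTH0_CLIENT_ID and
# AUTH0_CLIENT_SECRET from the environment, so the credentials of the M2M
# application that drives Terraform never appear in .tf files or tfvars.
provider "auth0" {}

# Credentials for a second M2M application used only by the Flow Vault
# connection (assumed design choice). Keep its Management API scopes minimal:
# the UPDATE_USER action in the flow above needs only update:users.
variable "auth0_domain" {
  type        = string
  description = "Tenant domain without scheme, for example example.us.auth0.com (assumed value)"
}

variable "auth0_client_id" {
  type        = string
  description = "Client ID of the M2M application the flow runs as"
}

# sensitive = true keeps the value out of plan and apply output. It does NOT
# encrypt the value in Terraform state, so the state backend must be encrypted
# and access-controlled.
variable "auth0_client_secret" {
  type        = string
  description = "Client secret of the M2M application the flow runs as"
  sensitive   = true
}
```

Supply the secret at run time, for example with `export TF_VAR_auth0_client_secret=...` from a secrets manager, rather than through a committed `.tfvars` file.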

Machine-to-Machine Access for Organizations

Machine-to-Machine (M2M) Access for Organizations lets you define, per API, which organizations a given application can access when it obtains tokens through the Client Credentials Flow. This lets customers sell and operate their services properly in M2M environments, covers devices with limited user-interface capabilities, and simplifies configuration and usage.

M2M applications can now be associated with a given organization, as connections already can, which lets the application request an access token for that specific organization. An API that receives such a token should check which organization the token is bound to, not only its scopes, before acting on a tenant's data.

Note: This feature is available on the B2B Professional, Enterprise, and Enterprise Premium plans.

Available from v1.7.0

# Create an Auth0 Organization
resource "auth0_organization" "my_organization" {
  name         = "auth0-inc"
  display_name = "Auth0 Inc."

  branding {
    logo_url = "https://example.com/assets/icons/icon.png"
    colors = {
      primary         = "#f2f2f2"
      page_background = "#e1e1e1"
    }
  }
}

# Create a new Auth0 M2M application
resource "auth0_client" "sample_client" {
  name        = "MyCoolApp"
  description = "My Cool App Client Created Through Terraform"
  app_type    = "non_interactive"
}

# The API the M2M application will call, with the scopes the grant below
# requests. A client grant only succeeds for scopes the audience defines.
resource "auth0_resource_server" "my_api" {
  name       = "My API"
  identifier = "https://my-api.example.com"
}

resource "auth0_resource_server_scopes" "my_api_scopes" {
  resource_server_identifier = auth0_resource_server.my_api.identifier

  scopes {
    name        = "create:foo"
    description = "Create foo"
  }
  scopes {
    name        = "create:bar"
    description = "Create bar"
  }
}

# Create a Client Grant for the Client. organization_usage must be "allow" or
# "require" before the grant can be associated with an organization.
resource "auth0_client_grant" "my_client_grant" {
  client_id          = auth0_client.sample_client.id
  audience           = auth0_resource_server.my_api.identifier
  scopes             = ["create:foo", "create:bar"]
  organization_usage = "allow"

  depends_on = [auth0_resource_server_scopes.my_api_scopes]
}

# Associate the Client Grant with the Organization
resource "auth0_organization_client_grant" "sample_organization_client_grant" {
  organization_id = auth0_organization.my_organization.id
  grant_id        = auth0_client_grant.my_client_grant.id
}
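With `organization_usage = "allow"` the client may request an organization-bound token but can still obtain an unbound one for the same API. The configuration below is an added example, not from this page or the provider documentation: it uses `organization_usage = "require"` so that every client-credentials token for the API must name an organization, and it grants the same API to several organizations from one map. The organization names, the `api_identifier` variable, the `read:reports` scope and the application name are assumptions; the client grant attributes are the provider's own.

```hcl
# Identifier of an existing auth0_resource_server that defines read:reports
# (assumed to exist outside this block).
variable "api_identifier" {
  type = string
}

# Organizations allowed to call the API through this client (assumed names).
locals {
  partner_orgs = {
    acme   = "Acme Corp"
    globex = "Globex Inc."
  }
}

resource "auth0_organization" "partner" {
  for_each     = local.partner_orgs
  name         = each.key
  display_name = each.value
}

resource "auth0_client" "partner_integration" {
  name     = "Partner Integration"
  app_type = "non_interactive"
}

# "require" makes Auth0 reject a client-credentials request for this API that
# does not name an organization, so every token it issues is bound to one of the
# organizations granted below. allow_any_organization stays at its default
# (false), so organizations not explicitly granted are refused.
resource "auth0_client_grant" "partner_grant" {
  client_id          = auth0_client.partner_integration.id
  audience           = var.api_identifier
  scopes             = ["read:reports"]
  organization_usage = "require"
}

# One organization client grant per organization in the map.
resource "auth0_organization_client_grant" "partner" {
  for_each        = auth0_organization.partner
  organization_id = each.value.id
  grant_id        = auth0_client_grant.partner_grant.id
}
```

Adding an organization to `local.partner_orgs` creates both the organization and its grant on the next apply; removing one revokes that organization's access without touching the others.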

Bring Your Own Key (BYOK)

Bring Your Own Key lets you replace your tenant's top-level encryption key with a key you generate yourself, giving you control of the key material held in Auth0's hardware security module (HSM). This supports specific secret-custody and key-provenance requirements. Once you have uploaded your key, encryption and decryption of your tenant's secrets and data use that key.

Note: This feature is available as Early Access on Enterprise plans with the Highly Regulated Identity add-on.

Available from v1.7.0

# Changing key_rotation_id on the resource triggers a rotation/rekey of the
# tenant's keys. The two resources below illustrate the value before and after
# one rotation.
resource "auth0_encryption_key_manager" "sample_key_manager_initial" {
  key_rotation_id = "da9f2f3b-1c7e-4245-8982-9a25da8407c4"
}

resource "auth0_encryption_key_manager" "sample_key_manager_rekey" {
  key_rotation_id = "68feba2c-7768-40f3-9d71-4b91e0233abf"
}

# Step 1: start the customer-provided root key process by declaring an empty
# `customer_provided_root_key` block and applying.
resource "auth0_encryption_key_manager" "sample_key_manager" {
  customer_provided_root_key {
  }
}

# After that apply, public_wrapping_key and wrapping_algorithm are populated.
# Use them to wrap your root key outside Terraform; the unwrapped root key
# never enters Terraform configuration or state.
output "key_manager" {
  depends_on = [auth0_encryption_key_manager.sample_key_manager]
  value = {
    public_wrapping_key = auth0_encryption_key_manager.sample_key_manager.customer_provided_root_key.*.public_wrapping_key
    wrapping_algorithm  = auth0_encryption_key_manager.sample_key_manager.customer_provided_root_key.*.wrapping_algorithm
  }
}

# Step 2: wrap the root key with the public_wrapping_key using the reported
# wrapping_algorithm, Base64-encode the result, set it as wrapped_key on the
# same resource, and apply again. This replaces the block from step 1; it is
# shown separately here only to illustrate the two states.
resource "auth0_encryption_key_manager" "sample_key_manager" {
  customer_provided_root_key {
    wrapped_key = "your_base64_encoded_wrapped_root_key"
  }
}

Customize Signup and Login Prompts

Customize Signup and Login Prompts lets customers who have a Custom Domain and a Custom Page Template enabled add custom fields and content to their application's signup and login prompts. Whatever you insert is rendered inside the login page itself, so only include markup you control and review.

Available from v1.7.0

Customize Signup and Login Prompts supports two use cases.

  • Custom content: Custom content is static content like text, links, or images placed directly on the signup and login prompts.
  • Data capture: Data capture uses form elements dynamically added to the signup and login prompts, which is useful for collecting and validating user consent or user-produced data like a surname.

# For managing a single prompt screen
resource "auth0_prompt_screen_partial" "login" {
  prompt_type = "login"
  screen_name = "login"
  insertion_points {
    form_content_start = "<div>Form Content Start</div>"
    form_content_end   = "<div>Form Content End</div>"
  }
}

# For managing multiple prompt screens
resource "auth0_prompt_screen_partials" "prompt_screen_partials" {
  prompt_type = "login-passwordless"

  screen_partials {
    screen_name = "login-passwordless-email-code"
    insertion_points {
      form_content_start = "<div>Form Content Start</div>"
      form_content_end   = "<div>Form Content End</div>"
    }
  }

  screen_partials {
    screen_name = "login-passwordless-sms-otp"
    insertion_points {
      form_content_start = "<div>Form Content Start</div>"
      form_content_end   = "<div>Form Content End</div>"
    }
  }
}

Self-Service Single Sign-On

Self-Service Single Sign-On (SSO) gives business-to-business (B2B) customers the tools to delegate SSO setup to their enterprise customers, who can then configure and manage their own ways of logging in to your SaaS application.

Self-Service SSO provides a packaged experience that Auth0 customers can offer to their business customers so that they can set up their own SSO access. Customers can take advantage of this time-saving feature to reduce support costs and time-to-value for their business customers.

Note: This feature is available as limited Early Access on Enterprise plans.

Available from v1.5.0

resource "auth0_self_service_profile" "my_self_service_profile" {
  user_attributes {
    name        = "sample-name"
    description = "sample-description"
    is_optional = true
  }
  branding {
    logo_url = "https://mycompany.org/v2/logo.png"
    colors {
      primary = "#0059d6"
    }
  }
}

SCIM Configuration

System for Cross-domain Identity Management (SCIM) is a protocol and schema that enterprises use to provision, de-provision, and manage user identity information across systems in a standardized way. SaaS developers selling to large enterprises may be asked, or even required, by those customers to expose a SCIM-based API that integrates with the user-provisioning tooling they use.

With support for inbound SCIM, SaaS application builders can:

  • Use the Auth0 Dashboard or APIs to quickly enable inbound SCIM user provisioning and de-provisioning workflows into their Auth0 user identity stores
  • Get out-of-the-box support for the major workforce IdPs that implement outbound SCIM (including Okta Workforce Identity Cloud and Azure AD) without building or self-hosting any custom endpoints

Note: This feature is available on Enterprise plans.

Available from v1.4.0

# Okta credentials are passed in as variables rather than hardcoded; the secret
# is marked sensitive so it does not appear in plan/apply output.
variable "okta_client_id" {
  type = string
}

variable "okta_client_secret" {
  type      = string
  sensitive = true
}

resource "auth0_connection" "my_enterprise_connection" {
  name         = "my-enterprise-connection"
  display_name = "My Enterprise Connection"
  strategy     = "okta"

  options {
    client_id              = var.okta_client_id
    client_secret          = var.okta_client_secret
    issuer                 = "https://example.okta.com"
    jwks_uri               = "https://example.okta.com/oauth2/v1/keys"
    token_endpoint         = "https://example.okta.com/oauth2/v1/token"
    authorization_endpoint = "https://example.okta.com/oauth2/v1/authorize"
  }
}

# SCIM configuration for the connection. `user_id_attribute` names the SCIM
# attribute whose value identifies the user (choose one the IdP keeps stable),
# and each `mapping` pairs an Auth0 user-profile attribute with a SCIM attribute
# path from the SCIM core schema. A connection can have only one SCIM configuration.
resource "auth0_connection_scim_configuration" "my_conn_scim_configuration" {
  connection_id     = auth0_connection.my_enterprise_connection.id
  user_id_attribute = "externalId"
  mapping {
    auth0 = "email"
    scim  = "userName"
  }
  mapping {
    auth0 = "given_name"
    scim  = "name.givenName"
  }
}

Learn More

I hope that you found this article helpful. Here are some additional resources to learn more about Auth0 and DevOps.

You can also sign up for our newsletter to stay updated on everything about identity and security.

If you liked this tutorial, chances are you'll enjoy the others we publish. Please follow @auth0 on Twitter and subscribe to our YouTube channel to get notified when we publish new developer tutorials.