diff --git a/modules/auth0/app/README.md b/modules/auth0/app/README.md
index fa48107c0..223e4a4f9 100644
--- a/modules/auth0/app/README.md
+++ b/modules/auth0/app/README.md
@@ -78,6 +78,7 @@ components:
| Name | Type |
|------|------|
| [auth0_client.this](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/client) | resource |
+| [auth0_client_credentials.this](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/client_credentials) | resource |
| [aws_ssm_parameter.auth0_client_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
| [aws_ssm_parameter.auth0_client_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
| [aws_ssm_parameter.auth0_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
@@ -95,9 +96,9 @@ components:
| [auth0\_tenant\_environment\_name](#input\_auth0\_tenant\_environment\_name) | The name of the environment where the Auth0 tenant component is deployed. Defaults to the environment of the current stack. | `string` | `""` | no |
| [auth0\_tenant\_stage\_name](#input\_auth0\_tenant\_stage\_name) | The name of the stage where the Auth0 tenant component is deployed. Defaults to the stage of the current stack. | `string` | `""` | no |
| [auth0\_tenant\_tenant\_name](#input\_auth0\_tenant\_tenant\_name) | The name of the tenant where the Auth0 tenant component is deployed. Yes this is a bit redundant, since Auth0 also calls this resource a tenant. Defaults to the tenant of the current stack. | `string` | `""` | no |
+| [authentication\_method](#input\_authentication\_method) | The authentication method for the client credentials | `string` | `"client_secret_post"` | no |
| [callbacks](#input\_callbacks) | Allowed Callback URLs | `list(string)` | `[]` | no |
| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
-| [create\_auth0\_ssm\_parameters\_enabled](#input\_create\_auth0\_ssm\_parameters\_enabled) | Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account. | `bool` | `false` | no |
| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
@@ -114,6 +115,7 @@ components:
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| [oidc\_conformant](#input\_oidc\_conformant) | OIDC Conformant | `bool` | `true` | no |
+| [provider\_ssm\_base\_path](#input\_provider\_ssm\_base\_path) | The base path for the SSM parameters. If not defined, this is set to the module context ID. This is also required when `var.enabled` is set to `false` | `string` | `""` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| [region](#input\_region) | AWS Region | `string` | n/a | yes |
| [sso](#input\_sso) | Single Sign-On for the Auth0 app | `bool` | `true` | no |
diff --git a/modules/auth0/app/main.tf b/modules/auth0/app/main.tf
index 9a098c365..1e1ee4f68 100644
--- a/modules/auth0/app/main.tf
+++ b/modules/auth0/app/main.tf
@@ -1,5 +1,9 @@
locals {
enabled = module.this.enabled
+
+ ssm_path = coalesce(var.provider_ssm_base_path, module.this.id)
+ client_id_ssm_path = format("/%s/client_id", local.ssm_path)
+ client_secret_ssm_path = format("/%s/client_secret", local.ssm_path)
}
resource "auth0_client" "this" {
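Review bot: `ssm_path = coalesce(var.provider_ssm_base_path, module.this.id)` fails with Terraform's generic "no non-null, non-empty-string arguments" error whenever both values are empty, and if `module.this.id` is empty while the module is disabled (as the null-label convention suggests) that is exactly the `enabled = false` case the new variable description calls "required"; a `validation` block on `provider_ssm_base_path`, or at least a comment on this line naming that constraint, would make the failure legible. Separately, `format("/%s/client_id", local.ssm_path)` yields a leading `//` when a caller passes a base path that already starts with `/`, which nothing documents or rejects; `ssm_path = trim(coalesce(var.provider_ssm_base_path, module.this.id), "/")` normalizes leading and trailing slashes before the paths are built. The `resource "auth0_client" "this"` block at the end of the hunk continues outside it.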
@@ -23,3 +27,36 @@ resource "auth0_client" "this" {
logo_uri = var.logo_uri
}
+
+resource "auth0_client_credentials" "this" {
+ count = local.enabled ? 1 : 0
+
+ client_id = try(auth0_client.this[0].client_id, "")
+ authentication_method = var.authentication_method
+}
+
+module "auth0_ssm_parameters" {
+ source = "cloudposse/ssm-parameter-store/aws"
+ version = "0.13.0"
+
+ enabled = local.enabled
+
+ parameter_write = [
+ {
+ name = local.client_id_ssm_path
+ value = try(auth0_client.this[0].client_id, "")
+ type = "SecureString"
+ overwrite = "true"
+ description = "Auth0 client ID for the Auth0 ${module.this.id} application"
+ },
+ {
+ name = local.client_secret_ssm_path
+ value = try(auth0_client_credentials.this[0].client_secret, "")
+ type = "SecureString"
+ overwrite = "true"
+ description = "Auth0 client secret for the Auth0 ${module.this.id} application"
+ }
+ ]
+
+ context = module.this.context
+}
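Review bot: Both `parameter_write` entries are `SecureString` but no KMS key is passed to `module.auth0_ssm_parameters`, so the client secret is encrypted under the account's default SSM key; if this component uses a customer-managed key elsewhere, pass it through (the ssm-parameter-store module accepts a `kms_arn` input, if I remember its interface correctly) so read access to the secret can be scoped by key policy as well as by IAM. `overwrite = "true"` on both entries replaces any existing parameter at `local.client_secret_ssm_path` silently, which is fine for rotation but worth a one-line comment since the path is caller-controlled through `provider_ssm_base_path`. The `client_secret` read from `auth0_client_credentials.this[0]` is also persisted in Terraform state in addition to SSM, so a comment such as `# client_secret is sensitive and is also stored in state` on the second entry would remind readers that state access is secret access.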
diff --git a/modules/auth0/app/provider-auth0-client.tf b/modules/auth0/app/provider-auth0-client.tf
index 1b35cf9b5..f7fb49f27 100644
--- a/modules/auth0/app/provider-auth0-client.tf
+++ b/modules/auth0/app/provider-auth0-client.tf
@@ -105,45 +105,3 @@ provider "auth0" {
client_secret = data.aws_ssm_parameter.auth0_client_secret.value
debug = var.auth0_debug
}
-
-#
-# Finally if enabled, create a duplicate of the AWS SSM parameters for Auth0 in this account.
-#
-variable "create_auth0_ssm_parameters_enabled" {
- description = "Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account."
- type = bool
- default = false
-}
-
-module "auth0_ssm_parameters" {
- source = "cloudposse/ssm-parameter-store/aws"
- version = "0.13.0"
-
- enabled = local.enabled && var.create_auth0_ssm_parameters_enabled
-
- parameter_write = [
- {
- name = module.auth0_tenant[0].outputs.domain_ssm_path
- value = data.aws_ssm_parameter.auth0_domain.value
- type = "SecureString"
- overwrite = "true"
- description = "Auth0 domain value for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
- },
- {
- name = module.auth0_tenant[0].outputs.client_id_ssm_path
- value = data.aws_ssm_parameter.auth0_client_id.value
- type = "SecureString"
- overwrite = "true"
- description = "Auth0 client ID for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
- },
- {
- name = module.auth0_tenant[0].outputs.client_secret_ssm_path
- value = data.aws_ssm_parameter.auth0_client_secret.value
- type = "SecureString"
- overwrite = "true"
- description = "Auth0 client secret for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
- },
- ]
-
- context = module.this.context
-}
diff --git a/modules/auth0/app/variables.tf b/modules/auth0/app/variables.tf
index bacbf38c0..8c7497fd2 100644
--- a/modules/auth0/app/variables.tf
+++ b/modules/auth0/app/variables.tf
@@ -62,3 +62,15 @@ variable "jwt_alg" {
description = "JWT Algorithm"
default = "RS256"
}
+
+variable "provider_ssm_base_path" {
+ type = string
+ description = "The base path for the SSM parameters. If not defined, this is set to the module context ID. This is also required when `var.enabled` is set to `false`"
+ default = ""
+}
+
+variable "authentication_method" {
+ type = string
+ description = "The authentication method for the client credentials"
+ default = "client_secret_post"
+}
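Review bot: `authentication_method` accepts any string and its description does not say which values are valid, so a typo only surfaces as a provider error at apply time; the Auth0 provider accepts `none`, `client_secret_post`, `client_secret_basic` and `private_key_jwt` for `auth0_client_credentials`, and a `validation` block pinning that set would reject bad input at plan time. Two of those values also interact with the new `main.tf` code: `none` makes the client public with no secret, so the SecureString written for the client secret would hold an empty value, and `private_key_jwt` needs a `private_key_jwt` configuration block that the resource does not set, so I believe it would fail at apply; the description should state which values this module actually supports. The `variable "jwt_alg"` block at the top of the hunk starts outside it.

```hcl
variable "authentication_method" {
  type        = string
  description = "The authentication method for the client credentials. One of: client_secret_post, client_secret_basic, none, private_key_jwt."
  default     = "client_secret_post"

  validation {
    condition     = contains(["client_secret_post", "client_secret_basic", "none", "private_key_jwt"], var.authentication_method)
    error_message = "authentication_method must be one of client_secret_post, client_secret_basic, none, private_key_jwt."
  }
}
```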
diff --git a/modules/auth0/connection/README.md b/modules/auth0/connection/README.md
index 89d4305a3..ddeeb5298 100644
--- a/modules/auth0/connection/README.md
+++ b/modules/auth0/connection/README.md
@@ -75,7 +75,6 @@ components:
| Name | Source | Version |
|------|--------|---------|
| [auth0\_apps](#module\_auth0\_apps) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
-| [auth0\_ssm\_parameters](#module\_auth0\_ssm\_parameters) | cloudposse/ssm-parameter-store/aws | 0.13.0 |
| [auth0\_tenant](#module\_auth0\_tenant) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a |
| [iam\_roles\_auth0\_provider](#module\_iam\_roles\_auth0\_provider) | ../../account-map/modules/iam-roles | n/a |
@@ -107,7 +106,6 @@ components:
| [brute\_force\_protection](#input\_brute\_force\_protection) | Indicates whether to enable brute force protection, which will limit the number of signups and failed logins from a suspicious IP address. | `bool` | `true` | no |
| [connection\_name](#input\_connection\_name) | The name of the connection | `string` | `""` | no |
| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
-| [create\_auth0\_ssm\_parameters\_enabled](#input\_create\_auth0\_ssm\_parameters\_enabled) | Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account. | `bool` | `false` | no |
| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| [disable\_signup](#input\_disable\_signup) | Indicates whether to allow user sign-ups to your application. | `bool` | `false` | no |
diff --git a/modules/auth0/connection/provider-auth0-client.tf b/modules/auth0/connection/provider-auth0-client.tf
index 1b35cf9b5..f7fb49f27 100644
--- a/modules/auth0/connection/provider-auth0-client.tf
+++ b/modules/auth0/connection/provider-auth0-client.tf
@@ -105,45 +105,3 @@ provider "auth0" {
client_secret = data.aws_ssm_parameter.auth0_client_secret.value
debug = var.auth0_debug
}
-
-#
-# Finally if enabled, create a duplicate of the AWS SSM parameters for Auth0 in this account.
-#
-variable "create_auth0_ssm_parameters_enabled" {
- description = "Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account."
- type = bool
- default = false
-}
-
-module "auth0_ssm_parameters" {
- source = "cloudposse/ssm-parameter-store/aws"
- version = "0.13.0"
-
- enabled = local.enabled && var.create_auth0_ssm_parameters_enabled
-
- parameter_write = [
- {
- name = module.auth0_tenant[0].outputs.domain_ssm_path
- value = data.aws_ssm_parameter.auth0_domain.value
- type = "SecureString"
- overwrite = "true"
- description = "Auth0 domain value for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
- },
- {
- name = module.auth0_tenant[0].outputs.client_id_ssm_path
- value = data.aws_ssm_parameter.auth0_client_id.value
- type = "SecureString"
- overwrite = "true"
- description = "Auth0 client ID for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
- },
- {
- name = module.auth0_tenant[0].outputs.client_secret_ssm_path
- value = data.aws_ssm_parameter.auth0_client_secret.value
- type = "SecureString"
- overwrite = "true"
- description = "Auth0 client secret for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
- },
- ]
-
- context = module.this.context
-}