4 changes: 3 additions & 1 deletion modules/auth0/app/README.md
Expand Up @@ -78,6 +78,7 @@ components:
| Name | Type |
|------|------|
| [auth0_client.this](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/client) | resource |
| [auth0_client_credentials.this](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/client_credentials) | resource |
| [aws_ssm_parameter.auth0_client_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
| [aws_ssm_parameter.auth0_client_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
| [aws_ssm_parameter.auth0_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
Expand All @@ -95,9 +96,9 @@ components:
| <a name="input_auth0_tenant_environment_name"></a> [auth0\_tenant\_environment\_name](#input\_auth0\_tenant\_environment\_name) | The name of the environment where the Auth0 tenant component is deployed. Defaults to the environment of the current stack. | `string` | `""` | no |
| <a name="input_auth0_tenant_stage_name"></a> [auth0\_tenant\_stage\_name](#input\_auth0\_tenant\_stage\_name) | The name of the stage where the Auth0 tenant component is deployed. Defaults to the stage of the current stack. | `string` | `""` | no |
| <a name="input_auth0_tenant_tenant_name"></a> [auth0\_tenant\_tenant\_name](#input\_auth0\_tenant\_tenant\_name) | The name of the tenant where the Auth0 tenant component is deployed. Yes this is a bit redundant, since Auth0 also calls this resource a tenant. Defaults to the tenant of the current stack. | `string` | `""` | no |
| <a name="input_authentication_method"></a> [authentication\_method](#input\_authentication\_method) | The authentication method for the client credentials | `string` | `"client_secret_post"` | no |
| <a name="input_callbacks"></a> [callbacks](#input\_callbacks) | Allowed Callback URLs | `list(string)` | `[]` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_create_auth0_ssm_parameters_enabled"></a> [create\_auth0\_ssm\_parameters\_enabled](#input\_create\_auth0\_ssm\_parameters\_enabled) | Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account. | `bool` | `false` | no |
| <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
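Review bot: The `authentication_method` row's description ("The authentication method for the client credentials") does not tell the reader which values are accepted or what the default `client_secret_post` implies for how the secret is sent; this table is generated from the variable description, so the fix belongs in variables.tf. Dropping the `create_auth0_ssm_parameters_enabled` row without any replacement also removes the only documented switch for SSM writes, so the README should state the new behaviour introduced in main.tf (client id and client secret are written to SSM whenever the component is enabled).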
Expand All @@ -114,6 +115,7 @@ components:
| <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| <a name="input_oidc_conformant"></a> [oidc\_conformant](#input\_oidc\_conformant) | OIDC Conformant | `bool` | `true` | no |
| <a name="input_provider_ssm_base_path"></a> [provider\_ssm\_base\_path](#input\_provider\_ssm\_base\_path) | The base path for the SSM parameters. If not defined, this is set to the module context ID. This is also required when `var.enabled` is set to `false` | `string` | `""` | no |
| <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | AWS Region | `string` | n/a | yes |
| <a name="input_sso"></a> [sso](#input\_sso) | Single Sign-On for the Auth0 app | `bool` | `true` | no |
37 changes: 37 additions & 0 deletions modules/auth0/app/main.tf
@@ -1,5 +1,9 @@
locals {
enabled = module.this.enabled

ssm_path = coalesce(var.provider_ssm_base_path, module.this.id)
client_id_ssm_path = format("/%s/client_id", local.ssm_path)
client_secret_ssm_path = format("/%s/client_secret", local.ssm_path)
}

resource "auth0_client" "this" {
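Review bot: `ssm_path = coalesce(var.provider_ssm_base_path, module.this.id)` fails at plan time with coalesce's "no non-null, non-empty-string arguments" error whenever both values are empty, which is exactly the case the variable description hints at ("required when `var.enabled` is set to `false`") but nothing enforces; a `validation` block on `provider_ssm_base_path` or a `precondition` that states the requirement explicitly would give a clearer error. Also, `format("/%s/client_id", local.ssm_path)` yields a double leading slash if a caller supplies a base path that already starts with `/`; either trim it (`trimprefix(var.provider_ssm_base_path, "/")`) or document that the path must be given without a leading slash, since a `//` prefix is not a valid SSM parameter name.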
Expand All @@ -23,3 +27,36 @@ resource "auth0_client" "this" {
logo_uri = var.logo_uri

}

resource "auth0_client_credentials" "this" {
count = local.enabled ? 1 : 0

client_id = try(auth0_client.this[0].client_id, "")
authentication_method = var.authentication_method
}

module "auth0_ssm_parameters" {
source = "cloudposse/ssm-parameter-store/aws"
version = "0.13.0"

enabled = local.enabled

parameter_write = [
{
name = local.client_id_ssm_path
value = try(auth0_client.this[0].client_id, "")
type = "SecureString"
overwrite = "true"
description = "Auth0 client ID for the Auth0 ${module.this.id} application"
},
{
name = local.client_secret_ssm_path
value = try(auth0_client_credentials.this[0].client_secret, "")
type = "SecureString"
overwrite = "true"
description = "Auth0 client secret for the Auth0 ${module.this.id} application"
}
]

context = module.this.context
}
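Review bot: `module "auth0_ssm_parameters"` now runs with `enabled = local.enabled`, so the new client's secret is written to SSM at `local.client_secret_ssm_path` on every apply with no way to opt out, whereas the block being removed from provider-auth0-client.tf was gated behind `local.enabled && var.create_auth0_ssm_parameters_enabled`. Consider a dedicated boolean input for this write, and document in the README where the parameters land (`/<ssm_path>/client_id` and `/<ssm_path>/client_secret`) so operators can scope `ssm:GetParameter` permissions to that path. Minor: `overwrite = "true"` is a quoted string where a bare bool reads more naturally.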
42 changes: 0 additions & 42 deletions modules/auth0/app/provider-auth0-client.tf
Expand Up @@ -105,45 +105,3 @@ provider "auth0" {
client_secret = data.aws_ssm_parameter.auth0_client_secret.value
debug = var.auth0_debug
}

#
# Finally if enabled, create a duplicate of the AWS SSM parameters for Auth0 in this account.
#
variable "create_auth0_ssm_parameters_enabled" {
description = "Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account."
type = bool
default = false
}

module "auth0_ssm_parameters" {
source = "cloudposse/ssm-parameter-store/aws"
version = "0.13.0"

enabled = local.enabled && var.create_auth0_ssm_parameters_enabled

parameter_write = [
{
name = module.auth0_tenant[0].outputs.domain_ssm_path
value = data.aws_ssm_parameter.auth0_domain.value
type = "SecureString"
overwrite = "true"
description = "Auth0 domain value for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
},
{
name = module.auth0_tenant[0].outputs.client_id_ssm_path
value = data.aws_ssm_parameter.auth0_client_id.value
type = "SecureString"
overwrite = "true"
description = "Auth0 client ID for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
},
{
name = module.auth0_tenant[0].outputs.client_secret_ssm_path
value = data.aws_ssm_parameter.auth0_client_secret.value
type = "SecureString"
overwrite = "true"
description = "Auth0 client secret for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
},
]

context = module.this.context
}
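Review bot: Removing `variable "create_auth0_ssm_parameters_enabled"` together with this `auth0_ssm_parameters` module is a breaking change: stack configs that set the input need updating, and on the next apply Terraform will destroy the three duplicated parameters this block wrote (the `domain_ssm_path`, `client_id_ssm_path` and `client_secret_ssm_path` from `module.auth0_tenant[0].outputs`), which breaks any consumer still reading those copies from this account. Please call this out in the PR description, and because main.tf reintroduces a module at the same address `module.auth0_ssm_parameters` with different parameter names, confirm from the plan that the result is a destroy of the old parameters plus a create of the new ones rather than an in-place update of parameters that other components may depend on.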
12 changes: 12 additions & 0 deletions modules/auth0/app/variables.tf
Expand Up @@ -62,3 +62,15 @@ variable "jwt_alg" {
description = "JWT Algorithm"
default = "RS256"
}

variable "provider_ssm_base_path" {
type = string
description = "The base path for the SSM parameters. If not defined, this is set to the module context ID. This is also required when `var.enabled` is set to `false`"
default = ""
}

variable "authentication_method" {
type = string
description = "The authentication method for the client credentials"
default = "client_secret_post"
}
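Review bot: `authentication_method` has no `validation` block, so a typo is only caught when the Auth0 API rejects it at apply time; add a validation restricting it to the values the provider accepts and list those values in the description, which terraform-docs then copies into the README. For `provider_ssm_base_path`, the description says it is "required when `var.enabled` is set to `false`" without saying why, and the name suggests it configures the provider's credential lookup, while in main.tf it only prefixes the SSM paths for the client created by this component (the provider itself reads `data.aws_ssm_parameter.auth0_client_secret`); a name like `client_ssm_base_path`, or at least a description that says these are the paths the new client's id and secret are written to, would be less confusing.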
2 changes: 0 additions & 2 deletions modules/auth0/connection/README.md
Expand Up @@ -75,7 +75,6 @@ components:
| Name | Source | Version |
|------|--------|---------|
| <a name="module_auth0_apps"></a> [auth0\_apps](#module\_auth0\_apps) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| <a name="module_auth0_ssm_parameters"></a> [auth0\_ssm\_parameters](#module\_auth0\_ssm\_parameters) | cloudposse/ssm-parameter-store/aws | 0.13.0 |
| <a name="module_auth0_tenant"></a> [auth0\_tenant](#module\_auth0\_tenant) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a |
| <a name="module_iam_roles_auth0_provider"></a> [iam\_roles\_auth0\_provider](#module\_iam\_roles\_auth0\_provider) | ../../account-map/modules/iam-roles | n/a |
Expand Down Expand Up @@ -107,7 +106,6 @@ components:
| <a name="input_brute_force_protection"></a> [brute\_force\_protection](#input\_brute\_force\_protection) | Indicates whether to enable brute force protection, which will limit the number of signups and failed logins from a suspicious IP address. | `bool` | `true` | no |
| <a name="input_connection_name"></a> [connection\_name](#input\_connection\_name) | The name of the connection | `string` | `""` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_create_auth0_ssm_parameters_enabled"></a> [create\_auth0\_ssm\_parameters\_enabled](#input\_create\_auth0\_ssm\_parameters\_enabled) | Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account. | `bool` | `false` | no |
| <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_disable_signup"></a> [disable\_signup](#input\_disable\_signup) | Indicates whether to allow user sign-ups to your application. | `bool` | `false` | no |
42 changes: 0 additions & 42 deletions modules/auth0/connection/provider-auth0-client.tf
Expand Up @@ -105,45 +105,3 @@ provider "auth0" {
client_secret = data.aws_ssm_parameter.auth0_client_secret.value
debug = var.auth0_debug
}

#
# Finally if enabled, create a duplicate of the AWS SSM parameters for Auth0 in this account.
#
variable "create_auth0_ssm_parameters_enabled" {
description = "Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account."
type = bool
default = false
}

module "auth0_ssm_parameters" {
source = "cloudposse/ssm-parameter-store/aws"
version = "0.13.0"

enabled = local.enabled && var.create_auth0_ssm_parameters_enabled

parameter_write = [
{
name = module.auth0_tenant[0].outputs.domain_ssm_path
value = data.aws_ssm_parameter.auth0_domain.value
type = "SecureString"
overwrite = "true"
description = "Auth0 domain value for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
},
{
name = module.auth0_tenant[0].outputs.client_id_ssm_path
value = data.aws_ssm_parameter.auth0_client_id.value
type = "SecureString"
overwrite = "true"
description = "Auth0 client ID for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
},
{
name = module.auth0_tenant[0].outputs.client_secret_ssm_path
value = data.aws_ssm_parameter.auth0_client_secret.value
type = "SecureString"
overwrite = "true"
description = "Auth0 client secret for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
},
]

context = module.this.context
}
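Review bot: The block removed here is identical to the one removed from modules/auth0/app/provider-auth0-client.tf (same hunk range `-105,45 +105,3`, same content), so the same caveat applies: the connection component's stack configs lose the `create_auth0_ssm_parameters_enabled` input and the duplicated domain and client parameters it wrote are destroyed on apply, and the connection README hunks drop the module and input rows without stating this. Provider wiring that exists as two copies edited in lockstep tends to drift; a header comment in each file pointing at the other, or extracting the shared provider block into a small local module, would make future edits like this one safer.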