Merge branch 'main' into oidc-pkce-fix

.github/workflows/main.yml

@@ -3,7 +3,7 @@ name: Main Workflow
 on:
   pull_request: {}
   push:
-    branches: [ "main", "v1" ]
+    branches: ["main", "v1"]
 
 jobs:
   checks:
@@ -45,7 +45,7 @@ jobs:
         run: make test-acc
 
       - name: Update codecov report
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./coverage.out

.github/workflows/release.yml

@@ -2,7 +2,7 @@ name: Release
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
@@ -22,13 +22,13 @@ jobs:
 
       - name: Import GPG key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v5
+        uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # pin@5.3.0
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # pin@4.3.0
         with:
           version: latest
           args: release --rm-dist

.github/workflows/security.yml

@@ -3,10 +3,10 @@ name: Security
 on:
   pull_request: {}
   push:
-    branches: [ "main", "v1" ]
+    branches: ["main", "v1"]
 
   schedule:
-    - cron: '30 0 1,15 * *'
+    - cron: "30 0 1,15 * *"
 
 jobs:
   semgrep:
@@ -24,7 +24,7 @@ jobs:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_TOKEN }}
 
   govulncheck:
-    name : Vulnerabilities Scan
+    name: Vulnerabilities Scan
     runs-on: ubuntu-latest
     steps:
       - name: Scan for vulnerabilities in go code

.semgrepignore

@@ -0,0 +1,5 @@
+docs/
+examples/
+test/
+\_.md
+internal/\*\_test.go

CHANGELOG.md

@@ -1,3 +1,127 @@
+## v1.1.1
+
+BUG FIXES:
+
+- `resource/auth0_client_grant`: Allowing `scopes` to be set as empty ([#888](https://github.com/auth0/terraform-provider-auth0/pull/888))
+
+## v1.1.0
+
+FEATURES:
+
+- `resource/auth0_tenant`: Add support for `customize_mfa_in_postlogin_action` setting ([#871](https://github.com/auth0/terraform-provider-auth0/pull/871))
+
+ENHANCEMENTS:
+
+- `resource/auth0_client`: Set default `token_endpoint_auth_method` based on `app_type` on creation ([#878](https://github.com/auth0/terraform-provider-auth0/pull/878))
+
+BUG FIXES:
+
+- `resource/auth0_tenant`: Set default `idle_session_lifetime` and `session_lifetime` on import ([#849](https://github.com/auth0/terraform-provider-auth0/pull/849))
+- `resource/auth0_connection`: Prevent panic when checking for database config secrets ([#864](https://github.com/auth0/terraform-provider-auth0/pull/864))
+- `resource/auth0_branding`: Allow deleting the resource even on free tenants ([#875](https://github.com/auth0/terraform-provider-auth0/pull/875))
+- `data-source/auth0_organization`: Fix how we fetch organizations by name ([#877](https://github.com/auth0/terraform-provider-auth0/pull/877))
+- `resource/auth0_connection`: Add support for `disable_self_service_change_password` on AD connection options ([#874](https://github.com/auth0/terraform-provider-auth0/pull/874))
+
+
+## v1.0.0
+
+NOTES:
+
+- :warning: Check our [migration guide](https://github.com/auth0/terraform-provider-auth0/blob/main/MIGRATION_GUIDE.md) to navigate the breaking changes that were added in this release.
+- This release supports auto generated terraform configuration. [Check our guide for more info](https://registry.terraform.io/providers/auth0/auth0/latest/docs/guides/generate_terraform_config).
+
+FEATURES:
+
+- `resource/auth0_connection`: Add support for Line strategy ([#818](https://github.com/auth0/terraform-provider-auth0/pull/818))
+- `resource/auth0_connection`: Add `pkce` and `attribute_map` settings to OIDC and Okta Workforce connection options ([#815](https://github.com/auth0/terraform-provider-auth0/pull/815))
+- `resource/auth0_client`: Add support for pushed authorization requests setting ([#756](https://github.com/auth0/terraform-provider-auth0/pull/756))
+- `resource/auth0_tenant`: Add support for pushed authorization requests setting ([#756](https://github.com/auth0/terraform-provider-auth0/pull/756))
+- `resource/auth0_tenant`: Add support for `allow_organization_name_in_authentication_api` toggle ([#832](https://github.com/auth0/terraform-provider-auth0/pull/832))
+- `data-source/auth0_pages`: Add new data source to retrieve Auth0 pages ([#706](https://github.com/auth0/terraform-provider-auth0/pull/706))
+- `data-source/auth0_signing_keys`: Add new data source to retrieve signing keys for applications ([#839](https://github.com/auth0/terraform-provider-auth0/pull/839))
+
+ENHANCEMENTS:
+
+- `resource/auth0_branding`: Improve validation for universal login template body ([#819](https://github.com/auth0/terraform-provider-auth0/pull/819))
+- `resource/auth0_client`: Improve DX for managing `is_token_endpoint_ip_header_trusted` ([#796](https://github.com/auth0/terraform-provider-auth0/pull/796))
+- `resource/auth0_log_stream`: Improve resource schema ([#798](https://github.com/auth0/terraform-provider-auth0/pull/798))
+- `data-source/auth0_role`: Add ability to retrieve users assigned to a role ([#758](https://github.com/auth0/terraform-provider-auth0/pull/758))
+- `resource/auth0_email_provider`: Add support for `azure_cs` and `ms365` email providers ([#752](https://github.com/auth0/terraform-provider-auth0/pull/752))
+- `resource/auth0_connection`: Add support for `decryption_key` on SAML Connection Options ([#755](https://github.com/auth0/terraform-provider-auth0/pull/755))
+- `resource/auth0_tenant`: Add support for `OIDCLogoutPrompt` toggle ([#754](https://github.com/auth0/terraform-provider-auth0/pull/754))
+- `resource/auth0_action`: Add support for GA version of Node 18 within `runtime` field ([#709](https://github.com/auth0/terraform-provider-auth0/pull/709), [#722](https://github.com/auth0/terraform-provider-auth0/pull/722))
+- `resource/auth0_trigger_actions`: Add `password-reset-post-challenge` to available trigger bindings ([#726](https://github.com/auth0/terraform-provider-auth0/pull/726))
+- `resource/auth0_trigger_action`: Add `password-reset-post-challenge` to available trigger bindings ([#746](https://github.com/auth0/terraform-provider-auth0/pull/746))
+- `resource/auth0_*`: Improve how we check for 404 errors ([#727](https://github.com/auth0/terraform-provider-auth0/pull/727))
+- `resource/auth0_client`: Add validation to prevent empty `mobile` block ([#742](https://github.com/auth0/terraform-provider-auth0/pull/742))
+- `resource/auth0_prompt_custom_text`: Add support for six new languages ([#732](https://github.com/auth0/terraform-provider-auth0/pull/732))
+- `resource/auth0_connection`: Add support for `map_user_id_to_id` options field for Google Workspace connections ([#840](https://github.com/auth0/terraform-provider-auth0/pull/840))
+
+BUG FIXES:
+
+- `resource/auth0_prompt_custom_text`: Prevent `"null"` string literal when importing resource ([#821](https://github.com/auth0/terraform-provider-auth0/pull/821))
+- `resource/auth0_guardian`: Remove minor `phone.message_types` validation ([#820](https://github.com/auth0/terraform-provider-auth0/pull/820))
+- `resource/auth0_connection`: Allow sending `null` values for `from` and `messagingServiceSID` in SMS connection options ([#829](https://github.com/auth0/terraform-provider-auth0/pull/829))
+- `resource/auth0_connection`: Passing-through Google Workspace admin tokens when managing the connection ([#830](https://github.com/auth0/terraform-provider-auth0/pull/830))
+- `resource/auth0_tenant`: Allow creating native apps with device code grant ([#833](https://github.com/auth0/terraform-provider-auth0/pull/833))
+- `resource/auth0_client_credentials`: Stop requiring `read:client_keys` permission when reading the resource ([#795](https://github.com/auth0/terraform-provider-auth0/pull/795))
+- `resource/auth0_connection`: Passing-through critical connection options for following connection types: Ping Federate, AD, Azure AD, SAML ([#802](https://github.com/auth0/terraform-provider-auth0/pull/802))
+- `resource/*`: Fix pagination issues when fetching resources ([#807](https://github.com/auth0/terraform-provider-auth0/pull/807))
+- `data-source/*`: Fix pagination issues when fetching data sources ([#807](https://github.com/auth0/terraform-provider-auth0/pull/807))
+- `resource/auth0_client_grant`: Add validation to prevent empty string scope values ([#793](https://github.com/auth0/terraform-provider-auth0/pull/793))
+- `provider`: Fix issue with rate limit retry mechanism ([#788](https://github.com/auth0/terraform-provider-auth0/pull/788))
+- `resource/auth0_client`: Prevent sending empty payloads for client addons ([#759](https://github.com/auth0/terraform-provider-auth0/pull/759))
+- `resource/auth0_connection`: Correctly expand `shopify` connection strategy types ([#728](https://github.com/auth0/terraform-provider-auth0/pull/728))
+- `data-source/auth0_*`: Raise 404 errors when retrieving data sources ([#698](https://github.com/auth0/terraform-provider-auth0/pull/698))
+
+BREAKING CHANGES:
+
+- `resource/auth0_client`: Formally type the `addons` sub-properties ([#655](https://github.com/auth0/terraform-provider-auth0/pull/655), [#656](https://github.com/auth0/terraform-provider-auth0/pull/656), [#657](https://github.com/auth0/terraform-provider-auth0/pull/657), [#658](https://github.com/auth0/terraform-provider-auth0/pull/658), [#661](https://github.com/auth0/terraform-provider-auth0/pull/661), [#662](https://github.com/auth0/terraform-provider-auth0/pull/662), [#663](https://github.com/auth0/terraform-provider-auth0/pull/663), [#664](https://github.com/auth0/terraform-provider-auth0/pull/664), [#665](https://github.com/auth0/terraform-provider-auth0/pull/665), [#666](https://github.com/auth0/terraform-provider-auth0/pull/666), [#667](https://github.com/auth0/terraform-provider-auth0/pull/667), [#668](https://github.com/auth0/terraform-provider-auth0/pull/668), [#669](https://github.com/auth0/terraform-provider-auth0/pull/669), [#670](https://github.com/auth0/terraform-provider-auth0/pull/670), [#671](https://github.com/auth0/terraform-provider-auth0/pull/671), [#672](https://github.com/auth0/terraform-provider-auth0/pull/672), [#673](https://github.com/auth0/terraform-provider-auth0/pull/673), [#674](https://github.com/auth0/terraform-provider-auth0/pull/674), [#675](https://github.com/auth0/terraform-provider-auth0/pull/675), [#676](https://github.com/auth0/terraform-provider-auth0/pull/676), [#677](https://github.com/auth0/terraform-provider-auth0/pull/677), [#678](https://github.com/auth0/terraform-provider-auth0/pull/678), [#681](https://github.com/auth0/terraform-provider-auth0/pull/681), [#682](https://github.com/auth0/terraform-provider-auth0/pull/682))
+- `resource/auth0_user`: Remove `roles` and `permissions` fields ([#703](https://github.com/auth0/terraform-provider-auth0/pull/703))
+- `resource/auth0_resource_server`: Remove `scopes` field ([#703](https://github.com/auth0/terraform-provider-auth0/pull/703))
+- `resource/auth0_global_client`: Remove resource ([#704](https://github.com/auth0/terraform-provider-auth0/pull/704))
+- `data-source/auth0_global_client`: Remove data source ([#704](https://github.com/auth0/terraform-provider-auth0/pull/704))
+- `resource/auth0_tenant`: Remove `change_password`, `error_page` and `guardian_mfa_page` fields ([#711](https://github.com/auth0/terraform-provider-auth0/pull/711))
+- `resource/auth0_tenant`: Remove `universal_login` block ([#712](https://github.com/auth0/terraform-provider-auth0/pull/712))
+- `resource/auth0_client`: Remove `client_secret_rotation_trigger` field ([#711](https://github.com/auth0/terraform-provider-auth0/pull/711))
+- `resource/auth0_role`: Remove `permissions` field ([#714](https://github.com/auth0/terraform-provider-auth0/pull/714))
+- `resource/auth0_organization_member`: Remove `roles` field ([#715](https://github.com/auth0/terraform-provider-auth0/pull/715))
+- `resource/auth0_client_grant`: Rename `scope` field to `scopes` ([#717](https://github.com/auth0/terraform-provider-auth0/pull/717))
+- `resource/auth0_*`: Align resource import separators ([#718](https://github.com/auth0/terraform-provider-auth0/pull/718))
+- `resource/auth0_client`: Remove `client_secret` and `token_endpoint_auth_method` fields ([#725](https://github.com/auth0/terraform-provider-auth0/pull/725))
+- `resource/auth0_email`: Remove `api_user` field ([#730](https://github.com/auth0/terraform-provider-auth0/pull/730))
+- `resource/auth0_connection`: Remove `enabled_clients` field ([#730](https://github.com/auth0/terraform-provider-auth0/pull/730))
+- `resource/auth0_trigger_binding`: Remove resource ([#730](https://github.com/auth0/terraform-provider-auth0/pull/730))
+- `resource/auth0_email`: Rename resource to `auth0_email_provider` ([#731](https://github.com/auth0/terraform-provider-auth0/pull/731))
+
+## v1.0.0-beta.4
+
+NOTES:
+
+- This release supports auto generated terraform configuration. [Check our guide for more info](https://registry.terraform.io/providers/auth0/auth0/latest/docs/guides/generate_terraform_config).
+- :warning: Check our [migration guide](https://github.com/auth0/terraform-provider-auth0/blob/main/MIGRATION_GUIDE.md) to navigate the breaking changes that were added in this release.
+
+FEATURES:
+
+- `resource/auth0_connection`: Add support for Line strategy ([#818](https://github.com/auth0/terraform-provider-auth0/pull/818))
+- `resource/auth0_connection`: Add `pkce` and `attribute_map` settings to OIDC and Okta Workforce connection options ([#815](https://github.com/auth0/terraform-provider-auth0/pull/815))
+- `resource/auth0_client`: Add support for pushed authorization requests setting ([#756](https://github.com/auth0/terraform-provider-auth0/pull/756))
+- `resource/auth0_tenant`: Add support for pushed authorization requests setting ([#756](https://github.com/auth0/terraform-provider-auth0/pull/756))
+- `resource/auth0_tenant`: Add support for `allow_organization_name_in_authentication_api` toggle ([#832](https://github.com/auth0/terraform-provider-auth0/pull/832))
+
+ENHANCEMENTS:
+
+- `resource/auth0_branding`: Improve validation for universal login template body ([#819](https://github.com/auth0/terraform-provider-auth0/pull/819))
+
+BUG FIXES:
+
+- `resource/auth0_prompt_custom_text`: Prevent `"null"` string literal when importing resource ([#821](https://github.com/auth0/terraform-provider-auth0/pull/821))
+- `resource/auth0_guardian`: Remove minor `phone.message_types` validation  ([#820](https://github.com/auth0/terraform-provider-auth0/pull/820))
+- `resource/auth0_connection`: Allow sending `null` values for `from` and `messagingServiceSID` in SMS connection options ([#829](https://github.com/auth0/terraform-provider-auth0/pull/829))
+- `resource/auth0_connection`: Passing-through Google Workspace admin tokens when managing the connection ([#830](https://github.com/auth0/terraform-provider-auth0/pull/830))
+- `resource/auth0_tenant`: Allow creating native apps with device code grant  ([#833](https://github.com/auth0/terraform-provider-auth0/pull/833))
+
+
 ## v1.0.0-beta.3
 
 NOTES:
@@ -12,7 +136,7 @@ ENHANCEMENTS:
 BUG FIXES:
 
 - `resource/auth0_client_credentials`: Stop requiring `read:client_keys` permission when reading the resource ([#795](https://github.com/auth0/terraform-provider-auth0/pull/795))
-- `resource/auth0_connection`: Passing-through critical connection options for following connection types: Ping Federate, AD, Azure AD, SAML([#802](https://github.com/auth0/terraform-provider-auth0/pull/802))
+- `resource/auth0_connection`: Passing-through critical connection options for following connection types: Ping Federate, AD, Azure AD, SAML ([#802](https://github.com/auth0/terraform-provider-auth0/pull/802))
 - `resource/*`: Fix pagination issues when fetching resources ([#807](https://github.com/auth0/terraform-provider-auth0/pull/807))
 - `data-source/*`: Fix pagination issues when fetching data sources ([#807](https://github.com/auth0/terraform-provider-auth0/pull/807))
 
@@ -92,6 +216,20 @@ BREAKING CHANGES:
 - `resource/auth0_email`: Rename resource to `auth0_email_provider` ([#731](https://github.com/auth0/terraform-provider-auth0/pull/731))
 
 
+## 0.50.2
+
+ENHANCEMENTS:
+
+- `resource/auth0_action`: Add node18 GA (`node18-actions`) option to `runtime`([#803](https://github.com/auth0/terraform-provider-auth0/pull/803))
+
+
+## 0.50.1
+
+BUG FIXES:
+
+- `resource/auth0_connection`: Passing-through critical connection options for following connection types: Ping Federate, AD, Azure AD, SAML([#786](https://github.com/auth0/terraform-provider-auth0/pull/786))
+
+
 ## 0.50.0
 
 FEATURES:

README.md

@@ -44,7 +44,7 @@ terraform {
   required_providers {
     auth0 = {
       source  = "auth0/auth0"
-      version = "1.0.0-beta.0" # Refer to docs for latest version
+      version = ">= 1.0.0" # Refer to docs for latest version
     }
   }
 }

docs/data-sources/client.md

@@ -41,7 +41,7 @@ data "auth0_client" "some-client-by-id" {
 - `client_aliases` (List of String) List of audiences/realms for SAML protocol. Used by the wsfed addon.
 - `client_metadata` (Map of String) Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: `:,-+=_*?"/\()<>@ [Tab] [Space]`.
 - `client_secret` (String, Sensitive) Secret for the client. Keep this private. To access this attribute you need to add the `read:client_keys` scope to the Terraform client. Otherwise, the attribute will contain an empty string.
-- `cross_origin_auth` (Boolean) Whether this client can be used to make cross-origin authentication requests (`true`) or it is not allowed to make such requests (`false`). Requires the `coa_toggle_enabled` feature flag to be enabled on the tenant by the support team.
+- `cross_origin_auth` (Boolean) Whether this client can be used to make cross-origin authentication requests (`true`) or it is not allowed to make such requests (`false`).
 - `cross_origin_loc` (String) URL of the location in your site where the cross-origin verification takes place for the cross-origin auth flow when performing authentication in your own domain instead of Auth0 Universal Login page.
 - `custom_login_page` (String) The content (HTML, CSS, JS) of the custom login page.
 - `custom_login_page_on` (Boolean) Indicates whether a custom login page is to be used.
@@ -62,6 +62,7 @@ data "auth0_client" "some-client-by-id" {
 - `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default), `pre_login_prompt` or  `post_login_prompt`.
 - `organization_usage` (String) Defines how to proceed during an authentication transaction with regards to an organization. Can be `deny` (default), `allow` or `require`.
 - `refresh_token` (List of Object) Configuration settings for the refresh tokens issued for this client. (see [below for nested schema](#nestedatt--refresh_token))
+- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for this client. This feature currently needs to be enabled on the tenant in order to make use of it.
 - `signing_keys` (List of Map of String) List containing a map of the public cert of the signing key and the public cert of the signing key in PKCS7.
 - `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
 - `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.

docs/data-sources/connection.md

@@ -88,6 +88,7 @@ Read-Only:
 - `issuer` (String)
 - `jwks_uri` (String)
 - `key_id` (String)
+- `map_user_id_to_id` (Boolean)
 - `max_groups_to_retrieve` (String)
 - `messaging_service_sid` (String)
 - `metadata_url` (String)