cloudposse · milldr · Aug 27, 2024 · Aug 26, 2024 · Aug 26, 2024 · Aug 27, 2024
@@ -67,6 +67,7 @@ components:
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_auth0_ssm_parameters"></a> [auth0\_ssm\_parameters](#module\_auth0\_ssm\_parameters) | cloudposse/ssm-parameter-store/aws | 0.13.0 |
 | <a name="module_auth0_tenant"></a> [auth0\_tenant](#module\_auth0\_tenant) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
 | <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a |
 | <a name="module_iam_roles_auth0_provider"></a> [iam\_roles\_auth0\_provider](#module\_iam\_roles\_auth0\_provider) | ../../account-map/modules/iam-roles | n/a |
@@ -96,6 +97,7 @@ components:
 | <a name="input_auth0_tenant_tenant_name"></a> [auth0\_tenant\_tenant\_name](#input\_auth0\_tenant\_tenant\_name) | The name of the tenant where the Auth0 tenant component is deployed. Yes this is a bit redundant, since Auth0 also calls this resource a tenant. Defaults to the tenant of the current stack. | `string` | `""` | no |
 | <a name="input_callbacks"></a> [callbacks](#input\_callbacks) | Allowed Callback URLs | `list(string)` | `[]` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "descriptor_formats": {},<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "labels_as_tags": [<br>    "unset"<br>  ],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {},<br>  "tenant": null<br>}</pre> | no |
+| <a name="input_create_auth0_ssm_parameters_enabled"></a> [create\_auth0\_ssm\_parameters\_enabled](#input\_create\_auth0\_ssm\_parameters\_enabled) | Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account. | `bool` | `false` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |

@@ -25,6 +25,12 @@ variable "auth0_tenant_tenant_name" {
   default     = ""
 }
 
+locals {
+  auth0_tenant_environment_name = length(var.auth0_tenant_environment_name) > 0 ? var.auth0_tenant_environment_name : module.this.environment
+  auth0_tenant_stage_name       = length(var.auth0_tenant_stage_name) > 0 ? var.auth0_tenant_stage_name : module.this.stage
+  auth0_tenant_tenant_name      = length(var.auth0_tenant_tenant_name) > 0 ? var.auth0_tenant_tenant_name : module.this.tenant
+}
+
 module "auth0_tenant" {
   source  = "cloudposse/stack-config/yaml//modules/remote-state"
   version = "1.5.0"
@@ -33,9 +39,9 @@ module "auth0_tenant" {
 
   component = var.auth0_tenant_component_name
 
-  environment = length(var.auth0_tenant_environment_name) > 0 ? var.auth0_tenant_environment_name : module.this.environment
-  stage       = length(var.auth0_tenant_stage_name) > 0 ? var.auth0_tenant_stage_name : module.this.stage
-  tenant      = length(var.auth0_tenant_tenant_name) > 0 ? var.auth0_tenant_tenant_name : module.this.tenant
+  environment = local.auth0_tenant_environment_name
+  stage       = local.auth0_tenant_stage_name
+  tenant      = local.auth0_tenant_tenant_name
 }
 
 #
@@ -61,9 +67,9 @@ provider "aws" {
 module "iam_roles_auth0_provider" {
   source = "../../account-map/modules/iam-roles"
 
-  environment = length(var.auth0_tenant_environment_name) > 0 ? var.auth0_tenant_environment_name : module.this.environment
-  stage       = length(var.auth0_tenant_stage_name) > 0 ? var.auth0_tenant_stage_name : module.this.stage
-  tenant      = length(var.auth0_tenant_tenant_name) > 0 ? var.auth0_tenant_tenant_name : module.this.tenant
+  environment = local.auth0_tenant_environment_name
+  stage       = local.auth0_tenant_stage_name
+  tenant      = local.auth0_tenant_tenant_name
 
   context = module.this.context
 }
@@ -99,3 +105,45 @@ provider "auth0" {
   client_secret = data.aws_ssm_parameter.auth0_client_secret.value
   debug         = var.auth0_debug
 }
+
+#
+# Finally if enabled, create a duplicate of the AWS SSM parameters for Auth0 in this account.
+#
+variable "create_auth0_ssm_parameters_enabled" {
+  description = "Whether or not to create a duplicate of the AWS SSM parameter for the Auth0 domain, client ID, and client secret in this account."
+  type        = bool
+  default     = false
+}
+
+module "auth0_ssm_parameters" {
+  source  = "cloudposse/ssm-parameter-store/aws"
+  version = "0.13.0"
+
+  enabled = local.enabled && var.create_auth0_ssm_parameters_enabled
+
+  parameter_write = [
+    {
+      name        = module.auth0_tenant[0].outputs.domain_ssm_path
+      value       = data.aws_ssm_parameter.auth0_domain.value
+      type        = "SecureString"
+      overwrite   = "true"
+      description = "Auth0 domain value for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
+    },
+    {
+      name        = module.auth0_tenant[0].outputs.client_id_ssm_path
+      value       = data.aws_ssm_parameter.auth0_client_id.value
+      type        = "SecureString"
+      overwrite   = "true"
+      description = "Auth0 client ID for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
+    },
+    {
+      name        = module.auth0_tenant[0].outputs.client_secret_ssm_path
+      value       = data.aws_ssm_parameter.auth0_client_secret.value
+      type        = "SecureString"
+      overwrite   = "true"
+      description = "Auth0 client secret for the Auth0 ${local.auth0_tenant_tenant_name}-${local.auth0_tenant_environment_name}-${local.auth0_tenant_stage_name} tenant"
+    },
+  ]
+
+  context = module.this.context
+}
@@ -98,11 +98,13 @@ add the following parameters to the `plat-prod` account in `us-west-2`:
 |------|------|
 | [auth0_custom_domain.this](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/custom_domain) | resource |
 | [auth0_custom_domain_verification.this](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/custom_domain_verification) | resource |
+| [auth0_email_provider.this](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/email_provider) | resource |
 | [auth0_tenant.this](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/tenant) | resource |
 | [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_ssm_parameter.auth0_client_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.auth0_client_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.auth0_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.sendgrid_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
@@ -119,6 +121,8 @@ add the following parameters to the `plat-prod` account in `us-west-2`:
 | <a name="input_disable_clickjack_protection_headers"></a> [disable\_clickjack\_protection\_headers](#input\_disable\_clickjack\_protection\_headers) | Whether to disable clickjack protection headers. | `bool` | `true` | no |
 | <a name="input_disable_fields_map_fix"></a> [disable\_fields\_map\_fix](#input\_disable\_fields\_map\_fix) | Whether to disable fields map fix. | `bool` | `false` | no |
 | <a name="input_disable_management_api_sms_obfuscation"></a> [disable\_management\_api\_sms\_obfuscation](#input\_disable\_management\_api\_sms\_obfuscation) | Whether to disable management API SMS obfuscation. | `bool` | `false` | no |
+| <a name="input_email_provider_default_from_address"></a> [email\_provider\_default\_from\_address](#input\_email\_provider\_default\_from\_address) | The default from address for the email provider. | `string` | `""` | no |
+| <a name="input_email_provider_name"></a> [email\_provider\_name](#input\_email\_provider\_name) | The name of the email provider. If not defined, no email provider will be created. | `string` | `""` | no |
 | <a name="input_enable_public_signup_user_exists_error"></a> [enable\_public\_signup\_user\_exists\_error](#input\_enable\_public\_signup\_user\_exists\_error) | Whether to enable public signup user exists error. | `bool` | `true` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_enabled_locales"></a> [enabled\_locales](#input\_enabled\_locales) | The enabled locales. | `list(string)` | <pre>[<br>  "en"<br>]</pre> | no |
@@ -139,6 +143,7 @@ add the following parameters to the `plat-prod` account in `us-west-2`:
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS Region | `string` | n/a | yes |
 | <a name="input_sandbox_version"></a> [sandbox\_version](#input\_sandbox\_version) | The sandbox version. | `string` | `"18"` | no |
+| <a name="input_sendgrid_api_key_ssm_path"></a> [sendgrid\_api\_key\_ssm\_path](#input\_sendgrid\_api\_key\_ssm\_path) | The SSM path to the SendGrid API key. Only required if `email_provider_name` is `sendgrid`. | `string` | `""` | no |
 | <a name="input_session_cookie_mode"></a> [session\_cookie\_mode](#input\_session\_cookie\_mode) | The session cookie mode. | `string` | `"persistent"` | no |
 | <a name="input_session_lifetime"></a> [session\_lifetime](#input\_session\_lifetime) | The session lifetime in hours. | `number` | `168` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |

@@ -1,5 +1,6 @@
 locals {
-  enabled = module.this.enabled
+  enabled                = module.this.enabled
+  email_provider_enabled = length(var.email_provider_name) > 0 && local.enabled
 
   name        = length(module.this.name) > 0 ? module.this.name : "auth0"
   domain_name = format("%s.%s", local.name, module.dns_gbl_delegated.outputs.default_domain_name)
@@ -87,3 +88,24 @@ resource "auth0_custom_domain_verification" "this" {
     aws_route53_record.this,
   ]
 }
+
+data "aws_ssm_parameter" "sendgrid_api_key" {
+  count = local.email_provider_enabled ? 1 : 0
+
+  name = var.sendgrid_api_key_ssm_path
+}
+
+resource "auth0_email_provider" "this" {
+  count = local.email_provider_enabled ? 1 : 0
+
+  name                 = var.email_provider_name
+  enabled              = local.email_provider_enabled
+  default_from_address = var.email_provider_default_from_address
+
+  dynamic "credentials" {
+    for_each = var.email_provider_name == "sendgrid" ? ["1"] : []
+    content {
+      api_key = data.aws_ssm_parameter.sendgrid_api_key[0].value
+    }
+  }
+}
@@ -108,3 +108,21 @@ variable "oidc_logout_prompt_enabled" {
   description = "Whether the OIDC logout prompt is enabled."
   default     = false
 }
+
+variable "email_provider_name" {
+  type        = string
+  description = "The name of the email provider. If not defined, no email provider will be created."
+  default     = ""
+}
+
+variable "email_provider_default_from_address" {
+  type        = string
+  description = "The default from address for the email provider."
+  default     = ""
+}
+
+variable "sendgrid_api_key_ssm_path" {
+  type        = string
+  description = "The SSM path to the SendGrid API key. Only required if `email_provider_name` is `sendgrid`."
+  default     = ""
+}