Merge branch 'main' into DXCDT-776/Token_exchange

.github/workflows/main.yml

@@ -44,6 +44,9 @@ jobs:
           go-version-file: go.mod
           check-latest: true
 
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
       - name: Run tests
         run: make test-acc
 

docs/data-sources/connection.md

@@ -167,6 +167,7 @@ Read-Only:
 - `identifier` (List of Object) (see [below for nested schema](#nestedobjatt--options--attributes--email--identifier))
 - `profile_required` (Boolean)
 - `signup` (List of Object) (see [below for nested schema](#nestedobjatt--options--attributes--email--signup))
+- `verification_method` (String)
 
 <a id="nestedobjatt--options--attributes--email--identifier"></a>
 ### Nested Schema for `options.attributes.email.identifier`

docs/resources/action.md

@@ -68,7 +68,7 @@ resource "auth0_action" "my_action" {
 - `dependencies` (Block Set) List of third party npm modules, and their versions, that this action depends on. (see [below for nested schema](#nestedblock--dependencies))
 - `deploy` (Boolean) Deploying an action will create a new immutable version of the action. If the action is currently bound to a trigger, then the system will begin executing the newly deployed version of the action immediately.
 - `runtime` (String) The Node runtime. Defaults to `node18`. Possible values are: `node16` (not recommended), or `node18` (recommended).
-- `secrets` (Block List) List of secrets that are included in an action or a version of an action. Partial management of secrets is not supported. (see [below for nested schema](#nestedblock--secrets))
+- `secrets` (Block Set) List of secrets that are included in an action or a version of an action. Partial management of secrets is not supported. (see [below for nested schema](#nestedblock--secrets))
 
 ### Read-Only
 

docs/resources/connection.md

@@ -729,7 +729,7 @@ Optional:
 - `requires_username` (Boolean) Indicates whether the user is required to provide a username in addition to an email address.
 - `scopes` (Set of String) Permissions to grant to the connection. Within the Auth0 dashboard these appear under the "Attributes" and "Extended Attributes" sections. Some examples: `basic_profile`, `ext_profile`, `ext_nested_groups`, etc.
 - `scripts` (Map of String) A map of scripts used for an OAuth connection. Only accepts a `fetchUserProfile` script.
-- `set_user_root_attributes` (String) Determines whether to sync user profile attributes (`name`, `given_name`, `family_name`, `nickname`, `picture`) at each login or only on the first login. Options include: `on_each_login`, `on_first_login`. Default value: `on_each_login`.
+- `set_user_root_attributes` (String) Determines whether to sync user profile attributes (`name`, `given_name`, `family_name`, `nickname`, `picture`) at each login or only on the first login. Options include: `on_each_login`, `on_first_login`, `never_on_login`. Default value: `on_each_login`.
 - `should_trust_email_verified_connection` (String) Choose how Auth0 sets the email_verified field in the user profile.
 - `sign_in_endpoint` (String) SAML single login URL for the connection.
 - `sign_out_endpoint` (String) SAML single logout URL for the connection.
@@ -788,6 +788,7 @@ Optional:
 - `identifier` (Block List) Connection Options Email Attribute Identifier (see [below for nested schema](#nestedblock--options--attributes--email--identifier))
 - `profile_required` (Boolean) Defines whether Profile is required
 - `signup` (Block List) Defines signup settings for Email attribute (see [below for nested schema](#nestedblock--options--attributes--email--signup))
+- `verification_method` (String) Defines whether whether user will receive a link or an OTP during user signup for email verification and password reset for email verification
 
 <a id="nestedblock--options--attributes--email--identifier"></a>
 ### Nested Schema for `options.attributes.email.identifier`

docs/resources/email_template.md

@@ -47,7 +47,7 @@ resource "auth0_email_template" "my_email_template" {
 - `from` (String) Email address to use as the sender. You can include [common variables](https://auth0.com/docs/customize/email/email-templates#common-variables).
 - `subject` (String) Subject line of the email. You can include [common variables](https://auth0.com/docs/customize/email/email-templates#common-variables).
 - `syntax` (String) Syntax of the template body. You can use either text or HTML with Liquid syntax.
-- `template` (String) Template name. Options include `verify_email`, `verify_email_by_code`, `reset_email`, `welcome_email`, `blocked_account`, `stolen_credentials`, `enrollment_email`, `mfa_oob_code`, `user_invitation`, `change_password` (legacy), or `password_reset` (legacy).
+- `template` (String) Template name. Options include `verify_email`, `verify_email_by_code`, `reset_email`, `reset_email_by_code`, `welcome_email`, `blocked_account`, `stolen_credentials`, `enrollment_email`, `mfa_oob_code`, `user_invitation`, `change_password` (legacy), or `password_reset` (legacy).
 
 ### Optional
 

go.sum

@@ -229,8 +229,6 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
 golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20240525044651-4c93da0ed11d h1:N0hmiNbwsSNwHBAvR3QB5w25pUwH4tK0Y/RltD1j1h4=
 golang.org/x/exp v0.0.0-20240525044651-4c93da0ed11d/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -244,15 +242,11 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
 golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
-golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
-golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
 golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -269,8 +263,6 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -283,8 +275,6 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

internal/auth0/action/expand.go

@@ -113,12 +113,22 @@ func preventErasingUnmanagedSecrets(ctx context.Context, data *schema.ResourceDa
 		return diag.FromErr(internalError.HandleAPIError(data, err))
 	}
 
-	// We need to also include the secrets that we're about to remove
-	// against the checks, not just the ones with which we are left.
+	// Extract changes to secrets from the resource data.
 	oldSecrets, newSecrets := data.GetChange("secrets")
-	allSecrets := append(oldSecrets.([]interface{}), newSecrets.([]interface{})...)
 
-	return checkForUnmanagedActionSecrets(allSecrets, preUpdateAction.GetSecrets())
+	// Stores the old and secrets from *schema.Set to slices of interface{}.
+	var secretsList []interface{}
+
+	if oldSecrets != nil {
+		secretsList = append(secretsList, oldSecrets.(*schema.Set).List()...)
+	}
+
+	if newSecrets != nil {
+		secretsList = append(secretsList, newSecrets.(*schema.Set).List()...)
+	}
+
+	// Pass allSecrets to check for unmanaged action secrets.
+	return checkForUnmanagedActionSecrets(secretsList, preUpdateAction.GetSecrets())
 }
 
 func checkForUnmanagedActionSecrets(
@@ -127,7 +137,30 @@ func checkForUnmanagedActionSecrets(
 ) diag.Diagnostics {
 	secretKeysInConfigMap := make(map[string]bool, len(secretsFromConfig))
 	for _, secret := range secretsFromConfig {
-		secretKeyName := secret.(map[string]interface{})["name"].(string)
+		// Check if the element can be asserted as a map.
+		secretMap, ok := secret.(map[string]interface{})
+		if !ok {
+			return diag.Diagnostics{
+				diag.Diagnostic{
+					Severity: diag.Error,
+					Summary:  "Invalid Configuration Format",
+					Detail:   "Secrets configuration contains improperly formatted elements. Each secret must be a map with 'name' and 'value'.",
+				},
+			}
+		}
+
+		// Safely extract the "name" field from the secret map.
+		secretKeyName, nameOk := secretMap["name"].(string)
+		if !nameOk || secretKeyName == "" {
+			return diag.Diagnostics{
+				diag.Diagnostic{
+					Severity: diag.Error,
+					Summary:  "Invalid Secret Name",
+					Detail:   "Each secret in the configuration must have a valid 'name' as a string.",
+				},
+			}
+		}
+
 		secretKeysInConfigMap[secretKeyName] = true
 	}
 

internal/auth0/action/resource.go

@@ -93,7 +93,7 @@ func NewResource() *schema.Resource {
 				Description: "The Node runtime. Defaults to `node18`. Possible values are: `node16` (not recommended), or `node18` (recommended).",
 			},
 			"secrets": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "List of secrets that are included in an action or a version of an action. Partial management of secrets is not supported.",
 				Elem: &schema.Resource{

internal/auth0/action/resource_test.go

@@ -182,10 +182,10 @@ func TestAccAction(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_action.my_action", "dependencies.1.name", "moment"),
 					resource.TestCheckResourceAttr("auth0_action.my_action", "dependencies.1.version", "2.29.4"),
 					resource.TestCheckResourceAttr("auth0_action.my_action", "secrets.#", "2"),
-					resource.TestCheckResourceAttr("auth0_action.my_action", "secrets.0.name", "foo"),
-					resource.TestCheckResourceAttr("auth0_action.my_action", "secrets.0.value", "123456"),
-					resource.TestCheckResourceAttr("auth0_action.my_action", "secrets.1.name", "bar"),
-					resource.TestCheckResourceAttr("auth0_action.my_action", "secrets.1.value", "654321"),
+					resource.TestCheckResourceAttr("auth0_action.my_action", "secrets.0.name", "bar"),
+					resource.TestCheckResourceAttr("auth0_action.my_action", "secrets.0.value", "654321"),
+					resource.TestCheckResourceAttr("auth0_action.my_action", "secrets.1.name", "foo"),
+					resource.TestCheckResourceAttr("auth0_action.my_action", "secrets.1.value", "123456"),
 				),
 			},
 			{

internal/auth0/client/resource.go

@@ -1330,6 +1330,7 @@ func NewResource() *schema.Resource {
 			"oidc_logout": {
 				Type:        schema.TypeList,
 				Optional:    true,
+				Computed:    true,
 				MaxItems:    1,
 				Description: "Configure OIDC logout for the Client",
 				Elem: &schema.Resource{
@@ -1385,6 +1386,8 @@ func createClient(ctx context.Context, data *schema.ResourceData, meta interface
 		return diag.FromErr(err)
 	}
 
+	time.Sleep(800 * time.Millisecond)
+
 	data.SetId(client.GetClientID())
 	return readClient(ctx, data, meta)
 }

internal/auth0/client/resource_test.go

@@ -2497,7 +2497,7 @@ func TestAccClientOIDCLogout(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_client.my_client", "name", fmt.Sprintf("Acceptance Test - OIDC Logout - %s", t.Name())),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "app_type", "spa"),
-					resource.TestCheckResourceAttr("auth0_client.my_client", "oidc_logout.#", "0"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "oidc_logout.#", "1"),
 				),
 			},
 		},

internal/auth0/connection/expand.go

@@ -199,9 +199,10 @@ func expandConnectionOptionsEmailAttribute(config cty.Value) *management.Connect
 	config.GetAttr("email").ForEachElement(
 		func(_ cty.Value, email cty.Value) (stop bool) {
 			coea = &management.ConnectionOptionsEmailAttribute{
-				Identifier:      expandConnectionOptionsAttributeIdentifier(email),
-				ProfileRequired: value.Bool(email.GetAttr("profile_required")),
-				Signup:          expandConnectionOptionsAttributeSignup(email),
+				Identifier:         expandConnectionOptionsAttributeIdentifier(email),
+				ProfileRequired:    value.Bool(email.GetAttr("profile_required")),
+				VerificationMethod: (*management.ConnectionOptionsEmailAttributeVerificationMethod)(value.String(email.GetAttr("verification_method"))),
+				Signup:             expandConnectionOptionsAttributeSignup(email),
 			}
 			return stop
 		})

internal/auth0/connection/flatten.go

@@ -189,9 +189,10 @@ func flattenEmailAttribute(emailAttribute *management.ConnectionOptionsEmailAttr
 
 	return []map[string]interface{}{
 		{
-			"identifier":       flattenIdentifier(emailAttribute.GetIdentifier()),
-			"profile_required": emailAttribute.GetProfileRequired(),
-			"signup":           flattenSignUp(emailAttribute.GetSignup()),
+			"identifier":          flattenIdentifier(emailAttribute.GetIdentifier()),
+			"profile_required":    emailAttribute.GetProfileRequired(),
+			"signup":              flattenSignUp(emailAttribute.GetSignup()),
+			"verification_method": emailAttribute.GetVerificationMethod(),
 		},
 	}
 }

internal/auth0/connection/resource_test.go

@@ -237,6 +237,7 @@ func TestAccConnectionOptionsAttrEmail(t *testing.T) {
 					active = true
 				}
 				profile_required = true
+				verification_method = "otp"
 				signup {
 					status = "required"
 					verification {
@@ -256,6 +257,7 @@ func TestAccConnectionOptionsAttrEmail(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.attributes.#", "1"),
 					resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.attributes.0.email.0.identifier.0.active", "true"),
 					resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.attributes.0.email.0.profile_required", "true"),
+					resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.attributes.0.email.0.verification_method", "otp"),
 					resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.attributes.0.email.0.signup.0.status", "required"),
 					resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.attributes.0.email.0.signup.0.verification.0.active", "false"),
 				),

internal/auth0/connection/schema.go

@@ -520,10 +520,10 @@ var optionsSchema = &schema.Schema{
 				Type:         schema.TypeString,
 				Optional:     true,
 				Computed:     true,
-				ValidateFunc: validation.StringInSlice([]string{"on_each_login", "on_first_login"}, false),
+				ValidateFunc: validation.StringInSlice([]string{"on_each_login", "on_first_login", "never_on_login"}, false),
 				Description: "Determines whether to sync user profile attributes (`name`, `given_name`, " +
 					"`family_name`, `nickname`, `picture`) at each login or only on the first login. Options " +
-					"include: `on_each_login`, `on_first_login`. Default value: `on_each_login`.",
+					"include: `on_each_login`, `on_first_login`, `never_on_login`. Default value: `on_each_login`.",
 			},
 			"non_persistent_attrs": {
 				Type:     schema.TypeSet,
@@ -911,6 +911,12 @@ var optionsSchema = &schema.Schema{
 										Computed:    false,
 										Description: "Defines whether Profile is required",
 									},
+									"verification_method": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Computed:    true,
+										Description: "Defines whether whether user will receive a link or an OTP during user signup for email verification and password reset for email verification",
+									},
 									"signup": {
 										Type:        schema.TypeList,
 										Optional:    true,

internal/auth0/email/resource_template.go

@@ -36,6 +36,7 @@ func NewTemplateResource() *schema.Resource {
 					"verify_email",
 					"verify_email_by_code",
 					"reset_email",
+					"reset_email_by_code",
 					"welcome_email",
 					"blocked_account",
 					"stolen_credentials",
@@ -45,7 +46,7 @@ func NewTemplateResource() *schema.Resource {
 					"mfa_oob_code",
 					"user_invitation",
 				}, true),
-				Description: "Template name. Options include `verify_email`, `verify_email_by_code`, `reset_email`, " +
+				Description: "Template name. Options include `verify_email`, `verify_email_by_code`, `reset_email`, `reset_email_by_code`, " +
 					"`welcome_email`, `blocked_account`, `stolen_credentials`, `enrollment_email`, `mfa_oob_code`, " +
 					"`user_invitation`, `change_password` (legacy), or `password_reset` (legacy).",
 			},