Merge branch 'main' into v1

MIGRATION_GUIDE.md

@@ -1,5 +1,164 @@
 # Migration Guide
 
+## Upgrading from v0.49.0 → v0.50.0
+
+There are deprecations in this update. Please ensure you read this guide thoroughly and prepare your potential
+automated workflows before upgrading.
+
+### Deprecations
+
+- [Global Client](#global-client)
+- [Tenant Pages](#tenant-pages)
+- [Tenant Universal Login](#tenant-universal-login)
+
+#### Global Client
+
+The `auth0_global_client` resource and data source were introduced primarily to allow managing the `custom_login_page`
+and `custom_login_page_on` attributes in order to manage the custom login page of a tenant. These are now deprecated in
+favor of the `auth0_pages` resource.
+
+To ensure a smooth transition when we eventually remove the capability to manage the custom 
+login page through the `auth0_global_client`, we recommend proactively migrating to the `auth0_pages` resource. 
+This will help you stay prepared for future changes.
+
+<table>
+<tr>
+<th>Before (v0.49.0)</th>
+<th>After (v0.50.0)</th>
+</tr>
+<tr>
+<td>
+
+```terraform
+resource "auth0_global_client" "global" {
+  custom_login_page_on = true
+  custom_login_page    = "<html>My Custom Login Page</html>"
+}
+```
+
+</td>
+<td>
+
+```terraform
+resource "auth0_pages" "my_pages" {
+  login {
+    enabled = true
+    html    = "<html><body>My Custom Login Page</body></html>"
+  }
+}
+```
+
+</td>
+</tr>
+</table>
+
+#### Tenant Pages
+
+The `change_password`, `guardian_mfa_page` and `error_page` attributes on the `auth0_tenant` have been deprecated in
+favor of managing them with the `auth0_pages` resource. 
+
+To ensure a smooth transition when we eventually remove the capability to manage these custom Auth0 pages through the
+`auth0_tenant` resource, we recommend proactively migrating to the `auth0_pages` resource. This will help you stay
+prepared for future changes.
+
+<table>
+<tr>
+<th>Before (v0.49.0)</th>
+<th>After (v0.50.0)</th>
+</tr>
+<tr>
+<td>
+
+```terraform
+resource "auth0_tenant" "my_tenant" {
+  change_password {
+    enabled = true
+    html    = "<html>My Custom Reset Password Page</html>"
+  }
+
+  guardian_mfa_page {
+    enabled = true
+    html    = "<html>My Custom MFA Page</html>"
+  }
+
+  error_page {
+    html          = "<html>My Custom Error Page</html>"
+    show_log_link = true
+    url           = "https://example.com/errors"
+  }
+}
+```
+
+</td>
+<td>
+
+```terraform
+resource "auth0_pages" "my_pages" {
+  change_password {
+    enabled = true
+    html    = "<html><body>My Custom Reset Password Page</body></html>"
+  }
+
+  guardian_mfa {
+    enabled = true
+    html    = "<html><body>My Custom MFA Page</body></html>"
+  }
+
+  error {
+    show_log_link = true
+    html          = "<html><body>My Custom Error Page</body></html>"
+    url           = "https://example.com"
+  }
+}
+```
+
+</td>
+</tr>
+</table>
+
+#### Tenant Universal Login
+
+The `universal_login` settings on the `auth0_tenant` have been deprecated in favor of managing them through the `auth0_branding` resource.
+
+To ensure a smooth transition when we eventually remove the capability to manage these settings through the
+`auth0_tenant` resource, we recommend proactively migrating to the `auth0_branding` resource. This will help you stay
+prepared for future changes.
+
+<table>
+<tr>
+<th>Before (v0.49.0)</th>
+<th>After (v0.50.0)</th>
+</tr>
+<tr>
+<td>
+
+```terraform
+resource "auth0_tenant" "my_tenant" {
+  universal_login {
+    colors {
+      primary         = "#0059d6"
+      page_background = "#000000"
+    }
+  }
+}
+```
+
+</td>
+<td>
+
+```terraform
+resource "auth0_branding" "my_branding" {
+  colors {
+    primary         = "#0059d6"
+    page_background = "#000000"
+  } 
+}
+```
+
+</td>
+</tr>
+</table>
+
 ## Upgrading from v0.48.0 → v0.49.0
 
 There are deprecations in this update. Please ensure you read this guide thoroughly and prepare your potential

docs/data-sources/client.md

@@ -40,7 +40,7 @@ data "auth0_client" "some-client-by-id" {
 - `callbacks` (List of String) URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use protocol https://.
 - `client_aliases` (List of String) List of audiences/realms for SAML protocol. Used by the wsfed addon.
 - `client_metadata` (Map of String) Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: `:,-+=_*?"/\()<>@ [Tab] [Space]`.
-- `client_secret` (String) Secret for the client. Keep this private. To access this attribute you need to add the `read:client_keys` scope to the Terraform client. Otherwise, the attribute will contain an empty string. Use this attribute on the `auth0_client_credentials` resource instead, to allow managing it directly.
+- `client_secret` (String) Secret for the client. Keep this private. To access this attribute you need to add the `read:client_keys` scope to the Terraform client. Otherwise, the attribute will contain an empty string.
 - `cross_origin_auth` (Boolean) Whether this client can be used to make cross-origin authentication requests (`true`) or it is not allowed to make such requests (`false`). Requires the `coa_toggle_enabled` feature flag to be enabled on the tenant by the support team.
 - `cross_origin_loc` (String) URL of the location in your site where the cross-origin verification takes place for the cross-origin auth flow when performing authentication in your own domain instead of Auth0 Universal Login page.
 - `custom_login_page` (String) The content (HTML, CSS, JS) of the custom login page.
@@ -52,20 +52,20 @@ data "auth0_client" "some-client-by-id" {
 - `id` (String) The ID of this resource.
 - `initiate_login_uri` (String) Initiate login URI. Must be HTTPS or an empty string.
 - `is_first_party` (Boolean) Indicates whether this client is a first-party client.
-- `is_token_endpoint_ip_header_trusted` (Boolean) Indicates whether the token endpoint IP header is trusted.
+- `is_token_endpoint_ip_header_trusted` (Boolean) Indicates whether the token endpoint IP header is trusted. This attribute can only be updated after the client gets created.
 - `jwt_configuration` (List of Object) Configuration settings for the JWTs issued for this client. (see [below for nested schema](#nestedatt--jwt_configuration))
 - `logo_uri` (String) URL of the logo for the client. Recommended size is 150px x 150px. If none is set, the default badge for the application type will be shown.
 - `mobile` (List of Object) Additional configuration for native mobile apps. (see [below for nested schema](#nestedatt--mobile))
 - `native_social_login` (List of Object) Configuration settings to toggle native social login for mobile native applications. Once this is set it must stay set, with both resources set to `false` in order to change the `app_type`. (see [below for nested schema](#nestedatt--native_social_login))
 - `oidc_backchannel_logout_urls` (Set of String) Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.
 - `oidc_conformant` (Boolean) Indicates whether this client will conform to strict OIDC specifications.
-- `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default) or `pre_login_prompt`.
+- `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default), `pre_login_prompt` or  `post_login_prompt`.
 - `organization_usage` (String) Defines how to proceed during an authentication transaction with regards to an organization. Can be `deny` (default), `allow` or `require`.
 - `refresh_token` (List of Object) Configuration settings for the refresh tokens issued for this client. (see [below for nested schema](#nestedatt--refresh_token))
 - `signing_keys` (List of Map of String) List containing a map of the public cert of the signing key and the public cert of the signing key in PKCS7.
 - `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
 - `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.
-- `token_endpoint_auth_method` (String) Defines the requested authentication method for the token endpoint. Options include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic).
+- `token_endpoint_auth_method` (String) Defines the requested authentication method for the token endpoint. Options include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic). Managing the authentication method through this attribute is deprecated and it will be removed in a future major version. Migrate to the `auth0_client_credentials` resource to manage a client's authentication method instead. Check the [MIGRATION GUIDE](https://github.com/auth0/terraform-provider-auth0/blob/main/MIGRATION_GUIDE.md#client-authentication-method) on how to do that.
 - `web_origins` (List of String) URLs that represent valid web origins for use with web message response mode.
 
 <a id="nestedatt--addons"></a>

docs/data-sources/connection.md

@@ -36,7 +36,7 @@ data "auth0_connection" "some-connection-by-id" {
 - `enabled_clients` (Set of String) IDs of the clients for which the connection is enabled.
 - `id` (String) The ID of this resource.
 - `is_domain_connection` (Boolean) Indicates whether the connection is domain level.
-- `metadata` (Map of String) Metadata associated with the connection, in the form of a map of string values (max 255 chars). Maximum of 10 metadata properties allowed.
+- `metadata` (Map of String) Metadata associated with the connection, in the form of a map of string values (max 255 chars).
 - `options` (List of Object) Configuration settings for connection options. (see [below for nested schema](#nestedatt--options))
 - `realms` (List of String) Defines the realms for which the connection will be used (e.g., email domains). If not specified, the connection name is added as the realm.
 - `show_as_button` (Boolean) Display connection as a button. Only available on enterprise connections.

docs/data-sources/global_client.md

@@ -2,11 +2,14 @@
 page_title: "Data Source: auth0_global_client"
 description: |-
   Retrieve a tenant's global Auth0 application client.
+  !> This resource has been deprecated in favor of the auth0_pages resource and it will be removed in a future version.Check the MIGRATION_GUIDE https://github.com/auth0/terraform-provider-auth0/blob/main/MIGRATION_GUIDE.md#global-client for more info.
 ---
 
 # Data Source: auth0_global_client
 
-Retrieve a tenant's global Auth0 application client.
+Retrieve a tenant's global Auth0 application client. 
+
+!> This resource has been deprecated in favor of the `auth0_pages` resource and it will be removed in a future version.Check the [MIGRATION_GUIDE](https://github.com/auth0/terraform-provider-auth0/blob/main/MIGRATION_GUIDE.md#global-client) for more info.
 
 ## Example Usage
 
@@ -28,7 +31,7 @@ data "auth0_global_client" "global" {}
 - `client_aliases` (List of String) List of audiences/realms for SAML protocol. Used by the wsfed addon.
 - `client_id` (String) The ID of the client.
 - `client_metadata` (Map of String) Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: `:,-+=_*?"/\()<>@ [Tab] [Space]`.
-- `client_secret` (String) Secret for the client. Keep this private. To access this attribute you need to add the `read:client_keys` scope to the Terraform client. Otherwise, the attribute will contain an empty string. Use this attribute on the `auth0_client_credentials` resource instead, to allow managing it directly.
+- `client_secret` (String) Secret for the client. Keep this private. To access this attribute you need to add the `read:client_keys` scope to the Terraform client. Otherwise, the attribute will contain an empty string. Use this attribute on the `auth0_client_credentials` resource instead, to allow managing it directly or use the `auth0_client` data source to read this property.
 - `cross_origin_auth` (Boolean) Whether this client can be used to make cross-origin authentication requests (`true`) or it is not allowed to make such requests (`false`). Requires the `coa_toggle_enabled` feature flag to be enabled on the tenant by the support team.
 - `cross_origin_loc` (String) URL of the location in your site where the cross-origin verification takes place for the cross-origin auth flow when performing authentication in your own domain instead of Auth0 Universal Login page.
 - `custom_login_page` (String) The content (HTML, CSS, JS) of the custom login page.
@@ -40,21 +43,21 @@ data "auth0_global_client" "global" {}
 - `id` (String) The ID of this resource.
 - `initiate_login_uri` (String) Initiate login URI. Must be HTTPS or an empty string.
 - `is_first_party` (Boolean) Indicates whether this client is a first-party client.
-- `is_token_endpoint_ip_header_trusted` (Boolean) Indicates whether the token endpoint IP header is trusted.
+- `is_token_endpoint_ip_header_trusted` (Boolean) Indicates whether the token endpoint IP header is trusted. This attribute can only be updated after the client gets created.
 - `jwt_configuration` (List of Object) Configuration settings for the JWTs issued for this client. (see [below for nested schema](#nestedatt--jwt_configuration))
 - `logo_uri` (String) URL of the logo for the client. Recommended size is 150px x 150px. If none is set, the default badge for the application type will be shown.
 - `mobile` (List of Object) Additional configuration for native mobile apps. (see [below for nested schema](#nestedatt--mobile))
 - `name` (String) Name of the client.
 - `native_social_login` (List of Object) Configuration settings to toggle native social login for mobile native applications. Once this is set it must stay set, with both resources set to `false` in order to change the `app_type`. (see [below for nested schema](#nestedatt--native_social_login))
 - `oidc_backchannel_logout_urls` (Set of String) Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.
 - `oidc_conformant` (Boolean) Indicates whether this client will conform to strict OIDC specifications.
-- `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default) or `pre_login_prompt`.
+- `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default), `pre_login_prompt` or  `post_login_prompt`.
 - `organization_usage` (String) Defines how to proceed during an authentication transaction with regards to an organization. Can be `deny` (default), `allow` or `require`.
 - `refresh_token` (List of Object) Configuration settings for the refresh tokens issued for this client. (see [below for nested schema](#nestedatt--refresh_token))
 - `signing_keys` (List of Map of String) List containing a map of the public cert of the signing key and the public cert of the signing key in PKCS7.
 - `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
 - `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.
-- `token_endpoint_auth_method` (String) Defines the requested authentication method for the token endpoint. Options include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic).
+- `token_endpoint_auth_method` (String) Defines the requested authentication method for the token endpoint. Options include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic). Managing the authentication method through this attribute is deprecated and it will be removed in a future major version. Migrate to the `auth0_client_credentials` resource to manage a client's authentication method instead. Check the [MIGRATION GUIDE](https://github.com/auth0/terraform-provider-auth0/blob/main/MIGRATION_GUIDE.md#client-authentication-method) on how to do that.
 - `web_origins` (List of String) URLs that represent valid web origins for use with web message response mode.
 
 <a id="nestedatt--addons"></a>

docs/data-sources/role.md

@@ -34,7 +34,7 @@ data "auth0_role" "some-role-by-id" {
 
 - `description` (String) Description of the role.
 - `id` (String) The ID of this resource.
-- `permissions` (Set of Object) Configuration settings for permissions (scopes) attached to the role. (see [below for nested schema](#nestedatt--permissions))
+- `permissions` (Set of Object) Configuration settings for permissions (scopes) attached to the role. Managing permissions through the `permissions` attribute is deprecated and it will be removed in a future major version. Migrate to the `auth0_role_permission` or `auth0_role_permissions` resource to manage role permissions instead. Check the [MIGRATION GUIDE](https://github.com/auth0/terraform-provider-auth0/blob/main/MIGRATION_GUIDE.md#role-permissions) for more info. (see [below for nested schema](#nestedatt--permissions))
 
 <a id="nestedatt--permissions"></a>
 ### Nested Schema for `permissions`