Multi-Factor Authentication (MFA) works by requiring additional factors during the login process to prevent unauthorized access. With this resource you can configure the tenant-wide MFA policy and the factors (Guardian) that users may enroll.
## Example Usage

```terraform
resource "auth0_guardian" "my_guardian" {
  policy        = "all-applications"
  email         = true
  otp           = true
  recovery_code = true

  webauthn_platform {
    enabled = true
  }

  webauthn_roaming {
    enabled           = true
    user_verification = "required"
  }

  phone {
    enabled       = true
    provider      = "auth0"
    message_types = ["sms", "voice"]
    options {
      enrollment_message   = "{{code}} is your verification code for {{tenant.friendly_name}}. Please enter this code to verify your enrollment."
      verification_message = "{{code}} is your verification code for {{tenant.friendly_name}}."
    }
  }

  push {
    enabled  = true
    provider = "sns"
    amazon_sns {
      # Placeholder credentials from the docs; in a real configuration feed
      # these from variables or a secret store instead of committing them.
      aws_access_key_id                 = "test1"
      aws_region                        = "us-west-1"
      aws_secret_access_key             = "secretKey"
      sns_apns_platform_application_arn = "test_arn"
      sns_gcm_platform_application_arn  = "test_arn"
    }
    custom_app {
      app_name        = "CustomApp"
      apple_app_link  = "https://itunes.apple.com/us/app/my-app/id123121"
      google_app_link = "https://play.google.com/store/apps/details?id=com.my.app"
    }
  }

  duo {
    enabled         = true
    integration_key = "someKey"    # placeholder
    secret_key      = "someSecret" # placeholder
    hostname        = "api-hostname"
  }
}
```
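The example above keeps the Duo and AWS secrets as literals in the configuration, enables email OTP, and enables SMS and voice delivery. As an added example that is not part of the provider documentation, the following configures the same resource with credentials supplied through sensitive input variables, a validated policy variable so that `never` cannot be applied by accident, and only factors that do not depend on the phone network or the mailbox. The variable names `duo_hostname`, `duo_integration_key`, `duo_secret_key` and `mfa_policy` are assumptions of this example.

```terraform
# Added example, not the provider's own configuration. Duo credentials are
# read from sensitive variables (set via TF_VAR_* or a secrets-manager data
# source) rather than written as literals in the .tf file.
variable "duo_hostname" {
  type = string
}

variable "duo_integration_key" {
  type      = string
  sensitive = true
}

variable "duo_secret_key" {
  type      = string
  sensitive = true
}

# Guard the policy so that "never" (which turns MFA enforcement off for the
# tenant) cannot slip through a variable override or a copy-paste mistake.
variable "mfa_policy" {
  type    = string
  default = "all-applications"

  validation {
    condition     = contains(["all-applications", "confidence-score"], var.mfa_policy)
    error_message = "mfa_policy must be \"all-applications\" or \"confidence-score\"; \"never\" disables MFA."
  }
}

resource "auth0_guardian" "hardened" {
  policy = var.mfa_policy

  # Factors that do not rely on SMS, voice, or email delivery: TOTP apps,
  # platform authenticators, roaming security keys, and recovery codes for
  # the lost-device case.
  otp           = true
  recovery_code = true
  email         = false

  webauthn_platform {
    enabled = true
  }

  webauthn_roaming {
    enabled           = true
    user_verification = "required" # authenticator must verify the user (PIN/biometric), not just be present
  }

  # No phone {} block: SMS and voice OTP remain disabled (SIM-swap exposure).
  # No push {} block: push MFA remains disabled until a provider is configured.

  duo {
    enabled         = true
    hostname        = var.duo_hostname
    integration_key = var.duo_integration_key
    secret_key      = var.duo_secret_key
  }
}
```

`sensitive = true` redacts the values from plan and apply output, but Terraform still writes them to the state file in clear text, so the state backend must be encrypted and access-controlled; the variables themselves are best supplied at run time (`TF_VAR_duo_secret_key`, `-var-file` kept out of version control) rather than via a committed `.tfvars`.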
## Schema

### Required

- `policy` (String) Policy to use. Available options are `never`, `all-applications` and `confidence-score`. `never` turns MFA enforcement off for the tenant, `all-applications` requires a second factor on every login, and `confidence-score` (Adaptive MFA) prompts only when Auth0's risk assessment flags the login.

### Optional

- `duo` (Block List, Max: 1) Configuration settings for the Duo MFA. If this block is present, Duo MFA will be enabled, and disabled otherwise. (see below for nested schema)
- `email` (Boolean) Indicates whether email MFA is enabled.
- `otp` (Boolean) Indicates whether one time password MFA is enabled.
- `phone` (Block List, Max: 1) Configuration settings for the phone MFA. If this block is present, Phone MFA will be enabled, and disabled otherwise. (see below for nested schema)
- `push` (Block List, Max: 1) Configuration settings for the Push MFA. If this block is present, Push MFA will be enabled, and disabled otherwise. (see below for nested schema)
- `recovery_code` (Boolean) Indicates whether recovery code MFA is enabled.
- `webauthn_platform` (Block List, Max: 1) Configuration settings for the WebAuthn with FIDO Device Biometrics MFA. If this block is present, WebAuthn with FIDO Device Biometrics MFA will be enabled, and disabled otherwise. (see below for nested schema)
- `webauthn_roaming` (Block List, Max: 1) Configuration settings for the WebAuthn with FIDO Security Keys MFA. If this block is present, WebAuthn with FIDO Security Keys MFA will be enabled, and disabled otherwise. (see below for nested schema)

### Read-Only

- `id` (String) The ID of this resource.

### Nested Schema for `duo`

Required:

- `enabled` (Boolean) Indicates whether Duo MFA is enabled.

Optional:

- `hostname` (String) Duo API Hostname, see the Duo documentation for more details on Duo setup.
- `integration_key` (String) Duo client ID, see the Duo documentation for more details on Duo setup.
- `secret_key` (String, Sensitive) Duo client secret, see the Duo documentation for more details on Duo setup.

### Nested Schema for `phone`

Required:

- `enabled` (Boolean) Indicates whether Phone MFA is enabled.

Optional:

- `message_types` (List of String) Message types to use, array of `sms` and/or `voice`. Adding both to the array should enable the user to choose.
- `options` (Block List, Max: 1) Options for the various providers. (see below for nested schema)
- `provider` (String) Provider to use, one of `auth0`, `twilio` or `phone-message-hook`. Selecting `phone-message-hook` will require a Phone Message Action to be created before.

### Nested Schema for `phone.options`

Optional:

- `auth_token` (String, Sensitive) AuthToken for your Twilio account.
- `enrollment_message` (String) This message will be sent whenever a user enrolls a new device for the first time using MFA. Supports Liquid syntax, see Auth0 docs.
- `from` (String) Phone number to use as the sender.
- `messaging_service_sid` (String) Messaging service SID.
- `sid` (String) SID for your Twilio account.
- `verification_message` (String) This message will be sent whenever a user logs in after the enrollment. Supports Liquid syntax, see Auth0 docs.

### Nested Schema for `push`

Required:

- `enabled` (Boolean) Indicates whether Push MFA is enabled.

Optional:

- `amazon_sns` (Block List, Max: 1) Configuration for Amazon SNS. (see below for nested schema)
- `custom_app` (Block List, Max: 1) Configuration for the Guardian Custom App. (see below for nested schema)
- `direct_apns` (Block List, Max: 1) Configuration for the Apple Push Notification service (APNs) settings. (see below for nested schema)
- `direct_fcm` (Block List, Max: 1) Configuration for Firebase Cloud Messaging (FCM) settings. (see below for nested schema)
- `provider` (String) Provider to use, one of `direct`, `guardian`, `sns`.

### Nested Schema for `push.amazon_sns`

Required:

- `aws_access_key_id` (String) Your AWS Access Key ID.
- `aws_region` (String) Your AWS application's region.
- `aws_secret_access_key` (String, Sensitive) Your AWS Secret Access Key.
- `sns_apns_platform_application_arn` (String) The Amazon Resource Name for your Apple Push Notification Service.
- `sns_gcm_platform_application_arn` (String) The Amazon Resource Name for your Firebase Cloud Messaging Service.

### Nested Schema for `push.custom_app`

Optional:

- `app_name` (String) Custom Application Name.
- `apple_app_link` (String) Apple App Store URL. Must be HTTPS or an empty string.
- `google_app_link` (String) Google Store URL. Must be HTTPS or an empty string.

### Nested Schema for `push.direct_apns`

Required:

- `bundle_id` (String) The Apple Push Notification service Bundle ID.
- `p12` (String, Sensitive) The base64 encoded certificate in P12 format.
- `sandbox` (Boolean) Set to true to use the sandbox iOS app environment, otherwise set to false to use the production iOS app environment.

Optional:

- `enabled` (Boolean) Indicates whether the Apple Push Notification service is enabled.

### Nested Schema for `push.direct_fcm`

Required:

- `server_key` (String, Sensitive) The Firebase Cloud Messaging Server Key. For security purposes, we don't retrieve your existing FCM server key to check for drift, so a key rotated outside Terraform will not show up in a plan until the value in the configuration is changed.

### Nested Schema for `webauthn_platform`

Required:

- `enabled` (Boolean) Indicates whether WebAuthn with FIDO Device Biometrics MFA is enabled.

Optional:

- `override_relying_party` (Boolean) The Relying Party is the domain for which the WebAuthn keys will be issued, set to `true` if you are customizing the identifier.
- `relying_party_identifier` (String) The Relying Party should be a suffix of the custom domain.

### Nested Schema for `webauthn_roaming`

Required:

- `enabled` (Boolean) Indicates whether WebAuthn with FIDO Security Keys MFA is enabled.

Optional:

- `override_relying_party` (Boolean) The Relying Party is the domain for which the WebAuthn keys will be issued, set to `true` if you are customizing the identifier.
- `relying_party_identifier` (String) The Relying Party should be a suffix of the custom domain.
- `user_verification` (String) User verification, one of `discouraged`, `preferred` or `required`. With `required` the authenticator must verify the user (PIN or biometric) before signing, so a stolen key alone is not enough; `discouraged` accepts a touch, proving only possession.
## Import

Import is supported using the following syntax:

```shell
# As this is not a resource identifiable by an ID within the Auth0 Management API,
# guardian can be imported using a random string.
#
# We recommend [Version 4 UUID](https://www.uuidgenerator.net/version4)
#
# Example:
terraform import auth0_guardian.my_guardian "24940d4b-4bd4-44e7-894e-f92e4de36a40"
```