# auth0_attack_protection (Resource)

Auth0 can detect attacks and stop malicious attempts to access your application, for example by blocking traffic from certain IPs and displaying CAPTCHAs.

## Example Usage

```hcl
resource "auth0_attack_protection" "my_protection" {
  suspicious_ip_throttling {
    enabled   = true
    shields   = ["admin_notification", "block"]
    allowlist = ["192.168.1.1"]
    pre_login {
      max_attempts = 100
      rate         = 864000
    }
    pre_user_registration {
      max_attempts = 50
      rate         = 1200
    }
  }
  brute_force_protection {
    allowlist    = ["127.0.0.1"]
    enabled      = true
    max_attempts = 5
    mode         = "count_per_identifier_and_ip"
    shields      = ["block", "user_notification"]
  }
  breached_password_detection {
    admin_notification_frequency = ["daily"]
    enabled                      = true
    method                       = "standard"
    shields                      = ["admin_notification", "block"]
    pre_user_registration {
      shields = ["block"]
    }
  }
}
```
## Schema

- `breached_password_detection` (Block List, Max: 1) Breached password detection protects your applications from bad actors logging in with stolen credentials. (see below for nested schema)
- `brute_force_protection` (Block List, Max: 1) Brute-force protection safeguards against a single IP address attacking a single user account. (see below for nested schema)
- `suspicious_ip_throttling` (Block List, Max: 1) Suspicious IP throttling blocks traffic from any IP address that rapidly attempts too many logins or signups. (see below for nested schema)
- `id` (String) The ID of this resource.

### Nested Schema for `breached_password_detection`

Required:

- `enabled` (Boolean) Whether breached password detection is active.

Optional:

- `admin_notification_frequency` (Set of String) When `admin_notification` is enabled within the `shields` property, determines how often email notifications are sent. Possible values: `immediately`, `daily`, `weekly`, `monthly`.
- `method` (String) The subscription level for breached password detection methods. Use `"enhanced"` to enable Credential Guard. Possible values: `standard`, `enhanced`.
- `pre_user_registration` (Block List, Max: 1) Configuration options that apply before every user registration attempt. Only available on public tenants. (see below for nested schema)
- `shields` (Set of String) Action to take when a breached password is detected. Options include: `block` (block compromised user accounts), `user_notification` (send an email to the user when we detect that they are using compromised credentials) and `admin_notification` (send an email with a summary of the number of accounts logging in with compromised credentials).

### Nested Schema for `breached_password_detection.pre_user_registration`

Optional:

- `shields` (Set of String) Action to take when a breached password is detected during a signup. Possible values: `block` (block compromised credentials for new accounts), `admin_notification` (send an email notification with a summary of compromised credentials in new accounts).

### Nested Schema for `brute_force_protection`

Required:

- `enabled` (Boolean) Whether brute force attack protections are active.

Optional:

- `allowlist` (Set of String) List of trusted IP addresses that will not have attack protection enforced against them. This field allows you to specify multiple IP addresses, or ranges. You can use IPv4 or IPv6 addresses and CIDR notation.
- `max_attempts` (Number) Maximum number of consecutive failed login attempts from a single user before blocking is triggered. Only available on public tenants.
- `mode` (String) Determines whether the IP address is used when counting failed attempts. Possible values: `count_per_identifier_and_ip` (lock out an account from a given IP address) or `count_per_identifier` (lock out an account regardless of IP address).
- `shields` (Set of String) Action to take when a brute force protection threshold is violated. Possible values: `block` (block login attempts for a flagged user account), `user_notification` (send an email to the user when their account has been blocked).

### Nested Schema for `suspicious_ip_throttling`

Required:

- `enabled` (Boolean) Whether suspicious IP throttling attack protections are active.

Optional:

- `allowlist` (Set of String) List of trusted IP addresses that will not have attack protection enforced against them. This field allows you to specify multiple IP addresses, or ranges. You can use IPv4 or IPv6 addresses and CIDR notation.
- `pre_login` (Block List, Max: 1) Configuration options that apply before every login attempt. Only available on public tenants. (see below for nested schema)
- `pre_user_registration` (Block List, Max: 1) Configuration options that apply before every user registration attempt. Only available on public tenants. (see below for nested schema)
- `shields` (Set of String) Action to take when a suspicious IP throttling threshold is violated. Possible values: `block` (throttle traffic from an IP address when there is a high number of login attempts targeting too many different accounts), `admin_notification` (send an email notification when traffic is throttled on one or more IP addresses due to high-velocity traffic).

### Nested Schema for `suspicious_ip_throttling.pre_login`

Optional:

- `max_attempts` (Number) The maximum number of failed login attempts allowed from a single IP address.
- `rate` (Number) Interval of time, given in milliseconds, at which new login tokens become available after they have been used by an IP address. Each login attempt is added at the defined throttling rate.

### Nested Schema for `suspicious_ip_throttling.pre_user_registration`

Optional:

- `max_attempts` (Number) The maximum number of sign-up attempts allowed from a single IP address.
- `rate` (Number) Interval of time, given in milliseconds, at which new sign-up tokens become available after they have been used by an IP address. Each sign-up attempt is added at the defined throttling rate.

## Import

Import is supported using the following syntax:
```shell
# As this is not a resource identifiable by an ID within the Auth0 Management API,
# attack_protection can be imported using a random string.
#
# We recommend [Version 4 UUID](https://www.uuidgenerator.net/version4)
#
# Example:
terraform import auth0_attack_protection.my_protection "24940d4b-4bd4-44e7-894e-f92e4de36a40"
```
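Because the three protections above can each be silently weakened (a block set to `enabled = false`, notification-only `shields`, or an `allowlist` entry that exempts every client), a CI policy check over the planned values is worth having. The following is an added example, not part of the provider or its docs; it assumes the resource's `values` object as emitted by `terraform show -json`, where each "Block List, Max: 1" attribute appears as a one-element list, and the sample values are constructed from the page's example with a few weak settings introduced.

```python
import ipaddress

def _block(values, name):
    """A 'Block List, Max: 1' attribute is a one-element list in plan JSON; [] means absent."""
    blocks = values.get(name) or []
    return blocks[0] if blocks else None

def _allowlist_findings(name, entries):
    for entry in entries or []:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            yield f"{name}: allowlist entry {entry!r} is not a valid IP or CIDR"
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 exempts every client from the protection
            yield f"{name}: allowlist entry {entry!r} exempts every address"

def check_attack_protection(values):
    """Return findings for the resource's plan values; an empty list means it passes."""
    findings = []
    for name in ("suspicious_ip_throttling", "brute_force_protection", "breached_password_detection"):
        block = _block(values, name)
        if block is None:
            findings.append(f"{name}: block not configured")
            continue
        if not block.get("enabled"):
            findings.append(f"{name}: enabled is false")
        shields = block.get("shields") or []
        if "block" not in shields:  # notification-only shields report the attack but do not stop it
            findings.append(f"{name}: shields {sorted(shields)} do not include 'block'")
        findings.extend(_allowlist_findings(name, block.get("allowlist")))
        signup = _block(block, "pre_user_registration")
        if name == "breached_password_detection" and signup and "block" not in (signup.get("shields") or []):
            findings.append(f"{name}.pre_user_registration: shields do not include 'block'")
    return findings

# Constructed sample: the page's example with a few weak settings introduced for the demo.
SAMPLE_VALUES = {
    "suspicious_ip_throttling": [{"enabled": True, "shields": ["admin_notification", "block"],
        "allowlist": ["192.168.1.1", "0.0.0.0/0"],
        "pre_login": [{"max_attempts": 100, "rate": 864000}],
        "pre_user_registration": [{"max_attempts": 50, "rate": 1200}]}],
    "brute_force_protection": [{"enabled": True, "allowlist": ["127.0.0.1", "not-an-ip"],
        "max_attempts": 5, "mode": "count_per_identifier_and_ip", "shields": ["user_notification"]}],
    "breached_password_detection": [{"enabled": False, "method": "standard",
        "shields": ["admin_notification", "block"], "admin_notification_frequency": ["daily"],
        "pre_user_registration": [{"shields": ["admin_notification"]}]}],
}
```

In a pipeline, load `terraform show -json tfplan`, locate the `auth0_attack_protection` entry under `planned_values.root_module.resources`, and fail the job when `check_attack_protection(resource["values"])` returns anything.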