
Add Auth0 Pulumi config for DB connection and multi-tenant AD SSO #796

Open
hf-mrdachner wants to merge 1 commit into Hochfrequenz:main from hf-mrdachner:feature/auth0-pulumi-config


@hf-mrdachner

Summary

  • Add pulumi-auth0 dependency and new pulumi/auth0_config.py module
  • Configure Database Connection (username/password authentication) in Auth0
  • Support multi-tenant Azure AD SSO: reads a JSON list of tenant configs from pulumi.Config("auth0Tenants") and creates one auth0.Connection + auth0.ConnectionClient per entry
  • Enable all connections on both the production (VSkXGqlTD7Rf5Q4n9a0h00rInEyL2ZQj) and dev/stage (Hku0EniRjy4B2krnx1sCwTIOzAiVta1B) Auth0 applications
  • Add pulumi/AUTH0_SETUP.md documenting all manual prerequisites

Manual prerequisites (before pulumi up)

  1. Auth0 M2M application — create one in the Auth0 dashboard, authorize it for the Management API with connection-related scopes, and set AUTH0_DOMAIN / AUTH0_CLIENT_ID / AUTH0_CLIENT_SECRET environment variables (or use pulumi config set auth0:*)
  2. Azure App Registration per customer — in each customer's Entra ID, create an App Registration with redirect URI https://auth.hochfrequenz.de/login/callback and User.Read permission
  3. Pulumi config — set auth0Tenants as a --secret JSON array (see AUTH0_SETUP.md for the exact format)

How to add a new customer AD tenant

  1. Create an App Registration in the customer's Azure Entra ID
  2. Append a new entry to the auth0Tenants JSON array in Pulumi config:
    pulumi config set auth0Tenants '[...existing..., {"name": "NewCustomer", "domain": "newcustomer.de", "tenantDomain": "newcustomer.onmicrosoft.com", "clientId": "...", "clientSecret": "..."}]' --secret
  3. Run pulumi up

Notes

  • No Angular frontend code changes are needed; Auth0 Universal Login handles the new connection types automatically
  • If the database connection already exists in Auth0, use pulumi import to adopt it (see AUTH0_SETUP.md)
  • Full setup documentation: pulumi/AUTH0_SETUP.md

Test plan

  • Verify pulumi preview succeeds with Auth0 provider credentials configured
  • Verify database connection is created/imported in Auth0 dashboard
  • Verify adding a tenant entry to config creates the corresponding Azure AD connection
  • Verify connections appear enabled on both Auth0 applications

🤖 Generated with Claude Code

Configure database connection (username/password) and multi-tenant Azure AD
SSO connections, driven by Pulumi config. Includes setup documentation for
prerequisites and adding new customer AD tenants.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
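The description above says the module reads a JSON array of tenant entries (name, domain, tenantDomain, clientId, clientSecret) from Pulumi config and turns each one into an Azure AD connection. The parsing and validation step is where a bad or duplicated entry should be caught before any Auth0 resource is created. The following is an added example written for this review, not the PR's pulumi/auth0_config.py: it parses the array in the format shown in the description, rejects malformed or duplicate entries, and returns a per-tenant spec that a Pulumi program could hand to the provider. The entry key names come from the PR description; the `TenantSpec` class, the validation rules, the mapping of `domain` to a domain alias and `tenantDomain` to `tenant_domain` for a `waad` connection, and all sample values are assumptions made here.

```python
"""Validate the `auth0Tenants` JSON array described in PR #796.

Added example, not the PR's own code. Entry keys (name, domain, tenantDomain,
clientId, clientSecret) follow the PR description; everything else is assumed.
"""
import json
import re
from dataclasses import dataclass

REQUIRED_KEYS = ("name", "domain", "tenantDomain", "clientId", "clientSecret")
# Connection names: alphanumerics and hyphens, up to 128 chars (assumed limit,
# kept strict so the name is also a safe Pulumi resource name).
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,127}$")
# Plain DNS hostname, lower-case, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass(frozen=True)
class TenantSpec:
    name: str           # Auth0 connection name, e.g. "NewCustomer"
    domain: str         # customer e-mail domain, e.g. "newcustomer.de"
    tenant_domain: str  # Entra ID tenant, e.g. "newcustomer.onmicrosoft.com"
    client_id: str
    client_secret: str

    def connection_options(self) -> dict:
        """Option dict for an Entra ID ("waad" strategy) connection.

        Key names mirror the pulumi-auth0 ConnectionOptions arguments as
        assumed here; the e-mail domain becomes a domain alias so Universal
        Login can route users of that domain to this connection.
        """
        return {
            "strategy": "waad",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "tenant_domain": self.tenant_domain,
            "domain_aliases": [self.domain],
            "waad_protocol": "openid-connect",
        }

    def redacted(self) -> dict:
        """Loggable view of the entry; the client secret never leaves here."""
        return {
            "name": self.name,
            "domain": self.domain,
            "tenantDomain": self.tenant_domain,
            "clientId": self.client_id,
            "clientSecret": "<redacted>",
        }


def _require_str(entry: dict, key: str, index: int) -> str:
    value = entry.get(key)
    if not isinstance(value, str) or not value.strip():
        # Error text names the key only, never echoes the value.
        raise ValueError(f"auth0Tenants[{index}]: '{key}' must be a non-empty string")
    return value.strip()


def parse_tenants(raw: str) -> list[TenantSpec]:
    """Parse and validate the secret JSON array; raise ValueError on any defect."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"auth0Tenants is not valid JSON: {exc.msg}") from None
    if not isinstance(data, list):
        raise ValueError("auth0Tenants must be a JSON array")

    specs: list[TenantSpec] = []
    seen_names: set[str] = set()
    seen_domains: set[str] = set()
    for i, entry in enumerate(data):
        if not isinstance(entry, dict):
            raise ValueError(f"auth0Tenants[{i}] must be a JSON object")
        unknown = set(entry) - set(REQUIRED_KEYS)
        if unknown:
            raise ValueError(f"auth0Tenants[{i}]: unknown keys {sorted(unknown)}")
        fields = {k: _require_str(entry, k, i) for k in REQUIRED_KEYS}
        name = fields["name"]
        domain = fields["domain"].lower()
        tenant_domain = fields["tenantDomain"].lower()
        if not NAME_RE.match(name):
            raise ValueError(f"auth0Tenants[{i}]: 'name' is not a valid connection name")
        for label, host in (("domain", domain), ("tenantDomain", tenant_domain)):
            if not HOSTNAME_RE.match(host):
                raise ValueError(f"auth0Tenants[{i}]: '{label}' is not a valid hostname")
        # One connection per tenant: a repeated name would collide as a resource,
        # and an e-mail domain can only route to a single connection.
        if name in seen_names:
            raise ValueError(f"auth0Tenants[{i}]: duplicate name '{name}'")
        if domain in seen_domains:
            raise ValueError(f"auth0Tenants[{i}]: duplicate domain '{domain}'")
        seen_names.add(name)
        seen_domains.add(domain)
        specs.append(TenantSpec(name, domain, tenant_domain,
                                fields["clientId"], fields["clientSecret"]))
    return specs


# Constructed sample config in the shape the PR description shows.
SAMPLE_CONFIG = json.dumps([
    {"name": "ExampleCustomer", "domain": "example-customer.de",
     "tenantDomain": "examplecustomer.onmicrosoft.com",
     "clientId": "00000000-0000-0000-0000-000000000001",
     "clientSecret": "constructed-secret-1"},
    {"name": "OtherCustomer", "domain": "other-customer.example",
     "tenantDomain": "othercustomer.onmicrosoft.com",
     "clientId": "00000000-0000-0000-0000-000000000002",
     "clientSecret": "constructed-secret-2"},
])

if __name__ == "__main__":
    for spec in parse_tenants(SAMPLE_CONFIG):
        print(spec.redacted())
```

In a Pulumi program the returned specs would feed the `auth0.Connection` / `auth0.ConnectionClient` pair the PR creates per entry; keeping the validation in a plain function means it can be unit-tested without provider credentials, and a malformed entry fails `pulumi preview` before any Auth0 resource is touched.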