page_title: dbtcloud_auth_provider Resource - dbtcloud
subcategory:
description: Manages an SSO auth provider for a dbt Cloud account. Supports SAML/Okta, Azure Active Directory (single-tenant, multi-tenant), and Google Workspace. Only one auth provider may exist per account. Requires the SSO feature enabled on the account (enterprise plans only). See the documentation https://docs.getdbt.com/docs/cloud/manage-access/sso-overview for more information.

dbtcloud_auth_provider (Resource)

Manages an SSO auth provider for a dbt Cloud account. Supports SAML/Okta, Azure Active Directory (single-tenant, multi-tenant), and Google Workspace.

Only one auth provider may exist per account. Requires the SSO feature enabled on the account (enterprise plans only).

See the documentation (https://docs.getdbt.com/docs/cloud/manage-access/sso-overview) for more information.

Example Usage

// SAML — write-only cert (recommended, not stored in state)
//
// Requires Terraform >= 1.11 for write-only attribute support.
// Bump cert_wo_version to rotate the cert without recreating the resource.

variable "saml_cert" {
  type      = string
  ephemeral = true
}

resource "dbtcloud_auth_provider" "saml" {
  type      = "saml"
  entity_id = "https://your-idp.example.com/metadata"
  sso_url   = "https://your-idp.example.com/sso/saml"

  cert_wo         = var.saml_cert
  cert_wo_version = 1
}

output "login_url" {
  description = "SSO login URL to share with users."
  value       = dbtcloud_auth_provider.saml.login_url
}


// SAML — all optional fields

resource "dbtcloud_auth_provider" "saml_full" {
  type      = "saml"
  entity_id = "https://your-idp.example.com/metadata"
  sso_url   = "https://your-idp.example.com/sso/saml"
  cert      = file("idp-cert.pem")

  sign_request  = true
  attribute_map = jsonencode({
    email      = "nameID"
    first_name = "firstName"
    last_name  = "lastName"
  })

  allow_password_backdoor = false
}


// Okta (identical to SAML, different type value)

resource "dbtcloud_auth_provider" "okta" {
  type      = "okta"
  entity_id = "http://www.okta.com/<okta_app_id>"
  sso_url   = "https://<your-org>.okta.com/app/<app_path>/sso/saml"

  cert_wo         = var.saml_cert
  cert_wo_version = 1
}


// Azure AD — single tenant

variable "azure_client_secret" {
  type      = string
  ephemeral = true
}

resource "dbtcloud_auth_provider" "azure_single_tenant" {
  type      = "azure_single_tenant"
  client_id = "00000000-0000-0000-0000-000000000000"
  tenant_id = "11111111-1111-1111-1111-111111111111"

  client_secret_wo         = var.azure_client_secret
  client_secret_wo_version = 1

  domain                  = "acme.com"
  include_indirect_groups = true
  max_groups_to_retrieve  = 500
}


// Azure AD — multi tenant (no tenant_id required)

resource "dbtcloud_auth_provider" "azure_multi_tenant" {
  type      = "azure_multi_tenant"
  client_id = "00000000-0000-0000-0000-000000000000"

  client_secret_wo         = var.azure_client_secret
  client_secret_wo_version = 1
}


// Azure Active Directory

resource "dbtcloud_auth_provider" "azure_active_directory" {
  type      = "azure_active_directory"
  client_id = "00000000-0000-0000-0000-000000000000"
  tenant_id = "11111111-1111-1111-1111-111111111111"

  client_secret_wo         = var.azure_client_secret
  client_secret_wo_version = 1

  domain = "acme.com"
}


// Google Workspace

variable "gsuite_client_secret" {
  type      = string
  ephemeral = true
}

resource "dbtcloud_auth_provider" "gsuite" {
  type      = "gsuite"
  client_id = "000000000000-xxxx.apps.googleusercontent.com"

  client_secret_wo         = var.gsuite_client_secret
  client_secret_wo_version = 1

  admin_refresh_token = "<oauth-refresh-token>"
  domain              = "acme.com"
  gsuite_admin_id     = "admin@acme.com"
}

Schema

Required

  • type (String) The SSO provider type. One of: saml, okta, gsuite, azure_single_tenant, azure_multi_tenant, azure_active_directory. Changing this value forces a new resource.

Optional

  • admin_refresh_token (String, Sensitive) Google Workspace admin OAuth refresh token used to fetch group memberships.
  • allow_password_backdoor (Boolean) When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
  • attribute_map (String) JSON map of SAML attribute names to dbt Cloud user fields.
  • authorization_url (String) OAuth authorization URL for Google Workspace. May be auto-populated server-side.
  • cert (String, Sensitive) SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using cert_wo instead. Conflicts with cert_wo.
  • cert_wo (String) Write-only alternative to cert. Not stored in state. Use cert_wo_version to trigger updates. Conflicts with cert.
  • cert_wo_version (Number) Increment to rotate cert_wo without changing the value.
  • client_id (String) OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
  • client_secret (String, Sensitive) OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using client_secret_wo instead. Conflicts with client_secret_wo.
  • client_secret_wo (String) Write-only alternative to client_secret. Not stored in state. Use client_secret_wo_version to trigger updates. Conflicts with client_secret.
  • client_secret_wo_version (Number) Increment to rotate client_secret_wo without changing the value.
  • domain (String) Primary domain for the Azure AD or Google Workspace tenant.
  • entity_id (String) SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
  • gsuite_admin_id (String) Google Workspace admin email used to fetch group memberships.
  • include_indirect_groups (Boolean) Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
  • max_groups_to_retrieve (Number) Maximum number of Azure AD groups to fetch per user. Defaults to 250.
  • resource_metadata (Dynamic) Metadata for tracking resource identity during account migrations. Stored in Terraform state only and not sent to the API.
  • sign_request (Boolean) Whether to sign SAML authentication requests. Defaults to false.
  • slug (String) URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
  • sso_url (String) SAML Single Sign-On URL from your identity provider. Required for saml and okta.
  • tenant_id (String, Sensitive) Azure AD tenant ID. Required for azure_single_tenant.

Read-Only

  • cert_expiry_date (String) Expiry date of the SAML X.509 certificate (SAML/Okta only).
  • created_at (String)
  • id (Number) The ID of the auth provider.
  • login_url (String) The SSO login URL for the account, auto-generated from the slug.
  • state (Number) The state of the auth provider (1 = active).
  • updated_at (String)

Import

Import is supported using the following syntax:

# Import an existing auth provider by its numeric ID.
# The ID can be found via the dbt Cloud API:
#   GET /api/v3/accounts/{account_id}/auth-provider/

terraform import dbtcloud_auth_provider.example 12345